TryHackMe | Mustacchio

A TryHackMe room made by zyeinn featuring a lot of stuff!

Tasks

user.txt

root.txt

Vulnerabilities

Hashed credentials in source code.

Weak password

XXE injection

Not calling binary from $PATH

NMAP

Ports 22 and 80 are open.
A full port scan reveals that port 8765 is also open.

Foothold

After running Gobuster, I checked out the directories and found interesting stuff in the custom/js directory.

Using CrackStation, the hash in mobile.js seems to be an MD5 hash and can be cracked.

Opening up users.bak, it seems like a config file, but there are also credentials in there.

After that I went to check out port 8765, which seems to be an admin page. We can log in using the credentials we found earlier.

Opening up the page, it asks us to give the page a comment. Typing nothing into it alerts us.

Perhaps this is hinting at XXE injection.
Let’s look at the source code.

Looks like user barry has an SSH key and there is something in /auth/.

Does it look familiar? Some of you might say HTML, but it’s actually XML. So it matches what the comment field wants: a name, an author and a comment. Let’s edit this and add a payload. For this, I referred to PayloadsAllTheThings.

Basically, the ‘lmao’ entity will be printed out as the comment, and its content will be the private key. Let’s try to SSH in as barry with it.
This will fail since id_rsa is protected by a password.

Do not worry, we have ssh2john for this.

You will then receive the cracked password! Let’s SSH into the box.

Privesc

user.txt can be found straight away in barry’s home directory.

Let’s find an SUID binary to escalate privileges.

But before that, let’s try sudo. Sadly, the user barry needs a password and none of our cracked passwords work. That’s fine, let’s enumerate.

This caught my eye during the linpeas enumeration. It’s a self-made binary. Let’s check it out. This binary is basically a live log of the server.
Checking out the binary, it seems we can’t edit it. Let’s look at it with strings.
Let’s look at how it’s fetching these logs.

Looks like it’s using the tail binary. But the catch here is that it doesn’t call it by its full path, such as /usr/bin/tail. Let’s add a directory we control to our PATH and create our own tail in it, so the binary executes our tail instead.

So now whenever the binary runs tail, it will pick up our tail first, since our directory comes first in $PATH.
And just like that, we managed to root the box! Head over to /root and grab that root flag!
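For the "not calling the binary from its full path" issue above, here is an added example (my own code, not the room's binary) showing the unsafe pattern beside a hardened launcher: an allowlist of absolute paths plus execve with a fixed environment, so the caller's $PATH never decides what runs as root. The log path and the allowlisted binaries are assumptions.

```c
/* Added example, not the room's binary. The log file path is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define LOG_FILE "/var/log/nginx/access.log"   /* assumed log path */

/* VULNERABLE (the pattern the writeup describes): "tail" is resolved through
 * the caller's $PATH and /bin/sh inherits the caller's environment, so a
 * setuid-root binary runs whatever "tail" the invoking user put first in PATH. */
void show_log_unsafe(void) {
    system("tail -f " LOG_FILE);
}

/* Allowlist: a command name maps to exactly one absolute path (assumed paths). */
static const char *const TRUSTED[][2] = {
    {"tail", "/usr/bin/tail"},
    {"cat",  "/bin/cat"},
};

/* Return the absolute path for a trusted command name, or NULL if unknown. */
const char *resolve_trusted(const char *name) {
    for (size_t i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++)
        if (strcmp(name, TRUSTED[i][0]) == 0)
            return TRUSTED[i][1];
    return NULL;
}

/* Fixed, minimal environment for the child; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = {"PATH=/usr/bin:/bin", NULL};

/* HARDENED: fork/execve with an absolute path and a clean environment.
 * Returns the child's exit status, or -1 if the command is not allowlisted. */
int run_trusted(const char *name, const char *file) {
    const char *path = resolve_trusted(name);
    if (path == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)path, (char *)file, NULL};
        execve(path, argv, CLEAN_ENV);  /* no PATH lookup, no inherited env */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling run_trusted("tail", LOG_FILE) from the setuid binary replaces the system() call; a name that is not in the allowlist is refused before anything is executed.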

Student that loves FOSS