TryHackME — Mustacchio
First of all, let's start with port scanning using the following command:
nmap -Pn -p- -T4 10.10.186.21
and see which service is running on which port. We get 3 open ports; let's visit the webpage hosted on the http service.
Alongside the nmap port scan, start directory enumeration as well with gobuster using the following command:
gobuster dir -u http://10.10.186.21 -w /usr/share/wordlists/dirb/common.txt -t 100
We get 5 directories that we can access, but the only useful one is index.html, which hosts the webpage as well. Let's visit it; it does not contain any useful information, either in the page or in its source code.
Since port 8765/tcp (ultraseek-http) is also open, we visit it and find a login page, but we do not know its email or password.
Visiting the custom directory found during directory enumeration, we are able to find a user.bak file that contains the username admin and a hashed password.
Now we can recover the password from the hash by brute-forcing it.
Let's first identify the type of the hash with hash-identifier using the following command:
hash-identifier 1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
The hash is SHA-1. Let's store it in a separate file and use hashcat to brute-force it:
hashcat -m 100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Another way is to look the hash up on crackstation.net.
Let's log in to the admin panel with the username and password we found, then check the source code of the new page.
From the page source I find 2 useful pieces of information: it gives us the path to a backup file at
“Example=/auth/dontforget.bak”
and secondly it tells us that the user barry can SSH in using his key, but to do that we first need barry's SSH key.
Let's download the dontforget.bak file first and check its content. It gives us an XML structure for posting a comment. Let's first check whether the comment box accepts XML; if it does, we can attempt XXE on it.
We check this by inspecting the request in Burp Suite.
It is confirmed that XML is accepted by the comment box, so we can try an XXE attack on it.
Let's grab the XXE payload from the pentestmonkey repository, copy it, and build an XML document based on the structure we got from dontforget.bak.
Upon submitting the XXE payload we can read the passwd file.
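The defensive counterpart of the comment-box weakness above, as an added example that is not the box's own code: a comment handler that refuses any DTD before parsing, so an external entity declared in the submission is never expanded. The field names name, author and com are assumptions, since the page does not show the structure from dontforget.bak.

```python
import re
import xml.etree.ElementTree as ET

# Constructed field names: the real dontforget.bak structure is not shown on the page.
ALLOWED_FIELDS = ("name", "author", "com")

# Any DTD is rejected outright: without a DOCTYPE there is nowhere to declare an
# external entity, so the file read described in the write-up cannot be triggered.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")


class CommentRejected(ValueError):
    """Raised when the submitted XML is not a plain comment document."""


def parse_comment(raw: bytes) -> dict:
    """Return the comment fields as plain strings, or raise CommentRejected."""
    # The DTD check runs before the parser sees the input, so entity expansion
    # never operates on user-controlled declarations.
    if _DTD_MARKER.search(raw):
        raise CommentRejected("DTD / entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise CommentRejected(f"malformed XML: {exc}") from exc
    if root.tag != "comment":
        raise CommentRejected("root element must be <comment>")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS:
            raise CommentRejected(f"unexpected field <{child.tag}>")
        fields[child.tag] = (child.text or "").strip()
    return fields


def is_accepted(raw: bytes) -> bool:
    """True when the submission would reach the comment store."""
    try:
        parse_comment(raw)
        return True
    except CommentRejected:
        return False


# Constructed sample inputs: a benign comment and one shaped like the XXE submission above.
BENIGN = b"<comment><name>Joe</name><author>joe</author><com>Nice site</com></comment>"
HOSTILE = (b'<?xml version="1.0"?><!DOCTYPE comment [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
           b"<comment><name>&ext;</name><author>x</author><com>x</com></comment>")
```

Rejecting the DOCTYPE up front is the stdlib-only equivalent of disabling DTD processing in the parser; it also blocks entity-expansion denial of service, not just file reads.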
Since we found barry's username in the page source, we can try reading his SSH key from /home/barry/.ssh/id_rsa.
Copy the SSH key from the page source rather than the rendered page, so that its line breaks are preserved, and store it in a file.
Store the key in barry_hash.txt. Since what we have is a passphrase-protected private key, we need to convert it into a hash and then brute-force that hash. First download the conversion script:
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
Run ssh2john.py on the key file and save its output as id_rsa.hash, then use the following command to brute-force the hash and recover the passphrase:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Then use the following command to show the recovered passphrase:
john --show id_rsa.hash
Before SSH-ing into barry's account, set the permissions of the key file to 600:
chmod 600 barry_hash.txt
Now let's SSH into barry's account with the key, entering the recovered passphrase when prompted:
ssh -i barry_hash.txt barry@10.10.7.251
Once we have the shell, capture the user flag from the home directory.
Let's find the files that the user barry can execute with root privileges; among them the live_log binary looks promising:
/home/joe/live_log
The binary looks interesting. After running the strings command on it, I found that it is using the tail command.
Now if we observe carefully, tail is not called by its actual path. We can take advantage of this by adding our own directory to the $PATH environment variable and creating a new file named tail there.
Let's cd to the tmp directory and do that.
Create a tail file in /tmp, prepend /tmp to the $PATH environment variable, make the file executable with chmod +x /tmp/tail, and then run the binary with ./live_log.
After that we have root access; cd to /root to find the root flag, and you have completed the box.
CTF finished! Clap 👏 for this writeup and leave a comment ✍️. Thank you.