# Mustacchio

![](/files/-McaUA11Xfw7LrQizWpJ)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.193.190
```

![](/files/-McaUIC6rLESTxhnNE7M)

Just in case, let's also run a scan on all ports.

![](/files/-McaWahiVzuql3XI9UcV)

Detailed Nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: scan only ports 22, 80 and 8765
* **-oN nmap**: save the output to a file called `nmap`

```
nmap -sV -sC -p 22,80,8765 -oN nmap 10.10.193.190
```

![](/files/-McaW8wIixAZ5zQ63Jsn)

## Enumeration

### Port 80: HTTP

Let's visit the site on port 80.

![](/files/-McaUdXZ6Pzv_aJVEzn0)

It's a well-made website. Let's run a `gobuster` scan.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.193.190/
```

![](/files/-McaVz8n1BCzNCyIz1-3)

There is an interesting directory called `custom`; let's check it out.

![](/files/-McaWEqyZzMD1bZ1fKav)

We have two folders. After checking them out, the `js` folder has something interesting.

![](/files/-McaWQrlDnsgHixBmFOx)

Let's download this `users.bak` file. It probably holds credentials, so let's see what type of file it is.

![](/files/-McaWtGBaiA20Sw7QXdU)

It's a SQLite file; let's open it with `sqlitebrowser`.

```
sqlitebrowser users.bak
```

Looking through the database, we can see the hashed password for the user `admin`.

![](/files/-McaXGbn8kr6JoDjmXra)

Let's crack this. First save the hash in a file called `hash`, then use `john the ripper` to crack the password.

![](/files/-McaXeFZNe_oPwT0Jmw7)

We have the password but nowhere to log in with it, so let's check the other HTTP service running on the machine.

### Port 8765: HTTP

![](/files/-McaXx1Dhlc9ROWvk3qJ)

We have a login page; let's log in with the credentials we just found.

![](/files/-McaY6TKtFI8YUWezr4T)

It asks us to submit a comment, so let's do that.

![](/files/-McaYYh1dlTVwI-G2bbB)

We can't clearly see what is happening, so let's capture the request in `burp` and check what the backend of this website does with it.

![](/files/-McaYztCeOvUmX2-nXzI)

Let's send this to `repeater` so we can test different requests, then submit the request.

![](/files/-McaZE40O-t2CtXkvqkQ)

OK, we have several interesting things to look at:

* We have a username `Barry`
* The URL `/auth/dontforget.bak`
* The POST parameter is called `xml`
* The function `checktarea`

First, let's look at the `/auth/dontforget.bak` file.

![](/files/-McaZtP_S_b7cQ_WXeY1)

OK, it contains XML. Since the comment is posted as XML, let's check whether the form is vulnerable to `XXE` (XML External Entity injection).

![](/files/-McabpJ6KwsSq9EYrz7n)

## Exploitation

We can see that it is vulnerable, so now let's try to read the `id_rsa` file.

![](/files/-McaeloXmtVWCKotNAJl)

Once we submit this, we get a response.

![](/files/-Mcaes_c5CSZtw1WWHi9)
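The two steps above (checking for XXE, then pulling a file through the `xml` parameter) come down to one parser setting on the server. The following is an added example, not code from the room or from the original writeup: a small comment parser in the shape of the `xml` POST body, once with external general entities enabled (the weak setting an XXE read depends on) and once hardened so any DOCTYPE is rejected before an entity can be declared. The `<comment>/<name>/<body>` layout, the `Barry` name and the secret file are constructed stand-ins, not the room's real files.

```python
"""Constructed example: an XML comment endpoint parsed two ways.

parse_comment_vulnerable() enables external general entities, which is
what lets a SYSTEM entity pull a local file into the parsed output.
parse_comment_hardened() keeps them off and rejects any DOCTYPE outright.
The <comment>/<name>/<body> layout and the secret file are assumptions.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for a sensitive file on the server; not a real key.
SECRET = "constructed-secret-value-not-a-real-key\n"


class CommentHandler(handler.ContentHandler):
    """Collect the text of each element into a dict keyed by element name."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._buf = []

    def startElement(self, name, attrs):
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        self.fields[name] = "".join(self._buf).strip()


class RejectDTD:
    """Lexical handler: a comment submission never needs a DTD, so refuse any."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD declarations are not accepted in comments")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def _parse(parser, xml_bytes):
    h = CommentHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.fields


def parse_comment_vulnerable(xml_bytes):
    """Weak setting: external general entities are resolved and inlined."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)
    return _parse(parser, xml_bytes)


def parse_comment_hardened(xml_bytes):
    """External entities stay off, and any DOCTYPE aborts the parse."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, RejectDTD())
    return _parse(parser, xml_bytes)


def demo():
    """Run a benign and a malicious submission through both parsers."""
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(SECRET)
        secret_path = f.name
    try:
        benign = b"<comment><name>Barry</name><body>Nice site</body></comment>"
        # Same shape as the comment XML, plus an entity that points at a local file.
        malicious = (
            b"<?xml version='1.0'?>"
            b"<!DOCTYPE comment [<!ENTITY leak SYSTEM '" + secret_path.encode() + b"'>]>"
            b"<comment><name>Barry</name><body>&leak;</body></comment>"
        )
        results = {
            "benign_body": parse_comment_hardened(benign)["body"],
            "vulnerable_leaks": SECRET.strip() in parse_comment_vulnerable(malicious)["body"],
        }
        try:
            parse_comment_hardened(malicious)
            results["hardened_rejects"] = False
        except ValueError:
            results["hardened_rejects"] = True
        return results
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The hardened parser follows the usual rule for untrusted XML: disable DTD processing altogether rather than only external entities, because a comment form never legitimately needs a DOCTYPE, and a submission that carries one is worth logging as a probe.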

It's a private key. Let's copy it; it is easier to copy from the page source.

![](/files/-Mcaf1YjXfuzm6MF2O9K)

![](/files/-Mcaf9r2niN_bVzWXkbH)

Once it is saved in a file called `id_rsa`, let's crack its password using `john the ripper`.

![](/files/-McafTYCdi8apQbVwzwv)

Now we have the password for barry's key, so let's log in through SSH. But first we need to set the right permissions on the `id_rsa` file.

![](/files/-McafpC9tb9ubdO_EPb8)

We can read the `user.txt` file.

![](/files/-Mcag2Ybow93lsXvZPp6)

## Privilege Escalation

Let's look for files with the `SUID` bit set.

```
find / -perm -u=s -type f 2>/dev/null
```

![](/files/-McaiXBTu3dvuX5WQOLz)

The `/home/joe/live_log` file looks interesting, as it is not a common `SUID` file.

Let's look at what the file does.

![](/files/-Mcaj7mA8GEHQGv-eNni)

It prints logs. Let's use the `strings` command to get more information about the binary.

![](/files/-McajLYxnnMT0zIcMvrg)

The highlighted lines look interesting.

Looking at it for a while, we can see that the `tail` command is used to show the contents of the `/var/log/nginx/access.log` file. Because the binary calls `tail` by name rather than by absolute path, the shell resolves it through the `PATH` variable. We can exploit this by creating our own `tail` binary, pointing `PATH` at the directory that holds it, and running `live_log` so that our `tail` executes as root.
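From the defender's side, the `find` plus `strings` triage above can be automated. The following is an added example, not part of the original writeup, and the sample bytes are constructed rather than taken from the real `live_log` binary: it lists SUID files and flags embedded command lines that invoke a tool by bare name, which is exactly what makes the result depend on the caller's `PATH`. The tool list and the string-extraction heuristics are assumptions chosen for this example.

```python
"""Constructed example: audit SUID binaries for commands resolved through PATH.

Mirrors the `find` + `strings` triage from the writeup, but automates the
check that matters: a privileged binary that runs `tail ...` by bare name
lets the caller's PATH decide which `tail` executes. SAMPLE_BINARY below is
constructed, not taken from the real live_log binary.
"""
import os
import re
import stat
import string

# Printable bytes as strings(1) sees them: everything printable except control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

# Tools a privileged helper might shell out to; a bare name here is PATH-resolved.
COMMON_TOOLS = {
    "tail", "head", "cat", "less", "more", "grep", "awk", "sed", "cp", "mv",
    "rm", "chmod", "chown", "sh", "bash", "find", "ls", "id", "whoami", "systemctl",
}

# Points where a new command can start inside a shell command line.
COMMAND_SPLIT = re.compile(r"[;&|`]|\$\(")


def extract_strings(data, min_len=4):
    """Return printable runs of at least min_len characters, like strings(1)."""
    out, run = [], bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def path_dependent_commands(text):
    """Return tools invoked by bare name (no '/') in a command-line-looking string."""
    found = []
    for segment in COMMAND_SPLIT.split(text):
        tokens = segment.split()
        if tokens and "/" not in tokens[0] and tokens[0] in COMMON_TOOLS:
            found.append(tokens[0])
    return found


def scan_bytes(data):
    """Return (string, [tools]) for every embedded string that uses a bare tool name."""
    hits = []
    for s in extract_strings(data):
        tools = path_dependent_commands(s)
        if tools:
            hits.append((s, tools))
    return hits


def find_suid_files(root="/"):
    """Yield regular files under root with the set-user-ID bit set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path


def audit(root="/", max_bytes=16 * 1024 * 1024):
    """Scan every SUID binary under root; return {path: hits} for the flagged ones."""
    report = {}
    for path in find_suid_files(root):
        try:
            with open(path, "rb") as f:
                data = f.read(max_bytes)
        except OSError:
            continue
        hits = scan_bytes(data)
        if hits:
            report[path] = hits
    return report


# Constructed stand-in for a small SUID helper: one PATH-dependent call, one safe call.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Live Nginx Log Reader\x00"
    + b"tail -f /var/log/nginx/access.log\x00"
    + b"/usr/bin/tail -f /var/log/nginx/access.log\x00"
    + b"setuid\x00"
)

if __name__ == "__main__":
    for s, tools in scan_bytes(SAMPLE_BINARY):
        print(f"PATH-dependent {tools}: {s!r}")
    # Real run (walks the whole filesystem, needs read access): print(audit("/"))
```

The fix on the binary side is the one the audit encodes: call `/usr/bin/tail` by absolute path, or reset `PATH` to a fixed trusted value before invoking anything; the scanner flags the bare-name form and leaves the absolute-path form alone.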

Let's first create a file called `tail` in the `/home/barry` directory and add these lines of code.

![](/files/-McalAd31xv9SNjKp2pq)

Now let's give the file all permissions.

![](/files/-McalEgOhRc1r1J-lUUG)

Now let's set the `PATH` variable to `/home/barry`, since our `tail` file is there.

![](/files/-McalWD_dVUhUdCK861G)

In theory, running `live_log` should now give us root, so let's do that.

![](/files/-McaljUC6PZv0Vi7HRh8)

We are root. We can also read the root flag.

![](/files/-McalrFYnJt-CAbbieY1)

