# Mustacchio

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaUA11Xfw7LrQizWpJ%2Fimage.png?alt=media\&token=c1c6e029-c49c-4296-ad5f-c22159be86bc)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**):

```
nmap -Pn 10.10.193.190
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaUIC6rLESTxhnNE7M%2Fimage.png?alt=media\&token=4bfdbaee-c0ea-4f50-94d7-682f700eba1d)

Just in case, let's run a scan on all ports.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaWahiVzuql3XI9UcV%2Fimage.png?alt=media\&token=96ceafe6-4ce0-45ee-9692-b6566fe6bdee)

Detailed nmap scan:

Command breakdown:

* **-sV**: service version detection
* **-sC**: default nmap scripts
* **-p**: specifying ports 22, 80 and 8765
* **-oN nmap**: saving the output into a file called `nmap`

```
nmap -sV -sC -p 22,80,8765 -oN nmap 10.10.193.190
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaW8wIixAZ5zQ63Jsn%2Fimage.png?alt=media\&token=c1fb1122-3fe6-4ca1-9676-2f2a7c6ca9be)

## Enumeration

### Port 80: HTTP

Let's visit the site on port 80.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaUdXZ6Pzv_aJVEzn0%2Fimage.png?alt=media\&token=cfb14c44-81c7-445d-967e-2183cc44eb24)

It's a well-made website. Let's run a `gobuster` scan.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.193.190/
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaVz8n1BCzNCyIz1-3%2Fimage.png?alt=media\&token=ae14d96b-5f37-41f1-93cf-68e2025c3d69)

There is an interesting directory called `custom`; let's check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaWEqyZzMD1bZ1fKav%2Fimage.png?alt=media\&token=3e9be855-7f1d-4a1f-9152-9e1682ecfc64)

We have two folders. After checking them out, the `js` folder has something interesting.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaTHFFXZxqsN2tZVzm%2F-McaWQrlDnsgHixBmFOx%2Fimage.png?alt=media\&token=8e40156c-0d0c-4bd4-98b5-b840c547cb2a)

Let's download this `users.bak` file; I think it contains credentials, so let's see what type of file it is.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaWtGBaiA20Sw7QXdU%2Fimage.png?alt=media\&token=3c9a8b9e-ed36-4b51-a7f3-bd2a779f7e36)

It's a SQLite file. Let's open it with `sqlitebrowser`:

```
sqlitebrowser users.bak
```

Looking through the application, we can see the hashed password for the user `admin`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaXGbn8kr6JoDjmXra%2Fimage.png?alt=media\&token=8c01128b-c112-4749-91a6-f042f8c4f883)

Let's crack this. First save it in a file called `hash`, then use `john the ripper` to crack the password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaXeFZNe_oPwT0Jmw7%2Fimage.png?alt=media\&token=99beb045-acc6-4d75-9d53-2704b1c26377)

We have the password, but nowhere to log in with it. Let's check the other HTTP service running on the machine.

### Port 8765: HTTP

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaXx1Dhlc9ROWvk3qJ%2Fimage.png?alt=media\&token=d98a33be-d4b0-4926-9d49-b8aac4e3b151)

We have a login page. Let's log in with the credentials we just found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaY6TKtFI8YUWezr4T%2Fimage.png?alt=media\&token=bde28088-930a-4b32-9553-db0049e23c8d)

It is asking us to submit a comment, so let's do that.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaYYh1dlTVwI-G2bbB%2Fimage.png?alt=media\&token=683c882a-0a63-417f-83f0-346f888c98d7)

We cannot clearly see what is happening, so let's capture the request in `burp` and check what the backend of this website is doing.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaYztCeOvUmX2-nXzI%2Fimage.png?alt=media\&token=acd394ad-7147-4b41-a7e5-b9fd2d98520b)

Let's send this to `repeater` so that we can test different requests, then submit the request.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaZE40O-t2CtXkvqkQ%2Fimage.png?alt=media\&token=59b75f4f-351f-4a58-9979-3dfeff3c0f8a)

OK, we have several interesting things to look at:

* We have a username `Barry`
* The URL `/auth/dontforget.bak`
* The POST parameter is called `xml`
* The function `checktarea`

First, let's look at the `/auth/dontforget.bak` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaZtP_S_b7cQ_WXeY1%2Fimage.png?alt=media\&token=d612fdab-20f5-42d2-bd94-c76de0ed17da)

OK, it contains XML. Let's check whether it is vulnerable to `XXE`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McabpJ6KwsSq9EYrz7n%2Fimage.png?alt=media\&token=324ebf83-2744-4407-813c-2c97f58e52ed)
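The weakness behind that check is a server-side XML parser that resolves external entities declared in a DTD. The following is an added example (not code from this room or its web application) of how a handler for the `xml` parameter could refuse such documents before parsing; the `comment`, `name`, `author` and `com` element names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a comment as it might arrive in the `xml` POST parameter.
# The element names are assumptions for this example; the page does not list them.
GOOD_COMMENT = """<comment>
  <name>Barry</name>
  <author>Barry</author>
  <com>Nice moustache!</com>
</comment>"""

# Constructed XXE-style document: a DTD declares an external entity that a
# parser would read from the local filesystem if it resolved entities.
XXE_COMMENT = """<?xml version="1.0"?>
<!DOCTYPE comment [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<comment><name>&xxe;</name><author>x</author><com>x</com></comment>"""

DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
ALLOWED_FIELDS = ("name", "author", "com")


class RejectedXML(ValueError):
    """Raised when a submitted document is refused."""


def parse_comment(xml_text: str) -> dict:
    """Parse a comment document into a dict of field -> text, refusing any DTD."""
    # A comment form never needs a DTD, and without one no external entity can
    # be declared, so reject the document before it reaches the parser at all.
    if DTD_MARKERS.search(xml_text):
        raise RejectedXML("DTD or entity declaration not allowed")
    # The stdlib parser does not fetch external entities; we still restrict the
    # document to the expected root element and field names.
    root = ET.fromstring(xml_text)
    if root.tag != "comment":
        raise RejectedXML("unexpected root element")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS:
            raise RejectedXML(f"unexpected field {child.tag!r}")
        fields[child.tag] = (child.text or "").strip()
    return fields


def is_accepted(xml_text: str) -> bool:
    """True if the document passes parse_comment, False if it is refused."""
    try:
        parse_comment(xml_text)
        return True
    except (RejectedXML, ET.ParseError):
        return False
```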

## Exploitation

We can see that it is vulnerable. Now let's try to read the `id_rsa` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaeloXmtVWCKotNAJl%2Fimage.png?alt=media\&token=3d65974a-20ee-46d2-9624-9286f1e16499)

Once we submit this, we get a response.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-Mcaes_c5CSZtw1WWHi9%2Fimage.png?alt=media\&token=2dd1b5e4-c4f9-48e5-aa79-7a49aa952651)

It's a private key. Let's copy it; it is easier to copy from the page source.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-Mcaf1YjXfuzm6MF2O9K%2Fimage.png?alt=media\&token=cd4f8a11-6464-495e-9d5d-3d88b3f5084c)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-Mcaf9r2niN_bVzWXkbH%2Fimage.png?alt=media\&token=0360b31f-04cf-489f-a4d9-900103959dd4)

Once it is saved in a file called `id_rsa`, let's crack the key's password using `john the ripper`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McafTYCdi8apQbVwzwv%2Fimage.png?alt=media\&token=ecfb86e7-c562-4158-8e6b-d5c20790a8b0)

Now we have the password for the user `barry`, so let's log in through SSH. But first we need to set the right permissions on the `id_rsa` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McafpC9tb9ubdO_EPb8%2Fimage.png?alt=media\&token=996074b6-774c-4a8c-8d86-2dbae82a9fa3)

We can read the `user.txt` file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-Mcag2Ybow93lsXvZPp6%2Fimage.png?alt=media\&token=50621fda-aa6d-4b24-bc50-08aa86ee1db5)

## Privilege Escalation

Let's look for binaries with the `SUID` bit set.

```
find / -perm -u=s -type f 2>/dev/null
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McagHlJvKl-GfAuldS9%2F-McaiXBTu3dvuX5WQOLz%2Fimage.png?alt=media\&token=e64ef34c-b59b-4676-984f-8b198a6c36d3)

The `/home/joe/live_log` file looks interesting, as it is not a common `SUID` file.

Let's look at what the file does.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McagHlJvKl-GfAuldS9%2F-Mcaj7mA8GEHQGv-eNni%2Fimage.png?alt=media\&token=10549d39-d9b9-4c98-8761-065f8400c96f)

It prints logs. Let's use the `strings` command to get more information about the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McagHlJvKl-GfAuldS9%2F-McajLYxnnMT0zIcMvrg%2Fimage.png?alt=media\&token=a7024172-f2d5-403d-83e6-4c881bde7bab)

The highlighted lines look interesting.

Looking at it for a while, we can see that the `tail` command is used to show the contents of the `/var/log/nginx/access.log` file. Because `tail` is called by its bare name rather than by an absolute path, it is looked up through the caller's `PATH`, so we can exploit this by creating our own `tail` binary and having the SUID program execute it, which gets us root on the machine. We do this by changing the `PATH` variable to point at the directory containing our file.

Let's first create a file called `tail` in the `/home/barry` directory and add these lines of code:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McajPq3g0Ccz4WuDNQq%2F-McalAd31xv9SNjKp2pq%2Fimage.png?alt=media\&token=b178d2d6-e1c0-438f-a754-0b1583304936)

Now let's give the file all permissions:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McajPq3g0Ccz4WuDNQq%2F-McalEgOhRc1r1J-lUUG%2Fimage.png?alt=media\&token=142cbeab-1abf-4f35-bf4c-bd91144cb94a)

Now let's set the `PATH` variable to `/home/barry`, since the `tail` file is there:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McajPq3g0Ccz4WuDNQq%2F-McalWD_dVUhUdCK861G%2Fimage.png?alt=media\&token=d73675cf-c375-4c9c-9e25-476b0cbf179d)

Now, in theory, if we run the `live_log` file we should get root, so let's do that:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McajPq3g0Ccz4WuDNQq%2F-McaljUC6PZv0Vi7HRh8%2Fimage.png?alt=media\&token=f5a77d57-4fdc-416d-a6a2-215af876269e)

We are root. We can also read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McajPq3g0Ccz4WuDNQq%2F-McalrFYnJt-CAbbieY1%2Fimage.png?alt=media\&token=1ab81427-e28f-4c52-9fe7-173d89aafa21)
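The root cause of this escalation is a SUID binary that runs `tail` by bare name, so the lookup goes through whatever `PATH` the caller has set. As an added example (not part of the original writeup), the following audits `strings` output from such a binary for PATH-dependent command lines; the sample lines are constructed for the example and are not the real contents of `live_log`.

```python
import re
import shlex

# Constructed sample of `strings` output for a privileged log-reader binary,
# modelled on the kind of lines the writeup highlights; it is not the real
# content of /home/joe/live_log.
SAMPLE_STRINGS = """\
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
/usr/bin/id
Only root can run this
""".splitlines()

# Hints that a string is a shell command line: a flag, a path argument,
# a pipe/redirect, or a command substitution.
CMDLINE_HINT = re.compile(r"(\s-\w|\s/|[|;&>]|\$\()")
PRIV_CALLS = {"setuid", "seteuid", "setreuid", "setresuid"}


def relative_invocations(strings_output):
    """Return (program, line) pairs where the binary appears to run a program
    by bare name, i.e. one that is resolved through the caller's PATH."""
    hits = []
    for raw in strings_output:
        line = raw.strip()
        if not CMDLINE_HINT.search(line):
            continue  # plain text, library names, lone absolute paths
        try:
            parts = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a usable command line
        if not parts:
            continue
        first = parts[0]
        # An absolute path is executed as-is; a bare name goes through PATH.
        if "/" not in first and re.fullmatch(r"[A-Za-z][\w.+-]*", first):
            hits.append((first, line))
    return hits


def changes_privileges(strings_output):
    """True if the binary references a privilege-changing libc call."""
    return any(s.strip() in PRIV_CALLS for s in strings_output)


def audit(strings_output):
    """Summarise why a SUID binary is risky: it raises privileges and relies on PATH."""
    return {
        "changes_privileges": changes_privileges(strings_output),
        "path_dependent": relative_invocations(strings_output),
    }
```

The fix on the binary side is to invoke `/usr/bin/tail` by absolute path and run it with a fixed environment (for example via `execve` with a known `PATH`) rather than trusting whatever the caller exported.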
