Writing my TryHackMe (THM) exercise solutions here, along with my thoughts on how to solve them.
https://tryhackme.com/room/mustacchio
I started again with nmap to find which ports were open and might be vulnerable.
Going to the HTTP service I found a website with some text and images, so I decided to run gobuster.
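From the defender's side, a gobuster run like this one is easy to spot in the web server's access log: one client producing a burst of 404s for many distinct paths in a short window. The script below is an added example and not part of the original write-up; it parses combined-format access log lines with a constructed sample (the client IPs, paths and user-agent string are made up for the demonstration) and flags clients that exceed a miss threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access log line; we only need client IP, timestamp, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def detect_dir_bruteforce(lines, threshold=15, window_s=60):
    """Return {ip: max_distinct_404_paths} for clients whose 404 responses to distinct
    paths exceed `threshold` inside any sliding window of `window_s` seconds."""
    misses = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it is within window_s of the current event.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


# Constructed sample log: a wordlist scan from 10.0.0.5 and normal browsing from 10.0.0.9.
WORDS = ["admin", "backup", "custom", "images", "js", "css", "old", "test", "dev", "api",
         "uploads", "config", "login", "tmp", "data", "logs", "private", "secret", "static", "db"]


def build_sample_log():
    lines = []
    for i, word in enumerate(WORDS):
        lines.append(f'10.0.0.5 - - [09/Jan/2024:12:00:{i:02d} +0000] "GET /{word} HTTP/1.1" 404 196 "-" "gobuster/3.6"')
    lines.append('10.0.0.9 - - [09/Jan/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 1120 "-" "Mozilla/5.0"')
    lines.append('10.0.0.9 - - [09/Jan/2024:12:00:07 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, count in detect_dir_bruteforce(build_sample_log()).items():
        print(f"{ip}: {count} distinct 404 paths inside one window")
```

Counting distinct paths rather than raw 404s keeps a browser repeatedly missing one favicon from tripping the rule; tune the threshold against your own site's normal 404 rate before alerting on it.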
After looking at /custom I found a users.bak file, which appeared to be a user database file with an admin user and a password hash: admin1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
Running hashcat gave me the password for admin: bulldog19. I just needed to figure out where to use it, so I ran nmap again with more ports.
At port 8765 I found an admin panel.
I decided to open Burp Suite and look at what submitting a comment does, and the response mentioned /auth/dontforget.bak.
Seeing that the file was XML, I thought the comment form could have an XML external entity (XXE) injection vulnerability, so I made an injection payload and submitted it.
Now I wanted to get Barry's id_rsa file, and I could do that by changing the request a bit. Now that I had the RSA key, I just needed to use it to log in.
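The comment handler on port 8765 is vulnerable because it accepts whatever XML the client sends, DTD included. The code below is an added example and not the room's own code: it shows the check a hardened handler would make before parsing a submission. It refuses any document carrying a DOCTYPE or ENTITY declaration (without a DTD there is no way to declare an external entity) and only then parses the expected fields. The element names and the sample submissions are constructed for the demonstration; the file path in the rejected sample is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructs that have no place in a comment submission.
DANGEROUS_XML = [
    (re.compile(r"<!DOCTYPE", re.I), "DOCTYPE declaration"),
    (re.compile(r"<!ENTITY", re.I), "ENTITY declaration"),
]

EXPECTED_FIELDS = {"name", "author", "body"}  # assumed schema for the comment form


def xxe_indicators(body):
    """Return the labels of every dangerous construct found in the raw XML text."""
    return [label for rx, label in DANGEROUS_XML if rx.search(body)]


def parse_comment(body):
    """Parse a <comment> document into a dict, refusing anything that carries a DTD."""
    found = xxe_indicators(body)
    if found:
        raise ValueError("rejected XML: " + ", ".join(found))
    root = ET.fromstring(body)
    if root.tag != "comment":
        raise ValueError("unexpected root element %r" % root.tag)
    fields = {child.tag: (child.text or "").strip() for child in root}
    unknown = set(fields) - EXPECTED_FIELDS
    if unknown:
        raise ValueError("unexpected fields: " + ", ".join(sorted(unknown)))
    return fields


def handle_submission(body):
    """Request-handler style wrapper: never raises, returns a result the caller can log."""
    try:
        return {"ok": True, "fields": parse_comment(body)}
    except (ValueError, ET.ParseError) as exc:
        return {"ok": False, "reason": str(exc)}


# Constructed sample submissions.
BENIGN = "<comment><name>Barry</name><author>Barry</author><body>Nice site</body></comment>"
XXE_ATTEMPT = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE comment [<!ENTITY ext SYSTEM "file:///path/to/secret-file">]>'
    "<comment><name>&ext;</name><author>x</author><body>x</body></comment>"
)

if __name__ == "__main__":
    print(handle_submission(BENIGN))
    print(handle_submission(XXE_ATTEMPT))
```

Python's xml.etree does not expand external entities itself, but rejecting the DTD up front is portable across parsers and libraries (the PHP or Java parser behind a real comment form may well resolve them), and a logged rejection reason doubles as a detection signal for XXE probing.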
I started going through a privilege escalation checklist, and when running find / -perm -u=s -type f 2>/dev/null I found /home/joe/live_log. When viewing it I found this:
I noticed that the command tail is called without an absolute path, which leaves the SUID binary open to a PATH hijack.
So I decided to make my own tail file, looked online for what a good payload would be and found that version, and after running ./live_log I got root access and the flag.
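The find command above lists SUID files, but it does not tell you which of them shell out to a command by bare name. The script below is an added auditing example, not code from the room or the write-up: it pulls printable strings out of a binary the way strings does and reports embedded command lines whose first word is a well-known tool given without a leading slash, which is exactly the pattern live_log has. The sample binary blob, its strings and the path it references are constructed for the demonstration.

```python
import os
import re
import stat

# Tools commonly shelled out to by system()/popen(); a bare name here means PATH decides.
SHELL_COMMANDS = {"tail", "cat", "grep", "ls", "cp", "mv", "rm", "chmod", "chown", "echo",
                  "bash", "python", "python3", "curl", "wget", "tar", "service",
                  "systemctl", "netstat"}


def extract_strings(blob, min_len=4):
    """Equivalent of `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def relative_commands(strings):
    """Return (command, full_string) for embedded strings that look like a shell command
    line whose first word is a known tool invoked by bare name rather than absolute path."""
    hits = []
    for s in strings:
        for segment in re.split(r"\s*(?:\||;|&&)\s*", s):  # inspect each pipeline stage
            first = segment.strip().split(" ", 1)[0]
            if first in SHELL_COMMANDS:
                hits.append((first, s))
                break
    return hits


def audit_file(path):
    """Read one binary and return its relative-command findings."""
    with open(path, "rb") as fh:
        return relative_commands(extract_strings(fh.read()))


def find_suid_files(root="/"):
    """Walk the filesystem and yield regular files with the SUID bit set (needs read access)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield full


# Constructed stand-in for a small SUID binary: one bare-name command, one absolute one.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Starting server log tracking\x00"
    + b"tail -f /home/joe/log.txt\x00"      # bare 'tail': resolved through PATH -> flagged
    + b"/usr/bin/cat /etc/hostname\x00"     # absolute path -> not flagged
    + b"setuid\x00system\x00"
)

if __name__ == "__main__":
    for cmd, line in relative_commands(extract_strings(SAMPLE_BINARY)):
        print(f"sample: bare command {cmd!r} in {line!r}")
    for path in find_suid_files("/usr/bin"):
        for cmd, line in audit_file(path):
            print(f"{path}: bare command {cmd!r} in {line!r}")
```

A hit is a candidate for review, not proof: the string may never reach system(). For the ones that do, the fix is to call the tool by absolute path (or set a fixed PATH before the call) and, better, to drop the SUID bit and grant the specific file access the program needs instead.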
The hardest part was finding a way to get into SSH, but after that it was quite pleasant. A very good CTF in my opinion.