Hackthebox — Tenet Walkthrough

Atalay Samet Ergen
7 min read · Jun 12, 2021


As always, we first start with an nmap scan to find which ports are open and which services are running on them.

  • -sC: run the default nmap scripts
  • -sV: detect service versions

We get back the following result showing that two ports are open.

  • Port 22 is for SSH service
  • Port 80 is for HTTP service

We visit the HTTP service and an Apache default page welcomes us.

We check the page source but nothing seems useful for us.

We run a gobuster scan.

We note that this is a WordPress site. We could run wpscan against it to determine the WordPress version and enumerate installed plugins, but not yet; let's enumerate further first.

Nothing here… How about the page source?

The page source reveals a subdomain.

We add it into our hosts file.

Let’s visit tenet.htb! We go through each page one by one, looking for anything useful.

Yes! There is a comment.

did you remove THE SATOR PHP FILE and THE BACKUP?? the migration program is incomplete! why would you do this?!

neil

So we need to find a PHP file called sator and a backup file.

With that in mind, we look for related directories and files.

sator might be a subdomain of tenet.htb, so we add it to our hosts file as well.

Another default page.

The PHP file mentioned in the comment is here.

We run a gobuster scan for this subdomain to get more information.

It reveals a WordPress directory.

Again! Nothing here…

Meanwhile, let’s run a gobuster scan with the php extension specified.

Back to the comment: a backup file must be found, right?

We ask Google. After reading some posts, the .bak file extension looks like the answer.

In computing, “.bak” is a filename extension commonly used to signify a backup copy of a file.
When a program is about to overwrite an existing file (for example, when the user saves the document they are working on), the program may first make a copy of the existing file, with .bak appended to the filename. This common .bak naming scheme makes it possible to retrieve the original contents of the file. In a similar manner, a user may also manually make a copy of the file before the change and append .bak to the filename.

https://en.wikipedia.org/wiki/Bak_file

Let’s try it manually.

And there we go! This one worked.

The PHP script must be read and understood in order to move forward.

  • It looks like PHP object deserialization: the script deserializes an object from user-supplied input, which means we may be able to exploit it through PHP object injection (insecure deserialization).
  • The __destruct method is the path to remote code execution, because it calls file_put_contents, which writes the contents of the data property to the file named by the user_file property.
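To make the pattern concrete, here is an added example, not the sator.php from the box or the original post: a sketch of a class with the destructor described above, the (assumed) vulnerable handler shape, and a hardened handler for the same input. The function names vulnerableHandler and hardenedHandler and the sample values are assumptions.

```php
<?php
// Added example, not the sator.php from the box: a sketch of the pattern the
// walkthrough describes (a destructor that writes attacker-controlled data to an
// attacker-controlled path) beside a hardened way to accept the same input.

class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    // Runs whenever a DatabaseExport object is destroyed, including one that
    // unserialize() rebuilt from request input.
    public function __destruct()
    {
        file_put_contents($this->user_file, $this->data);
    }
}

// Vulnerable shape (assumed): the GET parameter is handed straight to unserialize(),
// so the request decides which class is instantiated and what its properties hold.
function vulnerableHandler(string $arepo)
{
    return unserialize($arepo);
}

// Hardened handler: allowed_classes => false makes unserialize() return a
// __PHP_Incomplete_Class stub instead of a real object, so no __destruct or
// __wakeup of any application class can run. We then accept only plain arrays.
function hardenedHandler(string $arepo): ?array
{
    $value = @unserialize($arepo, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

// Constructed sample inputs. The object string is hand-written so that no
// DatabaseExport instance is created (and no file is written) by this script.
$benign = serialize(['export' => 'users']);
$object = 'O:14:"DatabaseExport":2:{s:9:"user_file";s:5:"x.txt";s:4:"data";s:2:"hi";}';

var_dump(hardenedHandler($benign) !== null);  // plain array input is accepted
var_dump(hardenedHandler($object) === null);  // object input is rejected, nothing written
```

Where the wire format is under your control, exchanging JSON (json_decode) instead of serialized PHP avoids the problem entirely, since JSON cannot describe objects with magic methods.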

We write our exploit in PHP.

  • First, we define a class called DatabaseExport.
  • user_file will be a PHP file containing a reverse shell command.
  • The DatabaseExport object will be serialized and passed as the value of the arepo parameter.

So, we serialize the object containing the reverse shell payload and then URL-encode it to pass it in the GET parameter “arepo”.

Browse the page.

Paste the output as the value of the arepo parameter.

Good! The PHP file joker.php is uploaded. Time to request the file and catch our reverse shell.

With netcat listening on port 7070, we get the reverse shell back.

Upgrade the shell to a full interactive shell.

Let’s dig in.

We need to be neil in order to read the user flag.

We go to the WordPress directory and look for anything interesting or useful.

A config file contains neil’s credentials.

We successfully switch to user neil and get the user flag.

SSHing into the box is always preferable. Let’s SSH in as user neil.

Privilege Escalation

First things first, we check the sudo permissions of user neil.

Let’s check the script.

What this script does is simple:

  • it writes the id_rsa.pub key to a randomly named temporary file of the form ssh-XXXXXXXX,
  • then copies the content of that file into root’s authorized_keys file (so the key becomes trusted for root logins),
  • and finally deletes the temporary file.

This is a race condition: what we will do is add our own SSH key to the temporary file after it is created but before the script reads it and copies it into root’s authorized_keys.

The script is ready. It runs in an infinite loop that continuously looks for any file matching ssh-* (any file whose name starts with ssh-) and writes our key into it.

Everything seems fine! We run the script.

The SSH command as root is ready. We will run it right after running the enableSSH.sh script on the box.

Let’s run the script.

And we run the command on our local machine right after.

Voilà! We are successfully in and get the root flag.

Thank you for your time.

Originally published at http://atalaysblog.wordpress.com on June 12, 2021.

Written by Atalay Samet Ergen

I’m a computer engineer. Interested in security, privacy and policy.