HackTheBox Writeup — Tenet

Faisal Husaini
5 min readJun 12, 2021

--

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.10.223

Port Scan / Enumeration

nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.223

I got 2 Open Ports:

  • Port 22 → OpenSSH 7.6p1
  • Port 80 → Apache httpd 2.4.29

Operating System Running → Ubuntu

Web

Checking the web in the browser

Running Gobuster on the web

Checking the /wordpress directory on the web, it seems to be broken

On the source code, it reveals that the DNS leads to tenet.htb, so adding it to my hosts file

Accessing the web after that or through the domain name

A well structured wordpress website appears and then checking the comments, the user neil left with a comment saying that there was a sator php file and a backup for it being removed from the web

The file was removed from the domain, but from the IP it was accessible

Now trying some of random backup file extensions with this file, the .bak extension worked and I got a download to the backup file

Checking the contents of the backup file, which was surely reasonable to be a php file backup

Analysing the code, it clearly tells that a destruct function is being used and then being passed through the unserialize function, hence, confirming the PHP deserialization vulnerability

User

Since from the code, it was confirmed that PHP Deserialization vulnerability occurs on the web

Creating my own php code to make our serialize payload to get running whoami system command on remote target

Running the php scripts gives me the serialized payload which will create a faisal.php file on remote target that php file will have the contents of system function executing whoami

Before I can use the payload on the URL, I need to URL encode the payload

Now entering the URLencoded payload on the arepo parameter as it was stated on the php code backup, it returns with a database update message

Accessing the faisal.php file which got uploaded, it is confirmed that code execution is successful

Now I will modify my PHP code for the payload to make it create a payload to get command execution through GET parameters

Running the PHP file, I get my updated payload

Now doing the same steps of URL Encoding and then putting on the vulnerable arepo parameter and command execution is confirmed

Since there wordpress website hosted on this server, I can get the DB details

After getting the user neil’s password, I try to connect through SSH

Now can get the user flag in the usual location as always

Root

Running the sudo -l command, I can see that the current user can run a bash script at /usr/local/bin directory without password with sudo

Checking the code under that script, I see that it echoes the content from /tmp/ssh-XXXXXX and then save it root’s ssh directory as authorized_keys, I can manipulate this to put my own ssh keys there

I created a simple bash script which I will run on the remote machine which will be running an infinite while loop of copying my ssh key and saving it into the /tmp/ssh-* named directory

Running my script as well as running the vulnerable sudo bash script, I get a message of the key being added successfully

Connection to root user through SSH is successful

Getting the root flag as the same location usually

--

--

Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover