HackTheBox Writeup — Tenet
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.
The IP of this box is 10.10.10.223
Port Scan / Enumeration
nmap -sC -sV -p- -Pn --min-rate=10000 -oN nmap 10.10.10.223
I got 2 open ports:
- Port 22 → OpenSSH 7.6p1
- Port 80 → Apache httpd 2.4.29
Operating System Running → Ubuntu
Web
Checking the web in the browser
Running Gobuster on the web
Checking the /wordpress directory on the web, the page seems to be broken
The page source reveals that the site links point to the hostname tenet.htb, so I add it to my hosts file
Accessing the site through the domain name after that
A well-structured WordPress website appears. Checking the comments, the user neil left a comment saying that there was a sator PHP file and a backup of it, both of which were removed from the web
The file was removed from the domain, but it was still accessible via the IP address
Now trying some random backup file extensions with this file; the .bak extension worked and I got a download of the backup file
Checking the contents of the backup file, which was indeed a backup of the PHP file
Analysing the code, it clearly shows that a class defines a __destruct method and that user input is passed through the unserialize function, confirming the PHP deserialization vulnerability
User
Since the code confirmed that a PHP deserialization vulnerability exists in the web application
I create my own PHP code to generate the serialized payload that runs the whoami system command on the remote target
Running the PHP script gives me the serialized payload, which will create a faisal.php file on the remote target; that PHP file will contain a call to the system function executing whoami
Before I can use the payload in the URL, I need to URL-encode it
Now entering the URL-encoded payload in the arepo parameter, as stated in the PHP backup code, it returns a database update message
Accessing the uploaded faisal.php file confirms that code execution is successful
Now I modify my PHP code so that the generated payload gives command execution through GET parameters
Running the PHP file, I get my updated payload
Repeating the same steps of URL encoding and submitting it in the vulnerable arepo parameter, command execution is confirmed
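From the defender's side, the exploitation above leaves a clear trace in the web server access log: a URL-encoded PHP serialized object (the `O:<len>:"<class>":` marker) arriving in a query parameter. The following is an added example (not code from the box or the original writeup) that decodes query strings from Apache-style log lines and flags such parameters; the log lines, the class name `Exporter` and the timestamps are constructed, while `sator.php` and the `arepo` parameter come from the writeup.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log style lines (not real traffic). The first
# carries a URL-encoded PHP serialized object in the "arepo" parameter; the
# third carries a serialized array, which on its own is not an object injection.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jan/2021:13:01:02 +0000] "GET /sator.php?arepo=O%3A8%3A%22Exporter%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A10%3A%22faisal.php%22%3Bs%3A4%3A%22data%22%3Bs%3A13%3A%22%3C%3Fphp+echo+1%3B%22%3B%7D HTTP/1.1" 200 512
10.10.14.5 - - [10/Jan/2021:13:01:05 +0000] "GET /faisal.php HTTP/1.1" 200 8
10.10.14.9 - - [10/Jan/2021:13:02:11 +0000] "GET /sator.php?arepo=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22ok%22%3B%7D HTTP/1.1" 200 512
10.10.14.9 - - [10/Jan/2021:13:03:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 4096
"""

# Minimal parse of the fields we need: client IP, request method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# PHP serialized object header: O:<name length>:"<ClassName>":<property count>:{
SERIALIZED_OBJ_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
# A PHP open tag inside a parameter value suggests code being smuggled in.
PHP_TAG_RE = re.compile(r"<\?php", re.IGNORECASE)


def scan_line(line):
    """Return a finding dict for a suspicious query parameter, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # parse_qs percent-decodes values and turns '+' into spaces, as PHP does.
    for name, values in parse_qs(target.query, keep_blank_values=True).items():
        for value in values:
            reasons = []
            if SERIALIZED_OBJ_RE.search(value):
                reasons.append("php-serialized-object")
            if PHP_TAG_RE.search(value):
                reasons.append("php-open-tag")
            if reasons:
                return {"ip": m.group("ip"), "path": target.path,
                        "param": name, "reasons": reasons}
    return None


def scan_log(text):
    """Scan every line of an access log and collect the findings."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Pairing a hit on `sator.php` with a later request for a freshly created `.php` file from the same client, as in the sample, is the sequence worth alerting on.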
Since there is a WordPress website hosted on this server, I can get the DB details from it
After getting the user neil's password, I try to connect through SSH
Now I can get the user flag in the usual location
Root
Running the sudo -l command, I can see that the current user can run a bash script in the /usr/local/bin directory with sudo without a password
Checking the code of that script, I see that it echoes the content of /tmp/ssh-XXXXXX and then saves it into root's SSH directory as authorized_keys; I can manipulate this to put my own SSH key there
I created a simple bash script to run on the remote machine, which runs an infinite while loop copying my SSH key into the /tmp/ssh-* path
Running my script while also running the vulnerable sudo bash script, I get a message that the key was added successfully
Connecting to the root user through SSH is successful
Getting the root flag from the usual location