Tenten

#Linux #Web #IDOR

Tenten is a medium-rated Linux machine from HackTheBox created by ch4p. In this post, my IP is 10.10.14.3 and the target's IP is 10.10.10.10.

This machine is quite interesting at the beginning, but as you progress it has several sections that are counterintuitive. First, you have to do reconnaissance to obtain the keywords and the WordPress plugins that the website uses. With that information, you have to write a script to brute-force the website and obtain the key file, which of course is encrypted. Steghide and John are used here. Once that is achieved, you can access the machine; the privilege escalation is comical.

Recon

Local Terminal
> ping -c 1 10.10.10.10

PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=63 time=158 ms

--- 10.10.10.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 157.963/157.963/157.963/0.000 ms

The machine is alive, and from the TTL of 63 (just under 64) it is reasonable to assume that the target is a Linux machine.

Local Terminal
> nmap -p- -sS --min-rate=5000 -Pn -n -oN AllPorts 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 13:40 -03
Nmap scan report for 10.10.10.10
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

There are two open ports. For port 22 (SSH), searching for "OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 launchpad" shows that the target is Ubuntu Xenial. For port 80 (the web server), searching for "Apache httpd 2.4.18 launchpad" confirms that it is Ubuntu Xenial.

Both match, so the chance of finding a Docker container here is significantly reduced.

Port 80 has a redirect; add the entry to /etc/hosts and launch another nmap scan.

Port 80

WordPress 4.7.3; keep that in mind.

Wappalyzer: PHP, good to know.

From the post we have one user, [+] Takis; try it at the default login page to validate it.

By following the page Job Listing > Pen Tester > Apply Now, it is possible to notice that the URL is rather suspicious, as it includes IDs. Let's fuzz it.

By exploring each available ID, number 13 is the correct one, with an extremely explicit title: HackerAccessGranted.

Now we have the vulnerable page, but before trying anything, it is worth fuzzing for plugins to save time.

[+] akismet, hello.php and job-manager.

Exploitation

Look at the content of the "Cross-Site Scripting" exploit; it is for version 4.1.0, so it should be the one.

OK, nothing to see here, which is weird. Search for "WordPress Plugin Job Manager exploit".

"Allow attackers to perform otherwise restricted actions and subsequently enumerate and access the uploaded CV files by performing a bruteforce attack on the WordPress upload directory structure." So we can create a script to explore the upload folder by following the WordPress directory structure.

This part of the machine is weird: the previously found name is the correct one, which is not very intuitive. If you want to reflect a real-life situation, you can use a wordlist, or CeWL to build a wordlist from the most common words on the website, increasing the chances of finding something.
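From the defender's side, the enumeration described above leaves a clear trace in the web server's access log: one client producing a burst of 404s against the year/month upload layout. The following script is an added example (not part of this write-up or the plugin) that flags that pattern over constructed sample log lines; the job-manager-uploads/cv sub-directory, the client IPs and the file names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# WordPress media lives at /wp-content/uploads/[plugin-dir/]YYYY/MM/<file> (plugin dir assumed).
UPLOAD_RE = re.compile(r'^/wp-content/uploads/(?:[\w-]+/)*\d{4}/\d{2}/[^/?]+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}

def find_upload_sweeps(lines, threshold=8, window=timedelta(minutes=5)):
    """Map client IP -> largest burst of 404s on upload paths seen inside one window."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and UPLOAD_RE.match(rec["path"]):
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def make_sample_log():
    """Constructed sample: one client guessing CV file names, one ordinary visitor."""
    fmt = '{ip} - - [12/Sep/2023:13:{m:02d}:{s:02d} -0300] "GET {path} HTTP/1.1" {code} 512 "-" "curl/7.88"'
    guesses = ["cv.pdf", "resume.pdf", "CV.docx", "takis.pdf", "cv2017.pdf", "resume.docx",
               "applicant.pdf", "job-cv.pdf", "pentest.pdf", "HackerAccessGranted.jpg"]
    lines = []
    for i, name in enumerate(guesses):
        code = 200 if name == "HackerAccessGranted.jpg" else 404   # only one guess hits
        path = "/wp-content/uploads/job-manager-uploads/cv/2017/04/" + name
        lines.append(fmt.format(ip="10.10.14.3", m=40, s=i, path=path, code=code))
    lines.append(fmt.format(ip="192.0.2.7", m=41, s=3, path="/wp-content/uploads/2017/04/logo.png", code=200))
    lines.append(fmt.format(ip="192.0.2.7", m=41, s=9, path="/wp-content/uploads/2017/04/gone.png", code=404))
    return lines
```

A single missing image from a normal visitor stays below the threshold, while the guessing client is reported with the size of its burst.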

Now download the file.

HackerAccessGranted.jpg... nothing.

Reverse Shell - Decrypting

This is another non-intuitive part: here we have to examine the file through steganography and decryption tools.

Perfect, for some reason an id_rsa is inside...

Aaaand it's encrypted... nice. Here you can use John or another tool.

[+] superpassword

Finally, we have the password; now try to log in as takis.

Privilege Escalation

The lxd group: this one has a lot of vulnerabilities.

Or you can continue your recon and find something really interesting.

Or you can change to root by using... that simple bash command.

Done
