Tenet was a medium-difficulty Linux box on HackTheBox by egotisticalSW. Initial enumeration reveals a sator PHP file and a backup of it, which expose a PHP deserialization attack vector; using it we can write a file and get a reverse shell. Once on the box we find a database password and, trying it for the user neil, get a shell as neil. Running sudo -l shows that neil can run enableSSH.sh as root without a password. Reading the script, we see it copies the root SSH key into a temporary file and then deletes it, which leaves a race window in which the key can be grabbed.
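The privilege escalation above works because the script stages a secret in a temporary file that another user can read before it is deleted. As an added example (not the box's enableSSH.sh, whose contents are not shown here), this is the pattern an administrator would use instead: a private scratch directory from mktemp -d, a restrictive umask so the staged copy is owner-only from the moment it exists, and an atomic rename into place so there is never a readable window. The source and destination paths are hypothetical inputs supplied by the caller.

```shell
#!/bin/sh
# Added example: install key material without exposing it through a shared
# temporary file. Not the script from the box; paths are caller-supplied.
set -eu

# Copy $1 to $2 via a private staging area. Returns 0 on success.
safe_install_key() {
    src=$1
    dest=$2
    umask 077                 # every file created below is mode 0600
    work=$(mktemp -d)         # mode 0700 directory with an unpredictable name
    trap 'rm -rf "$work"' EXIT INT TERM
    cp "$src" "$work/key"     # the staged copy inherits the 077 umask
    # Any processing of the key would happen here, on the private copy only.
    mv "$work/key" "$dest"    # rename is atomic: no partially written or readable window
    rm -rf "$work"
    trap - EXIT INT TERM
}

# Check whether a path is readable by "other" (the condition that made the
# original race exploitable). Returns 0 if world-readable, 1 otherwise.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}
```

Running safe_install_key against a world-readable source file produces a destination that only the owner can read, whereas a plain cp to /tmp followed by rm would leave the copy readable to anyone who polls the directory during the window.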
```
# Nmap 7.91 scan initiated Mon Apr 19 17:02:49 2021 as: nmap -sC -sV -oN nmap/tenet 10.10.10.223
Nmap scan report for 10.10.10.223
Host is up (0.096s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 19 17:03:02 2021 -- 1 IP address (1 host up) scanned in 12.67 seconds
```
Let's start with port 80.
Opening the page we see the default Apache page.
Checking the page with the vhost tenet.htb,
we get what looks like a WordPress site, so I ran wpscan to see if we get any information.
Checking the site we see a post, Migration:
```
We're moving our data over from a flat file structure to something a bit more substantial.
Please bear with us whilst we get one of our devs on the migration, which shouldn't take too long.
Thank you for your patience
```
We also see a comment from neil:
did you remove the sator php file and the backup?? the migration program is incomplete! why would you do this?!