TENTEN
- Layout for this exercise: [network diagram]
1 - INTRODUCTION
- The goal of this exercise is to work through the compromise of Tenten, a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- Scanning with Nmap shows just two open ports, 22 (SSH) and 80 (HTTP).
- A deeper scan of those two ports shows that the web server is running WordPress 4.7.3.
- WPScan is a black-box WordPress security scanner.
- Running WPScan against Tenten to enumerate users reveals the user takis.
- Enumerating plugins the same way reveals Job Manager, along with one associated vulnerability.
- Checking the last reference listed by WPScan:
https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
- This vulnerability (CVE-2015-6668) allows an attacker to enumerate the CV filenames and brute-force the upload directory structure, exposing sensitive files uploaded by applicants.
- WordPress stores uploaded files under /wp-content/uploads/YYYY/MM/, keyed by the year and month of the upload.
- Now, dirbusting /wp-content/uploads/ for every year (2010 to 2019) and month (01 to 12) reveals which directories exist, and therefore when uploads were made.
- This shows that the uploads were made in April 2017 (/wp-content/uploads/2017/04/).
- Exploring the job listings (for instance the first one) and viewing the page source, the job application name (Hello World! for the first job) appears inside the <title> tag.
- Extracting all the job names, the 13th one is called HackerAccessGranted.
3 - EXPLOITATION
3.1 - Exploiting WordPress
- Copying the exploit from the reference above and extending its list of file extensions to jpeg, jpg and png:
https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
- Giving the script execution permissions (chmod +x).
- Running the Python exploit against Tenten.
- The script finds the URL of the picture HackerAccessGranted.jpg, uploaded in April 2017, as we already knew.
3.2 - Exploiting Steganography inside a picture
- Downloading the image HackerAccessGranted.jpg.
- steghide is a steganography program that is able to hide and extract data in various kinds of image and audio files:
http://steghide.sourceforge.net/
- Running steghide extract on HackerAccessGranted.jpg with a blank passphrase.
- A private key, id_rsa, is extracted from the JPEG image.
3.3 - Cracking an encrypted Private Key
- However, id_rsa is protected by a passphrase.
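- Before handing the key to sshng2john it is worth confirming that it really is passphrase-protected and which cipher and KDF protect it: the legacy PEM container (Proc-Type/DEK-Info headers, MD5-based key derivation) cracks very fast, while the newer openssh-key-v1 container with bcrypt and a high round count is orders of magnitude slower per guess. The parser below is an added example, not code from the original writeup or from John the Ripper. It runs on constructed sample headers (the Tenten key itself is not reproduced), and the openssh-key-v1 container it builds is filler after the header fields.

```python
import base64
import struct


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _put_string(data):
    return struct.pack(">I", len(data)) + data


def key_encryption_info(key_text):
    """Report how an SSH private key is protected without decrypting it.

    Handles the legacy PEM container (RSA PRIVATE KEY with RFC 1421 headers)
    and the openssh-key-v1 container, whose plaintext header names cipher and KDF.
    """
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    begin = lines[0]
    if begin == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "encrypted": cipher != b"none"}
    # Legacy PEM: headers sit between BEGIN and a blank line; base64 lines never contain ':'.
    headers = {}
    for ln in lines[1:]:
        if ln == "" or ":" not in ln:
            break
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
    return {"format": begin.strip("-").strip().replace("BEGIN ", "", 1), "cipher": cipher,
            "kdf": "EVP_BytesToKey-MD5" if encrypted else None,
            "rounds": 1 if encrypted else None, "encrypted": encrypted}


# Constructed sample: an encrypted legacy PEM header. The body is filler, not a real key.
PEM_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0F1E2D3C4B5A69788796A5B4C3D2E1F0

Q09OU1RSVUNURUQgU0FNUExFIEJPRFksIE5PVCBBIFJFQUwgS0VZ
-----END RSA PRIVATE KEY-----
"""


def build_openssh_sample(cipher, kdf, rounds):
    """Constructed openssh-key-v1 container: realistic header fields, filler payload."""
    kdfopts = (_put_string(bytes(range(16))) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _put_string(cipher) + _put_string(kdf) + _put_string(kdfopts)
            + struct.pack(">I", 1)                      # number of keys
            + _put_string(b"public key placeholder")    # would be the ssh-rsa public blob
            + _put_string(b"\x00" * 32))                # would be the (encrypted) private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(key_encryption_info(PEM_SAMPLE))
    print(key_encryption_info(build_openssh_sample(b"aes256-ctr", b"bcrypt", 16)))
```

- A key whose cipher comes back as none needs no cracking at all; a bcrypt KDF with a round count in the dozens explains why a wordlist that finishes in seconds against a legacy PEM key can take hours against a modern one.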
- The Python script sshng2john.py converts id_rsa into a hash format that John the Ripper understands:
https://github.com/stricture/hashstack-server-plugin-jtr/blob/master/scrapers/sshng2john.py
http://grayhat.shoutwiki.com/wiki/SSH_tricks
- Running sshng2john.py on id_rsa produces id_rsa_hashed.
- Passing id_rsa_hashed to John the Ripper recovers the passphrase superpassword in seconds.
- Restricting id_rsa to owner read/write permissions (chmod 600), since SSH refuses to use a private key that is readable by others.
3.4 - Getting a remote shell
- We already know from the WPScan enumeration that there is a user called takis.
- Connecting to Tenten over SSH as takis, providing id_rsa and its passphrase.
4 - CAPTURING THE 1st FLAG
- Reading user.txt gives the first flag.
5 - PRIVILEGE ESCALATION
- Privilege escalation is easy because user takis has some sudo privileges.
- Reading the content of the file fuckin and looking into how it works.
- Running fuckin with sudo eventually gives a root shell.
6 - CAPTURING THE 2nd FLAG
- Reading root.txt gives the second flag.