In this post, i would like to share walkthrough on Tenet Machine.

This room has been considered difficulty rated as a Medium machine

Information Gathering on Tenet Machine

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

Let’s fire gobuster and see anything useful that we can use later on.

From the result, we know that machine is using wordpress cms

While scrolling down, I notice that there’s a post related to migration where the comment has mention sator and backup.

Let’s open the browser with the url sator.tenet.htb/sator.php.bak

On the backup file, we found out that the machine is vulnerable to php serialize

Gaining Access

The php code like above can be use to create our own php encoded

Once that is been completed, we can execute the curl command to upload the code into the server.

We can run the shell by replacing sator.tenet.htb/<file that you save in php serialize process. Before that, we need to run our netcat listener.

We have successfully get our reverse shell back to us.

It will direct us to an directory like /var/www/html

We can access the wordpress directory and read the wp-config.php that stored in the directory.

Oh wow! There’s a username and password that we can use for credentials purpose.Let’s try ssh using the credentials that we found.

We have successfully login into the machine using neil’s credential via ssh service.

From the SSH service that we able to access, we can go to /home/neil directory to read the user flag

Escalate to Root Privileges

Let’s execute the sudo -l so that we can find any SUID process that we can use on this activity. We found that we can use the that located at /usr/local/bin

On the code that we found in can readable like the screenshot above.

For this step, i have difficulty in getting it correct. As a result, i have ask around and luckily i got some good advice from H0jen and Blob on how to proceed this.

For this phase, there’s two type of code that we can use.

Step 1

while true; do echo "ssh-rsa  <something>" | tee "/tmp/ssh-"*; done

Step 2

while [ 1  -eq 1 ]
         for file in /tmp/ssh-*
         echo "ssh <something>" > "$file"

*Something can be replaced with ssh private key on each attacker’s machine

It is advised to execute it on /dev/shm and run any step above that fit you so much. However, it does take patient and time to get everything work!

After that, we can ssh to the machine using the command ssh -i id_rsa root@tenet.htb

As usual, we go to /root/ directory and retrieve the root flag


Happy Learning Guys!

Leave a Reply

Your email address will not be published. Required fields are marked *