In this post, i would like to share walkthrough on Tenet Machine.
This room has been considered difficulty rated as a Medium machine
Information Gathering on Tenet Machine
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Let’s fire gobuster and see anything useful that we can use later on.
From the result, we know that machine is using wordpress cms
While scrolling down, I notice that there’s a post related to migration where the comment has mention sator and backup.
Let’s open the browser with the url sator.tenet.htb/sator.php.bak
On the backup file, we found out that the machine is vulnerable to php serialize
Gaining Access
The php code like above can be use to create our own php encoded
Once that is been completed, we can execute the curl command to upload the code into the server.
We can run the shell by replacing sator.tenet.htb/<file that you save in php serialize process. Before that, we need to run our netcat listener.
We have successfully get our reverse shell back to us.
It will direct us to an directory like /var/www/html
We can access the wordpress directory and read the wp-config.php that stored in the directory.
Oh wow! There’s a username and password that we can use for credentials purpose.Let’s try ssh using the credentials that we found.
We have successfully login into the machine using neil’s credential via ssh service.
From the SSH service that we able to access, we can go to /home/neil directory to read the user flag
Escalate to Root Privileges
Let’s execute the sudo -l so that we can find any SUID process that we can use on this activity. We found that we can use the enableSSH.sh that located at /usr/local/bin
On the code that we found in enableSSH.sh can readable like the screenshot above.
For this step, i have difficulty in getting it correct. As a result, i have ask around and luckily i got some good advice from H0jen and Blob on how to proceed this.
For this phase, there’s two type of code that we can use.
Step 1
while true; do echo "ssh-rsa <something>" | tee "/tmp/ssh-"*; done
Step 2
while [ 1 -eq 1 ]
do
for file in /tmp/ssh-*
do
echo "ssh <something>" > "$file"
done;
done;
*Something can be replaced with ssh private key on each attacker’s machine
It is advised to execute it on /dev/shm and run any step above that fit you so much. However, it does take patient and time to get everything work!
After that, we can ssh to the machine using the command ssh -i id_rsa root@tenet.htb
As usual, we go to /root/ directory and retrieve the root flag
-THE END-
Happy Learning Guys!
No responses yet