HackTheBox: (“Tenet”) — Walkthrough

Mohamed Elmasry
6 min readJun 12, 2021

--

Hi People :D

Today we gonna solve “Tenet” machine from HackTheBox, let’s go :D

Info

Enumeration

— — — — — —

Start with Nmap

nmap -A 10.10.10.223

We have two open ports (22/80) so let’s navigate to the website on port 80

Web Enumeration

— — — — — — — —

We have an Ubuntu default page and there’s nothing important in directories.

Often this means that we need to put the machine IP into /etc/hosts file and open the website with his domain not with IP to see the real website, so let’s add it

Navigate to the website again by typing “http://tenet.htb” in the browser search bar, this time we have another website and it’s the real one

We have some articles here but the interesting one is the Migration article

In the Migration article, there’s one comment that contains a hint for what we need to do

Based on this hint, we suppose to find a file called sator.php and a backup file on this website.

I tried to navigate to sator.php from the real website (the website domain that we put in the /etc/hosts file) but it doesn’t exist ☹

Do you remember the Ubuntu default page on the machine IP? it’s another website hosted on this machine so why don’t we look at it ?.

Fortunately, the sator.php exist on machine IP (“http://10.10.10.223/sator.php”) ☺

But this file didn’t help us, it just says “Grabbing users from text file”, we need to find the source code for this script to find out what this script is doing.

If you remember the hint that we found in the Migration article, it mentioned something about a backup.

So I searched for the commonly used backup files extension to use it with sator script and found that the .bak extension is the most widely used extension for backup files

Let’s try to navigate to sator.php.bak and see if it exists.

Yup, we have a backup file and we can download it ☺

We have the sator.php source code, after inspecting this code, you can see that it uses __destruct() function with file_put_contents() function then it takes a GET parameter called arepo then it uses the unserialize() function on the arepo parameter data.

So we need to craft a serialized data in a certain way to exploit a bug in these functions

Exploitation

— — — — — —

I am not a PHP programmer so I can’t figure out what should I do, but I know who can … it’s Google !!

I wasted a lot of time searching for an exploit and finally, I found This stackexchange question.

This question is not exploitation, but it has the same scenario, and also the writer of the question put a script to exploit these functions.

Just copy this serializing script but with some modification.

We must change the class and variables names to suit our scenario, first, change the class name to DatabaseExport then change the first variable name to $user_file which we store our exploit file name in, and the second variable name to $data which we store our reverse shell command in, the final script :

This script will give us a serialized data which we will use to get a reverse shell on the machine ( you can see Here for 1-step exploit script )

Before we use this exploit payload, we need to do URL encoding to it first ( I used This Website ) because we will use it in a GET parameter

User Flag

— — — — —

It’s time to exploit XD

As we saw in the sator.php source code, we should put our exploit payload in a GET parameter called arepo to make a file and put our reverse shell inside

Cool, now start a Netcat listener and navigate to shell.php (or your different exploit file name).

Finally, we got a shell as www-data ☺

After getting the shell, improve it with:

python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=linux

Then move to /var/www/html/wordpress/, there are neil user creds in wp-config.php file (neil:Opera2112)

We can use these creds to SSH into neil user or just execute su neil command from the www-data shell.

You will find the user flag in the /home/neil/user.txt file

Root Flag

— — — — —

Execute sudo -l command from the neil shell, we can run a script called enableSSH.sh as root without password

Let’s enumerate this script to try to find a way to exploit it.

This script writes a id_rsa.pub key to a randomly generated file of format /tmp/ssh-XXXXXXXX and then copies the contents of the file to the root authorized_keys, then deletes the tmp file.

So, if we can write our own SSH key to the tmp file before it gets copied to authorized_keys, our key will get written to the root authorized_keys, and then we can SSH into the root.

First, create your SSH keys with:

ssh-keygen -t rsa

Then copy your public SSH key from the id_rsa.pub file

We want to trigger a Race-Condition bug in this script, so we have to be very very fast, and that’s almost impossible for us (as human beings XD).

So we have to do it automatically with this simple while loop:

while true; do echo "{Your_Public_SSH_Key}" | tee /tmp/ssh* > /dev/null; done

This loop infinitely puts your public SSH key into all files that start with the ssh word in the /tmp directory (using Wild Character).

Run this while loop command and open another neil shell then execute sudo /usr/local/bin/enableSSH.sh command for a number of times until you get the success message.

After you got the success message, you can SSH into root with:

ssh -i ~/.ssh/id_rsa root@10.10.10.224

You will find the root flag in the /root/root.txt file ☺

Thanks for reading and I hope you love this writeup ❤.

You can give me Respect on my HackTheBox Account (if you want :D).

Facebook TwitterLinkedIn

--

--

Mohamed Elmasry
Mohamed Elmasry

Written by Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter

No responses yet