OSCP PREPARATIONS – HTB TenTen

Tenten is a vulnerable Linux machine among the retired machines. We are expected to obtain the user and root flags using these vulnerabilities.
We perform a network scan with nmap to identify the target machine.
Classic Scan

Full Port Scan

The port scan found 22/tcp (ssh, OpenSSH 7.2p2) and 80/tcp (http, Apache httpd 2.4.1) open. Since there is no vulnerability on the SSH port, we focus our enumeration on port 80.
Since port 80 is running HTTP, we enumerate it through the browser.

WordPress is used as the CMS. Let's scan it with wpscan and look at plugin vulnerabilities and usernames.
Wpscan user enumeration

The username takis was detected.
Plugin enumeration with wpscan

The job-manager plugin was detected.
Plugin vulnerabilities on CMS-based sites offer an important attack vector. When we searched Google for an exploit for the plugin, we came across a lot of exploits.

Exploiting this vulnerability could allow attackers to perform otherwise restricted actions and then enumerate and access uploaded CV files by performing a brute force attack on the WordPress upload directory structure. Now that we have identified it, let's download the exploit.

As you can see, the exploit asks us for a website and a file.
Since we didn’t know the file, we couldn’t run the exploit.
When we did the web enumeration, we saw the Jobs Listing page.
When we look at this page, we can see the requests.

Here the number 8 is assigned to us. Can we see what is assigned to the other numbers?

When we go to page 13 here:

We can access HackerAccessGranted.
Then let's enter it like this in the file section of the exploit.
The exploit then reported that it found the file at this address:
http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg
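
A defender can spot the upload-directory brute force described above in the web server's access log. The following is an added example, not part of the original write-up or of the exploit: it assumes Apache combined log format, and the thresholds, IP addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# WordPress upload layout: /wp-content/uploads/<YYYY>/<MM>/<name>.<ext>
UPLOAD_RE = re.compile(
    r'^/wp-content/uploads/(?P<year>\d{4})/(?P<month>\d{2})/(?P<name>[^/?]+?)\.(?P<ext>\w+)$'
)

def find_upload_guessing(lines, min_variants=5, min_miss_ratio=0.8):
    """Return {(ip, name): (variants, misses)} for clients that request one
    file name under many year/month/extension combinations, mostly as 404s."""
    seen = defaultdict(dict)  # (ip, name) -> {(year, month, ext): status}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = UPLOAD_RE.match(m["path"])
        if not u:
            continue
        key = (m["ip"], u["name"].lower())
        seen[key][(u["year"], u["month"], u["ext"].lower())] = int(m["status"])
    findings = {}
    for key, variants in seen.items():
        misses = sum(1 for s in variants.values() if s == 404)
        if len(variants) >= min_variants and misses / len(variants) >= min_miss_ratio:
            findings[key] = (len(variants), misses)
    return findings

def _line(ip, path, status):
    return f'{ip} - - [22/Apr/2017:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log (not taken from the machine): one client guessing
# locations for a single file name, one client browsing normally.
SAMPLE = [
    _line("10.10.14.5", f"/wp-content/uploads/2017/{m:02d}/HackerAccessGranted.{e}", 404)
    for m in range(1, 4) for e in ("jpg", "png", "jpeg")
] + [
    _line("10.10.14.5", "/wp-content/uploads/2017/04/HackerAccessGranted.jpg", 200),
    _line("10.10.14.9", "/wp-content/uploads/2017/04/logo.png", 200),
    _line("10.10.14.9", "/wp-content/uploads/2017/03/missing.png", 404),
]

if __name__ == "__main__":
    for (ip, name), (n, miss) in find_upload_guessing(SAMPLE).items():
        print(f"{ip} probed {n} locations for '{name}' ({miss} returned 404)")
```
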

We download this image and, since this looks like a CTF-style solution, something may be hidden in the image with steganography.

Extracting the content with Steghide gives us an id_rsa file.
This id_rsa may be the SSH private key of the user we detected in WordPress.
Let's try it.

It asks us for a password, so let's crack it with John.

With John we were able to crack it and obtain the password superpassword.
Let’s try the ssh connection again

We were able to log in successfully and get our user flag, but we realized that we do not have root privileges.
Therefore we perform local enumeration.
During the enumeration phase we realized that we can run /bin/fuckin with sudo.

After running /bin/fuckin we got root privileges and obtained our root flag.