Tenten 10.10.10.10 Write Up
Machine created by ch4p
Machine is retired
Linux OS
Enumeration:
Nmap
WPScan
Exploitation:
StegHide
Steps:
Enumeration and Exploitation:
1. At first we run nmap, which shows that the WordPress CMS is in use and the SSH port is open.
2. So we use wpscan, and it returns several vulnerabilities. We find that the Job Manager plugin is vulnerable to CVE-2015-6668, an IDOR vulnerability. When we exploit it, we can see a file named HackerAccessGranted. We download the file and use steghide to extract the file hidden within it. A blank password works for the extraction. Inside it, there is a hidden SSH key file.
Image file location:
http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
command:
steghide extract -sf HackerAccessGranted.jpg
3. We find the password protecting the key with john and a Python script.
command:
wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-jtr/master/scrapers/sshng2john.py
python sshng2john.py id_rsa > id_rsa.encrypted
john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
4. Now we can log in over SSH with the key and the password, using the username enumerated from the WordPress scan.
command:
ssh -i id_rsa takis@10.10.10.10
5. After finding user.txt, we move on to rooting the system.
6. When we type sudo -l, the result shows that we can get root using '/bin/fuckin'. So we root the box using that file.
command:
sudo fuckin cat /root/root.txt
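The sudo rule in step 6 is the kind of entry an administrator can catch before an attacker does. The script below is an added example, not part of the original write-up: it reads `sudo -l` output and flags permitted commands that are missing, writable by group/other, or scripts that run their own arguments. It assumes the permitted file is a shell script that passes its arguments through as a command, which is what the command above implies; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): audit `sudo -l` output for risky entries.
# Usage on a host you administer:  sudo -l | audit_sudo_listing

# Extract absolute command paths from entry lines such as
#   "    (ALL) NOPASSWD: /bin/example, /usr/bin/other"
sudo_cmd_paths() {
    sed -nE 's/^[[:space:]]*\([^)]*\)[[:space:]]*([A-Z_]+:[[:space:]]*)*//p' |
        tr ',' '\n' | awk '$1 ~ /^\// { print $1 }'
}

# Classify one permitted command; prints "<VERDICT> <path>".
audit_cmd() {
    local path=$1
    # A rule for a nonexistent path is dangerous if its directory is writable.
    [ -f "$path" ] || { echo "MISSING $path"; return 0; }
    # Group- or world-writable: the file can be replaced before sudo runs it.
    if [ -n "$(find "$path" -maxdepth 0 -perm /022)" ]; then
        echo "WRITABLE $path"; return 0
    fi
    # A script whose command line is built from its own arguments ($1, $@, $*)
    # turns a single sudo rule into "run anything".
    if head -c 2 "$path" | grep -q '^#!' &&
       grep -Eq '^[[:space:]]*((exec|eval)[[:space:]]+)?"?\$(@|\*|1|\{@\})' "$path"; then
        echo "PASSTHROUGH $path"; return 0
    fi
    echo "OK $path"
}

# Read `sudo -l` text on stdin and report every listed command.
audit_sudo_listing() {
    local p
    sudo_cmd_paths | while read -r p; do audit_cmd "$p"; done
}
```

Any line other than OK means the rule should be replaced with one that names a fixed command with fixed arguments.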
Hint:
Reference:
https://forum.hackthebox.eu/discussion/32/tenten-write-up-by-hkh4cks
https://teck-noobs.blogspot.in/2017/07/htb-tenten-walkthrough.html