Tenten 10.10.10.10 Write Up
Machine Created by
ch4p
Machine is retired
Linux OS
Enumeration:
Nmap
WPScan
Exploitation:
StegHide
Steps:
Enumeration and Exploitation:
1. We first run nmap, which shows that the WordPress CMS is in use and that the SSH port is open.
2. Next we run wpscan, which returns several vulnerabilities. The Job Manager plugin is vulnerable to CVE-2015-6668, an IDOR vulnerability. Exploiting it reveals a file named HackerAccessGranted. We download the file and use steghide to extract the file hidden inside it; a blank password works. The hidden file is an SSH key.
Image file location:
http://10.10.10.10/wp-content/uploads/2017/04/HackerAccessGranted.jpg
command:
steghide extract -sf HackerAccessGranted.jpg
3. We convert the key with a Python script and find its password with john.
command:
wget https://raw.githubusercontent.com/stricture/hashstack-server-plugin-jtr/master/scrapers/sshng2john.py
python sshng2john.py id_rsa > id_rsa.encrypted
john id_rsa.encrypted --wordlist=/usr/share/wordlists/rockyou.txt
4. Now we can log in over SSH with the key and the password, using the username enumerated by the WordPress scan.
command:
ssh -i id_rsa takis@10.10.10.10
5. After finding user.txt, we move on to rooting the system.
6. When we run sudo -l, the output shows that we can get root through '/bin/fuckin'. So we use that file to get root.
command:
sudo fuckin cat /root/root.txt
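How cheaply each guess in a wordlist run like the one in step 3 can be tested depends on how the key file derives its encryption key from the passphrase. The following added example (not part of the original write-up) classifies a private key file by that protection, covering both the legacy PEM and the OpenSSH formats; the function names and the sample key are constructed for illustration.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed sample (dummy body, not a real key): legacy PEM with encryption headers.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDRA==
-----END RSA PRIVATE KEY-----"""

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(pem_text):
    """Return (protection, detail) describing how a private key file is protected."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = read_string(blob, off)
        opts, off = read_string(blob, off)
        if cipher == b"none":
            return ("unencrypted", "no passphrase")
        if kdf == b"bcrypt":
            _salt, o = read_string(opts, 0)
            (rounds,) = struct.unpack_from(">I", opts, o)
            return ("bcrypt", f"{cipher.decode()}, {rounds} rounds")
        return ("unknown-kdf", kdf.decode())
    # Legacy PEM: encryption is announced by RFC 1421 style headers.
    headers = dict(l.split(": ", 1) for l in body if ": " in l)
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        # MD5-based key derivation, iteration count 1: each guess is cheap to test offline.
        return ("legacy-md5", headers.get("DEK-Info", "?").split(",")[0])
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return ("pkcs8-encrypted", "KDF parameters are inside the ASN.1 body")
    return ("unencrypted", "no passphrase")

if __name__ == "__main__":
    print(classify_private_key(SAMPLE_LEGACY))
```

A key reported as legacy-md5 can be rewritten with a bcrypt-based KDF by re-saving it with a current ssh-keygen (ssh-keygen -p -a <rounds> -f <keyfile>); a strong passphrase is still needed either way.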
Reference:
https://forum.hackthebox.eu/discussion/32/tenten-write-up-by-hkh4cks
https://teck-noobs.blogspot.in/2017/07/htb-tenten-walkthrough.html
Video:
https://www.youtube.com/watch?v=A4U3xiRWfsU