
Hack The Box Tenten

Testing Methodologies

We can start the enumeration with an nmap scan.

The output shows two open ports: 22 (SSH) and 80 (HTTP).
Visiting the HTTP service, we find a WordPress website.

By running wpscan we can enumerate usernames and installed plugins.

The wpscan output shows a vulnerable plugin called Job Manager and a user called takis.
By checking the job posts we can apply for a job.

By changing the apply parameter we can look at other job postings. Using Burp Suite Intruder, we can look for any valid jobs.

Running Intruder gives us a valid job title at id 13.
Visiting job application 13, we find an image.
After further enumeration of WordPress, there seems to be nothing interesting other than this image.
By using steghide we can check whether anything is embedded in the image.
It looks like there is a file hidden in the image: an RSA private key.
No passphrase was required for the extraction, but the key itself is encrypted, so we can't use it to log in until we provide its password to authenticate to the server.
We can use john to crack the key and retrieve the password.

Using john we were able to get the password, so now we can log in to the server through SSH.
Now for the privesc part, which was easy.
By using this command we can list the programs that can be run as root, and it seems we can execute this program as root without providing a password.
When we give the program an argument, the argument is passed to the system function and executed, so we can pass bash, which gives us a new shell as root when it runs.
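
For the defensive side of the last step, the following is an added example, not part of the original write-up: a shell function that reads a listing in the format printed by sudo -l and reports the passwordless rules, marking as HIGH those with no argument list, since sudoers then lets the caller pass any arguments. The sample listing, the user alice, host1 and /usr/local/bin/helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: report passwordless sudo rules from a `sudo -l` style listing.
# Input on stdin; output one line per NOPASSWD command: RISK (run-as) command

audit_nopasswd() {
    awk '
    /^[ \t]*\(/ {                        # rule lines start with "(run-as)"
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line; sub(/\).*/, "", runas)
        sub(/^[^)]*\)[ \t]*/, "", line)  # keep only the tag/command list
        nopass = 0                       # a tag applies until a later tag overrides it
        n = split(line, items, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            cmd = items[i]
            while (match(cmd, /^[A-Z_]+:[ \t]*/)) {   # NOPASSWD:, PASSWD:, SETENV: ...
                tag = substr(cmd, 1, RLENGTH)
                cmd = substr(cmd, RLENGTH + 1)
                if (tag ~ /^NOPASSWD:/) nopass = 1
                else if (tag ~ /^PASSWD:/) nopass = 0
            }
            if (!nopass) continue
            if (cmd == "ALL") risk = "CRITICAL"           # any command, no password
            else if (index(cmd, " ") == 0) risk = "HIGH"  # no argument list: any arguments allowed
            else risk = "REVIEW"                          # arguments are pinned by the rule
            printf "%s (%s) %s\n", risk, runas, cmd
        }
    }'
}

# Constructed sample listing (not output from the box in this write-up).
SAMPLE='User alice may run the following commands on host1:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /usr/local/bin/helper
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, PASSWD: /usr/bin/less'

printf '%s\n' "$SAMPLE" | audit_nopasswd
```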