Introduction
Delivery is a Medium Apache web-server box with an unserialize PHP exploit from HTB and created by egotisticalSW. It showcases problems in unserialized PHP code and how it can be abused to gain a low-priv shell. Once I got on the box I used sudo -l to find a script adding SSH keys to the root user and used it to escalate to root.
I begin every scan using RustScan; once it completes it runs Nmap filters and exports to HTML for easy reading. The code below uses PWD (Present/Current Working Directory) as I have a startup script I run before doing any HTB box:
During the scans I noticed Port 80 was open. Visiting the website I saw a default Apache page. Immediately I edited my hosts file to add tenet.htb, as it is the name of the box and, depending on the Apache configuration, a sub-site can exist within the same structure. I also made sure to have a FeroxBuster scan running against the IP, which found a WordPress directory.

Default Apache page.

WordPress environment hinting to a .php file and a backup.
Navigating the WordPress environment I found a post where a commenter stated a sator php file and associated backup had been deleted. I left a WPScan and secondary FeroxBuster scan running and went back to the IP itself. I tried sator.php:

Grabbing users from text file and database updated.
Viewing the file showed me two lines. I struggled for a while until I went through all the pieces. Noting the ‘backup’ from the comment I tried searching for .bak/.backup/.zip files with FeroxBuster until I tried sator.php.bak. Finally, progress.

sator.php.bak file
Reviewing the PHP code and my understanding of PHP, unserialize stood out. I Googled around and eventually was able to take the PHP script and alter it slightly to upload a popular webshell, WSO, to the host. I would recommend reading THIS as it gave me an understanding of how to proceed.
User Escalation
My altered file uploading the WSO webshell.
After altering and uploading the web-shell I logged in and immediately went to the WP-Config file. In WordPress this file stores database credentials as well as salts. I used the database creds (also the neil user) to log in to the box via SSH. Once on the box I immediately thought about grabbing the WP-Users table from the database and cracking the creds of the other user. Thankfully beforehand I tried sudo -l, which is my normal go-to when beginning priv-esc on a Linux environment.
sudo -l showing me that enableSSH.sh could be run by the neil user.
My user was able to execute EnableSSH.sh as ALL. I reviewed the script and knew this was the escalation path. Reviewing the script, it had a race condition, so I created two loops and uploaded them to the server. I then logged in as neil twice via SSH and ran both scripts. I was able to get root shortly after.
Fire.sh
Key.sh
Kali Machine
Rooted Tenet box from Hack the Box.
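
An added example, not part of the original write-up and not the box's enableSSH.sh (which is not reproduced on this page): one way a root-run script can add a key to authorized_keys without leaving a race window. It assumes the race comes from staging the key in a file that other users can modify before the script uses it; add_key and the accepted key types are hypothetical choices.

```sh
#!/bin/sh
# Added example, not the box's enableSSH.sh (the page does not show that script).
# Assumption: the race comes from staging the key in a file that another user
# can modify between the script's write and its append to authorized_keys.
# add_key is a hypothetical helper: add_key "<public key line>" <authorized_keys path>

add_key() {
    key=$1
    auth_file=$2
    auth_dir=$(dirname "$auth_file")
    nl='
'
    # Validate the value held in memory; never re-read it from a shared path.
    case $key in
        *"$nl"*) echo "rejecting multi-line key" >&2; return 1 ;;
    esac
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/]+=*( [A-Za-z0-9@._-]+)?$' ||
        { echo "rejecting malformed key" >&2; return 1; }

    # Stage beside authorized_keys, and only if that directory is not
    # writable by group or others, so no other user can reach the file.
    [ -z "$(find "$auth_dir" -prune \( -perm -020 -o -perm -002 \))" ] ||
        { echo "$auth_dir is group/world-writable" >&2; return 1; }

    # mktemp picks an unpredictable name and creates the file mode 0600.
    stage=$(mktemp "$auth_dir/.authkeys.XXXXXX") || return 1

    # Build the complete new file, then swap it in with one atomic rename.
    { [ -f "$auth_file" ] && cat "$auth_file"; printf '%s\n' "$key"; } > "$stage" &&
        mv -f "$stage" "$auth_file" || { rm -f "$stage"; return 1; }
}
```

The key is checked as a string and written once, so there is no point at which the script trusts content that another account could have changed.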