Tenet is a Medium-difficulty Apache web-server box from Hack The Box, created by egotisticalSW. It showcases how PHP's unserialize() on untrusted input can be abused to gain a low-privilege shell. Once on the box I used
sudo -l to find a script that adds SSH keys for the root user, and I used it to escalate to root.
I begin every scan with RustScan; once it finishes, it hands the open ports to Nmap, and I export the Nmap results to
HTML for easier reading. The command below uses $PWD (the current working directory) because I run a startup script before every HTB box:
During the scans I noticed
port 80 was open. Visiting the website I saw a default Apache page. I immediately edited my hosts file to add tenet.htb, since that is the name of the box and, depending on the Apache configuration, a name-based virtual host can serve a different site from the same IP. I also had a FeroxBuster scan running against the IP, which found a wordpress directory.
WordPress environment hinting at a .php file and a backup.
Navigating the WordPress site I found a post where a commenter stated that a sator PHP file and its associated backup had been deleted. I left WPScan and a second FeroxBuster scan running and went back to the IP itself. I tried sator.php:
Grabbing users from text file and database updated.
Viewing the file showed me two lines. I struggled for a while until I went back through all the pieces. Noting the 'backup' from the comment, I searched for .bak/.backup/.zip files with FeroxBuster until I tried sator.php.bak. Finally, progress.
Reviewing the PHP code, the call to
PHP's unserialize() stood out, since it rebuilds an object from attacker-controlled input. I googled around and was eventually able to take the
PHP script and alter it slightly to upload a popular webshell, WSO, to the host. I would recommend reading THIS as it gave me an understanding of how to proceed.
My altered file uploading the WSO webshell.
After altering and uploading the webshell I logged in and immediately went to the
wp-config.php file. In WordPress this file stores the database credentials as well as the authentication salts. The database user was neil, and the same password worked for his system account, so I used it to log in to the box via
SSH. Once on the box my first thought was to grab the
wp_users table from the database and crack the other user's hash. Thankfully, before that I tried
sudo -l, which is my normal go-to when beginning privilege escalation on Linux.
sudo -l showing that
enableSSH.sh could be run by the neil user.
My user was able to execute
enableSSH.sh as ALL, i.e. as root. I reviewed the script and knew this was the escalation path: it had a race condition, so I created two loops and uploaded them to the server. I then logged in as neil twice via SSH and ran both scripts. I got root shortly after.
Rooted Tenet box from Hack the Box.