(HTB) Tenten Walkthrough


Name: Tenten
IP: 10.10.10.10
OS: Linux
VM Author: ch4p
Writeup Author: Teck_K2


Nmap result



On the target system only ports 22 and 80 are open. Let's open the web site on port 80.



It's a job portal site powered by WordPress.
Let's try to find the version.
/readme.html shows me the version, which is 4.7.



Now that we know it's a WordPress site, we will use wpscan.


It will start enumerating users.
We got only 1 user.



One of them is admin; we will focus on him only.
Now that we know the username, we can try to brute-force the password.
After several hours I got no result.


Let’s enumerate plugins



We got 2 plugins installed



As we can see, one is akismet, which is up to date, and the second one is job-manager, which is also up to date, but the installed version of job manager, 0.7.25, seems outdated and insecure.

Let's find an exploit for that.
I found this link in the wpscan description.
If you can't understand what's going on in the blog I shared above, then look at this.



We will use HackBar to fuzz the id. As you can see, the URL ends in /8/, and that is the part we need to fuzz.

So copy that link and remove the 8:
http://10.10.10.10/index.php/jobs/apply/

Now click on the + button, which is on the left side of SQL.



When you click it, it will ask you to enter a string; type 1 and hit OK.
Now it will load
http://10.10.10.10/index.php/jobs/apply/2/

Now look at the Title



Click on it; it's not that useful. Now click on the + again
at
http://10.10.10.10/index.php/jobs/apply/3/

It's showing

But if you look at the URL, it now shows the id parameter = 3.



Now try to fuzz this; maybe we can find something useful.
Our aim is to find the location where our resume has been uploaded.
Again copy this into HackBar and start from 1.
While you increment with +, keep watching the URL; something interesting may come up.


At id=13 I saw something interesting, which may be a file under application.



Now move on.
At id=15 I got the name of the file I had uploaded; my file name was ten.txt.



As you can see in the URL, it shows the name of my file, which is ten.
We are doing this because we want to learn how this plugin works.
Now we can google how the Job Manager plugin stores data and in which location.
By searching Google I learned that the plugin stores the data in this form:
IP/wp-content/uploads/year/month/filename.extension


So in our case the destination would be

As you can see, I can see the content of the file which I uploaded.
In my case the id is 13; in your case the id could be different, so keep going until you find your file name.
Now try to access the file name which we got earlier (hackeraccessgranted).
I tried so many possible months, years and extensions, then finally I found the file.
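Both steps above, walking the application ids one by one with HackBar and guessing the /wp-content/uploads/year/month/ path, leave a characteristic trail in the web server's access log. The following Python script is an added example, not part of the original walkthrough; it runs over a constructed Apache-style log sample (the IPs, timestamps and thresholds are assumptions) and flags clients that show either pattern.

```python
import re
from collections import defaultdict
# Constructed Apache-style access log sample (not taken from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:10:00:01 +0000] "GET /index.php/jobs/apply/1/ HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2018:10:00:02 +0000] "GET /index.php/jobs/apply/2/ HTTP/1.1" 200 5133
203.0.113.5 - - [10/Jan/2018:10:00:03 +0000] "GET /index.php/jobs/apply/3/ HTTP/1.1" 200 5101
203.0.113.5 - - [10/Jan/2018:10:00:04 +0000] "GET /index.php/jobs/apply/4/ HTTP/1.1" 200 5098
203.0.113.5 - - [10/Jan/2018:10:01:00 +0000] "GET /wp-content/uploads/2017/01/hackeraccessgranted.jpg HTTP/1.1" 404 312
203.0.113.5 - - [10/Jan/2018:10:01:01 +0000] "GET /wp-content/uploads/2017/02/hackeraccessgranted.jpg HTTP/1.1" 404 312
203.0.113.5 - - [10/Jan/2018:10:01:02 +0000] "GET /wp-content/uploads/2017/03/hackeraccessgranted.jpg HTTP/1.1" 404 312
198.51.100.7 - - [10/Jan/2018:10:05:00 +0000] "GET /index.php/jobs/apply/7/ HTTP/1.1" 200 5140
198.51.100.7 - - [10/Jan/2018:10:05:09 +0000] "GET /wp-content/uploads/2018/01/cv.pdf HTTP/1.1" 200 80213
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
APPLY_RE = re.compile(r'^/index\.php/jobs/apply/(\d+)/?$')    # job application detail page
UPLOAD_RE = re.compile(r'^/wp-content/uploads/\d{4}/\d{2}/')  # WordPress upload tree

def longest_consecutive_run(ids):
    # Length of the longest run of consecutive integers, i.e. ids walked one by one.
    best = run = prev = 0
    for n in sorted(set(ids)):
        run = run + 1 if n == prev + 1 else 1
        best, prev = max(best, run), n
    return best

def find_enumeration(log_text, min_run=4, min_upload_404=3):
    # Per client IP: application ids requested, and 404s under the uploads tree.
    apply_ids, upload_404 = defaultdict(list), defaultdict(int)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, path, status = m.group('ip', 'path', 'status')
        hit = APPLY_RE.match(path)
        if hit:
            apply_ids[ip].append(int(hit.group(1)))
        elif UPLOAD_RE.match(path) and status == '404':
            upload_404[ip] += 1
    alerts = defaultdict(list)
    for ip, ids in apply_ids.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            alerts[ip].append(f'{run} consecutive application ids ({min(ids)}..{max(ids)})')
    for ip, n in upload_404.items():
        if n >= min_upload_404:
            alerts[ip].append(f'{n} 404s under /wp-content/uploads/YYYY/MM/ (upload path guessing)')
    return dict(alerts)

if __name__ == '__main__':
    print(find_enumeration(SAMPLE_LOG))
```

Tune min_run and min_upload_404 to your own traffic; legitimate applicants open one or two application pages, not a dense sequence of ids.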


So let’s try to access this



It's a JPG file that could be a steganography picture.
Let's find out.
We will use steghide to extract the data.


If the tool is not preinstalled in your Kali, you can install it with
# apt-get install steghide
and then type
# steghide extract -sf filename



Now steghide has extracted the content hidden in the JPG into a file named id_rsa, which is our gateway to SSH.
Let's process it with another tool named ssh2john to check whether the key is protected by a password, and yes, we got the password hash from it.

# ssh2john filename



Now copy the output of ssh2john into a new text file named pass (or anything you like).
To crack this SSH password hash we will use john.

As you can see, John was so fast it cracked the password in just 1 sec.
We got the password for SSH login; now try to log in with the name we enumerated with wpscan, which is takis.


# ssh -i id_rsa takis@10.10.10.10
Then type the password which we got, which is superpassword.
If you get an error like this


Try giving the file 400 permissions (chmod 400 id_rsa).


Now we have the SSH login.


We have limited user access, so we need to do privilege escalation.
Try to find the user flag first and submit it.
We got the user flag.


Now try to find an exploit to perform privilege escalation (privesc),
or we can do it the simple way.


Remember, before trying any exploit, first go for the classic privilege escalation checks, which we can do manually.

# sudo -l will show us the files/commands we can run with sudo without needing a password.


By typing
# sudo /bin/fuckin su
we got root access.

Now you can access the root directory and read the flag.


~Enjoy Hacking and stay NOOB
