HackTheBox – Tenet

00:00 – Intro
01:20 – Start of nmap
03:00 – Discovering wordpress, fixing our host file
04:20 – Running wpscan to enumerate wordpress via aggressive mode
06:10 – Manually enumerating wordpress users by listing blog posts by author
08:30 – Discovering Sator.php, then using GoBuster to discover hidden backups to find Sator.php.bak
11:40 – Start of looking at the php source to see its a basic deserialization challenge.
12:40 – Building the deserialization gadget to write a file
15:15 – Uh oh. Made a typo, thankfully can find it quickly and get RCE
16:24 – Going back a step and showing a proper way to troubleshoot it
18:30 – Getting a reverse shell then examining wordpress config to get some credentials
20:15 – Testing the credentials with SSH and logging in with neil
21:00 – Discovering Neil can run enableSSH.sh with sudo, which has a race condition
23:00 – Writing a bash loop to exploit the race condition
25:20 – Exploiting the race condition more elegantly by using inotify to be notified when files are created
26:00 – Googling for an example written in C
27:00 – Going over the program
30:12 – Modifying the code to write a file upon discovering create
35:10 – Think i forgot to free th pointer, so it segfaults. Writing PleaseSubscribe to prove it worked.

source

by IppSec

linux web server