Hack the Box Challenge: Tenten Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Tenten” which is available online for those who want to increase their skill in penetration testing and black box testing. Tenten is retried vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level, they have collection of vulnerable labs as challenges from beginners to Expert level.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online available therefore they have static IP and IP of sense is 10.10.10.10 so let’s begin with nmap port enumeration.

From given below image, you can observe we found port 22,80 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser following page indicates that is a wordpress website which is remarkable indication for my next step.

Now we decided to use wpscan, on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins etc.

The wpscan has enumerated the usernames where we have found the login credentials as takis.           

Now we have clicked on Sign Up to register on the site. And we saw Jobs Listing as shown below.

After giving the details about the job. Click on apply now.

After clicking on apply now, the webpage opened is shown below.

As you can see from the previous image, we have made an alight change in the URL. In which we have simply changed the end number by /10/ which opened a page stating Job application as you can see below.

As you can see we have again changed the end number in the URL by 11 and this time it opened a page stating Cube.

So as to avoid wastage of time. We have simply captured the request of the page using burpsuite and sent to intruder for fuzzing.

After that inside intruder we have selected the position 8 as highlighted in below image where we want to use brute forcing through burpsuite.

We have selected the Payload type as Numbers where we have specified the number range as shown below.

As you can see the attack has begun. By selecting payload 13 which made us think there might be something different about this page and there we saw the title of the page which is HackerAccessGranted as you can see below.

As we know in wordpress there is directory structure for the uploaded files is recognized by /wp-content/uploads/%year%/%month%/%filename% then I connect HackerAccessGranted with an Image file and at last after so many attempt I execute use following URL.

Finally!! It shown a hacker image on this web page and without wasting time I downloaded this image.

Since it was an image of a hacker with message Access Granted but I was pretty sure that it is steganography and there are some chances of hidden text within this image therefore next I choose to use Steghide tool.

From given below image you can observe that it has extract .jpg image into “id_rsa”

When I try to open this file, it required password to view its content.

Formerly I download a python script from here for cracking the password of this file. Then I ran following command and got desired output.

Then we used john the ripper for cracking this ssh_login file.

“superpassword” we got as result from executing above command.

And without wasting time I execute following command for login into SSH using superpassword as password.

Great!!  I logged in successfully and check Takis’s privileged and roles using sudo -l and found he has all privileged and an indication for a directory /bin/fuckin with NOPASSWD.

First I explore current directory where I found user.txt and use cat command for reading.

Successfully completed 1st task.

Then move into /bin/fuckin where I found same file user.txt then without wasting I enrolled into root directory for finding root.txt.

Here I found user.txt and use cat command for reading.

Successfully completed 2nd task.

Solving this lab was quite captivating especially steganography for hiding ssh password is remarkable effort done by author. 

Enjoy Hacking!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *