TenTen 10.10.10.10
WordPress enumeration:
command:
sudo wpscan --url http://10.10.10.10 --enumerate u
Users Found: takis
WordPress:
///notice on the WordPress site you're able to navigate the rest of the website and view other applications by changing the # in the URL: http://tenten.htb/index.php/jobs/apply/13/
/// we know that WP stores all uploaded content in /wp-content/uploads
/// notice that when we change the # in the URL to 13 we see a "HackerAccessGranted" application
///navigate to the following URL: http://tenten.htb/wp-content/uploads/2017/04/HackerAccessGranted.jpg > save image to kali
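Seen from the server side, the ID walk described above shows up in the web access log. The following is an added example, not part of the original notes: it flags clients that request a long run of consecutive application IDs and lists any files they then fetched directly from /wp-content/uploads. The log lines, IP addresses, the example.jpg filename and the min_run threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not captured traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [20/Apr/2017:09:12:01 +0000] "GET /index.php/jobs/apply/8/ HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:13:10 +0000] "GET /index.php/jobs/apply/8/ HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:13:11 +0000] "GET /index.php/jobs/apply/9/ HTTP/1.1" 200 6098 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:13:12 +0000] "GET /index.php/jobs/apply/10/ HTTP/1.1" 200 6101 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:13:13 +0000] "GET /index.php/jobs/apply/11/ HTTP/1.1" 200 6087 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:13:14 +0000] "GET /index.php/jobs/apply/12/ HTTP/1.1" 200 6110 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:13:15 +0000] "GET /index.php/jobs/apply/13/ HTTP/1.1" 200 6133 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2017:09:14:02 +0000] "GET /wp-content/uploads/2017/04/example.jpg HTTP/1.1" 200 262408 "-" "Mozilla/5.0"
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
APPLY_RE = re.compile(r'^/index\.php/jobs/apply/(\d+)/?$')


def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n starts a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best


def find_id_walkers(log_text, min_run=5):
    """Flag clients that walked >= min_run consecutive apply IDs; list their upload fetches."""
    ids, uploads = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m or m["status"] != "200":
            continue
        apply = APPLY_RE.match(m["path"])
        if apply:
            ids[m["ip"]].add(int(apply.group(1)))
        elif m["path"].startswith("/wp-content/uploads/"):
            uploads[m["ip"]].append(m["path"])
    return {ip: {"run": longest_run(s), "uploads": uploads[ip]}
            for ip, s in ids.items() if longest_run(s) >= min_run}


if __name__ == "__main__":
    print(find_id_walkers(SAMPLE_LOG))
```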
Steghide:
///trying to find any hidden information embedded in the image
command: steghide extract -sf HackerAccessGranted.jpg
SSH:
command: ssh -i id_rsa takis@10.10.10.10
///if the command is not working you may need to change the id_rsa file permissions
command: sudo chmod 600 id_rsa
///Enter the cracked password & you're in HackerAccessGranted!! cat
PrivEsc:
sudo -l
///see that a directory does not need a password
///See that we're root and now you can look around for the other flag!!
Flags:
User: ddcc806a63fdd7792ff886b26648cdaf
Root: f6e949cb495eec767a1ec62e93827aeb
Based on your notes, here's a draft for a professional and understandable post-penetration testing report for HackTheBox's host 10.10.10.10.
---
## Executive Summary
This report documents the findings of a penetration test conducted against the host
`10.10.10.10`, belonging to HackTheBox. The objective of this test was to identify
vulnerabilities, assess the impact and risk of these vulnerabilities, and recommend
actions to mitigate identified security issues.
## Test Methodology
- **Network Scanning**: Using `nmap` for identifying open ports and services.
- **Application Enumeration**: Specifically targeting WordPress installations to
identify users and potential vulnerabilities.
- **Content Discovery**: Exploring application behavior to discover hidden or
sensitive information.
- **Cryptanalysis**: Employing `steghide` and `JohnTheRipper` to uncover and crack
encrypted data.
- **Access Exploitation**: Utilizing discovered credentials to gain unauthorized
access via SSH.
- **Privilege Escalation**: Analyzing system configurations to escalate privileges.
## Key Findings
- A user named `takis` was discovered, indicating a potential vector for further
attacks.
### 4. Cryptanalysis
- The encrypted SSH private key was successfully decrypted using `JohnTheRipper`,
revealing the password "superpassword".
- Utilizing the decrypted SSH key and discovered password, unauthorized access was
gained to the system as the user `takis`.
## Risk Assessment
## Recommendations
1. **Update and Patch**: Ensure the operating system and all applications,
especially the SSH and Apache services, are up-to-date with the latest security
patches.
2. **Password Policy**: Implement a strong password policy to prevent the use of
weak passwords.
3. **Encrypt Sensitive Data**: Use strong encryption for sensitive data and secure
the decryption keys.
4. **Regular Security Audits**: Conduct regular security audits and penetration
tests to identify and mitigate new vulnerabilities.
5. **Access Controls**: Review and tighten file and directory permissions to adhere
to the principle of least privilege.
## Conclusion
The penetration test revealed several significant vulnerabilities within the host
`10.10.10.10` that could potentially be exploited to gain unauthorized access and
escalate privileges. Immediate action is recommended to address these issues and
protect the system from potential threats. Regular security assessments are advised
to maintain a robust security posture.