# Tenten

## Tenten - 10.10.10.10

### Target Enumeration:

OS: Linux

IP: 10.10.10.10

User: e5c7ed3b89e73049c04c432fc8686f31

Root: f9f7291e39a9a2a011b1425c3e08f603

### Ports / Services / Software Versions Running

22/tcp open  ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)

80/tcp open  http Apache httpd 2.4.18 ((Ubuntu))

### Vulnerability Exploited:

Username enumeration via WordPress

id\_rsa file hidden within a .jpg file

Weak password on the id\_rsa file

### Privilege Escalation:

The user is allowed to run /bin/fuckin via sudo, which can be used to execute /bin/sh

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/EbExHeluNMv6Ll1Z33X4zjXYWREvAA6jXwVMp-kxjj8oCTdYEvUmEWSa8fdi8L98zgrxdp5oH8LBiVd9M2xUYPs23BeTzg5xuRkciJcKzCcZtddOsxIEJbIxdsvYHLECyufACi5C" alt=""></div>

WPScan

It brought back the user takis

<div align="left"><img src="https://lh4.googleusercontent.com/8IC6rl0x0miSS24DEU2F5xcv9jys5aHMukK0arI0fUT0dL43aeB0Ebwlq7JIy3LFmgV_QrYF2024SOwEugCjS9YuxUDOZ4iElVlYvtOaaxzZI5r-u9HSU7s8vVx4MfWEb7OJxNqX" alt=""></div>

Bruteforce while enumerating the webapp

<div align="left"><img src="https://lh6.googleusercontent.com/vklG7RI101qh9jQoVLLwVRNTmud29lqP21NFUNu6oITK1izgrpClZmBON5Ls3L4hqGRFLbZMM7Nipa5CuEwiSjHgc-4DiEUsa_ZHnL17atuNwu3EB4VcfmwJJI7lo4UsVvZBgR2F" alt=""></div>

Found a jobs listing on the webapp

<div align="left"><img src="https://lh4.googleusercontent.com/l5bTQ43JA1wdrdPuPlgRvVeB3LQPLGRD9Mt0AWTPxZb7jSIfAfrwBcR3FHQU3fHHxD0fNK4Lc805ViI0B0Y54lqwHb__IObx7tWmu2pU7LRSU_mOIMg9xb6xmS54D6AG-zx5iQlA" alt=""></div>

A file upload is present, but we are not yet able to upload any files

The path is <http://10.10.10.10/index.php/jobs/apply/8/>, so we iterate through all of them with Burp Intruder to see if we can find anything else

Found an access granted page

<div align="left"><img src="https://lh4.googleusercontent.com/aOEa8Pp2XBos7u_Su1sq6FAO7MQnxBVESqlohIHn_jWWDYhY7pUV8TZx1UZQdeDtwO2aSSl_0B0AcKDzoaPzpY3MwMW5HKORyq6EvaS80x8ldcoO3q7qVvAfsI_sNHmBdA0LvemV" alt=""></div>

After searching further with Intruder, we found the hackeraccessgranted.jpg file:

<div align="left"><img src="https://lh4.googleusercontent.com/esXvBWRio0N1SDhoGUFuHt8SizvnRc5kZ_o93HvZZ1pn5kxMbjePDG4TdPeQtgZn6bPRIrlGKbe9e4YeLIHFhClKMgXfLNiJnAGu5kKwpUaC1xNXz80_sjpVj6M8qIdUKOEpGPGF" alt=""></div>

Steghide on the image revealed an id\_rsa key

<div align="left"><img src="https://lh3.googleusercontent.com/asFDXa8jXQctbQ4AJVE7PAC9_b304giE7bEji0G7FW1e72N4b2nAO-8sy6WNv_zTWcH0srmFVWZr-JqN2pZKYSpWUAvucayujLRZu30CrI5QWh62vbcOzXoMZ6iWRJ8LaElW9rNs" alt=""></div>

We chmod the file to 400 permissions and try to log in via SSH as the user takis with the key file.

This did not work, so we extracted the hash from the id\_rsa file and cracked it with John

<div align="left"><img src="https://lh6.googleusercontent.com/qM6FrHEeR4BhQEHZfppsdVzHqfYLl6rnkpl0_Lc9HAPebzHl79bGfd6u1XWRMsSMdgkSS8m0u81xD5SNVRvvIc6tbM-iTFe7utypmbS2wdgm1Qk_RDN0J8ULTOx7C3JCsUWlsnVI" alt=""></div>

We now had the password “superpassword”

We use that to log in via SSH and collect our user file

<div align="left"><img src="https://lh6.googleusercontent.com/Y8HVTer5G6qHfNL0b2NN76s7CCWMelQTy6PHA3cS0x5p2E0egnzsmprvzNHdOXjYpkW6WN-VKFrRfsY0HHLASl0I3vavCflS1nR_otiZQd8JAsqvM13QZjtp797a6QZOKoKCyWya" alt=""></div>

Checking local permissions, we found we were allowed to run /bin/fuckin via sudo. We inspected the file and found that the first, second and third arguments would allow us to run other shells, so we ran it with sudo /bin/fuckin /bin/sh to get a root shell.

![](https://lh3.googleusercontent.com/BX9IL26AsHj2IUnrBFD_DnCWnirMLOtGJhckpITZo3mCLXdhSJJH1YIcYlE6OrHE_JR7sxLFdn7KPw0emQIrOoBZH-VZHSYqH4CY_NrR8N1WPoW7sHsERl7x4JcMXp28ijaAyYIf)
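
A defensive check for the sudo misconfiguration described above, as an added example that is not part of the original write-up: it reads `sudo -l` style output and flags allowed shell scripts that run their own arguments as commands. The sample listing, user, host and paths are constructed, and the pattern match is a heuristic.

```shell
#!/bin/sh
# Added example, not from the original write-up: heuristic audit for sudo-allowed
# shell wrappers that execute their own arguments.

# Exit 0 and print the offending lines when a positional parameter ($1, "$2",
# ${3}, "$@", $*) sits in command position: at line start or after ; & |,
# optionally behind then/do/else or exec/eval/command. Comment lines do not match.
runs_own_args() {
    grep -nE '(^|[;&|])[[:space:]]*((then|do|else)[[:space:]]+)?((exec|eval|command)[[:space:]]+)?"?\$\{?[1-9@*]' -- "$1"
}

# Read `sudo -l` style text on stdin, collect every absolute path on the rule
# lines (those starting with a "(runas)" spec), and print the shell scripts
# among them that runs_own_args flags. Compiled binaries are skipped.
audit_sudo_listing() {
    grep -E '^[[:space:]]*\(' | grep -oE '/[^[:space:],]+' | sort -u |
    while IFS= read -r path; do
        [ -f "$path" ] && [ -r "$path" ] || continue
        head -n 1 "$path" | grep -qE '^#!.*sh' || continue
        if runs_own_args "$path" >/dev/null; then printf '%s\n' "$path"; fi
    done
}

# Constructed sample (made-up user, host and paths): one wrapper that runs its
# arguments, one script that does not, and a listing that allows both.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/bash\n$1 $2 $3 $4\n' > "$d/wrapper"
    printf '#!/bin/sh\n# $1 is ignored\nsystemctl restart apache2\n' > "$d/restart-web"
    printf 'User demo may run the following commands on host:\n    (ALL : ALL) ALL\n    (ALL) NOPASSWD: %s, %s\n' \
        "$d/wrapper" "$d/restart-web" | audit_sudo_listing
    rm -rf "$d"
}
demo
```

Any path it prints is a script that should be removed from sudoers or rewritten to call one fixed command instead of its arguments.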

