Official Tenet Discussion

Overall, pretty nice box.
Foothold was a bit frustrating, too much guesswork for my taste except the exploit parts, both from the foothold and root; these were pretty funny.

So , for the nudges :

Foothold: As said before, read very well the comment that you find somewhere; it actually points to two things: s****.**p and a b****p.
The latter may not be what you think it is, so don’t go too far into a fancy rabbit hole like I did :wink:

Exploit : read what you have obtained . If you don’t know what something does , google it.
You can learn a lot .

User: you don’t even have to enumerate, if you are curious enough about how some parts of the website work… one search can get it to you, first link on Google, literally.

Root : What can you do ?
Found it ?
Well… maybe you should enroll in the race :wink:

Edit: someone was actually trying to fill in all the X’s, that’s some dedication, flooded the whole directory haha

Is there another way to get root without “bruteforce racing”? Maybe there is a technique to slow the process down, or even set a breakpoint or something?

Rooted! Quite a nice box! Had some difficulties on privilege escalation but was nice to learn something new. Here are my hints:

  • Initial foothold: just read the posts and comments and you’ll know what to enumerate.
  • User: do some basic enumeration
  • Root: understand the code, what it does and how it does it.

For initial foothold, some people here are throwing others into rabbit holes by saying you should read and google about the ambiguous words, while it is completely unnecessary.
Just check the comment and directly access the referenced files.

Anyone I can DM on root? I am trying to win the race but I don’t seem to be hitting my stride.

@ellj said:

Anyone I can DM on root? I am trying to win the race but I don’t seem to be hitting my stride.

Sure. Feel free to DM me. It took me several attempts, but using wildcards you can get it quite “stable” :wink:

Are we supposed to get root before we get user in this box? I got to root after the initial shell directly. And then I just did cat user.txt from root shell to get user.

Is this the right way to do this box? I just started doing these challenges in HTB and I have not come across anything like this before.

@gtux said:

Are we supposed to get root before we get user in this box?

No.

I got to root after the initial shell directly. And then I just did cat user.txt from root shell to get user.

Is this the right way to do this box?

No.

I just started doing these challenges in HTB and I have not come across anything like this before.

It’s likely someone had recently compromised the box and failed to clean up after themselves. You shouldn’t be able to get root directly from a shell which can’t read the user flag.

OK, I’ve had enough with trying to race for root… who can I DM? I know what to do… I just can’t implement it. Cheers

@TazWake said:

It’s likely someone had recently compromised the box and failed to clean up after themselves. You shouldn’t be able to get root directly from a shell which can’t read the user flag.

This is weird. I reset the box and tried again. After getting shell as the first user (which cannot read user.txt), I can start the race to root directly from there.

@gtux said:

@TazWake said:

It’s likely someone had recently compromised the box and failed to clean up after themselves. You shouldn’t be able to get root directly from a shell which can’t read the user flag.

This is weird. I reset the box and tried again. After getting shell as the first user (which cannot read user.txt), I can start the race to root directly from there.

Fascinating. I didn’t think that account had the rights to run the script.

@TazWake said:

@gtux said:

@TazWake said:

It’s likely someone had recently compromised the box and failed to clean up after themselves. You shouldn’t be able to get root directly from a shell which can’t read the user flag.

This is weird. I reset the box and tried again. After getting shell as the first user (which cannot read user.txt), I can start the race to root directly from there.

Fascinating. I didn’t think that account had the rights to run the script.

-rwxr-xr-x

@choupit0 said:

Fascinating. I didn’t think that account had the rights to run the script.

-rwxr-xr-x

Awesome. I clearly overlooked that.

@TazWake said:

@choupit0 said:

Fascinating. I didn’t think that account had the rights to run the script.

-rwxr-xr-x

Awesome. I clearly overlooked that.

Me too :wink: Good point from @gtux, I tried and it’s functioning.

Rooted, but I wonder why I cannot use the “PATH hijack” technique to create a fake “mktemp”?
Does it only work for root SUID but not sudo in this case?

@chinavpn123 said:

Does it only work for root SUID but not sudo in this case?

You would need to change the PATH for the sudo environment, not for the sudo call:
Not: PATH=bla sudo ...
But: sudo PATH=bla ...

But AFAIK, this was explicitly forbidden by the sudo config.
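Why neither form of the hijack gets through comes down to two sudo Defaults: `secure_path` makes sudo replace PATH with a fixed value (so `PATH=bla sudo cmd` is ignored), and `env_reset` makes sudo discard the caller's environment (so `sudo PATH=bla cmd` is refused unless the rule carries the `SETENV:` tag). The following is an added example, not from this thread and not the box's real configuration: a small POSIX sh triage script that reads sudoers text and reports the state of those two Defaults, and additionally flags `SETENV:` rules. The user name, script path and both sudoers fragments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a sudoers text has the two
# Defaults that defeat a PATH hijack of a NOPASSWD script rule.
#   env_reset   - caller environment discarded, so "sudo PATH=x cmd" is refused
#   secure_path - PATH replaced with a fixed value, so "PATH=x sudo cmd" is ignored
# Also flags rules with the SETENV: tag, which let the caller pass variables through.
# Usage: sh sudo_path_check.sh /etc/sudoers /etc/sudoers.d/*   (needs root to read)
# Caveat: "absent" only means "not written in this file"; the authoritative view is
# the "Matching Defaults entries" section of "sudo -l" on the host itself.

# Constructed sample fragments for the demo (placeholder user and script path).
HARDENED_SUDOERS='# constructed: PATH pinned and environment reset
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
someuser ALL=(root) NOPASSWD: /opt/example/maintenance.sh'

WEAK_SUDOERS='# constructed: env_reset negated, secure_path commented out, SETENV granted
Defaults !env_reset
# Defaults secure_path="/usr/sbin:/usr/bin"
someuser ALL=(root) NOPASSWD: SETENV: /opt/example/maintenance.sh'

# Print the active (non-comment, non-blank) lines of a sudoers text.
# Everything after "#" is dropped, which would also cut a "#" inside a quoted
# value; acceptable for a triage script, not a full sudoers parser.
sudoers_active_lines() {
    printf '%s\n' "$1" | sed 's/#.*$//' | grep -v '^[[:space:]]*$' || true
}

# default_state TEXT KEY -> prints "set", "negated" (Defaults !KEY) or "absent"
default_state() {
    lines=$(sudoers_active_lines "$1" | grep -E '^[[:space:]]*Defaults' \
            | grep -E "(^|[[:space:],])!?$2([[:space:],=]|\$)" || true)
    if [ -z "$lines" ]; then
        echo absent
    elif printf '%s\n' "$lines" | grep -Eq "(^|[[:space:],])!$2([[:space:],]|\$)"; then
        echo negated
    else
        echo set
    fi
}

# has_setenv_tag TEXT -> exit 0 if any active rule carries the SETENV: tag
has_setenv_tag() {
    sudoers_active_lines "$1" | grep -Eq '(^|[[:space:]])SETENV:'
}

# assess_sudoers TEXT -> one finding per line; returns 0 only when nothing is flagged
assess_sudoers() {
    rc=0
    for key in env_reset secure_path; do
        state=$(default_state "$1" "$key")
        if [ "$state" = set ]; then
            printf 'OK       Defaults %s is active\n' "$key"
        else
            printf 'WARNING  Defaults %s is %s: callers may influence the environment of sudo-run commands\n' "$key" "$state"
            rc=1
        fi
    done
    if has_setenv_tag "$1"; then
        printf 'WARNING  a rule carries SETENV:, which lets the caller pass variables such as PATH\n'
        rc=1
    fi
    return $rc
}

# With file arguments, check real files; with none, run the two constructed samples.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        assess_sudoers "$(cat "$f")" || true
    done
else
    echo "== constructed hardened sample"; assess_sudoers "$HARDENED_SUDOERS" || true
    echo "== constructed weak sample";     assess_sudoers "$WEAK_SUDOERS" || true
fi
```

Run it with no arguments to see the two constructed samples assessed, or point it at sudoers files on a host you administer. On the weak sample it reports `env_reset` as negated, `secure_path` as absent and the `SETENV:` tag present; on the hardened one both Defaults are set, which is the configuration that makes a fake `mktemp` on a user-controlled PATH irrelevant to the sudo-run script.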

Hi guys, just started on this but stuck… I can see the WordPress blog, but when I click on any link it says server not found error. I can see one user name, ‘neil’, in the recent comments section, but when I click on the name it says error.

@bkcipher said:
Hi guys, just started on this but stuck… I can see the WordPress blog, but when I click on any link it says server not found error. I can see one user name, ‘neil’, in the recent comments section, but when I click on the name it says error.

Also, the IP address changes to tenet.htb every time I click something, but I get a server error.

@bkcipher said:

@bkcipher said:
Hi guys, just started on this but stuck… I can see the WordPress blog, but when I click on any link it says server not found error. I can see one user name, ‘neil’, in the recent comments section, but when I click on the name it says error.

Also, the IP address changes to tenet.htb every time I click something, but I get a server error.

Have you updated your hosts file?

@TazWake said:

@bkcipher said:

@bkcipher said:
Hi guys, just started on this but stuck… I can see the WordPress blog, but when I click on any link it says server not found error. I can see one user name, ‘neil’, in the recent comments section, but when I click on the name it says error.

Also, the IP address changes to tenet.htb every time I click something, but I get a server error.

Have you updated your hosts file?

Funny thing, I just came to update the same here… and saw your comment :slight_smile:
Took some googling around. Thank you