Machine Synopsis
Tenet is a Medium difficulty machine that features an Apache web server. It hosts a WordPress blog with a few posts. One of the comments on the blog mentions the presence of a PHP file along with its backup. Once the backup file is identified, its source code can be reviewed. The code in the PHP file is vulnerable to insecure deserialisation, and successfully exploiting it yields a foothold on the system. Enumerating the system shows that the WordPress configuration file is readable, which gives access to a set of credentials. Using them, we can move laterally from user `www-data` to user `Neil`. Further system enumeration reveals that this user has root permissions to run a bash script through `sudo`. The script writes SSH public keys to the `authorized_keys` file of the `root` user and is vulnerable to a race condition. After successful exploitation, attackers can write their own SSH keys to the `authorized_keys` file and use them to log in to the system as `root`.