Spectra (Easy)

Hackthebox Spectra Walkthrough

Enumeration

Nmap

nmap -sC -sV 10.10.10.229
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-25 01:13 EDT
Nmap scan report for spectra.htb (10.10.10.229)
Host is up (0.25s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http    nginx 1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.64 seconds

Discovery

We can see port 80 is open. Let's navigate to it.

We see two links. One leads to a WordPress page and the other to a "testing" directory, which greets us with an "Error Establishing Database Connection" message.

Note: We need to add the domain name to the /etc/hosts file, since accessing the site by IP gives us bare HTML with no CSS when navigating to the WordPress pages.

After poking around inside the testing directory, we find an interesting file: wp-config.php.save.

Clicking wp-config.php.save and viewing the page source gives us tons of configuration information! The useful part is the database credentials.

Take the password and log in to the WordPress admin dashboard.

We can get a reverse shell either by using Metasploit or by using the plugin editor to edit a PHP file and insert a reverse shell.
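The wp-config.php.save file found above is a classic leftover backup: the web server does not hand a .save file to PHP, so it returns the source, credentials included. The audit script below is an added example, not part of the original walkthrough, that walks a web root (here a constructed temporary tree mimicking the testing directory) and flags backup-looking files that contain WordPress credential defines; the suffix list and the regex are my own assumptions.

```python
import os
import re
import tempfile

# Suffixes commonly left behind by editors, cp/mv, or manual backups.
BACKUP_SUFFIXES = (".save", ".bak", ".orig", ".old", ".swp", "~")
# WordPress-style credential definitions, e.g. define('DB_PASSWORD', '...');
SECRET_DEFINE = re.compile(
    r"define\(\s*['\"](DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_KEY)['\"]")


def is_backup_name(name):
    """True for names such as wp-config.php.save or .wp-config.php.swp."""
    return name.endswith(BACKUP_SUFFIXES)


def audit_webroot(root):
    """Return sorted (relative path, leaks_credentials) pairs for every
    backup-looking file under root. A .save copy of wp-config.php is not
    handed to PHP, so the web server returns its source verbatim."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_backup_name(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="replace") as fh:
                    leaks = bool(SECRET_DEFINE.search(fh.read()))
            except OSError:
                leaks = False
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append((rel, leaks))
    return sorted(findings)


def demo():
    """Build a constructed web root mirroring the box's layout and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "testing"))
    # Live config: executed by PHP, source never served. Not a finding.
    with open(os.path.join(root, "testing", "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'placeholder-not-real');\n")
    # Leftover backup: served as plain text, so the define() is exposed.
    with open(os.path.join(root, "testing", "wp-config.php.save"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'placeholder-not-real');\n")
    with open(os.path.join(root, "index.html.bak"), "w") as fh:
        fh.write("<html></html>\n")
    return audit_webroot(root)
```

Running demo() reports index.html.bak as a harmless backup and testing/wp-config.php.save as a credential leak; pointing audit_webroot() at a real document root gives the same report for a live site.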

Reverse Shell

After we get the reverse shell, it is a low-privilege shell, and we need to escalate to a user shell as the user Katie.

Soon enough we went to the /opt directory and saw some subdirectories.

After cat'ing out autologin.conf.orig, we can see some code.

What we want to pay attention to is the /etc/autologin directory.

Voilà, we got a password. Proceed to SSH in as user Katie, since su is not allowed :(

Privilege Escalation

The first thing we try is the sudo -l command, and wow, we got this.

Googling privilege escalation via /sbin/initctl leads us to this Medium article.

First, we can list all the jobs we could inject code into by running the command

sudo /sbin/initctl list

At the end of the output list we see test2, which is obviously the one to inject code into.

We can navigate to /etc/init and edit the test2.conf file.

We can edit the file as follows:

Then we can run the command

sudo /sbin/initctl start test2

We can then run the command

/bin/bash -p

Got Root!

Congrats!
