Spectra (Easy)
Hackthebox Spectra Walkthrough
Enumeration
Nmap
Discovery
We can see port 80 is open. Let's navigate to it.
We see 2 links. One leads to a WordPress page and the other one is testing, which shows us Error Establishing Database Connection.
Note: We need to add the domain name to the /etc/hosts file, since accessing the site by IP gives us plain text with no CSS when navigating to the WordPress site.
After poking around, we found an interesting file inside the testing directory: wp-config.php.save
After clicking on wp-config.php.save and viewing the page source, we got tons of configuration information! One useful piece is the database information.
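The file is readable because its name ends in .save rather than .php, so a typical handler mapping serves it as static text instead of executing it. The following audit is an added example, not part of the original walkthrough: it walks a web root and flags such leftover copies. The suffix list, the function names and the sample tree (apart from the testing directory and wp-config.php.save) are assumptions, and the credential values are constructed placeholders.

```python
import os
import re
import tempfile

# Suffixes editors and admins commonly leave behind (assumed list, extend as needed).
BACKUP_SUFFIXES = (".save", ".bak", ".old", ".orig", ".swp", "~")
# WordPress constants whose presence means the copy leaks credentials or keys.
SECRET_RE = re.compile(r"define\(\s*['\"](DB_PASSWORD|DB_USER|AUTH_KEY)['\"]")


def find_exposed_configs(webroot):
    """Return sorted (relative_path, has_secrets) for PHP copies served as text."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            # A name such as "wp-config.php.save" no longer ends in ".php",
            # so the source is returned to the client instead of being run.
            if ".php" in name and name.endswith(BACKUP_SUFFIXES):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    has_secrets = bool(SECRET_RE.search(fh.read()))
                findings.append((os.path.relpath(path, webroot), has_secrets))
    return sorted(findings)


def build_sample_webroot():
    """Build a constructed sample tree; contents are placeholders, not real data."""
    root = tempfile.mkdtemp()
    cfg = ("<?php\ndefine( 'DB_USER', 'example_user' );\n"
           "define( 'DB_PASSWORD', 'example-placeholder' );\n")
    sample = {
        "site/wp-config.php": cfg,            # executed by PHP, not flagged
        "testing/wp-config.php": cfg,         # executed by PHP, not flagged
        "testing/wp-config.php.save": cfg,    # served as plaintext, has secrets
        "testing/index.php~": "<?php echo 'hi';\n",  # backup, no secrets
    }
    for rel, body in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, has_secrets in find_exposed_configs(build_sample_webroot()):
        print(f"{'SECRETS' if has_secrets else 'backup '}  {rel}")
```

Anything it reports with secrets should be removed from the web root and the credentials in it rotated.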
Take the password and log in to the WordPress admin dashboard.
We can proceed with getting a reverse shell, either using Metasploit or using the plugin editor to edit a PHP file and call the reverse shell.
Reverse Shell
The reverse shell we get is a low-privilege shell, so we need to escalate to a user shell, namely the user Katie.
Soon enough we went to the /opt directory and saw some directories.
After running cat on autologin.conf.orig, we can see some code.
What we want to pay attention to is the /etc/autologin directory.
Voilà, we got a password. Proceed to ssh in as user Katie, since su is not allowed :(
Privilege Escalation
The first thing we try is the sudo -l command, and wow, we got this.
Googling a privilege escalation for /sbin/initctl leads us to this Medium article.
What we can do first is list all the files that we can inject some code into by using the command
At the end of the output list we saw the test2 file, which is obvious enough to let us inject some code into it.
We can navigate to /etc/init
and edit the test2.conf file
We can edit the file as follows:
Then we can run the command
We can continue by supplying the command
Got Root!
Congrats!