Spectra on HTB Write-Up

Spectra on HTB Write-Up

Spectra was a relatively easy box, so here's a brief write-up on what I did to root the machine.  I have a habit of checking pages before I run nmap so I visited the page first and found the following:

Before I went any farther on the links I decided to add the address with sudo nano /etc/hosts and put spectra.htb spectra in the hosts file and hit Ctrl +x to save.

Then I finally ran an nmap:

└─$ nmap -sC -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-25 18:11 CDT
Nmap scan report for
Host is up (0.047s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http    nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql   MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.48 seconds

We see ports 22, 80 and 3306 are open, which gives us an idea of what's going on with this machine. The SQL peaked my interest, but I decided to check on the links first:

The first thing I found was a "Hello world!" post on a brand new Wordpress website, which is the default after a brand new installation. Going further down the page brings you to a login link, so I went ahead and clicked it:

Nice. From here I ran gobuster to search for more interesting directories:

└─$ gobuster dir -u -w /usr/share/wordlists/dirb/common.txt                                                          1 ⨯
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/06/25 18:13:39 Starting gobuster in directory enumeration mode
/index.html           (Status: 200) [Size: 283]
/main                 (Status: 301) [Size: 169] [-->]
/testing              (Status: 301) [Size: 169] [-->                                               ===============================================================
2021/06/25 18:14:01 Finished

The /testing directory is something that immediately catches my eye because there may be something interesting there.

I started going through file links and found that wp-config.php.save had an interesting source page:

This was beautiful because I had just found some creds from a page source.  I went ahead and tested the password with the administrator login, because I didn't have much else to go on (I got lucky) and it worked!

I was then in the Wordpress admin page and clicked around the dashboard link to get an idea of what version I was working with:

I had an idea, but to double check, I hit the Wordpress logo and then About Wordpress link:

Perfect. Now I could check through searchsploit and a few other resources to see if there was an exploit for this version of Wordpress, which there was. In Metasploit, using the wp_admin phrase I found something.  

From here I went and did use exploit/unix/webapp/wp_admin_shell_upload and show options in msfconsole to get more information:

I set username administrator then set password xxxxxx set the rhost to the page itself, set targeturi /main and lhost/lport to my personal IP/port and hit run grabbing meterpreter and type shell to get started:

I do a quick whoami to find out I'm the user nginx. It looks like there isn't a user flag here however, so I check around and find that cat /etc/passwd reveals an account called katie:

Eventually, perusing the box, I came across autologin.conf.orig which gives a hint in the comments about reading a password from a file in /etc/autologin:

Going to /etc/autologin I found the password file, did a cat password to list it, and grabbed creds to katie's account.  Now all I had to do was ssh into the machine, run sudo -l and see if there was a way to privesc this sucker:

We can see that /sbin/initctl returns from sudo -l which is good news, so I went into /sbin, looked around and Googled a bit about initctl.  I found a few sites and some stuff on the man page, which lists the start/stop/restart and emit commands. Cool.

Next, I went into /etc/init, stopped test.conf then edited it with a simple script to root the machine: script chmod +s /bin/bash end script. From there I restarted test.conf and grabbed root with /bin/bash -p to finish off the machine.