Summary
Spectra is a great machine in which your journey will start with WordPress vulnerabilities and a GUI dashboard. Planting a reverse shell and access SSH allows the user to compromise and upgrade their shell on the spectra host. Lastly, the Root privilege escalation comes after checking Sudo run as permissions, to exploit an active process.
Processes\Techniques
Dir busting
WP bruteforce
WP code injection
Unauthorized script injection
Tools Used
Nothing special
Enumeration
The original nmap scan showed absolutely no ports open and this might be a first for me.
Lets try a stealth scan again, which sadly provides no unique results. We are going to be enumerating blind.
Enumeration Website
Initially the website was returning blank and nothing was loading, which had me stumped until I recalled how much Hack the box loves mapping IP - Hosts as apart of the experience. With this I loaded the spectra.htb to ip mapping in /etc/hosts.
echo '10.129.144.226 > /etc/nano hosts'
The "Software Issue Tracker" takes us to the main page. The test link however brings us to "/testing/index.php/". So this looks pretty offsetting and there is an opportunity to back in to the /testing/ directory.
The directory that stands out the most is /wp-config.php.save. Browsing here shows us a blank page....but given it is a .php script appearing as a backup, lets check the source code of the page.
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );
/** MySQL database username */
define( 'DB_USER', 'devtest' );
/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );SQL
Well finding those SQL creds is fantastic. however we know from initial enumeration that we cannot gather any information on open ports and have to recourse to blind enumeration. So I tried connecting to mysql but it did not work, which suggests the server is local only.
WP-Login
As with all pentesting you can find low hanging fruit
From here we have several options.
Inject code into theme templates
inject code into a plugin
I attempted to edit and inject a PHP reverse shell into the Hello Dolly plugin, however it was not executing for me.
Attempting to add a plugin I was not able to go down this route due to an error.
Twenty Twenty: 404 Template (404.php) - Editing this template and injecting code seemed like a good idea. But I kept receiving an error as we see below.
Metasploit
Unfortunately I had to resort to metasploit as I could not find another way to pop a shell.
Module options (exploit/unix/webapp/wp_admin_shell_upload):
We use the administrator username here instead of the devtest username.
Moving Horizontally
The provided shell was rather limited and not at all interactive. This left me to enumerate from an absolute path for every query which slowed me down.
ls /opt/
VirtualBox
autologin.conf.orig
broadcom
displaylink
eeti
google
neverware
tpm1
tpm2
We see the autologin.conf.orig as standing out as not ordinary in this location. So I looked into it and there was a reference to /etc/autologin within the passwd variable.
passwd=
# Read password from file. The file may optionally end with a newline.
for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
if [ -e "${dir}/passwd" ]; then
passwd="$(cat "${dir}/passwd")"
breakThis turned over a password.
Moving to user
With this password we ought to test it against ssh with all users found in /etc/passwd.
Root
Looking at what we can run as Sudo reveals this.
Researching /sbin/initctl showed a well known privilege escalation technique. I have included the link below.
sudo -u root /sbin/initctl list
Great we have confirmed we can execute initctl commands.
Just like the guide suggests we browse to /etc/init and edit the test process with nano and add the following code in the script.
script
chmod +s /bin/bash
end scriptsudo -u root /sbin/initctl start test -bash-4.3$ whoami
-bash-4.3$ root