Spectra — HackTheBox Writeup

Source

This is a practical Walkthrough of “Spectra” machine from HackTheBox. Credit goes to egre55 for making this machine available to us and base points are 20 for this machine.

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

Synopsis

“Spectra” is marked as easy difficulty machine that features Apache which is hosting issue tracker and a WordPress website. The homepage has links to Issue Tracker and Testing Website. The former takes us to the WordPress website and the latter take us to a testing website. Due to the fact that it is a testing website it has several configuration files are exposed to public users. Using the password and username from the exposed config file, we can login into WordPress admin account, upload our custom PHP code and get a reverse shell. After initial access we find a certain configuration file which reveals the path to stored password and using that password we can login to another user. The logged in user has permission to execute a binary as root using sudo, which we can leverage in order to escalate our privileges.

Skills Required

  • Web Enumeration
  • Linux Enumeration

Skills Learned

  • Manual Privilege Escalation

Enumeration

Nmap

Nmap reveals SSH (22), HTTP (80), MYSQL (3306) and Alternate HTTP (8081). BTS, I ran gobuster, checked robots.txt file, basically did every normal enumeration to find extra details, unfortunately there’s nothing that interests us. Let’s visit the HTTP service.

homepage

The first link takes us to WordPress site and we have a single post by “administrator”, possibly a username.

wordpress

The second link takes us to a testing website which outputs a DB error.

testing

Let’s first enumerate WordPress site for any vulnerabilities in themes or plugins and usernames.

Wordpress Enumeration

Wordpress version is 5.4.2, it’s theme version is 1.2 and both are outdated. We also got confirmation on username.

BTS, I ran password cracking on WordPress login and unfortunately I couldn't able to crack the password.

Let’s check the testing website for any juicy information.

testing website

Testing website has completely exposed. If we click .save config file and view the page source we get DB information.

DB Config

We got DB password which we can try it on target machine. BTS, I tried to authenticate via MYSQL and it didn't work. So, I tried it on WordPress Login using “administrator” as username.

WP login

Once you are in WP account, access “theme editor” from “appearance” section and select “twenty seventeen” theme.

theme editor

BTS, I tried uploading custom PHP on “twenty twenty” theme but for some reason it didn’t upload through here.

Once you are in “twenty seventeen” theme editor select “404 Template” from “Theme Files”. Here we have to upload our custom PHP code to get reverse connection. You can use PentestMonkey’s PHP code for this. Change IP:Port and paste the whole code in the editor and update it.

Setup a netcat listener.

Netcat Listener

Now visit the following link to execute our PHP code.

php code
Reverse Connection

Aight, *hacker voice*, we are in. We got our initial access. Now we need to move around and find misconfigurations to escalate our privileges. This host machine is a “Chrome OS”, so I couldn't able to run “LinPeas”.

Upon manual search, we would find a configuration which reveals path to the password file.

path

As you can read and understand that this is a autologin configuration file. It’s reading a password from specific path, /etc/autologin. We can retrieve that password and login to another user account.

password

Now we can SSH into “katie” user and this user is part of another group called “developers”.

SSH

Get the user flag.

user flag

Let’s try to find any binaries if we have been granted by root user to run as root.

sudo -l

We have a system binary (initctl) which we can run as root user without the password. It is a system binary only system administrators have permission to run, as this binary allow to interact with Upstart applications which handles Jobs and Events. Read More Here.

All init configurations are in /etc/init Directory. This directory has a lot of configuration files. We have to sort it out.

init conf

As we already know “katie” user is a part of “developers” group so I am interested in only those files. If we read the content of these files then all are same.

test.conf

This current user has permission to edit these file. So we can add a bash command to run it. We need to first stop the job in order to edit/start.

stop job

So, I am going to add my SSH public key to root’s authorized key file and we can login root using SSH.

copy public key

After editing the test.conf file, start the job once again.

start job

Now we can SSH into target machine through root user and retrieve root flag.

root flag

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was unique target with unique vulnerability.

Reference

https://www.digitalocean.com/community/tutorials/the-upstart-event-system-what-it-is-and-how-to-use-it