Spectra — HackTheBox Writeup
This is a practical walkthrough of the “Spectra” machine from HackTheBox. Credit goes to egre55 for making this machine available to us; base points are 20 for this machine.
Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.
Synopsis
“Spectra” is marked as an easy-difficulty machine that features Apache hosting an issue tracker and a WordPress website. The homepage has links to Issue Tracker and Testing Website. The former takes us to the WordPress website and the latter takes us to a testing website. Because it is a testing website, several of its configuration files are exposed to public users. Using the password and username from the exposed config file, we can log in to the WordPress admin account, upload our custom PHP code and get a reverse shell. After initial access we find a configuration file which reveals the path to a stored password, and using that password we can log in as another user. That user has permission to execute a binary as root using sudo, which we can leverage to escalate our privileges.
Skills Required
- Web Enumeration
- Linux Enumeration
Skills Learned
- Manual Privilege Escalation
Enumeration
Nmap reveals SSH (22), HTTP (80), MySQL (3306) and Alternate HTTP (8081). BTS, I ran gobuster, checked the robots.txt file, and basically did every normal enumeration to find extra details; unfortunately, there’s nothing that interests us. Let’s visit the HTTP service.
The first link takes us to the WordPress site, where we have a single post by “administrator”, possibly a username.
The second link takes us to a testing website which outputs a DB error.
Let’s first enumerate the WordPress site for usernames and for any vulnerabilities in themes or plugins.
The WordPress version is 5.4.2 and its theme version is 1.2; both are outdated. We also got confirmation of the username.
BTS, I ran password cracking on the WordPress login and unfortunately I wasn't able to crack the password.
Let’s check the testing website for any juicy information.
The testing website is completely exposed. If we click the .save config file and view the page source, we get the DB information.
We got the DB password, which we can try on the target machine. BTS, I tried to authenticate via MySQL and it didn't work. So, I tried it on the WordPress login using “administrator” as the username.
Once you are in the WP account, access “theme editor” from the “appearance” section and select the “twenty seventeen” theme.
BTS, I tried uploading custom PHP on the “twenty twenty” theme but for some reason it didn’t upload through here.
Once you are in the “twenty seventeen” theme editor, select “404 Template” from “Theme Files”. Here we have to upload our custom PHP code to get a reverse connection. You can use PentestMonkey’s PHP code for this. Change IP:Port, paste the whole code in the editor and update it.
Set up a netcat listener.
Now visit the following link to execute our PHP code.
Aight, *hacker voice*, we are in. We got our initial access. Now we need to move around and find misconfigurations to escalate our privileges. This host machine is a “Chrome OS”, so I wasn't able to run “LinPeas”.
A manual search turns up a configuration file which reveals the path to the password file.
As you can read, this is an autologin configuration file. It reads a password from a specific path, /etc/autologin. We can retrieve that password and log in to another user account.
Now we can SSH in as the “katie” user, and this user is part of another group called “developers”.
Get the user flag.
Let’s check whether the root user has granted us permission to run any binaries as root.
We have a system binary (initctl) which we can run as the root user without a password. It is a system binary that only system administrators have permission to run, as it allows interacting with Upstart, which handles jobs and events.
All init configurations are in the /etc/init directory. This directory has a lot of configuration files, so we have to sort through them.
As we already know, the “katie” user is part of the “developers” group, so I am interested only in that group's files. If we read these files, their contents are all the same.
The current user has permission to edit these files, so we can add a bash command for the job to run. We first need to stop the job in order to edit and start it.
So, I am going to add my SSH public key to root’s authorized keys file, and then we can log in as root using SSH.
After editing the test.conf file, start the job once again.
Now we can SSH into the target machine as the root user and retrieve the root flag.
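The escalation works because job files in /etc/init were editable by a non-root group while initctl could be run as root through sudo. A check for that condition follows as an added example, not part of the original writeup; the function name audit_job_dir and its parameters are hypothetical.

```python
import os
import stat
import sys


def audit_job_dir(job_dir="/etc/init", trusted_uid=0, trusted_gids=(0,)):
    """Return (path, reasons) for job files a non-root account could alter.

    trusted_uid / trusted_gids are assumptions of this example: the only
    owner and groups allowed to hold write access (root by default).
    """
    findings = []
    # The directory itself counts: write access to it allows replacing any job.
    # Only top-level entries are checked; a subdirectory is judged by its own mode.
    targets = [job_dir] + sorted(
        os.path.join(job_dir, name) for name in os.listdir(job_dir)
    )
    for path in targets:
        st = os.lstat(path)  # lstat so a symlink is reported, not followed
        reasons = []
        if stat.S_ISLNK(st.st_mode):
            # The link target lies outside this audit, so flag it for review.
            reasons.append("symlink to " + os.readlink(path))
        else:
            if st.st_uid != trusted_uid:
                reasons.append("owner uid %d" % st.st_uid)
            if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
                reasons.append("writable by gid %d" % st.st_gid)
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Optional first argument: directory to audit (defaults to /etc/init).
    for path, reasons in audit_job_dir(*sys.argv[1:2]):
        print("%s: %s" % (path, "; ".join(reasons)))
```

Any finding here matters most on hosts where sudoers also lets an unprivileged user start or stop jobs, since every job the init system runs executes as root.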
We got all the flags required to complete this machine.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.