Spectra - HackTheBox
Start with an Nmap scan to see what ports the machine has open.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sS -p- --open --min-rate=5000 -Pn -n 10.10.10.229 -oG allPorts
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-27 00:02 CEST
Nmap scan report for 10.10.10.229
Host is up (0.052s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
Run a second scan with default scripts and version detection to identify the service on each open port.
┌─[root@parrot]─[/home/wackyhacker/Desktop]
└──╼ nmap -sC -sV -p22,80,3306 10.10.10.229 -oN targeted
Starting Nmap 7.80 ( https://nmap.org ) at 2021-06-27 00:04 CEST
Nmap scan report for spectra.htb (10.10.10.229)
Host is up (0.057s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp open http nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.36 seconds
I started by looking at the web server, as there was little I could do with ports 22 and 3306.
Clicking on one of the links on the page suggested that virtual hosting was in use.
I also checked the page source to see whether more than one domain was referenced.
Add the domain to /etc/hosts so that the hostname resolves to the machine's IP and you can see what the website actually serves.
It was a WordPress site.
I checked whether the login panel was reachable, and it was.
At this point I went back to the original site to enumerate it more thoroughly.
At first glance, nothing relevant stands out.
But looking at the URL suggested that directory listing was enabled; browsing to "testing" did indeed list the files in that directory.
The WordPress configuration file, which usually contains the database credentials, was there, so I opened it.
The rendered page looks empty, but viewing the page source reveals its contents.
I tried to authenticate with the username and password from that file, but with no luck.
Using the administrator username with that password, I was authenticated.
Now all that remained was getting a shell. I thought about editing the 404 error template, but the editor would not let me modify it.
Switching to a different theme worked.
But that first reverse shell did not call back, so I had to replace it; the Pentestmonkey one worked. I requested "http://10.10.10.239/main/wp-content/themes/twentynineteen/404.php", received the reverse shell on port 443, and upgraded it to a full TTY to work more comfortably.
I tried to view the user flag but did not have permission; apparently I had to become the user katie.
After a little enumeration of the system I found a script in "/opt".
I read what it was doing and found a path where a file called "passwd" was stored; I viewed it and found a text string.
The machine had SSH enabled, so I tried authenticating and had no luck.
PRIVILEGE ESCALATION
Now I was able to view the user flag. I checked whether I could run anything as root with the sudo -l
command and found that I had the ability to run initctl.
initctl lets us manage jobs, so I thought about running the binary with sudo. initctl works with the service configuration files in /etc/init, so I modified one of those services so that it set the SUID bit on bash.
After saving the file and starting the service, bash had the SUID bit set, so I ran bash -p
and got root access.
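From the defender's side, the two conditions that made this escalation possible are a job file under /etc/init that a low-privileged user can edit (combined with sudo rights on initctl) and a shell binary carrying the setuid bit. The following audit script is an added example, not part of the original writeup; it checks both conditions against a constructed temporary directory tree that stands in for /etc/init and /bin, so the paths and sample files are assumptions for demonstration.

```python
import os
import stat
import tempfile

SHELLS = {"bash", "sh", "dash", "zsh"}  # shells that must never be setuid


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_jobs(init_dir):
    """Job files under init_dir that a non-owner can edit. If initctl is
    allowed through sudo, each one is a path to running commands as root."""
    return [os.path.join(init_dir, n) for n in sorted(os.listdir(init_dir))
            if n.endswith(".conf") and writable_by_others(os.path.join(init_dir, n))]


def find_suid_shells(bin_dir):
    """Shell binaries in bin_dir carrying the setuid bit (what 'bash -p' relies on)."""
    return [os.path.join(bin_dir, n) for n in sorted(os.listdir(bin_dir))
            if n in SHELLS and os.stat(os.path.join(bin_dir, n)).st_mode & stat.S_ISUID]


def build_sample_tree():
    """Constructed throwaway tree: a writable job file and a setuid bash,
    plus a correctly permissioned job and shell as controls."""
    root = tempfile.mkdtemp()
    init_dir, bin_dir = os.path.join(root, "etc", "init"), os.path.join(root, "bin")
    os.makedirs(init_dir)
    os.makedirs(bin_dir)
    for name, mode in (("test.conf", 0o666), ("sshd.conf", 0o644)):
        path = os.path.join(init_dir, name)
        with open(path, "w") as f:
            f.write("exec /bin/true\n")
        os.chmod(path, mode)
    for name, mode in (("bash", 0o4755), ("sh", 0o755)):
        path = os.path.join(bin_dir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return init_dir, bin_dir


if __name__ == "__main__":
    init_dir, bin_dir = build_sample_tree()
    print("writable job files:", find_writable_jobs(init_dir))
    print("setuid shells:", find_suid_shells(bin_dir))
```

On a real host, point the two finder functions at /etc/init and the system bin directories and treat any hit as a finding to fix (tighten the file mode or remove the setuid bit) rather than something to tolerate.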