In this post, I would like to share a walkthrough of the Spectra machine.
This machine is rated as EASY difficulty.
Information Gathering on Spectra
Once the VPN connection is up, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
There are a lot of open ports on this machine.
First, we need to add the IP address to the /etc/hosts file.
Let's open the browser and go straight to the website interface.
There are two links that we can try later.
Based on my experience, the website interface looks like WordPress. Normally, wp-admin is the location of the default WordPress login page.
Gaining Access on Spectra Machine
However, I don't have credentials (a username and password) yet.
The other link leads us to an index directory that contains all the files normally used by WordPress.
When we open the wp-config.php file, we are presented with the error "Error establishing a database connection".
Let's move one directory back and see what's stored there. We cannot see anything on the interface.
Let's test our luck by checking the source code of the page.
Inside the source code, there is a username and password that might be useful.
Let's try the username and password we found on the WordPress login page.
The credentials we gained are not entirely correct. We get the error "Unknown username", which means that only the username is wrong here.
Let's execute a wpscan command such as wpscan --url spectra.htb/main -e u to get the login username.
We are notified that administrator is a valid username on the machine.
Enumerate the WordPress dashboard
Let's try logging in using the credentials mentioned above.
We manage to log in to the WordPress dashboard, as shown above.
Normally, I would place a reverse shell in Appearance > Theme Editor > 404.php.
We can paste the PHP reverse shell into 404.php, changing the IP address and port.
Looking back at the nc listener, we still have not received the reverse shell connection.
We will try a different theme; I will be using Twenty Seventeen.
We can go to a URL such as spectra.htb/main/wp-content/themes/twentyseventeen/404.php
I managed to get the reverse shell connection back to us.
Normally, there is something fishy hidden in the /opt directory, and we notice that autologin.conf.orig looks suspicious.
Reading the source code carefully, we notice the /etc/autologin directory, which is worth looking into.
Oh wow! There is a file called passwd saved in that directory.
Oh wow! We get a password for something, although I am still not sure of its purpose here. We should be looking for the username and what the password is for.
Let's read a file such as /etc/passwd, where we might find a user that we can use.
We did find the username Katie stored on the machine. We will go back to the nmap output to see whether any open port accepts these credentials.
I found that the SSH service port is open. So, let's SSH into the machine using credentials such as katie and SummerHereWeCome!!
We are logged into the machine via SSH. We should be able to read the user flag with the command "cat user.txt".
I got the user flag and slapped it into the HTB website.
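Three of the footholds above came from secrets that were readable where they should not have been: the credentials in an HTML comment of the page source, the wp-config.php reachable through a directory listing, and the world-readable /etc/autologin/passwd. The POSIX shell script below is an added defender-side check written for this post; it is not part of the original walkthrough or of the machine. It assumes the file name patterns and keyword list shown, and takes the page and directory paths as arguments so it can be run against a scratch copy. The sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): look for the three kinds
# of credential leak seen on this box. Paths are arguments so the check can run
# on a test copy; the name patterns and keyword list are assumptions.

# Print HTML comments from FILE that mention credential-like words.
# Lines are joined first so that multi-line comments are matched as one unit.
html_comment_secrets() {
    file="$1"
    tr '\n' ' ' < "$file" \
        | grep -oE '<!--([^-]|-[^-])*-->' \
        | grep -iE 'user|pass|key|token' || true
}

# List files under ROOT that look like secrets or config backups and carry the
# "other read" bit (0004), which is what let them be read on this machine.
exposed_secret_files() {
    root="$1"
    find "$root" -type f \
        \( -name 'wp-config.php*' -o -name '*.orig' -o -name '*.bak' \
           -o -path '*/autologin/*' \) \
        -perm -004 2>/dev/null | sort
}

# Run both checks; print a summary and return non-zero when anything was found.
audit_exposure() {
    page="$1"
    root="$2"
    comments=$(html_comment_secrets "$page")
    files=$(exposed_secret_files "$root")
    rc=0
    if [ -n "$comments" ]; then
        echo "WARN: credential-like HTML comments:"
        echo "$comments"
        rc=1
    fi
    if [ -n "$files" ]; then
        echo "WARN: world-readable secret/backup files:"
        echo "$files"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: nothing found"
    return "$rc"
}

# Usage: sh audit_exposure.sh saved-page.html /path/to/webroot-or-fs-copy
if [ "$#" -eq 2 ]; then
    audit_exposure "$1" "$2"
fi
```

The HTML comment check is deliberately crude: it only flags comments that contain a keyword, so it is a quick triage aid for a saved copy of a page rather than a scanner. The file check uses the mode bit rather than trying to open each file, so it can be run by a low-privileged account without triggering reads of the secrets themselves.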
Escalate to Root Privilege Access
Let's see if there is any SUID that we can use to escalate to root.
There's an initctl service that we can use. We should research the service to see what it can and cannot do.
After some research on the machine, let's open /etc/init, which we can use.
There are a lot of files that we can see here.
The file that caught my attention is shown above. Let's see what is written in test.conf.
The screenshot above shows the original source code that you will be able to see.
We need to stop and start the job with initctl by executing sudo /sbin/initctl stop test (stop) and sudo /sbin/initctl start test (start).
Let's tweak the source code a little between script and end script.
Let's run /bin/bash -p, but nothing happens. We will have to re-execute the step above.
If all the steps above succeed, we will see something like the screenshot above.
After we manage to run /bin/bash -p, we can verify our current privileges by running the id command. We are in a root privilege context when we see euid=0(root) egid=0(root) groups=0(root)
Let's read the root flag stored in the /root/ directory as usual.
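The escalation above depended on two conditions being true at the same time: a job file under /etc/init that a non-root user could edit, and a sudo rule that let that user restart the job with initctl. The script below is an added audit for those two conditions, written for this post and not taken from the machine or the original walkthrough. The /etc/init and /etc/sudoers defaults and the sudoers line format it matches are assumptions, and both paths are parameters so the check can be run against a copy; the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit the two conditions
# behind the initctl privilege escalation. Defaults point at the real Upstart
# locations; pass other paths to run against a copy.

# List job files in INIT_DIR that are group-writable (0020) or world-writable
# (0002). Either lets a non-root user change what runs as root on restart.
writable_init_jobs() {
    init_dir="${1:-/etc/init}"
    find "$init_dir" -maxdepth 1 -type f -name '*.conf' \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Print sudoers lines that grant initctl without a password.
# The line format assumed here is the plain "user HOST=(RUNAS) NOPASSWD: cmd".
initctl_sudo_rules() {
    sudoers="${1:-/etc/sudoers}"
    grep -h 'NOPASSWD' "$sudoers" 2>/dev/null | grep 'initctl' || true
}

# Run both checks; print a summary and return non-zero when either one fires.
audit_init_jobs() {
    init_dir="${1:-/etc/init}"
    sudoers="${2:-/etc/sudoers}"
    job_files=$(writable_init_jobs "$init_dir")
    rules=$(initctl_sudo_rules "$sudoers")
    rc=0
    if [ -n "$job_files" ]; then
        echo "WARN: init job files editable by non-root users:"
        echo "$job_files"
        rc=1
    fi
    if [ -n "$rules" ]; then
        echo "WARN: passwordless initctl via sudo:"
        echo "$rules"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no editable init jobs or initctl sudo rules"
    return "$rc"
}

# Usage: sh audit_init_jobs.sh --audit   (run as root to read /etc/sudoers)
if [ "${1:-}" = "--audit" ]; then
    audit_init_jobs
fi
```

A single finding from either check is worth fixing on its own, but the pair together is the actual risk: a writable job file is harmless if nobody can restart the job, and a sudo rule for initctl is harmless if every job file is root-only. The fix on a real host is to make the job files mode 0644 owned by root and to remove or narrow the sudo rule.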
Happy Learning, Guys!