In this post, i would like to share a walkthrough of the Spectra Machine.

This room has been considered difficulty rated as an EASY machine

Information Gathering on Spectra

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN 

There are a lot of ports open for this machine

Firstly, we need to add the IP Address to the /etc/hosts file

Let’s open the browser and straight into the website interface.

There’s two link that we can try later.

Based on my experience, the website interface looks like to be WordPress. Normally, wp-admin is the location of the default login page for WordPress.

Gaining Access on Spectra mamcchine

However, I don’t have the credentials for the username and password

Another link lead us to an index directory which contain all file that normally use by WordPress

When we open the wp-config.php file, we are presented with the error “Error establishing a database connetion”

Let’s move one directory backwards and see what’s stored inside. We cannot see anything on the interface.

Let’s test our luck by checking the source code of the interface.

Inside the source code, there’s username and password that might be useful

Let’s try the username and password that we found on the login page of WordPress

The credentials that we gains is not totally correct. We get error “Unknown username” which mean that only the username is incorrect over here.

Let’s execute wpscan command such as wpsan –url spectra.htb/main -e u to get the username of the login.

We have been notified that administrator is valid in the machine.

Enumerate the WordPress dashboard

Let’s try login in using the credentials mention above.

We manage to login to WordPress Dashboard as shown above.

Normally, i will use reverse shell on Appearance > Theme Editor > 404.php

We can copy-paste the PHP reverse shell on the 404.php by changing IP Address and Port

While looking into nc listener back, we still not get back the reverse shell connection

We will try on different theme which i will be using Twenty Seventeen

We can go to the url such as spectra.htb/main/wp-content/themes/twentyseventeen/404.php

I managed to get back the reverse shell connection to us

Normally, there should be something fishy hidden on /opt directory and we notice that autologin.conf.orig look suspicious

While we read the source code carefully, we notice that /etc/autologin directory that worth to look into.

Oh wow! There is a file called passwd saved in the directory

Oh wow! We get the password for something which i still ensure the purpose of the password here. We should be looking for the username and the purpose of the password

Let’s read the file such as /etc/passwd which we might find any user that we can use

We did find the username Katie that stored in the machine. We will be going back to nmap result output whether any port opens for credentials to be used.

Maintaining Access

I found out that ssh service port is open. So, let’s ssh the machine using credentials such as katie and SummerHereWeCome!!

We are logged in the machine via ssh. We should be able to read the user flag by using the command “cat user.txt”

I got the user flag and slap it inside the HTB website.

Escalate to Root Privileges Access

Let’s see any SUID that we can use to escalate to root


There’s initctl service that we can use. We should be researching the service to see what the service can do and cannot do.

After some research on the machine, let’s open /etc/init that we can use

There’s a lot of file that we can see here.

The file that caught my attention is shown above. Let’s see what is written in the test.conf

The screenshot above is the original source code that you will be able to see

We need to stop and start the initcctl by execute sudo /sbin/initctl stop test (stop) and sudo /sbin/initctl start test ( start)

Let’s tweet the source code a little bit between the script and end script

Let’s run the /bin/bash -p but nothing happen. We will have to re-execute back the step above

If all the step above is successfully, we will see something like the screenshot above.

After we manage to run /bin/bash -p, we can verify on the current location by running id command. We can be considered inside root privileges access when you see euid=0(root) egid=0(root) groups=0(root)

Let’s read the root user kat stored at /root/ directory as usual


Happy Learning Guys!