Spectra
Spectra is an easy machine from Hack The Box.
Enumeration
The OS version for this box is unknown, so let’s see if nmap returns anything in that vein.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp open http nginx 1.17.4
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
No OS information, but I can see MySQL running, in addition to a web server and SSH.

The homepage doesn’t reveal much, and the “Test” link throws a “database connection” error, but reveals a “/testing” directory. Clicking through to “Software Issue Tracker” brings up the main WordPress page.

If I go to “/testing” I can see the directory listing of WordPress files.

Trying to view wp-config.php throws a database connection error, but wp-config.php.save brings up a blank page. Viewing the source of the page reveals its contents:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );
/** MySQL database username */
define( 'DB_USER', 'devtest' );
/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
Looks like I have a MySQL database name and associated creds.
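The root cause here is an editor or backup copy of wp-config.php left in the web root: nginx only hands .php files to the PHP interpreter, so wp-config.php.save is served as a static file with the credentials in it. The following audit script is an added example written for this writeup, not a tool from the page; it assumes a POSIX sh with find(1), takes a web root as its argument, and builds a constructed sample tree so it can be exercised offline.

```shell
#!/bin/sh
# Audit a web root for backup or editor copies of wp-config.php and similar
# files that the web server would hand out as plain text. Hypothetical
# script, not from the writeup; assumes POSIX sh and find(1).

# List files under $1 whose name is a backup-style variant: wp-config.php
# with any extra suffix (.save, .bak, ~, ...), a vim swap file, or any
# *.bak/*.save/*.old/*.orig anywhere in the tree. The live wp-config.php
# itself is not reported.
find_config_backups() {
    find "$1" -type f \( -name 'wp-config.php.*' -o -name 'wp-config.php~' \
        -o -name '.wp-config.php.swp' -o -name '*.bak' -o -name '*.save' \
        -o -name '*.old' -o -name '*.orig' \) 2>/dev/null | sort
}

# Number of findings, handy as a cron or CI gate (non-zero means fix it).
count_config_backups() {
    find_config_backups "$1" | grep -c . || true
}

# Constructed sample tree mirroring the layout on the page (/testing holds
# the WordPress install) so the check can be run without a real web root.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/testing/wp-content"
    : > "$dir/index.html"
    : > "$dir/testing/wp-config.php"          # live config, executed by PHP
    : > "$dir/testing/wp-config.php.save"     # editor copy, served verbatim
    : > "$dir/testing/wp-content/theme.bak"   # stray backup, also flagged
    printf '%s\n' "$dir"
}

# Usage: . ./audit.sh; find_config_backups /var/www/html
```

Running `find_config_backups` against the constructed tree reports wp-config.php.save and theme.bak but not the live wp-config.php. The file-level check complements, rather than replaces, a server-side rule that refuses to serve anything named wp-config.php* and a directory-listing setting of off, which is what would have hidden the /testing listing in the first place.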
I ran WPScan to enumerate WordPress further and found a single user, administrator, who is the author of the only post on the site.
I tried to log in to the “wp-admin” panel with administrator:devteam01, and got in!
Initial Foothold
I did some searching around and found an exploit script that generates a malicious plugin. Uploading that plugin through the admin panel and activating it should give me a reverse shell.

Got a shell! Time to do some digging.
I am on as the user nginx with not a whole lot of functionality. Looking at the /home directory, there are a few users I may be able to use to elevate my privileges.
I didn’t find anything of value in the SQL server, but maybe linPEAS will find something.
After transferring linPEAS from my machine to spectra and running the script, I might have found another password:
/etc/autologin/passwd
-rw-r--r-- 1 root root 19 Feb 3 16:43 /etc/autologin/passwd
SummerHereWeCome!!
autologin is using this password to log a particular user in, but I’m not sure who. I’ll create a list of users and use hydra to test that password against each of them via SSH.
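From the defender's side, a password sprayed across a list of users over SSH leaves a distinctive trace in the auth log: many failed logins from one source address, each for a different username, followed by a success. The detector below is an added example for this writeup, not something from the page or from linPEAS; it assumes POSIX sh and awk, reads sshd "Failed password" / "Accepted password" lines, and ships with a constructed log so it runs offline (the host name, addresses and usernames in it are made up).

```shell
#!/bin/sh
# Detect SSH password-spray activity in an auth log and report whether any
# spraying source later logged in successfully. Hypothetical example, not
# from the writeup; assumes POSIX sh and awk.

# Flag source IPs whose failed-password attempts span at least $2 distinct
# usernames (one secret tried against many users). Prints "IP count".
spray_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The user is the word before "from"; invalid users carry an extra
            # "invalid user" prefix, so locate "from" rather than a fixed column.
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1); break }
            key = ip SUBSEP user
            if (!(key in seen)) { seen[key] = 1; n[ip]++ }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' "$1" | sort
}

# For every flagged source, print successful logins from the same address:
# spray followed by acceptance is the event worth paging on.
accepted_from_sprayers() {
    spray_sources "$1" "$2" | while read -r ip _; do
        grep -F "Accepted " "$1" | grep -F " from $ip " || true
    done
}

# Constructed sample log: one address tries three different users and then
# gets in as katie; a second address has a single failure (normal noise).
make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Feb  3 16:50:01 spectra sshd[1201]: Failed password for invalid user nginx from 10.10.14.5 port 41000 ssh2
Feb  3 16:50:01 spectra sshd[1202]: Failed password for root from 10.10.14.5 port 41002 ssh2
Feb  3 16:50:01 spectra sshd[1203]: Failed password for invalid user dev from 10.10.14.5 port 41004 ssh2
Feb  3 16:50:02 spectra sshd[1204]: Failed password for root from 10.10.14.5 port 41006 ssh2
Feb  3 16:50:02 spectra sshd[1205]: Accepted password for katie from 10.10.14.5 port 41010 ssh2
Feb  3 16:51:30 spectra sshd[1300]: Failed password for katie from 10.10.14.9 port 50000 ssh2
EOF
    printf '%s\n' "$log"
}

# Usage: . ./spray.sh; accepted_from_sprayers /var/log/auth.log 3
```

With a threshold of 3 the sample flags only 10.10.14.5 (three distinct users, the repeated root attempt counts once) and surfaces the later "Accepted password for katie" line from it; 10.10.14.9 stays below the threshold. Counting distinct users per source, rather than raw failures, is what separates a spray from an ordinary mistyped password.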

katie is the lucky winner.

SSH in as katie and I’ve found a user flag.
Privilege Escalation
Now that I’m on as a “real” user, with a real terminal, I’ll run sudo -l to see what permissions katie has.
User katie may run the following commands on spectra:
(ALL) SETENV: NOPASSWD: /sbin/initctl
katie can run /sbin/initctl as root. Let’s take a look at which jobs she might be able to modify.
katie is a member of the developers group:

It appears the developers group has write access to quite a few jobs. I can edit one of these and then execute initctl as root to elevate my privileges.

Open test.conf, add a line that sets the SUID bit on /bin/bash, and restart the job with sudo /sbin/initctl start test.


Drop into a new shell, and I am indeed root.
Running /bin/bash -p keeps the effective UID of root instead of dropping back to katie's real UID, which is why the new shell is root.
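The escalation chain above needs three things at once: a sudo rule handing initctl to a non-root user, an Upstart job file that user's group can edit, and a shell binary that a job can later mark SUID. The audit below is an added example written for this writeup, not part of the page or of initctl; it assumes POSIX sh and find(1) and builds a constructed fixture (sudoers file, job directory, bin directory) so it can be run without touching the host. The SETENV tag it reports is sudo's permission for the caller to set environment variables for the command, which broadens what an allowed command can be made to do.

```shell
#!/bin/sh
# Hardening audit for the initctl path: sudo rules granting initctl, Upstart
# job files writable by non-owners, and SUID shell binaries. Hypothetical
# example, not from the writeup; assumes POSIX sh and find(1).

# 1. Non-comment sudoers lines that mention initctl. Any SETENV or NOPASSWD
#    tag on such a line should be questioned.
sudoers_initctl_rules() {
    grep -E 'initctl' "$1" | grep -vE '^[[:space:]]*#' || true
}

# 2. *.conf job files under $1 that are group- or world-writable. Because
#    the job is started by a root-run initctl, write access to the file is
#    effectively root.
writable_job_files() {
    find "$1" -type f -name '*.conf' \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# 3. SUID shell binaries under each directory given, the artefact the
#    escalation leaves behind.
suid_shells() {
    for d in "$@"; do
        find "$d" -type f -perm -4000 \( -name bash -o -name sh -o -name dash \) 2>/dev/null
    done | sort
}

# Constructed fixture mirroring the findings on the page: a SETENV/NOPASSWD
# initctl rule, one group-writable job, and a SUID bash.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/init" "$dir/bin"
    cat > "$dir/sudoers" <<'EOF'
# constructed sample sudoers
root ALL=(ALL) ALL
katie ALL=(ALL) SETENV: NOPASSWD: /sbin/initctl
EOF
    : > "$dir/init/test.conf"; chmod 664 "$dir/init/test.conf"   # group-writable
    : > "$dir/init/cron.conf"; chmod 644 "$dir/init/cron.conf"   # owner-only write
    : > "$dir/bin/bash";       chmod 4755 "$dir/bin/bash"        # SUID shell
    : > "$dir/bin/ls";         chmod 755 "$dir/bin/ls"
    printf '%s\n' "$dir"
}

# Usage on a real host (as root):
#   sudoers_initctl_rules /etc/sudoers; writable_job_files /etc/init; suid_shells /bin /usr/bin
```

Against the fixture, the audit reports the katie rule, init/test.conf as writable, and bin/bash as SUID, while cron.conf and ls pass. Any one of the three findings on a real host is worth fixing on its own: drop the sudo rule or restrict it to specific job names, make job files root-owned and mode 644, and clear the SUID bit from any shell.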