Introduction
It is easy machine from hackthebox. Which includes little web directory enumeration which leads to password leaks. Then with the help of msfconsole we get initial shell . After some basic enumeration gets password for a ssh user. Followed by privilege escalation by abusing sudo rights in this it was initctl.
Steps involved
1-Port Scan
2-Basic web directory enumeration
3-Password leaking
4-Getting initial shell
5-Basic enumeration
6-Getting user flag
7-Abusing initctl for privilege escalation
Lessons learned
1-Basic port scan
2-Web Directory enumeration
3-Using metasploit
4-Linux enumeration
5-Exploitation of initctl for privilege escalation
Port Scan
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc1-1024x442.png)
Port scanning reveals that there are 3 ports open . 22, 80 and 3306 .So as always Starting with the port 80.
But before the make sure to add the machine domain to the /etc/hosts file.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc2-1024x470.png)
Basic web directory enumeration
I used curl to see the web pages as due to the heavy traffic side was very slow.
Here I got two links .More over two directories also /testing and /main.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc21-1024x327.png)
Let’s see the /main link first . Looks like it’s running wordpress . But nothing special There so I checked the second .
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc3-1024x475.png)
Here it shows Error establishing a database connection
It means something is wrong in this directory .
By doing basic enumeration I checked for the directory /testing/. And I got some interesting files in there.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc4-1024x291.png)
Password leaking
The one which attracted my eyes the most is wp-config.php.save as it had the config file with a different extension unlike others.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sx5-1024x718.png)
So I curled it and got username and password .
For making the process fast and clear I used grep command .
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc5-1024x315.png)
Getting initial shell
So We already there is a wordpress website running in the /main directory . We also know that login page for wp is wp-login or wp-admin.
I tried them and I was redirected to a login .
Where I used the leaked credentials form wp-config.php.save
But it seems that it doesn’t work.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc7-1024x614.png)
So I used administrator for logging . I used administrator because it is very command user name used wordpress website or many other CMS as well.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc8-1024x601.png)
And this I got the success and logged into the wordpress administrator account .Then I tried to get the reverse shell by uploading a reverse php shell in 404.php of the theme . But it didn’t worked.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc9-1024x503.png)
So now it was time to search for a module on the msfconsole to get the reverse shell.
msf6 > search wp
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc10-1024x360.png)
Got an exploit which looked perfect for the work.
So I used the Module with the following options.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc11-1024x498.png)
After running it 10-15 time . I was able to get a meterpreter shell as nginx .
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc12-1024x573.png)
Basic enumeration
Now we are in the machine. So the next step was doing enumeration .
And got an autologin.conf.orig file inside the /opt directory .
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc20-1024x671.png)
Inside the autologin.config.orig saw a line /etc/autologin which is providing the password to the script .
So I checked if I could get something from there . And luckily got the password in plain text.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc14.png)
Now though we have the password we need to search for the right user to login.
The best way is to check out the /etc/passwd list and see who has a home directory .
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc15-1024x212.png)
Getting User Flag
The user Katie Looks like a potential user . So I reused the password with the Katie user in SSH .
And got the SSH shell successful . And here we have our user flag.
![](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc19-1024x390.png)
Abusing initctl for privilege escalation
Now it was time for privilege escalation .
Whenever I Have password for a user in linux I first of all check for the Sudo permission on the user .
With Sudo -l command.
And we can run /sbin/initctl as root .
Google is our best friend so I googles and came to know How to Exploit it.
Steps
1- List the processes
2-Stop the test process
3-Edit the /etc/init/test.conf file
4-And run it again
sudo /sbin/initctl list sudo /sbin/initctl stop test
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc18.png)
Now just Editing the Script We can make the /bin/bash as a SUID to get root easily.
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc16.png)
And Now we need to just restart the machine and type in /bin/bash -p to get into root easily and get the root the flag
![Hackthebox Spectra writeup](https://www.whatinfotech.com/wp-content/uploads/2021/04/sc17.png)