Hackthebox Spectra writeup

4.9
(7)

Introduction

It is easy machine from hackthebox. Which includes little web directory enumeration which leads to password leaks. Then with the help of msfconsole we get initial shell . After some basic enumeration gets password for a ssh user. Followed by privilege escalation by abusing sudo rights in this it was initctl.

Steps involved

1-Port Scan
2-Basic web directory enumeration
3-Password leaking
4-Getting initial shell
5-Basic enumeration 
6-Getting user flag
7-Abusing initctl for privilege escalation 

Lessons learned

1-Basic port scan
2-Web Directory enumeration
3-Using metasploit 
4-Linux enumeration
5-Exploitation of initctl for privilege escalation 

Port Scan

Hackthebox Spectra writeup

Port scanning reveals that there are 3 ports open . 22, 80 and 3306 .So as always Starting with the port 80.

But before the make sure to add the machine domain to the /etc/hosts file.

Hackthebox Spectra writeup

Basic web directory enumeration

I used curl to see the web pages as due to the heavy traffic side was very slow.

Here I got two links .More over two directories also /testing and /main.

Hackthebox Spectra writeup

Let’s see the /main link first . Looks like it’s running wordpress . But nothing special There so I checked the second .

Hackthebox Spectra writeup

Here it shows Error establishing a database connection

It means something is wrong in this directory .

By doing basic enumeration I checked for the directory /testing/. And I got some interesting files in there.

Hackthebox Spectra writeup

Password leaking

The one which attracted my eyes the most is wp-config.php.save as it had the config file with a different extension unlike others.

Hackthebox Spectra writeup

So I curled it and got username and password .

For making the process fast and clear I used grep command .

Hackthebox Spectra writeup

Getting initial shell

So We already there is a wordpress website running in the /main directory . We also know that login page for wp is wp-login or wp-admin.

I tried them and I was redirected to a login .

Where I used the leaked credentials form wp-config.php.save

But it seems that it doesn’t work.

Hackthebox Spectra writeup

So I used administrator for logging . I used administrator because it is very command user name used wordpress website or many other CMS as well.

Hackthebox Spectra writeup

And this I got the success and logged into the wordpress administrator account .Then I tried to get the reverse shell by uploading a reverse php shell in 404.php of the theme . But it didn’t worked.

Hackthebox Spectra writeup

So now it was time to search for a module on the msfconsole to get the reverse shell.

msf6 > search wp
Hackthebox Spectra writeup

Got an exploit which looked perfect for the work.

So I used the Module with the following options.

Hackthebox Spectra writeup

After running it 10-15 time . I was able to get a meterpreter shell as nginx .

Hackthebox Spectra writeup

Basic enumeration

Now we are in the machine. So the next step was doing enumeration .

And got an autologin.conf.orig file inside the /opt directory .

Hackthebox Spectra writeup

Inside the autologin.config.orig saw a line /etc/autologin which is providing the password to the script .

So I checked if I could get something from there . And luckily got the password in plain text.

Hackthebox Spectra writeup

Now though we have the password we need to search for the right user to login.

The best way is to check out the /etc/passwd list and see who has a home directory .

Hackthebox Spectra writeup

Getting User Flag

The user Katie Looks like a potential user . So I reused the password with the Katie user in SSH .

And got the SSH shell successful . And here we have our user flag.

Abusing initctl for privilege escalation

Now it was time for privilege escalation .

Whenever I Have password for a user in linux I first of all check for the Sudo permission on the user .

With Sudo -l command.

And we can run /sbin/initctl as root .

Google is our best friend so I googles and came to know How to Exploit it.

Steps

1- List the processes 
2-Stop the test process
3-Edit the /etc/init/test.conf file
4-And run it again 
sudo /sbin/initctl list 
sudo /sbin/initctl stop test
Hackthebox Spectra writeup

Now just Editing the Script We can make the /bin/bash as a SUID to get root easily.

Hackthebox Spectra writeup

And Now we need to just restart the machine and type in /bin/bash -p to get into root easily and get the root the flag

Hackthebox Spectra writeup

Thanks for reading Have a nice Day . If have any question use our chat bot See FAQ or directly send email through Chatbot.

How useful was this post?

Click on a star to rate it!

Average rating 4.9 / 5. Vote count: 7

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Comment

X
wpChatIcon
0 Shares
Tweet
Share
Share
Pin