Spectra HTB Writeup

Viren Saroha
4 min read · Jun 25, 2021

Hi everyone, this is my writeup for the box “Spectra” found on HackTheBox.

Overview: Getting credentials from wp-config.php.save, WordPress shell upload, privilege escalation using initctl.

Machine IP Address : 10.10.10.229

Part 1 : Recon

1. Starting off with an Nmap Scan to get information about the open ports.

nmap -sC -sV -Pn 10.10.10.229

We get the following results from the nmap scan.

We have 3 Ports open :

Port 22 : Running OpenSSH 8.1

Port 80 : Running nginx/1.17.4

Port 3306 : Running MySQL

2. Before enumerating further, let’s run a gobuster scan.

We got 2 directories listed:

/main

/testing

Part 2: Enumeration

  1. Let’s begin our enumeration by visiting the webpage on port 80.

The webpage provides links to 2 other pages.

To open these webpages we have to add them to our /etc/hosts file:

10.10.10.229 spectra.htb

It is a WordPress website, which means there will be an admin login page. We can also directly see that the admin is named administrator.

Visiting the other link we got from the main webpage gives us an error.

So I googled the error and found an article, https://www.wpbeginner.com/wp-tutorials/how-to-fix-the-error-establishing-a-database-connection-in-wordpress/, and after reading the article I came to know that the database credentials are stored in the WordPress configuration file called wp-config.php.

Now it’s time to visit the /testing endpoint. On opening the page you will find an index of the WordPress files.

Among all the listed files there are 2 files named wp-config.php and wp-config.php.save.

We know that this file contains the password for the database, so let’s get the credentials.

If we open wp-config.php we get the same database error we got earlier, but we can open the wp-config.php.save file.

You will get a blank page on opening the wp-config.php.save file, but don’t get upset: if you view the source code of the page you will get the credentials.
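From the defender's side, the leak above comes from a backup copy whose name no longer ends in .php, so the server returns its source as text instead of running it. The script below is an added example, not part of the original writeup, that audits a web root for such copies; the suffix list, the secret names it matches and the constructed sample tree are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audit a web root for backup copies of PHP files.
# Assumptions: the suffix list and the secret names below; extend both as needed.

# List files named like a PHP file plus an editor/backup suffix
# (wp-config.php.save, config.php.bak, settings.php~, .index.php.swp, ...).
find_php_backups() {
    find "$1" -type f \( \
        -name '*.php.save' -o -name '*.php.bak' -o -name '*.php.orig' \
        -o -name '*.php.old' -o -name '*.php~' -o -name '.*.php.swp' \
        \) -print | sort
}

# Of those, keep the ones that define WordPress database credentials or keys.
find_leaky_backups() {
    find_php_backups "$1" | while IFS= read -r f; do
        if grep -Eq "define\([[:space:]]*['\"](DB_USER|DB_PASSWORD|AUTH_KEY)['\"]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree (placeholder values, not the box's real files).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/testing"
    printf "<?php\ndefine( 'DB_USER', 'exampleuser' );\ndefine( 'DB_PASSWORD', 'CONSTRUCTED-PLACEHOLDER' );\n" \
        > "$d/testing/wp-config.php.save"
    cp "$d/testing/wp-config.php.save" "$d/testing/wp-config.php"
    printf "<?php echo 'hello';\n" > "$d/testing/index.php.bak"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
echo "Backup copies exposing credentials:"
find_leaky_backups "$sample"   # lists only testing/wp-config.php.save
rm -rf "$sample"
```

Pointed at a real document root, any path printed by find_leaky_backups is a file to delete or move out of the web root, and a reason to rotate the credentials it contains.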

Now we have a username and password, but we don’t know where to use them.

So I tried here and there for a while, then I remembered we have a WordPress admin login page.

I tried various combinations to log in there, but the one that worked was with the username “administrator” and the password we got earlier.

Now we are in the admin dashboard and we have to get a shell, so I googled “shell upload wordpress” and found several ways to get a reverse shell. Refer to the article mentioned below for help:

https://www.hackingarticles.in/wordpress-reverse-shell/

Part 3 : Getting User Flag

Now we have a shell as the nginx user. So I started enumerating the box.

I found out there is an autologin.conf.orig file in the /opt folder, which seemed interesting. After reading it I found that there is a file in /etc/autologin which contains the password.

There are 3 users on the box: root, nginx and katie.

Let’s try to log in over SSH with these credentials as the user katie.

And BOOM!!! We have a shell as the user katie, who has permission to read the user flag.

Part 4 : Getting Root Flag

Now, we have our user flag so let’s try to escalate our privileges to root.

  1. Run sudo -l to get information about what commands katie can run as root.

2. Googling about /sbin/initctl, I found an article which listed a way to escalate our privileges to root.

https://isharaabeythissa.medium.com/sudo-privileges-at-initctl-privileges-escalation-technique-ishara-abeythissa-c9d44ccadcb9

Try what’s in the article and BOOM!!! You will get the root flag.

Some Interesting things I found on the way

(.………………….

I found this in the source code but I got no results following this lead.

….………………)

Thanks for reading the writeup. I hope you liked it.

Any type of feedback or suggestions are appreciated.

You can reach out to me on :

Twitter : https://twitter.com/Viren2737

LinkedIn : https://www.linkedin.com/in/viren-saroha-3391371a3/
