Spectra is a BOOT2ROOT CTF challenge that tests your skills in exploiting user mistakes, WordPress exploitation and basic privilege escalation.
First of all, fire up your pentesting machine and connect to the HackTheBox network via OpenVPN. Let us begin with the traditional nmap scan.
We can see that ports 80 and 22 are open, which means there is a web application involved. Before exploring the web application, edit the /etc/hosts file of your machine with the nano text editor, adding the Spectra IP and machine name as follows.
Then go to the website by providing the IP as follows.
We can see that there are two links.
“spectra.htb/main” contains some information and a login panel. We can assume that there is a user called “administrator” by looking at the following.
If we can find the password of “administrator”, we may be able to log in as the admin of the website.
The other link, “spectra.htb/testing”, lists many files which we can look into. After some time, I found an interesting file, “wp-config.php.save”, which contains usernames and passwords. The admin may have forgotten to remove this file.
We can curl the above file in order to view the usernames and passwords.
As you can see below, we come across a username and a password.
However, this username, “devtest”, doesn’t work. So, use the earlier found username “administrator” instead. You will be able to log in successfully.
After some enumeration, I found out that the WordPress version is out of date. I could find a public exploit which is available in Metasploit, as follows.
Then, set the exploit options as follows.
Remember to use your tun0 (VPN) IP as LHOST and the Spectra IP as RHOST. You must specify the username and password too.
When running exploit, you will get a Meterpreter shell as follows.
So, we got a reverse shell as the web application user “nginx”. Then get rid of the Meterpreter shell by executing the “shell” command. However, we still don’t have a proper user account on this system. While enumerating, I came across a user called “katie” apart from “root” and “nginx”. I saw it when viewing the “/etc/passwd” file.
When enumerating further, I came across a file called “autologin.conf.orig” located in the “/opt” directory.
When reading the above file, we find out that there is a password file at “/etc/autologin”. So, go ahead and view it.
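Both leaks on this box come from leftover copies of files that should not have been there: “wp-config.php.save” under /testing and “autologin.conf.orig” in /opt. As an added defender-side check (not part of the original writeup), the following Python audit walks a directory tree for such backup and editor leftovers of sensitive files and reports whether each one is world-readable. The suffix and filename lists are assumptions, and the sample tree is constructed inline.

```python
import os
import stat
import tempfile

# Suffixes that editors and admins leave behind next to live config files;
# .save and .orig are the page's examples, the rest are common leftovers (assumed).
LEFTOVER_SUFFIXES = (".save", ".orig", ".bak", ".old", ".swp", "~")

# Base names whose leftover copies are worth flagging (assumed list).
SENSITIVE_BASENAMES = {"wp-config.php", "autologin.conf", ".env", "config.php"}


def is_leftover(name):
    """True if `name` is a backup/editor copy of a sensitive file."""
    for suffix in LEFTOVER_SUFFIXES:
        if name.endswith(suffix):
            base = name[: -len(suffix)]
            # vim swap files are dot-prefixed: .wp-config.php.swp
            if base.startswith(".") and base[1:] in SENSITIVE_BASENAMES:
                return True
            return base in SENSITIVE_BASENAMES
    return False


def scan_tree(root):
    """Walk `root`; return (relative path, world_readable) for each leftover.
    world_readable means any local account, e.g. the web server user, can read it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_leftover(name):
                path = os.path.join(dirpath, name)
                world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
                findings.append((os.path.relpath(path, root), world_readable))
    return sorted(findings)


def demo():
    """Constructed sample tree (not the box's files); returns the scan result."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "testing"))
    os.makedirs(os.path.join(root, "opt"))
    samples = [("testing/wp-config.php", 0o640),
               ("testing/wp-config.php.save", 0o644),   # the kind of leak on Spectra
               ("testing/index.php", 0o644),
               ("opt/autologin.conf.orig", 0o600)]
    for rel, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder content\n")
        os.chmod(path, mode)
    return scan_tree(root)
```

Run it against a web root and /opt as part of a deployment check; any world-readable hit is a file a web user or low-privileged account could have read.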
As we now have the password of user “katie”, we can SSH in as katie. Then we can obtain the user flag effortlessly as follows.
Now we have to work towards root. When executing “sudo -l”, we see that this user can execute “/sbin/initctl” as root. I just Googled it and read about its functionality.
You have to first stop the service “test” as follows.
Then go to the “test” job configuration file, located in “/etc/init”, and open it with a text editor as follows.
Then, remove the content inside it and replace it with the following content.
Then restart the “test” job which we stopped earlier, and execute the command “/bin/bash -p” in order to get the root shell, as follows.
Finally, we can obtain the root flag after changing some directories, as follows.
This brings us to the end of the Spectra CTF. I hope you learnt something.
Connect with me on LinkedIn: https://www.linkedin.com/in/ravishanka-silva-a632351a0