HackTheBox — Spectra Walkthrough

Spectra is a BOOT2ROOT CTF challenge which checks your skills on exploiting user mistakes , WordPress exploitation and basic privilege escalation.

First of all, fire-up your pentesting machine and connect to HackTheBox network via openvpn. Let us begin with the traditional nmap scan.

nmap scan results

We can see that ports 80 and 22 are open, which means there is a web application involved. Before exploring the web application, edit the /etc/hosts file of your machine with nano text editor, adding the Spectra IP and machine name as follows.

Editing /etc/hosts file

Then go to the website by providing the IP as follows.

spectra.htb web application

We can see that there are two links.

spectra.htb/main” consists some information and there is a login panel. We can assume that there is a user called “administrator” by looking at the following.

spectra.htb/main

If we can find the password of “administrator”, we may be able to login as admin of the website.

Login panel of spectra.htb/main

The other link; “spectra.htb/testing” consists of many files which we can look into. After some time, I found an interesting file; “wp-config.php.save” which consists of usernames and passwords. Admin may have forgotten to remove this file.

wp-config.php.save file in spectra.htb/testing

We can curl into the location of the above file in order to view the usernames and passwords.

curl to url

As you can see in the following, we can come across a username and a password.

username / password

However, this username “devtest” doesn’t work. So, use the earlier found username “administrator” instead. You will be able to login successfully.

After some enumeration, I found out that the WordPress version is out-to-date. I could find a public exploit which is available in metasploit as follows.

msf module

Then, set the exploit options as following.

msf module options

Remember to use your tun0(VPN) IP as lhost and rhost as the Spectra IP. You must specify username and password too.

When hitting exploit, you will be prompted a meterpreter shell as follows.

exploit succeeded

So, we got a reverse shell of the web application “nginx”. Then get rid of the meterpreter shell by executing “shell” command. However still we are not a user of this system. When enumerating, I came across that there is a user called “katie” apart from “root” and “nginx”. I saw it when viewing the “/etc/passwd” file.

cat /etc/passwd

When enumerating furthermore, I came across a file called “autologin.conf.orig” which is located at “/opt” directory.

View autologin.conf.orig file

When reading the above file, we can find out that there is a password file at “/etc/autologin”. So, go ahead and view it.

View katie’s password

As now we have the password of user “katie”, we can SSH to katie. Then we can obtain the user flag effortlessly as follows.

Getting the user flag

Now we have to work towards root. When executing “sudo -l”, we can come across that this user can execute “/sbin/initctl” as root. I just Googled about it and came across its functionality.

sudo -l

You have to first stop the service “test” as follows.

Stopping test service

Then go to the test configuration file which is located at “/etc/init”, and open it with a text editor as follows.

Then, remove the content inside it and replace it with the following content.

edit test.conf

Then restart the “test” which we stopped earlier, and execute the command “/bin/bash -p” in order to get the root shell, as follows.

Getting the root shell

Finally, we can obtain the root flag, after changing some directories as follows.

root flag

This comes to the end of the Spectra CTF. I hope you learnt something.

Connect me via LinkedIn https://www.linkedin.com/in/ravishanka-silva-a632351a0

HAPPY HACKING!!!

Cybersecurity enthusiast | Undergraduate | CTF player | Writer 💻😎