Open in app

Sign in

Write

Sign in

HackTheBox-Spectra

ARZ101
4 min readJun 27, 2021

--

Hello everyone , in this post I will be sharing my walkthrough for HTB’s spectra machine , which was an easy level machine which had wordpress site being hosted along with a directory called “testing” through which we found a backup for wordpress database config file where we found creds which allowed us to login to wordpress as an admin ,after getting a shell from wordpress we found user’s password in /opt directory and escalating to user we had sudo rights to run initctl which is used to run a job or serivce on the machine allowing us to become root

NMAP

PORT     STATE SERVICE          VERSION                                   
22/tcp   open  ssh              OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http             nginx 1.17.4                                   
|_http-server-header: nginx/1.17.4                 
|_http-title: Site doesn't have a title (text/html).                 
3306/tcp open  mysql            MySQL (unauthorized)
8081/tcp open  blackice-icecap?                                              
| fingerprint-strings:                                               
|   FourOhFourRequest:                            
|     HTTP/1.1 200 OK                                                     
|     Content-Type: text/plain                                            
|     Date: Thu, 04 Mar 2021 16:38:15 GMT
|     Connection: close                               
|     Hello World                               
|   GetRequest:                      
|     HTTP/1.1 200 OK                
|     Content-Type: text/plain                                            
|     Date: Thu, 04 Mar 2021 16:38:14 GMT                                 
|     Connection: close              
|     Hello World                    
|   HTTPOptions:                     
|     HTTP/1.1 200 OK                
|     Content-Type: text/plain                                            
|     Date: Thu, 04 Mar 2021 16:38:25 GMT                                 
|     Connection: close              
|_    Hello World

PORT 80 (HTTP)

Clicking on Test or Softwaer Issue Tracker would be leading us to http://spectra.htb so let's add this to /etc/hosts

Going to wp-config.php.save we can find credentials to the database

But when connecting to them it just doesn’t allow

Wpscan

So we can’t connect to mysql so we have a wordpress site let’s run wpscan on it

So we have a wordpress user administrator

Using the password devteam01 we logged in with administrator

We can edit the 404.php template in the active theme

Using a metasploit payload

Add ssh public key in /home/nginx/.ssh/authorized_keys

Going in /opt directory

We find a passwd file

ssh as katie

On doing sudo -l we'll see what we can run as root

And we can run initctl which is used for running services, these services are stored in /etc/init

We can see the services we can edit

Here this service is running a nodejs file which is nodetest.js

This is what we see when we visit port 8081 on the web browser we can edit this file by a node js reverse shell

After editing set a netcat listener

Ctf
Hackthebox
Pentesting
Linux

--

--

ARZ101
ARZ101

Written by ARZ101

730 Followers
46 Following

Smol Pentester| OSCP | gib AD | UwU

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams