kedaegan.github.io

Spectra

Enumeration

Ports and Services

Software Installed:

Gobuster Scan Results:

WPScan Results:

Webpage (add spectra.htb to the hosts file)

URL: http://spectra.htb/

URL: http://spectra.htb/main/

URL: http://spectra.htb/testing/index.php

/testing/ has a directory listing:

The config.php.save:

MySQL denies connections from external IPs, so the credentials cannot be used against the database directly.

Checking for password re-use:
The username for the WordPress site is administrator:

Username: administrator
Password: devteam01

Initial Foothold

Once logged in as admin I modified 404.php in the Twenty Seventeen theme to contain a PHP reverse shell:

Visited the page with a listener running:
URL: http://spectra.htb/main/wp-content/themes/twentyseventeen/404.php

Located autologin.conf.orig in /opt:

# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description   "Automatic login at boot"
author        "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
  if [ -z "${passwd}" ]; then
    exit 0
  fi
  # Inject keys into the login prompt.
  #
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter

The script reads a plaintext password from a passwd file under /etc/autologin (or /mnt/stateful_partition/etc/autologin):

/etc/passwd shows katie is the only user with a login shell.
SSH as katie using the recovered password.
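The exposure here is the autologin job reading a plaintext password from a file any local user can read. The following audit helper is an added example, not part of the original writeup or of Chromium OS: it mirrors the job's lookup order (first directory holding a passwd file wins) and reports whether that file exists and whether its mode lets anyone other than the owner read it. It assumes only POSIX sh, ls and cut, and takes the directories to check as arguments.

```shell
#!/bin/sh
# Audit the directories the Chromium OS autologin job reads its password from.
# Usage: audit_autologin_passwd /mnt/stateful_partition/etc/autologin /etc/autologin
#
# Return codes:
#   0  no passwd file found in any directory (nothing to leak)
#   1  passwd file found but readable only by its owner (still plaintext on disk)
#   2  passwd file found and readable by group or others (the Spectra situation)
audit_autologin_passwd() {
  for dir in "$@"; do
    f="${dir}/passwd"
    # Same rule as autologin.conf: the first existing file is the one used.
    [ -e "$f" ] || continue
    # Take the ten-character mode string, e.g. "-rw-r--r--".
    mode=$(ls -ld "$f" | cut -c1-10)
    grp_r=$(printf '%s' "$mode" | cut -c5)   # group read bit
    oth_r=$(printf '%s' "$mode" | cut -c8)   # other read bit
    if [ "$grp_r" = r ] || [ "$oth_r" = r ]; then
      echo "EXPOSED: $f is readable by non-owners (mode $mode)"
      return 2
    fi
    echo "WARN: $f holds a plaintext password (mode $mode, owner-only read)"
    return 1
  done
  echo "OK: no autologin passwd file found"
  return 0
}
```

A finding of 2 means any local account can recover the autologin user's password exactly as happened on this box; the fix is to remove the file or stop relying on file-based autologin.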

User.txt Proof Screenshot

User.txt Contents
e89d27fe195e9114ffa72ba8913a6130

Privilege Escalation

User katie has sudo for /sbin/initctl

Reading through: https://isharaabeythissa.medium.com/sudo-privileges-at-initctl-privileges-escalation-technique-ishara-abeythissa-c9d44ccadcb9

Service list
CMD: sudo /sbin/initctl list

Modified /etc/init/test1.conf so that the job sets the SUID bit on /bin/bash.

Started the test1 service, which should make /bin/bash SUID:

Root Screenshot Here:


Root.txt Contents:
d44519713b889d5e1f9e536d0c6df2fc