This post documents the complete walkthrough of Spectra, a retired vulnerable VM created by egre55, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Spectra is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

masscan -e tun0 -p1-65535 10.10.10.229 --rate=1000
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-02-28 10:05:49 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.10.10.229
Discovered open port 80/tcp on 10.10.10.229
Discovered open port 3306/tcp on 10.10.10.229

Hmm, nothing interesting. Let’s do one better with nmap, scanning the discovered ports to establish their services.

nmap -n -v -Pn -p22,80,3306,8081 -A --reason 10.10.10.229 -oN nmap.txt
...
PORT     STATE SERVICE          REASON         VERSION
22/tcp   open  ssh              syn-ack ttl 63 OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http             syn-ack ttl 63 nginx 1.17.4
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql            syn-ack ttl 63 MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)

This is what the http service looks like.

I’d better map 10.10.10.229 to spectra.htb in /etc/hosts. This is what each of them looks like.

http://spectra.htb/main/index.php

http://spectra.htb/testing/index.php

Directory Indexing

If you navigate to /testing, you’ll notice that directory indexing is turned on.

Password Leak

One of the files contains the password for what seems to be the WordPress database.

Maybe this is also the administrator’s password to the working WordPress site?

Indeed!

Foothold

Once an attacker has administrator access to your WordPress installation, you are pretty much pwned. Here I’m creating another user with the Administrator role.

Hello Dolly

This plugin comes pre-installed with every WordPress installation, and even though it’s pretty much a useless plugin, it’s extremely useful to us in getting that prized foothold on the remote machine.

You’ll notice that the Hello Dolly plugin is not activated, but that’s good because we can edit the plugin to include some backdoor PHP code and then activate the plugin.

There’s only one file in the Hello Dolly plugin and that’s hello.php. Let’s include our backdoor PHP code like so.

Update the file and then activate the plugin. Add the 0 parameter in the address bar, and you have instant remote command execution.

With that, we can run a reverse shell back to us with a Perl one-liner.

There you have it.
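The plugin edit above is exactly the kind of change a file-integrity check on wp-content/plugins would catch. The script below is an added example, not part of the original writeup or of WordPress itself: it builds a baseline manifest of SHA-256 hashes for a plugin tree and reports any file later modified, added or removed. The plugin tree, the hello.php contents and the tampering are all constructed in a temporary directory; in practice the baseline would come from a known-good install.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large plugin assets don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugin_dir: Path) -> dict:
    """Map each file's path (relative to the plugin dir) to its SHA-256 digest."""
    return {
        str(p.relative_to(plugin_dir)): sha256_of(p)
        for p in sorted(plugin_dir.rglob("*"))
        if p.is_file()
    }


def check_plugins(plugin_dir: Path, baseline: dict) -> dict:
    """Compare the current plugin tree against a baseline manifest."""
    current = build_manifest(plugin_dir)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a plugin tree, then edit hello.php and drop a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        hello = plugins / "hello.php"  # constructed stand-in for the Hello Dolly plugin file
        hello.write_text("<?php\n/* Plugin Name: Hello Dolly */\n")
        baseline = build_manifest(plugins)
        # Simulate an edit through the plugin editor (constructed content, not real plugin code)
        hello.write_text(hello.read_text() + "// unexpected change\n")
        (plugins / "extra.php").write_text("<?php\n")
        return check_plugins(plugins, baseline)


if __name__ == "__main__":
    print(demo())
```

Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the in-browser plugin editor used here, so a compromised admin account can no longer rewrite plugin files from the dashboard.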

From nginx to katie

During enumeration of nginx’s account, I notice the presence of another account: katie.

The file user.txt is in katie’s home directory.

Thank goodness for the “hint” left in /opt/autologin.conf.orig by the creator, otherwise I wouldn’t have found katie’s password in /etc/autologin/passwd.

From this, we also come to learn that this mysterious Other OS is the Chrome OS. Without further ado, I present to you katie’s password.

And here’s the user.txt.

Privilege Escalation

During enumeration of katie’s account, I notice that katie is able to sudo the following.

Good ol’ init scripts

The developers group, which katie is a member of, created a whole bunch of init scripts.

I chose test1.conf to insert an SSH public key I control into /root/.ssh/authorized_keys and call it a day.
