CTF Walkthroughs, Hack The Box

Hack The Box – Spectra Walkthrough

June 28, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was an easy Linux machine that involved finding database credentials contained in a backup WordPress instance to gain initial access and exploiting the /sbin/initctl binary with Sudo permissions to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has revealed three open ports: 22 (SSH), 80 (HTTP) and 3306 (MySQL). Since Mysql access is not authorized the next step will be to start enumerating HTTP.

Enumerating HTTP

The following page is displayed when accessing the web server through a browser:

When inspecting the source code, it appears the hyperlinks refer to a spectra.htb domain and two directories, main and testing:

Adding these new entries to the /etc/hosts file:

When accessing main, this appears to be a WordPress site:

When running WPScan against the target machine with the following flags, only an administrator user is found, and no vulnerable plugins are identified:

  • –url to specify the URL for the Wordrpess application, in this case http://spectra.htb/main/
  • -e to specify the elements to enumerate, in this case, ap for all plugins, at for all themes, tt for timthumbs, cb for config backups, dbe for database exports, u for users and m for media:
  • –plugins-detection aggressive, to specify to enumerate for all known plugins

Accessing testing site – this has directory listing enabled, it appears to contain a backup of the wp-config.php file (wp-config.php.save), which usually contains database credentials:

Downloading the file and viewing its contents:

Using the database password found earlier with WPScan and the password found in the wp-config.php.save file to authenticate to WordPress:

Copying the PHP Laudanum Reverse Shell to the current working directory and changing IP address and port:

Navigating to Plugins–>New Plugin and attaching the reverse shell, then hitting “Install”:

The installation failed although the reverse shell will have been uploaded to the wp-content/uploads/ directory:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Navigating to the PHP reverse shell to execute it:

A callback was received, granting a shell as the “nginx” user:

The following steps can be done to obtain an interactive shell:

  • Running “python -c ‘import pty; pty.spawn(“/bin/sh”)’” on the victim host
  • Hitting CTRL+Z to background the process and go back to the local host
  • Running “stty raw -echo” on the local host
  • Hitting “fg + ENTER” to go back to the reverse shell

Privilege Escalation

Transferring the LinPEAS enumeration script to the target machine:

Assigning execute permissions to it and running it:

It looks like the script identified a password stored in the /etc/autologin/passwd file:

Authenticating as the “katie” user with the password found above:

Executing the sudo -l command, it appears that katie can execute /bin/initctl as root on the box:

Initctl allows users to communicate and interact with the Upstart init daemon i.e. the ability to start/stop jobs/services.

It appears that in order to configure a job/service a .conf file is required:

The configuration files allows to define commands that will be executed when the job/service is run

More information on how to create and configure services can be found here. This permission could be used to escalate privileges if the current user has control over an existing configuration file used by a job or service.

Listing the existing services with the following command:

sudo /sbin/initctl list

There appears to be a “test” service. Looking at the example configuration for it:

Adding an extra line to execute the PHP reverse shell used earlier when the service starts:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Manually starting the service:

This has triggered the PHP reverse shell, therefore granting a reverse shell as root.

Conclusion

This was a great machine, not too hard but still challenging, and very real-life based. Database credentials stored in backup instances are not at all uncommon, and the ability to start/stop services and edit their configuration/content is something that is more common in Windows than in Linux, so it was nice to see it here.