Spectra - [HTB]
![Cover Image for Spectra - [HTB]](/assets/images/blog/Spectra-htb/Spectra.png)

Introduction
Spectra is an easy ChromeOS HackTheBox machine where the attacker has to explore the WordPress testing files looking for the admin's credentials. Then, by modifying one of the plugins, we get access to the machine and obtain katie's credentials. Finally, the attacker has to modify init files to retrieve a reverse shell as root.
Enumeration
As always, let's start by finding all open ports on the machine with nmap.
Then, we continue with a deeper scan of every open port, getting more information about each service.
On port 80 there is an HTML web page with two links, both pointing to the domain spectra.htb.

However, if we click on one of the links, the domain www.spectra.htb appears.

So, I added both hostnames to the /etc/hosts file to avoid failures later on. This gives access to a WordPress blog (/main/) that contains a post written by the user administrator, and what seems to be a testing web page (/testing/).

Looking inside the testing directory we can see that there is a WordPress directory structure in there.

Furthermore, there is a file with the extension .save, which shouldn't exist in the first place. Looking inside wp-config.php.save with the Firefox view-source utility we can find the database credentials.
Exploitation
The password can be used to login as administrator in the wordpress blog.
Note: Do not worry about the junky interface, we are not going to use it much longer.

Because the WordPress Theme Editor cannot help us get a reverse shell, we need to use the **Plugin Editor**. This way we can modify the behaviour of the Akismet plugin so that it gives us a reverse shell.

To do so, start a listener on port 4444 on your machine, click on "Plugin Editor", modify the file as follows (DO NOT FORGET TO ADD YOUR IP) and save the changes.
Then, click on Installed Plugins and activate the Akismet Anti-Spam plugin, obtaining a shell as nginx.
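Two defensive checks follow from this section: the stray wp-config.php.save copy that leaked the database credentials, and the built-in Plugin Editor that turned an admin login into code execution. The script below is an added example and is not part of the original write-up or of WordPress itself; it walks a web root for leftover copies of sensitive config files and parses each wp-config.php for the real WordPress constants DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS (either one set to true removes the theme and plugin editors). The directory layout it builds under a temporary folder, the list of sensitive file names and the backup suffixes are constructed for the example.

```python
import os
import re
import tempfile

# Config files whose stray copies leak secrets (constructed list for this example).
SENSITIVE_BASENAMES = {"wp-config.php", ".env", "config.php"}
# Backup and editor suffixes commonly left behind next to the live file.
LEFTOVER_SUFFIXES = (".save", ".bak", ".orig", ".old", ".swp", "~", ".txt")

# Matches define('DISALLOW_FILE_EDIT', true) with either quote style and any spacing.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DISALLOW_FILE_EDIT|DISALLOW_FILE_MODS)['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)


def find_config_leftovers(webroot):
    """Return web-root-relative paths of leftover copies of sensitive config files."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            for suffix in LEFTOVER_SUFFIXES:
                if not name.endswith(suffix):
                    continue
                base = name[: -len(suffix)]
                # Vim swap files carry a leading dot (".wp-config.php.swp"); check both forms.
                candidates = {base, base[1:]} if base.startswith(".") else {base}
                if candidates & SENSITIVE_BASENAMES:
                    hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
                    break
    return sorted(hits)


def wp_file_editing_locked(config_text):
    """True when wp-config.php disables the built-in theme and plugin editors.

    DISALLOW_FILE_MODS also removes the editors (and plugin installs), so either
    constant set to true counts. Commented-out lines are ignored so that a
    disabled define does not pass the check.
    """
    values = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for name, value in _DEFINE_RE.findall(stripped):
            values[name.upper()] = value.lower() == "true"
    return values.get("DISALLOW_FILE_EDIT", False) or values.get("DISALLOW_FILE_MODS", False)


def audit_webroot(webroot):
    """Run both checks over a web root and report leftovers and editor-enabled installs."""
    unlocked = []
    for dirpath, _dirs, files in os.walk(webroot):
        if "wp-config.php" in files:
            path = os.path.join(dirpath, "wp-config.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not wp_file_editing_locked(fh.read()):
                    unlocked.append(os.path.relpath(path, webroot))
    return {"leftovers": find_config_leftovers(webroot), "editor_enabled": sorted(unlocked)}


def build_sample_webroot():
    """Create a constructed web root mirroring the /main and /testing layout from the post."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    main = os.path.join(root, "main")
    testing = os.path.join(root, "testing")
    os.makedirs(main)
    os.makedirs(testing)
    # Hardened install: editors disabled.
    with open(os.path.join(main, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n")
    # Test install: only a commented-out define, plus a stray .save copy of the config.
    with open(os.path.join(testing, "wp-config.php"), "w") as fh:
        fh.write("<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
    with open(os.path.join(testing, "wp-config.php.save"), "w") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'constructed-placeholder');\n")
    return root


if __name__ == "__main__":
    print(audit_webroot(build_sample_webroot()))
```

Run it against a real document root by calling audit_webroot("/var/www/html") instead of the sample tree; a leftover entry means a copy of the config is being served by the web server, and an editor_enabled entry means any compromised administrator account can write PHP through the dashboard.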

Privilege Escalation 1
Looking inside the /opt folder there is a file named autologin.conf.orig that seems to read a password from a file named passwd, which would be located in either /mnt/stateful_partition/etc/autologin or /etc/autologin.
Nonetheless, only the second path exists, so there is only one place to retrieve the password from.
This password can be used to gain access through SSH as the user katie.
Privilege Escalation 2
The user katie, who is a developer, can execute /sbin/initctl as root.
Note: initctl allows a system administrator to communicate and interact with the Upstart init daemon.
Listing all the jobs, we can see several testX jobs.
The configuration for the jobs is at /etc/init.
Looking inside the file test.conf, we can see that it executes the file /srv/nodetest.js. So, as we did with the WordPress plugin, we can modify that line to execute a python command that spawns a reverse shell.
Furthermore, we can edit it because we are part of the developer group.
To get a reverse shell, we need to modify the file /etc/init/test.conf as follows and execute the command sudo /sbin/initctl start test, obtaining the root flag.
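The root cause of this escalation is a root-run Upstart job whose definition (and, potentially, the script it executes) can be edited by an unprivileged group. The audit below is an added example, not code from the write-up or from Upstart: it reads every *.conf job in an init directory, pulls the program named by the exec stanza (skipping a leading interpreter such as node), and flags job files or exec targets that are group- or world-writable. It checks permission bits only, so it runs unprivileged on a constructed tree under a temporary directory; on a real host you would also compare the owner and group of each file against root, and extend job_exec_target to cover script ... end script blocks, which it deliberately does not parse.

```python
import os
import stat
import tempfile

# Interpreters that may precede the real script in an exec stanza (constructed list).
_INTERPRETERS = {"node", "nodejs", "python", "python3", "sh", "bash"}


def job_exec_target(conf_text):
    """Return the file an Upstart job's exec stanza runs, or None if no exec line exists."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "exec":
            # "exec node /srv/nodetest.js" runs the script, not the interpreter.
            if os.path.basename(parts[1]) in _INTERPRETERS and len(parts) >= 3:
                return parts[2]
            return parts[1]
    return None


def writable_by_others(path):
    """True if the group or world write bit is set on path."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_upstart_jobs(init_dir, root_prefix=""):
    """Audit each *.conf job in init_dir; returns {job_name: [issues]} for risky jobs.

    root_prefix lets a sample tree stand in for '/'; leave it empty on a real host.
    """
    findings = {}
    for name in sorted(os.listdir(init_dir)):
        if not name.endswith(".conf"):
            continue
        conf = os.path.join(init_dir, name)
        issues = []
        if writable_by_others(conf):
            issues.append("job file writable by group/other")
        with open(conf, encoding="utf-8", errors="replace") as fh:
            target = job_exec_target(fh.read())
        if target:
            target_path = os.path.join(root_prefix, target.lstrip("/")) if root_prefix else target
            if not os.path.exists(target_path):
                issues.append(f"exec target missing: {target}")
            elif writable_by_others(target_path):
                issues.append(f"exec target writable by group/other: {target}")
        if issues:
            findings[name[: -len(".conf")]] = issues
    return findings


def _write(path, text, mode):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_sample_tree():
    """Constructed tree: a group-writable job like test.conf, a job with a writable script, a safe job."""
    root = tempfile.mkdtemp(prefix="upstart-audit-")
    init = os.path.join(root, "etc", "init")
    _write(os.path.join(init, "test.conf"), "description 'test'\nexec node /srv/nodetest.js\n", 0o664)
    _write(os.path.join(root, "srv", "nodetest.js"), "console.log('hi');\n", 0o644)
    _write(os.path.join(init, "worker.conf"), "exec /srv/worker.js\n", 0o644)
    _write(os.path.join(root, "srv", "worker.js"), "console.log('work');\n", 0o666)
    _write(os.path.join(init, "safe.conf"), "exec /srv/ok.js\n", 0o644)
    _write(os.path.join(root, "srv", "ok.js"), "console.log('ok');\n", 0o644)
    return root


def audit_sample_tree():
    """Build the constructed tree and audit it, the way one would audit /etc/init on a host."""
    root = build_sample_tree()
    return audit_upstart_jobs(os.path.join(root, "etc", "init"), root_prefix=root)


if __name__ == "__main__":
    for job, issues in audit_sample_tree().items():
        print(job, "->", "; ".join(issues))
```

Any job the audit reports is a root-equivalent write for whoever holds that group, regardless of sudo rules, because Upstart runs the job as root; the fix is to make the job file and its exec target owned by root with mode 0644 or tighter.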