# HackTheBox-Spectra

## NMAP

```
PORT     STATE SERVICE          VERSION
22/tcp   open  ssh              OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http             nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql            MySQL (unauthorized)
8081/tcp open  blackice-icecap?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Thu, 04 Mar 2021 16:38:15 GMT
|     Connection: close
|     Hello World
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Thu, 04 Mar 2021 16:38:14 GMT
|     Connection: close
|     Hello World
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Thu, 04 Mar 2021 16:38:25 GMT
|     Connection: close
|_    Hello World
```

## PORT 80 (HTTP)

Clicking on `Test` or `Software Issue Tracker` leads to `http://spectra.htb`, so add that hostname to `/etc/hosts` first.

Browsing to `wp-config.php.save` (a leftover backup of the WordPress config) exposes the database credentials. Connecting to MySQL on port 3306 with them is rejected, though, which matches the `MySQL (unauthorized)` nmap reported.

### Wpscan

Since MySQL is a dead end and the site is WordPress, run `wpscan` against it. It enumerates the WordPress user `administrator`.

The password `devteam01` logs us in to `/wp-admin` as `administrator`.

## Shell as nginx

As administrator we can edit the `404.php` template of the active theme through the theme editor. Replacing it with a Metasploit PHP payload and then requesting a page that does not exist (so that the 404 template is rendered) gives a shell as the `nginx` user.

For a stable foothold, add an SSH public key to `/home/nginx/.ssh/authorized_keys` and log in over SSH.

## User katie

In the `/opt` directory there is a `passwd` file containing a password, which works for `ssh` as `katie`.

## Privilege escalation

`sudo -l` shows what `katie` can run as root: `initctl`, the Upstart tool used to start, stop and restart services. The job definitions live in `/etc/init`.

Some of those job files are writable by us. One of them runs a Node.js file, `nodetest.js`, which is the "Hello World" service nmap fingerprinted on port 8081.

Replace the contents of `nodetest.js` with a Node.js reverse shell, start a netcat listener (`nc -lvnp <port>`), and restart the job with `sudo initctl`. The job runs as root, so the shell that connects back is a root shell.