3.8 KiB
HackTheBox-Spectra
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey:
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp open http nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open mysql MySQL (unauthorized)
8081/tcp open blackice-icecap?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Thu, 04 Mar 2021 16:38:15 GMT
| Connection: close
| Hello World
| GetRequest:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Thu, 04 Mar 2021 16:38:14 GMT
| Connection: close
| Hello World
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/plain
| Date: Thu, 04 Mar 2021 16:38:25 GMT
| Connection: close
|_ Hello World
PORT 80 (HTTP)
Clicking on Test or Softwaer Issue Tracker would be leading us to http://spectra.htb so let's add this to /etc/hosts
Going to wp-config.php.save we can find credentials to the database
But when connecting to them it just doesn't allow
Wpscan
So we can't connect to mysql so we have a wordpress site let's run wpscan on it
So we have a wordpress user administrator
Using the password devteam01 we logged in with administrator
We can edit the 404.php template in the active theme
Using a metasploit payload
Add ssh public key in /home/nginx/.ssh/authorized_keys
Going in /opt directory
We find a passwd file
ssh as katie
On doing sudo -l we'll see what we can run as root
And we can run initctl which is used for running services, these services are stored in /etc/init
We can see the services we can edit
Here this service is running a nodejs file which is nodetest.js
This is what we see when we visit port 8081 on the web browser we can edit this file by a node js reverse shell
After editing set a netcat listener
