Hack The Box — Spectra Writeup

Part One: Enumeration

An Nmap scan picked up three open ports, showing that this is a web server with a SQL database and an SSH port. While the hosted webpage is not immediately available, adding spectra.htb to my hosts file fixes that.

Part Two: Looking For a Pivot Point

A number of the files I am able to see are not viewable, but looking through the testing directory, I find a viewable configuration file that has the credentials I am looking for.
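From the defender's side, the finding above is a copy of a configuration file that the web server hands out as plain text instead of executing. The following is an added example, not part of the original writeup: a small audit that walks a document root and reports such copies. The file names, the extension list and the sample tree are constructed assumptions; the `define('DB_USER', ...)` form is the standard WordPress configuration syntax.

```python
import os
import re
import tempfile

# Assumption: only these suffixes are routed to the PHP interpreter.
EXECUTED = {".php", ".phtml"}

# WordPress-style credential constants, e.g. define( 'DB_PASSWORD', '...' );
CRED_RE = re.compile(
    r"""define\(\s*['"](DB_USER|DB_PASSWORD)['"]\s*,\s*['"]([^'"]*)['"]""")


def find_exposed_configs(docroot):
    """Return {relative_path: sorted constant names} for files under docroot
    that hold non-empty credential constants but would not be executed."""
    findings = {}
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTED:
                continue  # interpreted by PHP, source is not sent to clients
            path = os.path.join(base, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(1_000_000)  # cap read size on large files
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            names = {m.group(1) for m in CRED_RE.finditer(text) if m.group(2)}
            if names:
                findings[os.path.relpath(path, docroot)] = sorted(names)
    return findings


def build_sample_docroot():
    """Constructed sample tree: a live config plus a backup copy of it."""
    root = tempfile.mkdtemp()
    cfg = "<?php\ndefine( 'DB_USER', 'sampleuser' );\ndefine( 'DB_PASSWORD', 'sample-pass' );\n"
    for rel in ("main/wp-config.php", "testing/wp-config.php.bak"):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(cfg)
    with open(os.path.join(root, "testing", "readme.txt"), "w") as fh:
        fh.write("define( 'DB_PASSWORD', '' );  // empty placeholder, ignored\n")
    return root


if __name__ == "__main__":
    for path, names in find_exposed_configs(build_sample_docroot()).items():
        print(f"{path}: {', '.join(names)} readable as plain text")
```

Anything this reports should be removed from the document root, and the credentials in it rotated, since they may already have been read.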

Part Three: Using Verified WordPress Credentials

Now that I know I have Administrator access to WordPress, I have a variety of options for pivoting deeper into Spectra. In prior writeups I have inserted either Python or PHP shell code, pointed at a netcat server, into accessible files. On this particular occasion, I am going to use a great Metasploit module. Using the same credentials I used to get into WordPress Administration, I quickly gain shell access.

Part Four: Finding The User Flag

If SummerHereWeCome!! is not the superuser password, the most logical alternative is that it is an SSH password. Given the other protections Spectra has had, I did not think I would be able to get SSH access without the right id_rsa, but this assumption proves to be pessimistic.

Part Five: Pivoting Towards Root Access

The SSH access that allowed me to view the User Flag is not root access, and I cannot locate loose credentials in the system resources I am allowed to view. Running sudo -l allows me to see what katie has superuser access to, which is a system binary called initctl. This allows katie to manage user jobs. There are several of these.
