🔎🦶Enumeration/Foothold
Spectra is an Easy box from HTB, created by egre55. This box features a poorly configured WordPress dev environment and initctl escalation. I begin each box by running a RustScan. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. Running RustScan with Nmap filters. Reviewing the results, I see port 80 open and that it's running an HTML-based website with two links. The Software Issue Tracker link shows me spectra.htb, so I add it to my hosts file.

Software issue tracker link shows a new domain, spectra.htb.
Upon visiting both sites I see a WordPress installation. On the test link I can see that the WordPress install does not have the database connected properly, causing it to fail. I kick off a WPScan and FeroxBuster on the working WordPress environment and begin poking at the test environment.
After trying the wp-content folder on the test environment (a default folder which holds plugins, themes, etc. for WordPress) I can see that directory indexing is enabled. I go up a directory and find a wp-config.save file.
I try the credentials on the primary WordPress environment but the login fails. I review the WPScan results and notice that the user administrator came back. I try that alongside the recently found password and log in.

WPScan showing the administrator user being identified.
After validating the login I spin up Metasploit, knowing it has a quick reverse shell for WordPress. The link for instructions is available HERE.
After setting up the exploit I kick it off and then spawn a shell:
🔝Escalation
I upgrade my shell and begin navigating the environment:
I start by navigating to the home directory, which shows there are a few users on the box:
Upon navigating into katie's home directory I can see that she has the user.txt file; however, I cannot access it. I check for SSH keys and unusual files but find nothing. After navigating around the environment and checking files created around the same time as katie's home folder I come across:
Reviewing the file, I can see that a password is being stored in the /etc/autologin folder in a file called passwd. I navigate to the file and grab the password. Next I try the password against my list of users found above.

Finding the autologin.conf and the passwd file (but why?)
As katie had the user.txt file I start with her:
After establishing an SSH connection I used sudo -l to see if katie could run anything elevated on the box.
I researched /sbin/initctl privilege escalation and ran through the steps below:

Showing test/test1 can be altered.
I altered the test.conf file:
📜Script
Ctrl + X to save.

Rooted spectra from HTB
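The escalation above works because a user with a sudo rule for /sbin/initctl could also edit the job files that initctl starts as root. The audit below is an added example, not part of the original write-up; the function names are hypothetical, the demo files are constructed, and /etc/init is assumed as the Upstart job directory.

```bash
#!/usr/bin/env bash
# Added example: find Upstart job definitions a non-root user could edit.
# initctl runs each job's script stanza as root, so a sudo rule for
# /sbin/initctl is only as safe as the permissions on the job files.

# audit_init_jobs DIR [OWNER]
#   Prints every *.conf in DIR that is group- or world-writable, or whose
#   owner is not OWNER (default: root). Returns 1 if anything is flagged.
audit_init_jobs() {
    local dir="${1:-/etc/init}"   # assumed default Upstart job directory
    local owner="${2:-root}"
    local flagged
    flagged=$(find "$dir" -maxdepth 1 -type f -name '*.conf' \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) -print | sort)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# job_dir_writable DIR
#   True when DIR itself is group- or world-writable: a writable directory
#   lets a user replace a job file even if the file is locked down.
job_dir_writable() {
    local dir="${1:-/etc/init}"
    [ -n "$(find "$dir" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]
}

# Demo on a constructed directory (not the box's real files).
demo() {
    local d rc=0
    d=$(mktemp -d)
    printf 'script\n  echo ok\nend script\n' > "$d/test.conf"
    printf 'script\n  echo ok\nend script\n' > "$d/cron.conf"
    chmod 664 "$d/test.conf"   # group-writable, like the editable test jobs
    chmod 644 "$d/cron.conf"   # root-only write is what a job file should have
    audit_init_jobs "$d" "$(id -u)" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Any file this flags should be reset to root ownership with mode 644 before a sudo rule for initctl is granted.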
