Backdoor
https://app.hackthebox.com/machines/Backdoor
Nmap
Add "10.10.11.125 backdoor.htb" to /etc/hosts.
First up, checking port 1337, which nmap picks up as 'waste?'. I was unable to pull any information from this service. Connecting with nc did not send back any information, and repeating the same process with Wireshark also showed no information from this port.
As such we will proceed to port 80, which appears to be running WordPress, as shown below:
Standard enumeration with feroxbuster shows multiple typical WordPress PHP files.
Instead we jump over to wpscan in order to further enumerate the WordPress site. The following command was run to search all available plugins for known exploits.
wpscan soon finds the vulnerable plugin ebook-download, which is running version 1.1.
Searchsploit shows a known exploit for eBook Download 1.1: a Directory Traversal.
Exploit-DB: https://www.exploit-db.com/exploits/39575
With the following shown as a PoC:
Testing this against the target system's WordPress site proves successful. We are able to read /wp-settings.php.
As shown above, this reveals the DB_Password value. I tried to use this against the admin account and the wordpressuser account and was unable to proceed through either the login page or SSH against standard accounts.
From here, further enumeration through LFI will be required. I started ZAP Proxy and sent a manual request through with the Directory Traversal PoC.
We get some interesting LFI results, however none that are of any use to us.
After much further enumeration I decided to search for running processes and their corresponding command lines. These are usually found under /proc/PID/cmdline. In the request below the PID starts at '1', and the numbers through to 1000 are then generated using the 'numberzz' module in ZAP Proxy.
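A defender's check for the traversal pattern used against the plugin above and for the /proc/PID/cmdline reads that follow, as an added example (not part of the original writeup): it parses Apache combined-format log lines, decodes single- and double-percent-encoded query values, and flags any parameter that decodes to a '..' path segment. The log lines are constructed; the handler name filedownload.php and the ebookdownloadurl parameter are assumed, not taken from the page.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed Apache combined-format log lines. The plugin directory follows
# WordPress's /wp-content/plugins/<slug>/ layout; the handler name and the
# ebookdownloadurl parameter are assumed (not stated on the page). Line 4 is benign.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2022:10:00:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-settings.php HTTP/1.1" 200 3211 "-" "curl/7.81.0"
10.10.14.5 - - [01/Jan/2022:10:00:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc%2f816%2fcmdline HTTP/1.1" 200 64 "-" "curl/7.81.0"
10.10.14.5 - - [01/Jan/2022:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "curl/7.81.0"
192.168.1.20 - - [01/Jan/2022:10:00:04 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/wp-content/uploads/book.pdf HTTP/1.1" 200 102400 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Jan/2022:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
PLUGIN_RE = re.compile(r'/wp-content/plugins/(?P<slug>[^/]+)/')
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')  # a whole ".." path segment, either slash

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f is seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(line):
    """Return a finding if any query parameter decodes to a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    for name, raw in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            plugin = PLUGIN_RE.search(path)
            return {
                "ip": m.group("ip"),
                "plugin": plugin.group("slug") if plugin else None,
                "param": name,
                "decoded": value,
                "likely_served": m.group("status").startswith("2"),  # 2xx: file most likely served
            }
    return None

def scan_log(text):
    """Scan a whole access log and return the traversal findings in log order."""
    return [f for f in map(inspect_request, text.splitlines()) if f]
```

Run against the sample it reports three hits from one source address, all against the ebook-download plugin; the 404 on the third request shows a traversal attempt that did not return a file.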
As shown below, PID 816 shows gdbserver running on port 1337, which we did not get any results for earlier.
Searchsploit shows this could be vulnerable to RCE.
BookHackTricks has a great page on a few ways to exploit gdbserver.
BookHackTricks: https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver#upload-and-execute
Following those steps, a shell is caught on our listener.
Metasploit can also be used to exploit gdbserver.
use exploit/multi/gdb/gdb_server_exec
Performing enumeration with linpeas.sh, we have an interesting find pop up under the running processes and crons section.
Looking at the above parameters, we can see from the screen help output below that -dmS is used to start a screen daemon and then disconnect it; in the case above, this is done as root.
The manual for screen can be found below: https://www.gnu.org/software/screen/manual/screen.html
The linked forum post on Serverfault shows how we can identify existing screen sessions.
Serverfault: https://serverfault.com/questions/758637/owner-of-screen-session
Looking further at how to connect to other users' screen sessions, this forum post from 2006 describes it well: https://ubuntuforums.org/showthread.php?t=299286
As we know the root user account is currently running a screen session, we can then connect to it. We know the session name from the running processes we found with linpeas.sh.
This gets us a root shell.