HackTheBox — Backdoor

5 min readApr 23, 2022


Hello everyone , in this post I will be sharing my writeup for HTB-Backdoor which was a easy rated linux box, starting with nmap scan we can 3 ports out of which port 80 and 1337 were of our interest, the web server was running wordpress using a default template, enumerating the plugins we came to know that it was using ebook download plugin which was vulnerable to LFI that allowed to us to view the running processes which showed that gdb server was running on port 1337 that gave us remote code execution, having a shell as user, screen binary was being ran as a root user, creating a de attached session which allowed us to re attach the session as the root user.


nmap -p- -sC -sV --min-rate 5000 -vPORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
| http-methods:
|_ Supported Methods: HEAD
1337/tcp open waste? syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


From the scan we saw that there’s a web server apache server running on port 80

At the bottom , we can see that this is a wordpresss site

We can try to login with default creds like admin:admin

It gives an error that password for admin user is invalid but it didn't said that username is invalid so we could try to brute force the password later. I tired to run an nmap scan for wordpress plugins but there wasn't any thing interesting

nmap -p 80 --script http-wordpress-enum --script-args search-limit=2000 -vvv

I ran wpscan and used aggressive plugins scan but it was taking so long for it to complete instead I manually tried to enumerate plugins by going to /wp-content/plugins

The readme file shows that it’s using version 1.1

And this version is vulnerable to LFi

This will download wp-config.php file which has the database credentials

We can also download /etc/passwd file

But we can’t do things like log poisoning as we are only able to download the file not view them directly , remember from our nmap scan we saw that there was a port 1337 but on connecting on the port we don’t get any response


In order to find what’s running on that port we need can find it by reading /proc/sched_debug , which shows all the processes that are running on the system

On reading that file we can see that gdbserver is running and there's a remote code execution exploit available on metasploit

I got another reverse shell as I wanted to stabilize the shell and the meterpreter shell isn’t stable when we spawn bash

So this enabled us to stabilize our shell , now to escalate our privileges, I checked sudo -l to see if I can run something as root , tried the password that we found from wordpress config file but it didn't work

Checked contab but there wasn’t any cronjobs running, logging in to database we can see that there’s an admin user’s password for wordpress

Privilege Escalation

I checked the running processes and found that a command was being ran to create a de attached screen session

We can create a de attach session using -dmS session_name and we can reattach the session with -r session_name but this wasn't working , since screen has SUID bit

We can actually access the screen session as root through screen -r root/





Smol Pentester| OSCP | CTF Player | UwU