HackTheBox — Backdoor

ARZ101
Apr 23, 2022

Hello everyone, in this post I will be sharing my writeup for HTB Backdoor, which was an easy-rated Linux box. Starting with an nmap scan we found 3 open ports, of which port 80 and 1337 were of interest. The web server was running WordPress with a default template; enumerating the plugins showed that it was using the eBook Download plugin, which was vulnerable to LFI. That allowed us to view the running processes, which showed that gdbserver was running on port 1337, and that gave us remote code execution. With a shell as the user, we found that the screen binary was being run as root to create a detached session, which allowed us to reattach that session as the root user.

NMAP

nmap -p- -sC -sV 10.10.11.125 --min-rate 5000 -v

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
| http-methods:
|_ Supported Methods: HEAD
1337/tcp open waste? syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

From the scan we saw that there's an Apache web server running on port 80.

At the bottom, we can see that this is a WordPress site.

We can try to log in with default creds like admin:admin.

It gives an error that the password for the admin user is invalid, but it didn't say that the username is invalid, so we could try to brute force the password later. I tried to run an nmap scan for WordPress plugins, but there wasn't anything interesting.

nmap -p 80 --script http-wordpress-enum --script-args search-limit=2000 10.10.11.125 -vvv

I ran wpscan with the aggressive plugin scan, but it was taking too long to complete, so instead I manually enumerated the plugins by browsing to /wp-content/plugins.

The readme file of the ebook-download plugin shows that it's using version 1.1.

And this version is vulnerable to LFI.

10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

This will download the wp-config.php file, which has the database credentials.

We can also download the /etc/passwd file.

http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd

But we can't do things like log poisoning, as we are only able to download the files, not view them directly. Remember from our nmap scan that there was a port 1337, but on connecting to that port we don't get any response.
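From the defender's side, the traversal requests shown above leave a distinctive trace in the Apache access log. The following Python script is an added example, not part of the original writeup: it scans combined-format log lines for requests to the ebook-download plugin's filedownload.php whose ebookdownloadurl parameter carries a ".." path component, after stripping (possibly repeated) percent-encoding. The log lines and client IPs are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not captured from the box).
# Lines 1, 2 and 4 mirror the traversal requests above (line 4 with %2f-encoded slashes);
# line 3 is a benign download of an uploaded file and must not be flagged.
SAMPLE_LOG = """\
10.10.14.5 - - [23/Apr/2022:10:01:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3241 "-" "curl/7.81.0"
10.10.14.5 - - [23/Apr/2022:10:01:09 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd HTTP/1.1" 200 1888 "-" "curl/7.81.0"
10.10.14.9 - - [23/Apr/2022:10:02:30 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://10.10.11.125/wp-content/uploads/book.pdf HTTP/1.1" 200 91234 "-" "Mozilla/5.0"
10.10.14.5 - - [23/Apr/2022:10:03:11 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3241 "-" "curl/7.81.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PARAM_RE = re.compile(r'(?:^|&)ebookdownloadurl=([^&]*)')
# A ".." path component delimited by / or \ (or the end of the string) is traversal.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding so %2f and %252f both become /."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def detect_ebook_lfi(log_text: str) -> list:
    """Return one dict per request that aims a traversal sequence at filedownload.php."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/ebook-download/filedownload.php"):
            continue
        for raw in PARAM_RE.findall(parts.query):
            value = decode_fully(raw)
            if TRAVERSAL_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "path": value})
    return hits

if __name__ == "__main__":
    for hit in detect_ebook_lfi(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} -> {hit['path']}")
```

A 200 status on a flagged line means the file was actually served, which is the case to triage first.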

Foothold

To find out what's running on that port, we can read /proc/sched_debug, which lists all the processes running on the system.

On reading that file we can see that gdbserver is running, and there's a remote code execution exploit for it available in Metasploit.

I got another reverse shell, as I wanted to stabilize the shell and the meterpreter shell isn't stable when we spawn bash.

This enabled us to stabilize our shell. Now, to escalate our privileges, I checked sudo -l to see if I could run something as root, and tried the password we found in the WordPress config file, but it didn't work.

I checked crontab but there weren't any cronjobs running. Logging in to the database, we can see the admin user's password for WordPress.

Privilege Escalation

I checked the running processes and found that a command was being run to create a detached screen session.

We can create a detached session using -dmS session_name and reattach it with -r session_name, but this wasn't working, since screen has the SUID bit set.

We can actually attach to the root user's screen session with screen -r root/.
