Backdoor - [HTB]

Marmeus

Introduction

Backdoor is a Linux machine where the attacker has to find executed commands through an LFI in a WordPress plugin. Finally, to become root, the attacker has to attach to a screen terminal as root.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

Then, we continue with a deeper scan of every open port, getting more information about each service.

Looking for domains on the web page, we can find backdoor.htb.

backdoor.htb

Enumerating WordPress with WPScan, we can find an installed plugin.

Exploitation

The Ebook plugin has an associated vulnerability on exploit-db, which can be exploited with the following command:

Exploitation 2

Because port 1337 is very common in CTFs, maybe there is a custom binary listening on this port.

To find the executed command, we can take advantage of the path traversal vulnerability by iterating over the /proc/ folder.

After waiting for some time, we can see that gdbserver is listening on port 1337.
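Seen from the web server, this /proc/ iteration is a burst of traversal requests that differ only in the PID. The following is an added detection example, not part of the original write-up: it flags clients that read several distinct /proc/<pid>/ entries through a query parameter. The log lines, the plugin path and the `file` parameter are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The plugin path
# and the "file" parameter are placeholders, not taken from the original page.
SAMPLE_LOG = """\
10.10.14.7 - - [01/Jan/2022:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../proc/812/cmdline HTTP/1.1" 200 74
10.10.14.7 - - [01/Jan/2022:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2f..%2f..%2f..%2fproc%2f813%2fcmdline HTTP/1.1" 200 61
10.10.14.7 - - [01/Jan/2022:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=%252e%252e/%252e%252e/proc/814/cmdline HTTP/1.1" 200 90
10.10.14.9 - - [01/Jan/2022:10:00:05 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120
10.10.14.9 - - [01/Jan/2022:10:00:09 +0000] "GET /docs/proc/overview.html HTTP/1.1" 200 900
"""

# client IP and request target from a combined-format log line
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# /proc/<pid>/<entry> reached via "../" steps or passed directly as a parameter value
PROC_READ = re.compile(r'(?:\.\./|=)/*proc/(\d+|self)/\w+')


def normalize(target, rounds=3):
    """Undo nested percent-encoding and unify path separators."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def find_proc_enumeration(log_text, min_pids=3):
    """Return {client_ip: sorted PIDs} for clients probing >= min_pids PIDs."""
    pids = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        hit = PROC_READ.search(normalize(target))
        if hit:
            pids[client].add(hit.group(1))
    return {ip: sorted(p) for ip, p in pids.items() if len(p) >= min_pids}


if __name__ == "__main__":
    for ip, seen in find_proc_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: /proc enumeration via traversal, PIDs {', '.join(seen)}")
```

The `min_pids` threshold separates a single stray request from enumeration; tune it to the site's normal traffic.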

In Metasploit, there is an associated module for the gdbserver which allows us to obtain a reverse shell as "user".

Privilege Escalation

Enumerating with linpeas, we can see that the root user is executing an infinite loop with a screen session.

In order to access the active root screen, we need to execute the following command, which attaches to the current root session named "root".

However, we need to be in a proper terminal to execute the screen command, so we need to execute the following commands, becoming root.