🔎🦶Enumeration/Foothold
Backdoor is an Easy Linux box from HTB created by hkabubaker17. This box features a WordPress environment with an exploitable plugin, ebook-download, which is vulnerable to LFI (local file inclusion). Brute-forcing proc on the environment with ffuf and the LFI finds gdbserver running on Port 1337. We exploit gdbserver and, once on the box, find screen running as root. I began this box by running a quick RustScan on the IP to grab open ports:
RustScan then runs the following nmap command:
which I then pipe into a PDF with xsltproc for easier reading. Reviewing the results I can see Ports 22/80/1337 open. I can also see from the nmap results that Port 80 is running WordPress. Navigating to the website I am able to confirm this:

WordPress potted plant on Backdoor.htb.
This potted plant is burned in my brain from WordPress development installs. I kick off a wpscan in the background and try the default directories. I get a hit:

WordPress potted plant on Backdoor.htb.
wp-content, alongside wp-includes and wp-admin, is one of the three primary WordPress directories. wp-content includes multiple directories, the primary ones being plugins (as shown above) as well as themes, mu-plugins and uploads (used primarily for media). Seeing ebook-download, I research the plugin and get a hit.
I run a test and successfully get back the wp-config.php file, from which I grab the username and password:
The password doesn't work for SSH or the WordPress login with either wordpressuser or admin (the latter I got from WPScan running in the background).
Next I looked at what information I could get from the environment with this LFI. nmap was able to show Ubuntu running on the box, so I grabbed the passwd file:
I struggled for a while and remembered Port 1337 from the initial scan. Knowing the box was called Backdoor and that I was coming up empty on the web server side, I began looking at the OS itself. I reviewed my PrivEsc Linux notes, which included a link I did some reading on, THIS, which I highly recommend reading through. I figured if the backdoor was running as a service I could pull it via proc.
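The reason proc is so useful here is that it ties network sockets back to the processes that own them. As an added example (my own code, not part of the original write-up), the script below does that from the defender's side: it parses /proc/net/tcp-style text, maps each LISTEN socket's inode to a pid and command line, and flags listeners run by programs that have no business listening on a production host, such as gdbserver. The /proc/net/tcp sample and the inode-to-process map are constructed for the example; on a live host `build_inode_map_from_proc()` builds the map from /proc/<pid>/fd symlinks.

```python
"""Map listening TCP sockets to their owning processes using /proc.

Added example, not code from the original write-up. Sample data is constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/tcp. Ports are hex: 0x0016 = 22, 0x0539 = 1337.
# State 0A is LISTEN; the third row is an established connection and is ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19021 1 0000000000000000 100 0 0 10 0
   1: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24633 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:A1B2 01 00000000:00000000 00:00000000 00000000    33        0 30110 1 0000000000000000 20 4 30 10 -1
"""

# Constructed socket inode -> (pid, argv). On a real host this comes from
# readlink("/proc/<pid>/fd/<n>") == "socket:[<inode>]" plus /proc/<pid>/cmdline.
SAMPLE_INODE_MAP: Dict[int, Tuple[int, List[str]]] = {
    19021: (812, ["/usr/sbin/sshd", "-D"]),
    24633: (1423, ["gdbserver", "--once", "0.0.0.0:1337", "/bin/true"]),
}

# Debug / remote-access programs that should rarely be listening on a server.
WATCHLIST = {"gdbserver", "nc", "ncat", "socat", "telnetd"}
TCP_LISTEN = "0A"


@dataclass
class Listener:
    port: int
    uid: int
    inode: int
    pid: Optional[int]
    program: Optional[str]

    @property
    def suspicious(self) -> bool:
        return self.program is not None and os.path.basename(self.program) in WATCHLIST


def parse_proc_net_tcp(text: str) -> List[Tuple[int, int, int]]:
    """Return (port, uid, inode) for every LISTEN socket in /proc/net/tcp text."""
    out = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].split(":")[1], 16)  # local port is hex
        out.append((port, int(fields[7]), int(fields[9])))
    return out


def build_inode_map_from_proc(proc_root: str = "/proc") -> Dict[int, Tuple[int, List[str]]]:
    """Live-host equivalent of SAMPLE_INODE_MAP; unprivileged runs see only their own processes."""
    inode_map: Dict[int, Tuple[int, List[str]]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            for fd in os.listdir(f"{proc_root}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc_root}/{pid}/fd/{fd}"))
                if m:
                    inode_map[int(m.group(1))] = (pid, argv)
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or belongs to another user
    return inode_map


def audit_listeners(proc_net_tcp: str, inode_map: Dict[int, Tuple[int, List[str]]]) -> List[Listener]:
    """Join the socket table with the process map, lowest port first."""
    listeners = []
    for port, uid, inode in parse_proc_net_tcp(proc_net_tcp):
        pid, argv = inode_map.get(inode, (None, None))
        listeners.append(Listener(port, uid, inode, pid, argv[0] if argv else None))
    return sorted(listeners, key=lambda l: l.port)


def suspicious_ports(proc_net_tcp: str, inode_map: Dict[int, Tuple[int, List[str]]]) -> List[int]:
    """Ports whose owning program is on the watch list."""
    return [l.port for l in audit_listeners(proc_net_tcp, inode_map) if l.suspicious]


if __name__ == "__main__":
    for l in audit_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_INODE_MAP):
        print(f"port {l.port:<5} uid {l.uid:<5} pid {l.pid} {l.program} [{'SUSPICIOUS' if l.suspicious else 'ok'}]")
```

Run against the constructed data it reports sshd on 22 as ok and gdbserver on 1337 as suspicious; on a real host pass `open("/proc/net/tcp").read()` and `build_inode_map_from_proc()` instead (as root, so every pid's fd directory is readable).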
I tried using Burp Intruder with a Sniper payload, but as I'm on Community this was unbearably slow. I switched over to ffuf. First I ran a blind scatter and cleaned up the filter. I exported to CSV for easier manipulation:
I then cleaned up the list and then ran a loop to download all the files in question:
Once the files were done downloading I ran:
and found:
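Both the wp-config.php pull earlier and this ffuf sweep of /proc/<pid>/cmdline leave a very distinctive trail in the web server's access log. As an added example (my own code, not part of the original write-up), the script below scans combined-format log lines for requests to the ebook-download plugin whose query values carry traversal sequences, absolute paths or known sensitive targets, and then counts how many /proc paths each client asked for so a brute-force sweep stands out. The log lines, the `download.php` endpoint and the `file` parameter name are all constructed for the example and are not quoted from the plugin or the page; detection keys on the plugin directory and on every query value, so the real parameter name does not matter.

```python
"""Flag LFI attempts against a WordPress plugin in access-log lines.

Added example, not code from the original write-up. Log lines are constructed.
"""
import re
from collections import Counter
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined log format: ip ident user [time] "METHOD uri proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

PLUGIN_PATH = "/wp-content/plugins/ebook-download/"  # directory named in the write-up
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
SENSITIVE = re.compile(
    r"wp-config\.php|/etc/(?:passwd|shadow)|/proc/\d+/(?:cmdline|environ|maps)", re.I
)

# Constructed sample log: one client pulling wp-config.php, passwd and /proc/<pid>/cmdline
# (once URL-encoded), followed by two legitimate visitors.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Feb/2022:10:00:01 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=../../../wp-config.php HTTP/1.1" 200 3152 "-" "curl/7.81.0"
10.10.14.5 - - [01/Feb/2022:10:00:02 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=/etc/passwd HTTP/1.1" 200 2011 "-" "curl/7.81.0"
10.10.14.5 - - [01/Feb/2022:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=/proc/1/cmdline HTTP/1.1" 200 512 "-" "curl/7.81.0"
10.10.14.5 - - [01/Feb/2022:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=%2Fproc%2F2%2Fcmdline HTTP/1.1" 200 480 "-" "curl/7.81.0"
192.168.1.20 - - [01/Feb/2022:10:01:00 +0000] "GET /wp-content/plugins/ebook-download/download.php?file=catalogue.pdf HTTP/1.1" 200 88001 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Feb/2022:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(uri: str) -> List[str]:
    """Reasons a request to the plugin looks like an LFI attempt; empty list if benign."""
    parts = urlsplit(uri)
    if not parts.path.startswith(PLUGIN_PATH):
        return []
    reasons = set()
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; catch double-encoding too
            if TRAVERSAL.search(value):
                reasons.add("traversal")
            if SENSITIVE.search(value):
                reasons.add("sensitive-target")
            if value.startswith("/"):
                reasons.add("absolute-path")
    return sorted(reasons)


def scan_log(text: str) -> Tuple[List[Tuple[str, str, List[str]]], Counter]:
    """Return (alerts, hits per client IP); alerts are (ip, uri, reasons)."""
    alerts, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = classify(m["uri"])
        if reasons:
            alerts.append((m["ip"], m["uri"], reasons))
            per_ip[m["ip"]] += 1
    return alerts, per_ip


def proc_sweep_sources(text: str, threshold: int = 2) -> List[str]:
    """Clients that requested /proc/<pid>/ through the plugin at least `threshold` times."""
    counts = Counter()
    for ip, uri, _ in scan_log(text)[0]:
        if re.search(r"/proc/\d+/", unquote(uri)):
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    alerts, per_ip = scan_log(SAMPLE_LOG)
    for ip, uri, reasons in alerts:
        print(f"{ip} {','.join(reasons):<28} {uri}")
    print("per-client hits:", dict(per_ip))
    print("/proc sweep from:", proc_sweep_sources(SAMPLE_LOG))
```

Feed it a real access log with `scan_log(open(path).read())`; the `threshold` in `proc_sweep_sources` is deliberately low because a legitimate user has no reason to request any /proc path through an ebook plugin.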
Finding this was an actual pain and not something I would've expected on an EASY machine, but here we are. After Googling gdbserver I saw a Metasploit route and a shell-code approach. I went with Exploit DB – 50539 and downloaded it to my box:
⚠ Attack Machine – Tab 1
I then followed the instructions by creating shell-code and setting up a netcat listener before running the Python script:
⚠ Attack Machine – Tab 2
⚠ Attack Machine – Tab 1
After logging into the box I grabbed the flag which HTB said was incorrect:
🏴User
🔝Escalation
I checked for an available .ssh session and, when one didn't exist, I created my own:
⚠ Attack Machine
🎯Victim Machine
⚠ Attack Machine
I then logged into the box via SSH. Once on the box, escalating to root was straightforward. I downloaded LinPEAS to the box and found screen running as root with an open session. I logged in and grabbed both flags:
⚠ Attack Machine
🎯Victim Machine
Rooted Backdoor from HTB.