🔎🦶Enumeration/Foothold

Backdoor is an Easy Linux box from HTB, created by hkabubaker17. This box features a WordPress environment with an exploitable plugin, ebook-download, which is vulnerable to LFI (local file inclusion). Brute-forcing proc on the environment with ffuf and the LFI finds gdbserver running on Port 1337. We exploit gdbserver and, once on the box, find screen running as root. I began this box by running a quick RustScan on the IP to grab open ports:


RustScan then runs the following nmap command:


which I then pipe into a PDF with xsltproc for easier reading. Reviewing the results, I can see Ports 22/80/1337 open. I can also see from the nmap results that Port 80 is running WordPress. Navigating to the website, I am able to confirm this:

WordPress potted plant on Backdoor.htb.


This potted plant is burned into my brain from WordPress development installs. I kick off a wpscan in the background and try the default directories. I get a hit:

WordPress potted plant on Backdoor.htb.


wp-content, alongside wp-includes and wp-admin, is one of the three primary WordPress directories. wp-content includes multiple directories, with the primary ones being plugins (as shown above) as well as themes, mu-plugins and uploads (used primarily for media). Seeing ebook-download, I research the plugin and get a hit.

I run a test and successfully get back the wp-config.php file, from which I grab the username and password:

The password doesn’t work with either wordpressuser or admin (which I got from WPScan running in the background) for SSH or the WordPress login.

Next I looked at what information I could get from the environment with this LFI. nmap had shown Ubuntu running on the box, so I grabbed the passwd:

I struggled for a while and then remembered Port 1337 from the initial scan. Knowing the box was called Backdoor, and coming up empty on the web server side, I began looking at the OS itself. I reviewed my PrivEsc Linux notes, which included a link I did some reading on, THIS, which I highly recommend reading through. I figured if the backdoor was running as a service I could pull it via proc.
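From the defender's side, reading process command lines through a file-read bug means one request per candidate PID, which stands out in the web server's access log. The following Python check is an added example, not part of the original write-up: it flags clients that request `/proc/<pid>/...` paths for several distinct PIDs, assuming combined-format access logs; the plugin path, the `file` parameter and the addresses in the sample are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines. The plugin path, the "file" parameter and the
# addresses are placeholders for illustration, not values from the box.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2022:10:01:01 +0000] "GET /wp-content/plugins/example/dl.php?file=../../../wp-config.php HTTP/1.1" 200 3100
203.0.113.7 - - [23/Apr/2022:10:02:10 +0000] "GET /wp-content/plugins/example/dl.php?file=/proc/845/cmdline HTTP/1.1" 200 140
203.0.113.7 - - [23/Apr/2022:10:02:10 +0000] "GET /wp-content/plugins/example/dl.php?file=%2Fproc%2F846%2Fcmdline HTTP/1.1" 200 82
203.0.113.7 - - [23/Apr/2022:10:02:11 +0000] "GET /wp-content/plugins/example/dl.php?file=%252Fproc%252F847%252Fcmdline HTTP/1.1" 200 82
198.51.100.20 - - [23/Apr/2022:10:05:00 +0000] "GET /status?path=/proc/self/status HTTP/1.1" 403 12
192.0.2.44 - - [23/Apr/2022:10:06:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3} ')
PROC_RE = re.compile(r"/proc/(\d+|self)/(?:cmdline|environ|maps|status|exe|cwd)\b")


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded paths are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def proc_reads(log_text):
    """Map client IP -> set of /proc/<pid> targets seen in query parameters."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not a request line in the assumed format
        client, target = match.groups()
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            pids = PROC_RE.findall(decode(value))
            if pids:
                hits[client].update(pids)
    return hits


def enumerators(log_text, min_pids=3):
    """Clients that requested at least min_pids distinct PIDs (enumeration)."""
    return {ip: sorted(pids) for ip, pids in proc_reads(log_text).items()
            if len(pids) >= min_pids}
```

Calling `enumerators(SAMPLE_LOG)` returns only the client that walked several PIDs; the `min_pids` threshold is an arbitrary starting point to tune against real traffic.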

I tried using Burp Intruder with a Sniper payload, but as I’m on community this was unbearably slow. I switched over to ffuf. First I ran a blind scatter and cleaned up the filter. I exported to CSV for easier manipulation:


I then cleaned up the list and then ran a loop to download all the files in question:


Once the files were done downloading I ran:


and found:

Finding this was an actual pain and not something I would’ve expected on an EASY machine, but here we are. After Googling gdbserver I saw a Metasploit route and a shell-code approach. I went with Exploit DB – 50539 and downloaded it to my box:

⚠ Attack Machine – Tab 1

I then followed the instructions by creating a shell-code and setting up a netcat listener before running the python script:

⚠ Attack Machine – Tab 2

⚠ Attack Machine – Tab 1

After logging into the box I grabbed the flag which HTB said was incorrect:

🏴User

🔝Escalation

I checked for an available .SSH session and when one didn’t exist I created my own:

⚠ Attack Machine

🎯Victim Machine

⚠ Attack Machine

I then logged into the box via SSH. Once on the box, escalating to root was straightforward. I downloaded LinPEAS to the box and found screen running as root with an open session. I logged in and grabbed both flags:

⚠ Attack Machine

🎯Victim Machine

Rooted Backdoor from HTB.


Rooted

Published On: April 23rd, 2022 / Categories: HTB, Technology