Writeup - Backdoor (HTB)
This is a writeup for the Backdoor machine from the HackTheBox site.
First, let's start with a scan of our target with the following command:
nmap -sV 10.10.11.125
Three TCP ports are discovered:
- 22/tcp : SSH port (OpenSSH 8.2p1)
- 80/tcp : web server (Apache 2.4.41)
- 1337/tcp : ?????
We have a site on port 80 and port 1337 that hosts an unknown service at the moment; let's see what the site looks like.
After inspecting the page, I notice that it is a site based on the CMS Wordpress, let's do a scan with "WPScan" to try to identify flaws:
Nothing special, let's try to do an aggressive detection of the plugins. For this I use the following command:
wpscan --url http://backdoor.htb --plugin-detection aggressive
There are two plugins: akismet and ebook-download. After some research I find that ebook-download in version 1.1 is exploitable (CVE-.
So we create a script to automate the process scan, if the page returns a message with a size greater than 82 bytes, then the process exists.
import requests for i in range(0,1000): url = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc> answer=requests.get(url) lg=len(answer.text) if(leng>82): if '1337' in resp.text: print("%d %s ",lg, answer.text)
After running the script, we find 2 services:
These processes are gdbserver running on our mystery port: 1337. So we can now look for exploits related to this process.
Je trouve rapidement le script suivant qui permet d'exécuter du code à distance via le service GDB :
After generating a payload with msfvenom, I run the script :
I now have a shell on the remote machine, I can get the first flag.
First I try to find the SUID files. For that I use the following command:
find / -perm -u=s -type f 2>/dev/null
There are a lot of usual commands. But among the list there is "screen". It is a command that allows to manage several terminals at the same time. I look then if a process runs with this command:
And indeed there is a process running. But not just any process, a root shell with the options -dmS :
- -d : detache de screen when started
- -m : ignore the $STY environment variable, creation of a new session is enforced
- -S : When creating a new session, this option can be used to specify a meaningful name
So we know that a screen named root has been created with the user root. If we manage to connect to the screen, we will have access to a root shell.
To connect to the detached screen we need to use the following command:
screen -x [name]/[user]
But before connecting we will have to define the variable $TERM, to do this I use the following command:
I can now connect to the root screen with the following command:
screen -x root/root
I now have access to a root shell and can retrieve the last flag.
To patch this host I think it would be necessary to perform a number of actions:
- Update Wordpress plugin
- Update GDB server
- Do not run screen as root with the -m variable