From d308d09e744641fb6068a567cc6ac8ed7d50a35c Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Sat, 23 Apr 2022 21:35:43 +0500 Subject: [PATCH] Create Backdoor.md --- HackTheBox/Backdoor.md | 108 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 HackTheBox/Backdoor.md diff --git a/HackTheBox/Backdoor.md b/HackTheBox/Backdoor.md new file mode 100644 index 0000000..f40d564 --- /dev/null +++ b/HackTheBox/Backdoor.md 
@@ -0,0 +1,108 @@ +# HackTheBox - Backdoor + +## NMAP + +```bash +nmap -p- -sC -sV 10.10.11.125 --min-rate 5000 -v + +PORT STATE SERVICE VERSION +22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) +80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) +|_http-generator: WordPress 5.8.1 +| http-methods: +|_ Supported Methods: HEAD +1337/tcp open waste? syn-ack ttl 63 +Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel + +``` + +## PORT 80 (HTTP) + +From the scan we saw that there's a web server apache server running on port 80 + + + +At the bottom , we can see that this is a wordpresss site + + + +We can try to login with default creds like admin:admin + + + + + +It gives an error that password for `admin` user invalid but it didn't say that username is invalid so we could try to brute force but let's just leave it for the last. I tired to run an nmap scan for wordpress plugins but there wasn't any thing interesting + +` nmap -p 80 --script http-wordpress-enum --script-args search-limit=2000 10.10.11.125 -vvv` + + + +I ran `wpscan` and used aggresive plugins scan but it was taking so long for it to complete instead I manully tried to enumerate plugins by going to `/wp-content/plugins` + + + +The readme file shows that it's using version 1.1 + + + +And this version is vulnerable to LFi + + + +`10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php` + +This will download `wp-config.php` file which has the database credentials + + + +We can also download `/etc/passwd` file + +`http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd` + + + +But we can't do things like log posining as we are only able to download the file not view them directly , remember from our nmap scan we saw that there was a port 1337 but on connecting on the port we don't get any response + + + +## Foothold +In order to find what's running on that port we need can 
find it by reading ` /proc/sched_debug` , which shows all the processes that are running on the system + + + +On reading that file we can see that `gdbserver` is running and there's a remote code execution exploit available on metasploit + + + +I got another reverse shell as I wanted to stabilize the shell and the meterpreter shell isn't stable when we spawn bash + + + +So this enabled us to stabilize our shell , now to escalate our privleges I checked `sudo -l` to see if I can run something as root , tried the password that we found from wordpress config file but it didn't work + + + +Checked contab but there wasn't any cronjobs running, logging in to database we can see that there's an admin user's password for wordpress + + + +## Privilege Escalation + +I checked the running processes and found that a command was being ran to create a deattached `screen` session + + + +We can create a deattach session using `-dmS session_name` and we can reattach the session with `-r session_name` but this wasn't working , since screen has SUID bit + + + +We can actually access the screen session as root through `screen -r root/` + + + + +## References +- https://www.armourinfosec.com/wordpress-enumeration/ +- https://stackoverflow.com/questions/9953973/how-to-collect-information-of-every-single-cpu +- https://serverfault.com/questions/336594/share-screen-session-with-users-in-the-same-group-linux
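Review bot: the Foothold and Privilege Escalation sections omit the exact commands that make the chain reproducible, so the page cannot be followed from the text alone. The `/proc/sched_debug` read is described only in prose; give the `filedownload.php?ebookdownloadurl=...` URL for it the way the `wp-config.php` and `/etc/passwd` reads do, and note that, as the text itself says for log poisoning, the plugin only downloads the file, so the process list has to be read from the downloaded copy. The gdbserver step says "there's a remote code execution exploit available on metasploit" without naming the module, the target host and port (1337 from the scan) or the payload, and the "another reverse shell" used to stabilize is not shown; record the module path, the options set and the listener command. In Privilege Escalation the text says `-r session_name` "wasn't working" and then that `screen -r root/` works "since screen has SUID bit", but the evidence is paraphrased: quote the actual `screen -dmS ...` line from the process list so the reader can see which user and session name the `root/` prefix refers to, and spell out how the SUID bit is what lets a non-root user attach to a session owned by root. The `sudo -l`, crontab and database enumeration ("Checked contab ... logging in to database we can see that there's an admin user's password") is privilege-escalation enumeration and belongs under that heading rather than under Foothold. The nmap block is also inconsistent with its command: the `1337/tcp open waste? syn-ack ttl 63` line carries reason output that `-v` alone does not print, so either add `--reason`/`-vv` to the command or paste output from the run shown. Spelling: "wordpresss", "tired" (tried), "aggresive", "manully", "LFi", "posining", "need can find it", "privleges", "contab", "deattached", "deattach".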