2022-04-23 21:35:43 +05:00

HackTheBox - Backdoor

NMAP

nmap -p- -sC -sV 10.10.11.125 --min-rate 5000 -v

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
| http-methods: 
|_  Supported Methods: HEAD
1337/tcp open  waste?  syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

From the scan we saw that there's an Apache web server running on port 80.

At the bottom of the page, we can see that this is a WordPress site.

We can try to log in with default creds like admin:admin.

It gives an error that the password for the admin user is invalid, but it doesn't say that the username is invalid, so we could try to brute force it; let's leave that for last. I tried to run an nmap scan for WordPress plugins, but there wasn't anything interesting.

nmap -p 80 --script http-wordpress-enum --script-args search-limit=2000 10.10.11.125 -vvv

I ran wpscan with the aggressive plugin scan, but it was taking too long to complete, so instead I manually enumerated plugins by browsing to /wp-content/plugins.

The readme file of the ebook-download plugin shows that it's version 1.1.

This version is vulnerable to LFI (local file inclusion).

10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

This downloads the wp-config.php file, which contains the database credentials.

We can also download the /etc/passwd file.

http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../etc/passwd

But we can't do things like log poisoning, as we can only download the files rather than view them directly. Remember from our nmap scan that there was a port 1337, but on connecting to that port we get no response.
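As an added example (not from the original writeup), here is a small detector a defender could run over Apache access logs to flag traversal attempts against the ebook-download plugin's filedownload.php parameter. The log lines are constructed samples, and the client IPs and timestamps in them are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not from the original writeup).
# The first two carry the same traversal requests the writeup uses; the third
# is a legitimate download; the fourth never touches the plugin at all.
SAMPLE_LOG = """\
10.10.14.5 - - [23/Apr/2022:16:02:11 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3213 "-" "curl/7.81.0"
10.10.14.5 - - [23/Apr/2022:16:03:40 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1816 "-" "curl/7.81.0"
192.0.2.7 - - [23/Apr/2022:16:05:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://10.10.11.125/wp-content/uploads/2021/10/ebook.pdf HTTP/1.1" 200 52100 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2022:16:06:15 +0000] "GET /?p=1 HTTP/1.1" 200 7140 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"
# A ".." path segment, delimited by / or \ (or the start/end of the value)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values (..%252F) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the (fully decoded) parameter value contains a '..' path segment."""
    return bool(TRAVERSAL_RE.search(decode_fully(value)))

def find_traversal_hits(log_text):
    """Return one dict per request that sent a traversal value to the plugin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != PLUGIN_PATH:
            continue
        # parse_qs already percent-decodes once; decode_fully handles further layers
        for value in parse_qs(url.query, keep_blank_values=True).get("ebookdownloadurl", []):
            if is_traversal(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "file": decode_fully(value)})
    return hits
```

A 200 status on a flagged request means the file was actually served, so those entries are the ones to treat as confirmed disclosure rather than a blocked attempt.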

Foothold

To find out what's running on that port, we can read /proc/sched_debug, which lists all the processes running on the system.

Reading that file, we can see that gdbserver is running, and there's a remote code execution exploit for it available in Metasploit.

I got another reverse shell because I wanted to stabilize the shell, and the Meterpreter shell isn't stable when we spawn bash.

This let us stabilize our shell. To escalate our privileges, I checked sudo -l to see if I could run anything as root, and tried the password we found in the WordPress config file, but it didn't work.

I checked crontab, but there weren't any cron jobs running. Logging in to the database, we can see the admin user's password for WordPress.

Privilege Escalation

I checked the running processes and found that a command was being run to create a detached screen session.

We can create a detached session using -dmS session_name and reattach it with -r session_name, but this wasn't working, since screen has the SUID bit set.

We can actually attach to the root screen session as root with screen -r root/.
