[Hack The Box][Machine][Easy] - 🐧 Backdoor
This is my writeup for the Backdoor machine on the Hack The Box platform.
Let's start with an nmap scan to enumerate the open ports:
- Port 22 (SSH)
- Port 80 (HTTP)
- Port 1337 (?)
WEBSITE
If you go to the website, you quickly realize that it is running WordPress (a CMS).
We can verify this by looking at the source code of the page. The static files are located in the wp-includes directory and there is also the wp-content directory; both are WordPress-specific folders. We also find a domain name, http://backdoor.htb, which we add to our hosts file (/etc/hosts) so that the name resolves.
The wpscan tool doesn't tell us much except for a user called admin (default user). Brute-forcing this user's password to access the dashboard does not work, and no vulnerable plugins are installed on the WordPress site.
GDB SERVER
We have very little information about port 1337. Nmap could not determine which service is running on it. Netcat only tells us that a TCP connection is established. A Google search on this port suggests that a gdbserver may be listening on it.
The https://www.exploit-db.com/ website contains an exploit for version 9.2 of gdbserver: "GNU gdbserver 9.2 - Remote Command Execution (RCE)", a remote exploit for the Linux platform.
After downloading the PoC, we generate a reverse shell with msfvenom, then launch the exploit. We get a connection on our listener.
PRIVESC
We run the linPEAS script on the remote machine and it reports a privilege escalation vector involving the screen program: screen is launched by the root user in his own session. We can therefore join that session and obtain a root shell!
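As an added example (not part of the original writeup), here is a defender-side audit for the two weaknesses this machine relies on, a gdbserver listening on TCP and a screen session run by root. It parses `ps -eo user,pid,args` output; the sample process list and the names `audit_processes` and `screen_session` are constructed for illustration.

```python
import re
import shlex

# Constructed `ps -eo user,pid,args` output (sample data, not from the machine).
SAMPLE_PS = """\
USER         PID COMMAND
root         812 /usr/sbin/sshd -D
www-data     901 /usr/sbin/apache2 -k start
user         955 gdbserver --once 0.0.0.0:1337 /bin/true
dev         1002 gdbserver - /usr/bin/app
root        1120 SCREEN -dmS root
user        1300 SCREEN -S build
"""

# gdbserver COMM forms that open a TCP listener: [host]:port, optionally
# prefixed with tcp:, tcp4: or tcp6:. "-" (stdio) and serial devices do not match.
TCP_COMM = re.compile(r"^(?:tcp[46]?:)?(?:\[[^\]]*\]|[^:/]*):(\d{1,5})$")

def screen_session(args):
    """Return the name given with -S (also inside combined flags like -dmS)."""
    for flag, value in zip(args, args[1:]):
        if flag.startswith("-") and flag.endswith("S"):
            return value
    return "(unnamed)"

def audit_processes(ps_output):
    """Return (pid, user, finding) tuples for processes that need review."""
    findings = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts[0], int(parts[1]), shlex.split(parts[2])
        name = args[0].rsplit("/", 1)[-1].lower()
        if name == "gdbserver":
            # The GDB remote protocol has no authentication: whoever reaches
            # the port controls the debugged process with this user's rights.
            port = next((m.group(1) for a in args[1:] if (m := TCP_COMM.match(a))), None)
            if port:
                findings.append((pid, user, f"gdbserver listening on TCP port {port}"))
        elif name == "screen" and user == "root":
            # Review who can attach: setuid bit on the screen binary, multiuser ACLs.
            findings.append((pid, user, f"root-owned screen session '{screen_session(args)}'"))
    return findings

if __name__ == "__main__":
    for pid, user, finding in audit_processes(SAMPLE_PS):
        print(f"[!] pid={pid} user={user}: {finding}")
```

On a live host, feed it the real output of `ps -eo user,pid,args` and treat each finding as a prompt to stop the debugger stub or to check who is allowed to attach to the session.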