Backdoor is an HTB machine. HTB is an excellent platform that hosts machines running multiple OSes. ... Individuals have to solve the puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack to connect to the machines hosted on the HTB platform.
We begin our hunting.
Step 1: We start with port scanning using nmap. The result shows ports 22 and 80 open, and a full port scan finds another open port, 1337.
Step 2: Next we scan for hidden directories in order to get into the site. We found directories named wp-admin, wp-content and wp-includes.
Going through these directories, we find that a plugin named e-book is in use.
Step 3: With the help of searchsploit we check for known vulnerabilities in the e-book plugin and find one.
We download and read the file 39575.txt.
The file describes a directory traversal vulnerability, so we set the payload accordingly. With the help of Burp Suite we listed /etc/passwd, but nothing useful was found.
Step 4: Next we brute-force the PID in the /proc/ directory; on Linux, /proc/[PID]/cmdline holds the command line of a currently running process. We create a wordlist with the numbers 1 to 1500 and use ffuf to find the entries whose response size stands out from the rest.
Step 5: Using Burp Suite we analyze this data for any useful bit of information and find that the server is running gdbserver.
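As an added defender's-side illustration, not part of the original writeup: the requests made in Steps 3 and 4 (reading /etc/passwd through the traversal, then walking /proc/[PID]/cmdline) leave a distinctive trail in the web server's access log. The Python script below uses constructed log lines and a placeholder plugin endpoint (the real e-book plugin path and parameter are not used); it URL-decodes each request path, flags traversal sequences and sensitive targets, and reports source addresses that probe many distinct PIDs, which is the signature of the ffuf run described above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. The plugin path and the
# "file" parameter are placeholders, not the real e-book plugin's endpoint.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/e-book/download.php?file=../../../../etc/passwd HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/e-book/download.php?file=..%2F..%2F..%2F..%2Fproc%2F1%2Fcmdline HTTP/1.1" 200 80 "-" "curl/7.68.0"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/e-book/download.php?file=%252e%252e%252f%252e%252e%252fproc%252f2%252fcmdline HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-content/plugins/e-book/download.php?file=../../../../proc/851/cmdline HTTP/1.1" 200 120 "-" "curl/7.68.0"
10.10.14.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/e-book/download.php?file=../../wp-config.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:00:06 +0000] "GET /wp-content/plugins/e-book/download.php?file=books/intro.pdf HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log format: client ip, identity, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r"\.\.[\\/]")                         # "../" or "..\"
SENSITIVE = re.compile(r"/etc/passwd|/etc/shadow|/proc/\d+/(cmdline|environ|maps)")
PROC_PID = re.compile(r"/proc/(\d+)/")


def decode_path(raw):
    """URL-decode twice so that double-encoded sequences such as %252e%252e%252f
    are normalised to "../" before matching."""
    path = raw
    for _ in range(2):
        path = unquote(path)
    return path


def classify(line):
    """Parse one access-log line and return a dict with the decoded path and the
    reasons it looks suspicious (empty list if benign); None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m.group("path"))
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("traversal")
    if SENSITIVE.search(path):
        reasons.append("sensitive-target")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
            "size": m.group("size"), "path": path, "reasons": reasons}


def find_suspicious(log_text):
    """Return only the parsed entries that have at least one reason attached."""
    parsed = (classify(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry and entry["reasons"]]


def proc_enumeration(hits, threshold=3):
    """Map source ip -> number of distinct /proc/<pid>/ paths it requested, keeping
    only sources at or above the threshold: one client touching many PIDs is the
    signature of a PID brute-force rather than a single stray request."""
    pids_by_ip = {}
    for h in hits:
        m = PROC_PID.search(h["path"])
        if m:
            pids_by_ip.setdefault(h["ip"], set()).add(m.group(1))
    return {ip: len(pids) for ip, pids in pids_by_ip.items() if len(pids) >= threshold}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], ",".join(h["reasons"]), h["path"])
    print("PID enumeration by source:", proc_enumeration(hits))
```

Matching after decoding is the important design choice: a rule that looks for the literal string "../" misses the %2F and %252e variants shown in the sample, while a rule applied to the decoded path catches all three. The status code is kept in each entry because a run of 200 responses with varying sizes for /proc paths is exactly the condition the ffuf size filter exploits, so size variance per source is a natural second signal to add.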
Step 6: In the MSF console we search for gdbserver and find a possible exploit. We use that exploit, set target '1' and choose a payload; here we selected payload 5.
Step 7: Now we set LPORT, LHOST, RPORT and RHOSTS before the attack.
Step 8: We 'run' the attack and get a meterpreter shell. We are inside the server as user and cat the user flag.
To upgrade from the meterpreter shell to a normal shell, first run the shell command, followed by
python3 -c "import pty;pty.spawn('/bin/bash')"
Step 9: For privilege escalation we run a script named linpeas.sh to look for weaknesses on the server. After running the script we find that a process named screen is running.
Step 10: After a little research we find that screen can be exploited with a simple command
screen -X root/root
Pwned!!