hackTheBox 1 — Backdoor
IP Address: 10.10.11.125
Ran nmap scans. The target has ports 22, 80 and 1337 open. Little is known about port 1337. All I did for that port was look it up on Google, which shows only a little information about it: https://en.wikipedia.org/wiki/WASTE
From the results, I know that port 80 is running WordPress, so I can run wpscan to enumerate it. Nmap does not seem to identify the service on port 1337, so much is still unknown about it. At this point, my thinking is that I can only enumerate port 80; if port 80 does not give any breakthrough, I will need to research port 1337.
Wpscan does not return any useful information that gives me a place to start attacking.
Enumeration for WordPress: basically, if we have credentials to log in, we can try editing one of the pages into a PHP reverse shell, or look for vulnerable plugins. Continue to use ffuf/gobuster to dig further into the site. IMO, choosing between ffuf and gobuster depends on the situation.
Something I learned is to enumerate every folder: dirsearch every folder to find something. In a real-life penetration test, directory searching might not work because of some protection mechanism against directory brute-forcing. Not sure how that works either.
Found new content in the plugin directory. Going into ebook-download lets me find the version, which is 1.1. Googled it and found that it is vulnerable to LFI attacks.
Let's document some things about LFI. LFI lets me read content stored on the server if the user running the web server has permission to read it. Web services usually run as www-data on Linux, and IIS runs as some other user/service account. What I can aim to read are files that I know are world-readable (others have read permission). I can check that on my own Linux machine anyway. I know for sure I can read /var/www/html, which I did; wp-config is a bust since the DB credentials do not work and cannot be cracked (not so good at password cracking and hashing anyway). Another one we can read that is super useful is the /proc folder (it was new to me at the time).
We have permission to read most of /proc, since normal users can use ps to see what processes are running in the background, which works by reading /proc/<pid>/cmdline.
We can use Burp Intruder to check the contents.
Looking through the PIDs, we can see that port 1337 is not running WASTE but gdbserver, started from /home/user and accepting incoming connections from all IP addresses. There is some other stuff visible in other PIDs as well. This LFI way of attacking is really something new I learned. Went to the HTB discussion forum and read up since I was really stuck. LOL.
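As an added example (not from the original write-up), here is the defender's view of the LFI and /proc enumeration described above: a small Python detector that parses constructed Apache access-log lines and flags traversal sequences and reads of sensitive paths such as /proc/<pid>/cmdline, wp-config.php and /etc/passwd, then singles out clients with repeated hits. The endpoint and query-parameter name in the sample lines are assumptions made for the sample, not taken from the write-up.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache access-log lines for illustration (not captured from the box).
# Assumption: the plugin's download endpoint takes the file name in a query parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 1200
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../proc/851/cmdline HTTP/1.1" 200 48
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2100
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_RE = re.compile(r'/proc/\d+/|/etc/passwd|wp-config\.php')

def classify(url: str) -> list:
    """Reasons a request looks like a traversal/LFI attempt (empty list if clean)."""
    # Decode twice so %2e%2e%2f and double-encoded %252e variants both surface.
    decoded = unquote(unquote(url)).lower()
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal sequence")
    hit = SENSITIVE_RE.search(decoded)
    if hit:
        reasons.append("sensitive path " + hit.group(0))
    return reasons

def detect_lfi(log_text: str) -> list:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "url": m["url"], "reasons": reasons})
    return findings

def noisy_clients(findings: list, threshold: int = 2) -> dict:
    """Clients with repeated hits are likely automated (an Intruder-style PID sweep)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for f in detect_lfi(SAMPLE_LOG):
        print(f["ip"], f["status"], ", ".join(f["reasons"]))
```

A 200 status on a flagged request means the server actually served the file, which is the case worth alerting on first.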
Exploit-DB (Offensive Security's Exploit Database Archive) lists "GNU gdbserver 9.2 - Remote Command Execution (RCE)", a remote exploit for the Linux platform. There is an exploit for this.
I am going to end the documentation here.