Backdoor

Gaining Access

First we start with an Nmap scan as usual.

We can check out the HTTP server.

Wordpress Instance

The HTTP server was powered by Wordpress, so immediately we can run wpscan to check for common exploits. However, this didn't really reveal much for me, and I wasn't able to amke this work.

Port 1337

This was a port I had never seen before. A bit of googling revealed that this was a remote gdbserver being hosted on the website. There are many easy ways for us to upload a file and gain a reverse shell.

I was really lazy, so I got the the exploit/multi/gdb/gdb_server_exec module from MSF to do the work. In my testing after rooting, I could not make the PoC work for me. Strange.

Now we can grab the user flag easily.

Privilege Escalation

I ran linpeas as early enumeration to see what was going on. Linpeas flagged out that screen was being run by root.

screen is a software that allows for us to run multiple screens on a single terminal. Root running this means that the root user has multiple screens that are running some processes currently. The attack in this case would be to attach ourselves to this process.

In this machine's case, what it is doing is creating a folder in the S-root directory with a session ID whenever it runs. This would allow us to find the specific process that we want to attach ourselves to.

Using the screen command itself, we can do the following to gain a root shell.

screen -x root/<PID>

However, this complains about a 'missing terminal type'. What remedies this is running the following commands to spawn a TTY shell

export TERM=xterm
python3 -c 'import pty;pty.spawn("/bin/bash")'
screen -x root/<PID>

This would drop us in a root shell and we can read the flag.

PreviousArmageddonNextBank