Backdoor machine writeup | HackTheBox

Karim Reda
5 min read · Apr 23, 2022

Today, I will show you how I got root access to the Backdoor machine on the HackTheBox platform.

Machine link: https://app.hackthebox.com/machines/Backdoor

First of all, I will run an nmap scan to search for open ports.

This command scans for open ports in just the first 1000 ports.

After running it, I found port 80 open (an HTTP service), so I will browse to it.

I opened the Wappalyzer tool and found that our target uses <<WordPress 5.8.1>>.

Now, I will search for any public exploit for this version to get initial access to this target.

After some searching, I didn’t find anything useful.

Now it is time to use wpscan to scan our website.

wpscan found that our target uses the Akismet plugin, which has 1 vulnerability that we can exploit.

Let’s try to exploit it.

When I went to the plugin path, I got a 403 page, so I will go to the plugins directory to see all the plugins I can see and whether I can get initial access through them.

I will download filedownload.php to my local machine and review it.

But I didn’t find anything useful.

Now, I will search for an exploit for this eBook plugin.

I found this exploit, which will help me in my exploitation phase.

I will continue with the steps to reach interesting information.

This plugin seems to be vulnerable to LFI.

As mentioned before, this website is vulnerable to LFI and we can reach sensitive files.

I found credentials in the wp-config file and tried to log in with them, but they were incorrect.

Next, I tried to connect over SSH with the same credentials, but they were also incorrect.

I reached the /etc/passwd file, but I didn’t find anything useful.

Now, I will search for how to get RCE from LFI.

After some searching, I found that we can query the running processes through /proc/[PID]/cmdline, so in the Intruder tab I sent requests with PIDs from 1 to 1000.

I found port 1337 open, running a gdbserver service on our target.
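
From the defender's side, the /proc/[PID]/cmdline sweep described above leaves a clear pattern in the web server's access log. The following is an added example, not part of the original writeup: the log lines are constructed, and the plugin directory `PLUGIN` and the `file` parameter name are assumptions (only `filedownload.php` comes from the page).

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined-log-format prefix: client IP ... "METHOD target PROTOCOL"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
# A request target that reaches /proc/<pid>/cmdline once decoded.
PROC_RE = re.compile(r'/proc/(\d+)/cmdline')

def decode_fully(target, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (e.g. ..%252f..)."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def proc_probes(lines):
    """Map client IP -> set of PIDs whose cmdline was requested."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, target = m.groups()
        for pid in PROC_RE.findall(decode_fully(target)):
            seen[ip].add(int(pid))
    return dict(seen)

def flag_enumeration(lines, min_pids=20):
    """Return clients that requested at least `min_pids` distinct PIDs."""
    return {ip: sorted(p) for ip, p in proc_probes(lines).items()
            if len(p) >= min_pids}

def sample_log():
    """Constructed sample: one client sweeping PIDs 1-40, plus other traffic."""
    ts = "[23/Apr/2022:10:00:00 +0000]"
    # Hypothetical plugin path and parameter name (assumptions, see lead-in).
    url = ("/wp-content/plugins/PLUGIN/filedownload.php"
           "?file=../../../../../../proc/{}/cmdline")
    lines = ['203.0.113.7 - - {} "GET {} HTTP/1.1" 200 64'.format(ts, url.format(p))
             for p in range(1, 41)]
    lines.append('198.51.100.9 - - {} "GET /index.php HTTP/1.1" 200 5120'.format(ts))
    lines.append('198.51.100.9 - - {} "GET /x.php?f=..%252f..%252fproc%252f1%252fcmdline'
                 ' HTTP/1.1" 200 12'.format(ts))
    return lines

if __name__ == "__main__":
    for ip, pids in flag_enumeration(sample_log()).items():
        print(ip, "requested", len(pids), "PIDs:", pids[0], "to", pids[-1])
```

A single hit on /proc/self or one PID is worth an alert on its own; the threshold here only separates a sweep from a one-off probe.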

To be sure about this port, I will run nmap again to scan the first 2000 ports on our target.

Yes, we found port 1337 open. Let’s exploit it now.

I will search Metasploit for a module for this service.

Yes, we found a module to exploit it.

I will use this module and set all the required options to run it.

When I ran it, I got an error telling me that the payload I used was incorrect: I should use an x64 payload, as detected from gdb.

I will solve this problem by specifying my target in msf, then running the module again.

Wow, we did it: we succeeded in opening a meterpreter session and got initial access as a normal user.

Now, we will spawn a TTY shell to get a stable shell.

Now, we will escalate our privileges to the root user.

The first thing I do in this phase is try <<sudo -l>>. This command lists all the sudo commands that a normal user can run without a password, but it wasn’t useful for me.

Now, I will use the linpeas script to enumerate this system and gather valuable information that helps me get access to the root user.

After focusing on the results, I found a task called screen, but I didn’t know what it was.

And we found that this command, <<screen -x root/root>>, is running as root.

You should first set the terminal to xterm, then run the following command:

<<screen -x root/root>>

and you will get root access.

Wow, we did it, 🔥❤

I hope you enjoyed the read.

Thanks for reading.

Follow me on LinkedIn: Karim Reda
