TUTORIAL HTB Backdoor [Discussion]
by 0xsdq - November 20, 2021 at 08:58 PM
#1
HackTheBox

Machine: Backdoor
Rating: Easy

Ports: 22, 80, 1337

Initial Vuln: https://www.exploit-db.com/exploits/39575

LFI and RFI (however it renders)
Reply
#2
Weird 1337 but can't do shit with it. Tried to retrieve id_rsa from /home/user, no luck so far; can't get php-reverse-shell to work even though it can download files from my attacking box... No vhost I know of, cannot connect to wordpress with the creds found in wp-config.php. We gotta keep looking harder boiiiiis
Reply
#3
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1337/tcp open waste
24273/tcp filtered unknown

PORT STATE SERVICE VERSION
1337/tcp closed waste
24273/tcp closed unknown
Reply
#4
(November 20, 2021 at 09:15 PM)mkassovitz Wrote: Weird 1337 but can't do shit with it. Tried to retrieve id_rsa from /home/user, no luck so far; can't get php-reverse-shell to work even though it can download files from my attacking box... No vhost I know of, cannot connect to wordpress with the creds found in wp-config.php. We gotta keep looking harder boiiiiis

I'm in the same spot. I've looked through every file I can think of. Did you get anywhere?
Reply
#5
(November 20, 2021 at 10:50 PM)smilkey Wrote:
(November 20, 2021 at 09:15 PM)mkassovitz Wrote: Weird 1337 but can't do shit with it. Tried to retrieve id_rsa from /home/user, no luck so far; can't get php-reverse-shell to work even though it can download files from my attacking box... No vhost I know of, cannot connect to wordpress with the creds found in wp-config.php. We gotta keep looking harder boiiiiis

I'm in the same spot. I've looked through every file I can think of. Did you get anywhere?


Nope still stuck. We can dump /etc/passwd and find that we have a user named user but since we are www-data we can't get the user flag or .ssh/id_rsa... I've read some articles about xmlrpc.php and tried but we can't exec anything through that. Pretty sure it's port 1337 related but can't do shit I even opened wireshark to see what happens when I connect with nc -nv ip 1337, no interesting data so far :/
Reply
#6
(November 20, 2021 at 10:56 PM)mkassovitz Wrote:
(November 20, 2021 at 10:50 PM)smilkey Wrote:
(November 20, 2021 at 09:15 PM)mkassovitz Wrote: Weird 1337 but can't do shit with it. Tried to retrieve id_rsa from /home/user, no luck so far; can't get php-reverse-shell to work even though it can download files from my attacking box... No vhost I know of, cannot connect to wordpress with the creds found in wp-config.php. We gotta keep looking harder boiiiiis

I'm in the same spot. I've looked through every file I can think of. Did you get anywhere?


Nope still stuck. We can dump /etc/passwd and find that we have a user named user but since we are www-data we can't get the user flag or .ssh/id_rsa... I've read some articles about xmlrpc.php and tried but we can't exec anything through that. Pretty sure it's port 1337 related but can't do shit I even opened wireshark to see what happens when I connect with nc -nv ip 1337, no interesting data so far :/

Were you able to get a www-data shell? I'm just dumping files in Burpsuite still
Reply
#7
No couldn't yet, I just assume we are www-data since we can't read /home/user files
Reply
#8
(November 20, 2021 at 11:12 PM)mkassovitz Wrote: No couldn't yet, I just assume we are www-data since we can't read /home/user files

Did anyone find something?
Reply
#9
Use LFI to get info on port 1337 using proc. As the PID is unknown, use python script to bruteforce PIDs, it'll jump at you when you find the right one ;)
Reply
#10
(November 21, 2021 at 12:15 AM)0xsdq Wrote: Use LFI to get info on port 1337 using proc. As the PID is unknown, use python script to bruteforce PIDs, it'll jump at you when you find the right one ;)

I tried /proc/<number>/stat but I can't figure it out.
Reply
#11
(November 21, 2021 at 12:15 AM)0xsdq Wrote: Use LFI to get info on port 1337 using proc. As the PID is unknown, use python script to bruteforce PIDs, it'll jump at you when you find the right one ;)

Is it a high PID? I don't want to run my script unnecessarily long
Reply
#12
(November 21, 2021 at 01:32 AM)smilkey Wrote:
(November 21, 2021 at 12:15 AM)0xsdq Wrote: Use LFI to get info on port 1337 using proc. As the PID is unknown, use python script to bruteforce PIDs, it'll jump at you when you find the right one ;)

Is it a high PID? I don't want to run my script unnecessarily long

I found this cmdline for PID 954
bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done

but don't know what to do with it

(November 21, 2021 at 01:54 AM)PIIM Wrote:
(November 21, 2021 at 01:32 AM)smilkey Wrote:
(November 21, 2021 at 12:15 AM)0xsdq Wrote: Use LFI to get info on port 1337 using proc. As the PID is unknown, use python script to bruteforce PIDs, it'll jump at you when you find the right one ;)

Is it a high PID? I don't want to run my script unnecessarily long

I found this cmdline for PID 954
bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done

but don't know what to do with it

edit:
gdb>  target remote 10.129.234.214:1337

now how to debug?
Reply
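Added example (editor's note, not code from anyone in this thread): the cmdline pasted in #12 reads as one squashed string because /proc/<pid>/cmdline stores argv joined by NUL bytes, which a browser silently drops. The script below decodes such a buffer back into argv, parses the LISTEN rows of /proc/net/tcp (where port 1337 appears as hex 0539), and reports a remote-debug server such as gdbserver that is both bound to 0.0.0.0 on the command line and actually listening. This is the host-side audit an admin would run to catch exactly the misconfiguration the thread found; the /proc contents embedded here are constructed samples, and the list of debug servers and the regex are my own assumptions.

```python
"""Small /proc audit helper: decode a NUL-separated cmdline and confirm which
TCP ports are bound to all interfaces. Added example for this thread; the
sample /proc contents below are constructed, not captured from the box."""
import re

# Constructed stand-in for /proc/954/cmdline as the kernel stores it: argv
# entries joined by NUL bytes. A browser drops the NULs, which is why the
# thread's paste reads as the run-together "bin/sh-cwhile true;do ...".
SAMPLE_CMDLINE = (
    b"/bin/sh\x00-c\x00"
    b'while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done\x00'
)

# Constructed stand-in for /proc/net/tcp. local_address is little-endian hex
# IPv4 plus a hex port (0539 == 1337); st 0A is LISTEN. Column names are real.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:D43A 01 00000000:00000000 00:00000000 00000000    33        0 41000 1 0000000000000000 100 0 0 10 0
"""

# Remote-debug servers that should never face an untrusted network (assumed list),
# matched together with the host:port they were told to bind.
DEBUG_SERVER_RE = re.compile(r"\b(gdbserver|lldb-server)\b(?:\s+--?\S+)*\s+(\S+?):(\d+)\b")
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline buffer back into argv (the trailing NUL ends the last arg)."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\x00").split(b"\x00")]


def _decode_addr(field: str) -> tuple[str, int]:
    """Turn '0100007F:0016' into ('127.0.0.1', 22): bytes are stored little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = (int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0))
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def listening_sockets(net_tcp: str) -> list[dict]:
    """Rows of /proc/net/tcp in LISTEN state with address, port, owning uid and socket inode."""
    rows = []
    for line in net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        ip, port = _decode_addr(fields[1])
        rows.append({"ip": ip, "port": port, "uid": int(fields[7]), "inode": int(fields[9])})
    return rows


def wildcard_listeners(net_tcp: str) -> list[dict]:
    """Only the listeners bound to every interface."""
    return [s for s in listening_sockets(net_tcp) if s["ip"] == "0.0.0.0"]


def debug_listeners(argv: list[str], net_tcp: str) -> list[str]:
    """Findings for a debug server whose command line binds a wildcard address on a port that
    is really in LISTEN. Cross-checking the socket table avoids flagging a stale command."""
    exposed_ports = {s["port"] for s in wildcard_listeners(net_tcp)}
    findings = []
    for tool, host, port in DEBUG_SERVER_RE.findall(" ".join(argv)):
        if host in WILDCARD_HOSTS and int(port) in exposed_ports:
            findings.append(f"{tool} bound to {host}:{port} and listening (confirmed via /proc/net/tcp)")
    return findings


if __name__ == "__main__":
    argv = parse_cmdline(SAMPLE_CMDLINE)
    print("argv:", argv)
    for s in wildcard_listeners(SAMPLE_NET_TCP):
        print(f"wildcard listener: port {s['port']} uid {s['uid']} inode {s['inode']}")
    for f in debug_listeners(argv, SAMPLE_NET_TCP):
        print("FINDING:", f)
```

On a live host you would feed parse_cmdline the bytes of each /proc/<pid>/cmdline and listening_sockets the text of /proc/net/tcp (and /proc/net/tcp6); the inode column is what lets you tie a socket back to its owner via /proc/<pid>/fd. The fix for the finding itself is the obvious one: bind the debug server to 127.0.0.1 or drop it from the restart loop entirely.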
