HTB — Backdoor Walkthrough

Step 1 — Port Scanning / Reconnaissance

I used Rust Scan to scan for open ports, I like it more than nmap because it’s quicker. Ports 22 (SSH), 80 (HTTP) and port 1337 is open. I visited the website on port 80 but, I didn’t find anything useful, so I started researching Port 1337.

Step 2 — Research

After some research, I discovered that this port is used by GDB, which also has known exploits. There is a blog post on hacktricks about this vulnerability here. Anyway, further research indicated the exploit was preloaded into the msf console.

Step 3— Exploitation

The exploit we used was the gdb server execution. Do not forget to change your payload to x64 from x86 or the exploit will not work. After setting everything up, I ran the exploit and as you can see, I was able to establish a meterpreter session and find the user flag easily. Now we have to figure out how to get to root.

Step 4— Privilege Escalation

Examining the processes from my meterpreter session lead me down a rabbit hole about a process called screen. Further research from this process indicated that you could attach yourself to the session if it was already running (further reading).

Within screen, we have to look at the -x option. With -x option, we can get into the existing session that is already running.

I ran my exploit and opened a shell environment. I used the basic import py trick to turn my session into a user shell. Once thats done, we can set the Terminal emulator to Linux by using export TERM=xterm. Then we use the -x to attach ourself to the session which is running in root by entering -x root/root.

Success!