HTB Backdoor Machine Walkthrough

This is a basic walkthrough of the easy machine on HTB.

HTB WALKTHROUGHS

Jagoda Ryszka

12/7/2021

This machine is rated as a medium by users. This was the first machine I've cracked after the starting point ones. I did have help from a teacher and classmates but this is the basic walkthrough of what we have done to capture the flag.

Since this was completed on school machines I haven't got all the screenshots.
Start by running nmap -sC -sV -p- {target ip address}. This scans every port and shows which ones are open; ports 22, 80 and 1337 should appear.
A quick Google search of what port 1337 is will tell you it is commonly used as a backdoor.
If you type the target IP address in the web browser you will see the website. The website is powered by WordPress.
WordPress is an open-source content management system. It allows you to build and host websites.
If you know the basics of WordPress, and especially its common weaknesses, you will know that some key information can be reached directly from the URL.
Browsing to {target IP address}/wp-admin takes you to the site's login page. Being able to reach this directly shows that the site is not fully locked down.
Next, entering {target IP address}/wp-content/plugins in the URL lets you view the plugins installed on the site; you can download and inspect their contents there. With this outdated WordPress install, the vulnerability is that the "ebook-download" plugin acts as a backdoor that allows access to files anywhere on the server. This means files can be downloaded and viewed, including those holding usernames and passwords.
What you can further do is within the URL type {target IP address}/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
You can then download that file to see further detail of the users and passwords. On the command line, ../ moves up one directory; the same trick works in this URL parameter, and repeating it walks back through the directories as far as the root of the filesystem.
Next, in the URL if we type {target IP address}/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../etc/passwd
You can download that file and see the content within.
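From the defender's side, the requests above leave an obvious trace in the web server's access log. The following script is an added example, not part of the original post: it scans constructed Apache-style log lines (the IPs and entries are made up) for traversal sequences in the ebookdownloadurl parameter of filedownload.php, and it also catches URL-encoded and double-encoded variants, going slightly beyond the plain ../ form shown in the walkthrough.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [07/Dec/2021:10:01:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
10.10.14.5 - - [07/Dec/2021:10:01:09 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2045 "-" "curl/7.74.0"
10.10.14.9 - - [07/Dec/2021:10:02:30 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=books/intro.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
10.10.14.9 - - [07/Dec/2021:10:03:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PARAM = "ebookdownloadurl"


def escapes_plugin_dir(value: str) -> bool:
    """True when the parameter value points outside the plugin directory.

    parse_qs already removes one layer of URL encoding; a second unquote
    exposes double-encoded sequences such as %252e%252e%252f.
    """
    decoded = unquote(value).replace("\\", "/")
    segments = decoded.split("/")
    return decoded.startswith("/") or ".." in segments


def find_traversal(log_text: str) -> list:
    """Return one record per request that abuses the ebookdownloadurl parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/filedownload.php"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if escapes_plugin_dir(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "requested": unquote(value)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} requested={hit["requested"]}')
```

A 200 status on such a request means the file was actually served, which is the signal that matters when deciding whether wp-config.php should be treated as compromised.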
After that, go back to the terminal and install gdb. GDB is a debugger; it can be installed by running the command sudo apt install gdb.
Once it is installed, type gdb to enter the debugger. After attaching it to the remote debug server that the machine exposes on port 1337, run remote get /home/user/user.txt /home/kali/userflag.txt and the file is copied to your home directory. And you just downloaded the flag!
This is the basic walkthrough with some steps missed out, such as using Gobuster. But the outcome is still the same.