HTB Backdoor WIP writeup

Michael Stolz
3 min read · Apr 11, 2022

This machine is proving to be difficult

1. Add to /etc/hosts

2. nmap to see points of entry

3. Let’s see if we can bruteforce SSH using Hydra

4. While Hydra runs, let’s see what technology is being used on the website

5. Let’s wpscan and see what comes up

wpscan enumerating users
Found an admin user

6. wpscan vulnerable plugins (aggressive detection w/ free API key)

The akismet plugin is vulnerable. There is also a directory traversal in ebook download

7. Use DuckDuckGo, Exploit DB, or your search engine of choice to find “ebook download directory traversal exploit db” (Exploit DB tends to have nice proofs of concept)

Nice proof of concept we can test

8. Test the proof of concept from Exploit db

Replace everything after .125 with the proof of concept (10.10.11.125<proof of concept>)

9. Sad hydra noises

10. Cat the wp-config.php file for plain text credentials

These don’t work unfortunately

11. Let’s also try to get the /etc/passwd file (why not?)

You’ll know you have the right file when the download size goes from 100 bytes to 1.x KB

12. ??? Not sure where to go from here so let’s nmap again with all ports (-p-), sometimes HTB likes to hide things or put UDP ports in

1337 you say?
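
From the defender's side, the file reads in steps 8 to 11 leave a recognisable trail in the web server's access log. The added example below (not part of the original writeup) flags traversal-style parameters and uses the response-size jump noted in step 11 to separate likely successful reads from failed attempts. The plugin path, the `file` parameter, the log lines and the 200-byte threshold are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log-format lines, constructed for this example. The plugin path and
# the "file" parameter are hypothetical placeholders, not the real endpoint.
SAMPLE_LOG = """\
10.10.14.7 - - [11/Apr/2022:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../wp-config.php HTTP/1.1" 200 3160 "-" "curl/7.81.0"
10.10.14.7 - - [11/Apr/2022:10:01:09 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1840 "-" "curl/7.81.0"
10.10.14.7 - - [11/Apr/2022:10:01:15 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../nothing-here HTTP/1.1" 200 100 "-" "curl/7.81.0"
192.0.2.10 - - [11/Apr/2022:10:02:00 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=manual.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ".." path segment
SENSITIVE = ("wp-config.php", "etc/passwd")            # files named in the writeup
EMPTY_BODY = 200  # bytes; assumed ceiling for an empty or error response

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252f -> %2f -> /)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_text):
    """Return (client, decoded parameter value, verdict) per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status, size = m.groups()
        for _name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw)
            if not (TRAVERSAL_RE.search(value) or any(s in value for s in SENSITIVE)):
                continue
            size_n = 0 if size == "-" else int(size)
            # A 200 with a body well above the empty-response size suggests a real read.
            read_ok = status == "200" and size_n > EMPTY_BODY
            hits.append((client, value, "likely-read" if read_ok else "attempt"))
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Tune `EMPTY_BODY` against what the endpoint returns for a missing file on your own server before relying on the verdict column.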
