BackDoor

Enumeration

Ports and Services

Software Installed:

• WordPress version 5.2
  • ebook-download plugin

Nmap Scan Results:

Gobuster Scan Results:

ebook-download plugin

Initial Foothold

LFI: /wp-content/plugins/ebook- download/filedownload.php?ebookdownloadurl=../../../../../../../../../etc/passwd

/proc/sched_debug:

The SU process :

Used Metasploit to exploit target:

Created and upload a ssh key

User.txt Proof Screenshot

Privilege Escalation

Screen has setuid bit set:

Attached to roots screen:
screen -x root/root

RootScreenshot Here: