Read my writeup of the Backdoor machine on:
TL;DR
User: Running wpscan revealed an LFI vulnerability in the Ebook PHP plugin. Using it, we can read the file /proc/sched_debug, which lists running tasks and their PIDs, and then use the same LFI to enumerate /proc/{PID}/cmdline for each PID. Reading the cmdline of PID 817 showed that port 1337 is served by gdbserver, which has an RCE vulnerability; using that, we get a reverse shell as user.

Root: Found a root screen session; we attach to it by running screen -x root/root.
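From the defender's side, the same /proc/{PID}/cmdline data shows whether a host has a gdbserver listening on TCP. The audit script below is an added example, not part of the original writeup; the function names are assumptions, and it is meant to be run locally on a host you administer.

```python
import re
from pathlib import Path

# gdbserver's TCP COMM argument has the form "[host]:port".
COMM_RE = re.compile(r"^(?P<host>[^\s:/]*):(?P<port>\d{1,5})$")

def parse_cmdline(raw: bytes) -> list:
    """/proc/<pid>/cmdline is argv joined (and terminated) by NUL bytes."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def gdbserver_ports(argv) -> list:
    """Return the TCP ports that a gdbserver found in argv is told to listen on.

    Each argument is re-split on whitespace and shell punctuation so that a
    gdbserver started inside `sh -c "..."` is found as well.
    """
    words = [w for a in argv for w in re.split(r"[\s;\"'&|]+", a) if w]
    ports = []
    for i, word in enumerate(words):
        if word.rsplit("/", 1)[-1] != "gdbserver":
            continue
        for nxt in words[i + 1:]:
            if nxt.startswith("--"):
                continue  # long options such as --once or --multi
            m = COMM_RE.match(nxt)
            if m and 0 < int(m["port"]) < 65536:
                ports.append(int(m["port"]))
            break  # the first non-option word is COMM (TCP, tty or "-")
    return ports

def scan(proc_root="/proc") -> list:
    """Return (pid, port, command line) for every gdbserver TCP listener."""
    pid_dirs = sorted((d for d in Path(proc_root).iterdir() if d.name.isdigit()),
                      key=lambda d: int(d.name))
    findings = []
    for d in pid_dirs:
        try:
            argv = parse_cmdline((d / "cmdline").read_bytes())
        except OSError:
            continue  # process exited, or cmdline is not readable
        for port in gdbserver_ports(argv):
            findings.append((int(d.name), port, " ".join(argv)))
    return findings

if __name__ == "__main__":
    for pid, port, cmd in scan():
        print(f"PID {pid}: gdbserver on TCP port {port}: {cmd}")
```

Any hit on a production host is worth removing or firewalling, since the gdbserver remote protocol has no authentication.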