HTB | Dog

machine - https://app.hackthebox.com/machines/Dog

IP - 10.10.11.58

NMAP

└─$ nmap -sT -p- --min-rate 1000 10.10.11.58 -Pn -oA nmap_ports                                            
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2025-03-23 13:21 IST
Nmap scan report for 10.10.11.58
Host is up (0.22s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 87.84 seconds
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2025-03-23 13:23 IST
Nmap scan report for 10.10.11.58
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (<https://backdropcms.org>)
|_http-title: Home | Dog
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:<https://docs.backdro>...
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 17.10 seconds

Port 80

The nmap output shows an exposed /.git/ directory on the web server, so we can use git-dumper to dump the repository files.
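A defender-side check for the exposure described above, as an added example that is not part of the original writeup: it scans Apache combined-format access log lines for successful reads under /.git/ and flags clients that pulled several loose objects, which is what a repository dump looks like in the logs. The log lines, the IP addresses and the three-object threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format: client, identd, user, [time], "request", status, size, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Any path segment named .git (checked after the query string is dropped).
GIT_RE = re.compile(r'(^|/)\.git(/|$)', re.IGNORECASE)
# Loose object path: two hex characters, then the remaining 38 of a SHA-1.
OBJECT_RE = re.compile(r'/\.git/objects/[0-9a-f]{2}/[0-9a-f]{38}$', re.IGNORECASE)


def git_exposure_report(lines, min_objects=3):
    """Return {client_ip: summary} for clients that were served /.git/ content.

    served = 2xx responses under /.git/, objects = distinct loose objects fetched,
    dump = True when objects >= min_objects (the threshold is an assumption).
    """
    served = defaultdict(int)
    objects = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if not GIT_RE.search(path) or not m["status"].startswith("2"):
            continue  # a 403/404 means the server refused and nothing leaked
        served[m["ip"]] += 1
        if OBJECT_RE.search(path):
            objects[m["ip"]].add(path.lower())
    return {ip: {"served": n, "objects": len(objects[ip]),
                 "dump": len(objects[ip]) >= min_objects}
            for ip, n in served.items()}


def sample_line(ip, path, status):
    # Builds one constructed log line; this is sample data, not real traffic.
    return f'{ip} - - [23/Mar/2025:13:30:01 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'


SAMPLE_LOG = [
    sample_line("203.0.113.7", "/.git/HEAD", 200),
    sample_line("203.0.113.7", "/.git/config", 200),
    sample_line("203.0.113.7", "/.git/objects/8d/" + "a1" * 19, 200),
    sample_line("203.0.113.7", "/.git/objects/8d/" + "b2" * 19, 200),
    sample_line("203.0.113.7", "/.git/objects/c3/" + "d4" * 19, 200),
    sample_line("198.51.100.9", "/.git/HEAD", 200),    # single probe, no objects
    sample_line("198.51.100.20", "/.git/HEAD", 403),   # request refused by the server
]

if __name__ == "__main__":
    for ip, summary in git_exposure_report(SAMPLE_LOG).items():
        print(ip, summary)
```

Any client listed with `served` above zero means the repository metadata is readable over HTTP, so the fix is on the server side (deny `/.git/` or keep it out of the document root) and the credentials in the tracked settings.php should be rotated.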

Let’s visit the website

There is also a login portal.

Foothold/shell

Found MySQL credentials in settings.php

When trying to log in on the CMS login page with the credentials we found, we get an error for the username.

Enumerating Backdrop CMS

To find a valid username I will be using this repo

We found the Backdrop CMS version

We have found a valid username: tiffany

With the credentials we got from settings.php we can log in

Backdrop CMS exploit via shell.tar.gz upload

We found the exploit via searchsploit

Let’s run the script

Find the place to upload the module. It is different from the location given in the PoC and only accepts files in tar, tgz, gz, or bz2 format, so just repackage it.

we were able to execute commands

We can see there are two users. Let’s reuse the password and see whether we can SSH in or not.

And we are in as johncusack

found user.txt

Priv Esc

johncusack has sudo rights over (ALL : ALL) /usr/local/bin/bee

Viewing the help output of /usr/local/bin/bee shows that it can execute commands

We can use this eval to get a root shell

and we have root.txt
