Dog Linux

Executive Summary

The initial foothold was obtained through a leaked .git directory, which contained plaintext credentials. Further investigation revealed a valid username, which, together with the leaked password, allowed administrative access to Backdrop CMS.

The target system was running Backdrop CMS 1.27.1, which is vulnerable to Authenticated Remote Command Execution (RCE). Using the compromised credentials, it was possible to exploit this vulnerability and gain remote code execution.

Privilege escalation was achieved through a misconfigured sudo permission, which allowed executing an arbitrary file named "bee" with elevated privileges. This led to full system compromise.

Challenge Information

  • Name: Dog

  • Platform: Hack The Box (HTB)

  • Category: Linux

  • Difficulty: Easy

  • Objective: Exploit Backdrop CMS to retrieve the flag.

  • Tags: Backdrop CMS, Git

  • Key Exploit: Git, Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)

Machine Information

  • IP Address: 10.10.11.58

  • Domain: dog.htb

  • Services: Backdrop CMS

Enumeration & Exploitation

Service Discovery (nmap)

A full port scan was conducted to identify open services.

nmap -sC -sV -p- 10.10.11.58

Discovered Open Ports & Services:

  Port  Service              Description
  22    OpenSSH 8.9p1        Open-source implementation of the Secure Shell (SSH) tools, used by administrators of Linux and other non-Windows systems for cross-platform management of remote hosts
  80    Apache httpd 2.4.52  Apache HyperText Transfer Protocol (HTTP) server

Key Findings:

  • The machine's domain: dog.htb

  • robots.txt reveals directory listings

  • .git directory is exposed

To facilitate enumeration and exploitation, the target machine’s IP and domain were added to /etc/hosts:

echo "10.10.11.58 dog.htb" | sudo tee -a /etc/hosts

Initial Access via Leaked Git Repository

Visiting dog.htb provided hints that Backdrop CMS was being used. Additionally, scans indicated the presence of a .git directory.

Using git-dumper, the repository was downloaded:

git-dumper http://10.10.11.58/.git/ ./dump

Inside the dumped files, the settings.php file contained plaintext credentials:

[Screenshot: settings.php showing the plaintext credentials and a possible username]

This credential provided full administrative access to Backdrop CMS.

Exploiting Backdrop CMS for Remote Code Execution (RCE)

Upon further investigation, it was confirmed that Backdrop CMS 1.27.1 is vulnerable to Authenticated Remote Code Execution (RCE).

Using a known exploit from Exploit-DB, a malicious payload was generated. However, during upload, it was observed that .zip files were blocked, allowing only .tar, .tgz, .gz, and .bz2 formats.

By repackaging the payload in an accepted format, the exploit was successfully uploaded. The uploaded shell was then reachable at the following URL:

10.10.11.58/modules/shell/shell.php

This granted remote command execution, providing an initial shell.
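As an added defender-side example (not part of the original writeup), the following Python script flags the two web-facing indicators this box exposed: requests that successfully retrieve files under /.git/, and requests to a shell.php dropped under /modules/. The log lines are constructed for illustration; the regexes and alert names are my own assumptions, not Backdrop's.

```python
import re
from collections import namedtuple
from typing import Iterable, Optional

# Matches the Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Paths that should never be served from a Backdrop CMS document root.
GIT_RE = re.compile(r'^/\.git(/|$)')                   # exposed repository metadata
SHELL_RE = re.compile(r'^/modules/[^/]+/shell\.php$')  # PHP dropped via module upload

Alert = namedtuple("Alert", "ip path status reason")

def classify(path: str, status: int) -> Optional[str]:
    """Return an alert reason for one request, or None if it looks benign."""
    path = path.split("?", 1)[0]          # ignore any query string
    served = 200 <= status < 300          # a 2xx means the file really exists
    if GIT_RE.match(path):
        return "git_exposed" if served else "git_probe"
    if SHELL_RE.match(path):
        return "webshell_hit" if served else "webshell_probe"
    return None

def scan_log(lines: Iterable[str]) -> list:
    """Parse access-log lines and return one Alert per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not in combined format; skip it
        status = int(m.group("status"))
        reason = classify(m.group("path"), status)
        if reason:
            alerts.append(Alert(m.group("ip"), m.group("path"), status, reason))
    return alerts

# Constructed sample log lines (client IPs and timestamps are made up).
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2025:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "curl/8.0"',
    '10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper"',
    '10.10.14.5 - - [01/Jan/2025:10:05:00 +0000] "GET /modules/shell/shell.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [01/Jan/2025:11:00:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.reason:14} {a.ip:12} {a.status} {a.path}")
```

A "git_exposed" hit means the repository is actually being served and the fix is an Apache deny rule for .git, not just an alert; a "git_probe" on a 404 is reconnaissance worth correlating with the same client's later requests.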

Initial Access as johncusack

A reverse shell was established for better enumeration. Two valid users were discovered: jobert and johncusack.

Further analysis of Backdrop CMS configuration files revealed:

$config_directories['active'] = '/home/myusername/config/active';

$config_directories['staging'] = '/home/myusername/config/staging';

Testing credentials for the second user succeeded, granting access as johncusack.

Privilege Escalation to Root via "bee" Arbitrary Execution

After logging in as johncusack, sudo permissions were examined. It was discovered that the system allowed executing a file named bee with sudo privileges and without requiring a password.

By leveraging this misconfiguration, it was possible to read and execute arbitrary files with root privileges, ultimately leading to full system compromise.

Conclusion

This machine demonstrated various security risks, including exposed sensitive files, weak authentication practices, and vulnerable third-party applications.

Key Takeaways:

  • Secure .git directories by preventing public access.

  • Sanitize user inputs to prevent Remote Code Execution (RCE).

  • Do not store passwords in plaintext; hash stored passwords with a strong algorithm.

  • Restrict writable directories to prevent unauthorized modifications.

  • Harden sudo permissions to prevent arbitrary file execution.

  • Keep software up to date to mitigate known vulnerabilities.

This challenge highlighted web application vulnerabilities, credential cracking, and privilege escalation through misconfigured services, ultimately leading to full system compromise.