![\"nmap](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image.png\")
<\/figure>\n\n\n\n![\"Adding](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-2.png\")
<\/figure>\n\n\n\nAbove, we also add the hostname & ip address to our \/etc\/hosts\/ file for easy browsing.<\/p>\n\n\n\n
I also ran a different NMAP scan, this time doing some further enumeration. As we can see, there appears to be a git repo hosted on the site and several things in the robots.txt file.<\/p>\n\n\n\n So, it looks like we have a web application running on port 80 and an SSH server on port 22. Let\u2019s add the IP and host name to our \/etc\/hosts file and browse the website.<\/p>\n\n\n\n Quickly browsing the site we see there is a login page, which shows to be powered by Backdrop CMS. So, let\u2019s do some digging into Backdrop CMS and see if there\u2019s any potential vulnerabilities we can exploit to get into the site.<\/p>\n\n\n\n So, after finding the login page and looking up some known vulnerabilities for Backdrop CMS, I also spent some time digging through the items in the robots.txt file.<\/p>\n\n\n\n One of the things I was also able to find outside of this was a git repository, as shown below.<\/p>\n\n\n\n So, with this repo being open, I downloaded it to my VM and spent some time digging through it for anything interesting. FYI \u2013 I created a folder called dog on my desktop to store all relevant files from this machine. Good place to put the git repo.<\/p>\n\n\n\n After spending some time, and re-downloading the git repository, I was able to find a settings.php file that contained a password.<\/p>\n\n\n\n mysql:\/\/root:BackDropJ2024DS2024@127.0.0.1\/backdrop<\/p>\n\n\n\n Of course, I tried to login to SSH with root and this password, but that did not work. So, I then dug a bit deeper and noticed on one of the JSON files there was a username. Tiffany@dog.htb<\/a>.<\/p>\n\n\n\n Perhaps this is the username & password for the login page on the website?<\/p>\n\n\n\n Bingo, logged in as Tiffany!<\/p>\n\n\n\n Now that we are in, let\u2019s see what kind of exploits Backdrop has. For this, I\u2019m going to do some searching on exploit DB.<\/p>\n\n\n\n https:\/\/www.exploit-db.com\/exploits\/52021<\/a><\/p>\n\n\n\n Went to exploit db and just searched for Backdrop and found the RCE vuln listed above. So, let\u2019s see if we can use this.<\/p>\n\n\n\n Downloaded the exploit above and ran it as shown below.<\/p>\n\n\n\n However, on the \u2018install modules\u2019 section, noting that we are not allowed to install zip files.<\/p>\n\n\n\n So, we must unpack and repack as a tar file.<\/p>\n\n\n\n Now that we have our file packaged correctly, let\u2019s upload it.<\/p>\n\n\n\n Finally! Now, we just follow what the script said to do and visit the URL where it will trigger the RCE shell.<\/p>\n\n\n\n NOTE: Do not<\/strong> navigate away from the page above. Open the exploit in a new page. I had to re-install because it didn\u2019t work when I navigated away from the success page above.<\/p>\n\n\n\n Now, we have a command prompt when we visit the URL the script noted.<\/p>\n\n\n\n Let\u2019s see if we can find any users that have\u00a0 bash access.<\/p>\n\n\n\n I ran cat \/etc\/passwd | grep bash and found a user by the name of johncusack and one by jobert.<\/p>\n\n\n\n NOTE: I had to keep re-uploading the exploit as it would sporadically stop working. This took a bit of time.<\/p>\n\n\n\n Let\u2019s try SSH with johncusack and the original password we found in the git.<\/p>\n\n\n\n Well then, I really wasn\u2019t expecting that to work. Now for the user flag!<\/p>\n\n\n\n For privilege escalation, I did a quick check of \u2018sudo -l\u2019 to see what sudo permissions this user has.<\/p>\n\n\n\n Let\u2019s have a look at this bee file.<\/p>\n\n\n\n (just kidding\u2026the box stopped responding on me and I had to restart it\u2026oof)<\/p>\n\n\n\n![\"alt](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-3.png\")
<\/figure>\n\n\n\n![\"website](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-4.png\")
<\/figure>\n\n\n\n![\"CMS](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-5.png\")
<\/figure>\n\n\n\n![\"robots.txt\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-6.png\")
<\/figure>\n\n\n\n![\"git](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-7.png\")
<\/figure>\n\n\n\n![\"mirroring](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-8.png\")
<\/figure>\n\n\n\n![\"Repo](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-9.png\")
<\/figure>\n\n\n\n![\"logged](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-10.png\")
<\/figure>\n\n\n\n![\"exploit](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-11.png\")
<\/figure>\n\n\n\n![\"file](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-12.png\")
<\/figure>\n\n\n\n![\"tar](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-13.png\")
<\/figure>\n\n\n\n![\"Adding](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-14.png\")
<\/figure>\n\n\n\n![\"Exe](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-15.png\")
<\/figure>\n\n\n\n![\"Users](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-16.png\")
<\/figure>\n\n\n\n![\"user](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-17.png\")
<\/figure>\n\n\n\n![\"user](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-18.png\")
<\/figure>\n\n\n\n![\"sudo](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-19.png\")
<\/figure>\n\n\n\n
![\"Bee\"](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-20.png\")
<\/figure>\n\n\n\n![\"Error](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-21.png\")
<\/figure>\n\n\n\n![\"Root](\"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/image-22.png\")
<\/figure>\n\n\n\n