Dog HackTheBox Easy Box Writeup

Overview

Dog is an Easy-rated Linux machine on HackTheBox that covers a realistic attack chain involving a misconfigured CMS, credential reuse, and a sudo misconfiguration leading to privilege escalation. It's a great box for practicing enumeration and understanding how common web CMS vulnerabilities can be chained together.


Enumeration

Starting with an Nmap scan reveals two primary open ports: SSH (22) and HTTP (80), with several filtered ports that don't lead anywhere useful.

The web server is running Apache 2.4.41 on Ubuntu, and the HTTP headers immediately give away the CMS in use: Backdrop CMS 1, which is a fork of Drupal. The headers only name the major version; knowing the exact version (1.27.1) is crucial for the next step.
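The fingerprinting step above comes down to reading a couple of response headers. As an added example, not part of the original writeup, the script below parses a raw HTTP response, flags the headers that commonly name the software stack or its version, and keeps the Apache directives that suppress them next to the check. The sample response is constructed to resemble a default Apache plus Backdrop install; the X-Generator value follows the format Backdrop emits, and the remaining header values are assumptions.

```python
import re

# Constructed sample response, modelled on a default Apache + Backdrop install.
# The X-Generator format is what Backdrop emits; the other values are assumptions.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Generator: Backdrop CMS 1 (https://backdropcms.org)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)

# Response headers that commonly name the software stack or its version.
DISCLOSING_HEADERS = ("server", "x-generator", "x-powered-by", "x-aspnet-version")
# A dotted version number such as 2.4.41; a bare major version like "1" is not matched.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

def parse_headers(raw):
    """Split a raw HTTP response into {lowercase-name: value}; status line and body are dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw):
    """Return (header, value, severity) for each disclosing header.

    'high' when a full version number is present (version-specific advisories can
    be looked up directly), 'medium' when only the product or major version is named.
    """
    findings = []
    for name, value in parse_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            severity = "high" if VERSION_RE.search(value) else "medium"
            findings.append((name, value, severity))
    return findings

# Apache directives that remove what the audit flags. ServerTokens and
# ServerSignature are core directives; the Header line assumes mod_headers is
# enabled and strips the header Backdrop adds.
APACHE_HARDENING = """\
ServerTokens Prod
ServerSignature Off
Header unset X-Generator
"""

if __name__ == "__main__":
    for name, value, severity in audit_headers(SAMPLE_RESPONSE):
        print(f"[{severity}] {name}: {value}")
    print("Suggested Apache configuration:\n" + APACHE_HARDENING)
```

Run against the sample, the Server header rates high because it carries a full version, while X-Generator rates medium: it names the product and major version only, which is exactly why the writeup still needed a separate step to pin down 1.27.1.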


Foothold — Backdrop CMS

Backdrop CMS 1.27.1 has known vulnerabilities. A quick search reveals that this version is susceptible to authenticated remote code execution. The box also exposes its database configuration file, which leaks credentials.

With those credentials in hand and Backdrop's admin panel accessible, you can upload a malicious module to achieve a reverse shell. Using a more robust reverse shell payload (e.g., a bash or Python reverse shell rather than a basic netcat one) gives a more stable session.


Lateral Movement

Once on the box, inspecting the CMS database configuration reveals credentials stored in plaintext. The box demonstrates a very common real-world weakness: credential reuse. The database password also works for a local system user, allowing SSH access as that user for a much more stable shell.
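Both the foothold and the lateral movement above hinge on the same artifact: a settings file in the web root that holds the database password in clear text and is readable by more accounts than it needs to be. As an added example that is not from the original writeup, the audit below parses a Backdrop-style settings.php for the DSN-style $database string, reports whether a password is embedded without ever echoing it, and checks whether the file is readable by every local user. The settings content, user name and password are constructed; the DSN regex is a simplified one written for this example and handles only the common user:password@host/db form.

```python
import os
import re
import stat
import tempfile

# Constructed sample of a Backdrop-style settings.php. Backdrop stores the database
# connection as one DSN string in $database; the user, password and salt are made up.
SAMPLE_SETTINGS = """<?php
$database = 'mysql://app_user:EXAMPLE_PASSWORD@localhost/backdrop';
$database_prefix = '';
$settings['hash_salt'] = 'EXAMPLE_SALT';
"""

# Simplified DSN matcher written for this example: scheme://user[:password]@host/db.
# Passwords containing '@' or quotes would need a fuller parser.
DSN_RE = re.compile(
    r"""\$database\s*=\s*['"](?P<scheme>\w+)://(?P<user>[^:@'"]+)(?::(?P<password>[^@'"]*))?@(?P<host>[^/'"]+)/(?P<db>[^'"]+)['"]"""
)

def find_db_credentials(text):
    """Report DSN-style credentials in settings text without returning the secret itself."""
    findings = []
    for m in DSN_RE.finditer(text):
        findings.append({
            "scheme": m.group("scheme"),
            "user": m.group("user"),
            "host": m.group("host"),
            "db": m.group("db"),
            "plaintext_password": bool(m.group("password")),
        })
    return findings

def world_readable(path):
    """True if the 'other' read bit is set, i.e. any local account can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def audit_settings_file(path):
    """Combine the content check with the permission check into one risk rating."""
    with open(path, encoding="utf-8") as f:
        creds = find_db_credentials(f.read())
    has_password = any(c["plaintext_password"] for c in creds)
    exposed = world_readable(path)
    if has_password and exposed:
        risk = "high"      # secret present and readable by every local user
    elif has_password:
        risk = "medium"    # secret present, but only owner and group can read it
    else:
        risk = "low"
    return {"credentials": creds, "world_readable": exposed, "risk": risk}

def demo():
    """Write the sample to a temp dir and audit it with lax, then tightened, permissions."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "settings.php")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_SETTINGS)
        os.chmod(path, 0o644)   # common default: readable by any local user
        lax = audit_settings_file(path)["risk"]
        os.chmod(path, 0o640)   # owner plus the web server's group only
        tight = audit_settings_file(path)["risk"]
        return lax, tight

if __name__ == "__main__":
    lax, tight = demo()
    print(f"0644: {lax}, 0640: {tight}")
```

Tightening the mode removes the "any local user" exposure, but the password is still on disk, which is why the rating only drops to medium. Going further means keeping the secret out of the web root, and, given the credential-reuse point above, making sure the database password is not also the password of an OS account.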


Privilege Escalation

Running sudo -l reveals the current user can run the bee CLI tool (Backdrop's command-line utility) as root with a specific --root flag pointing to the web root:

sudo bee --root=/var/www/html/ ...

bee is the Backdrop equivalent of Drupal's drush. With sudo access to a tool that can execute PHP and interact with the CMS as root, privilege escalation to a root shell is straightforward, for example by running a PHP shell.
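The sudo rule above is the kind of thing a sudoers review should catch before an engagement does. As an added example, not from the original writeup, the script below parses the common one-line form of sudoers user specifications, rates each command by whether it can execute arbitrary code as root and whether its arguments are constrained, and runs over a constructed sudoers sample. The user names and paths in that sample are made up for the example, and the parser deliberately ignores aliases, include directives and continuation lines.

```python
import os
import re

# Commands that amount to arbitrary code execution when allowed as root: shells,
# interpreters, editors with shell escapes, and CMS CLIs such as bee (Backdrop)
# and drush (Drupal) that can evaluate PHP. Extend to taste.
CODE_EXEC = {"bee", "drush", "php", "python", "python3", "perl", "ruby", "node",
             "bash", "sh", "zsh", "vim", "vi", "nano", "less", "more", "find", "awk"}

# Simplified grammar for one user specification:
#   user host=(runas[:group]) [TAG:] cmd [args][, cmd [args]]...
# Defaults lines, aliases, @include directives and backslash continuations are skipped.
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|FOLLOW):\s*)+")
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_rule(line):
    """Parse one sudoers line into {user, host, runas, commands}; None if not a user spec."""
    line = line.strip()
    if not line or line[0] in "#@" or line.split()[0] in SKIP:
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    # An omitted (runas) means the command runs as root.
    runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
    commands, nopasswd = [], False
    for part in m.group("spec").split(","):
        part = part.strip()
        tags = TAG_RE.match(part)
        if tags:
            # Tags persist across the rest of the command list until overridden.
            if "NOPASSWD:" in tags.group(0):
                nopasswd = True
            elif "PASSWD:" in tags.group(0):
                nopasswd = False
            part = part[tags.end():].strip()
        tokens = part.split(None, 1)
        if not tokens:
            continue
        # A command with no argument list may be run with any arguments;
        # an explicit "" means no arguments are allowed.
        commands.append({"cmd": tokens[0], "args": tokens[1] if len(tokens) > 1 else None,
                         "nopasswd": nopasswd})
    return {"user": m.group("user"), "host": m.group("host"), "runas": runas, "commands": commands}

def assess(rule):
    """Rate every command in a parsed rule and return a list of finding dicts."""
    findings = []
    as_root = rule["runas"] in ("root", "ALL")
    for c in rule["commands"]:
        name = os.path.basename(c["cmd"])
        if c["cmd"] == "ALL":
            sev, why = "critical", f"any command as {rule['runas']}"
        elif name in CODE_EXEC and as_root:
            if c["args"] is None:
                sev, why = "critical", "code-executing tool as root with unrestricted arguments"
            elif "*" in c["args"]:
                sev, why = "high", "code-executing tool as root with wildcard arguments"
            else:
                sev, why = "medium", "code-executing tool as root with fixed arguments"
        elif name in CODE_EXEC:
            sev, why = "medium", f"code execution as {rule['runas']}"
        elif c["args"] is None:
            sev, why = "low", "unrestricted arguments"
        else:
            sev, why = "info", "fixed command and arguments"
        findings.append({"user": rule["user"], "runas": rule["runas"], "cmd": c["cmd"],
                         "args": c["args"], "nopasswd": c["nopasswd"],
                         "severity": sev, "reason": why})
    return findings

def audit_sudoers(text):
    """Audit sudoers text; root's own conventional rule is skipped."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule["user"] != "root":
            findings.extend(assess(rule))
    return findings

# Constructed sample; user names and paths are made up for this example.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
webadmin ALL=(ALL) /usr/local/bin/bee
deploy ALL=(root) NOPASSWD: /usr/local/bin/bee --root=/var/www/html/ *
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /var/www/ /backup/
dev ALL=(www-data) /usr/bin/php
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = " NOPASSWD" if f["nopasswd"] else ""
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}){tag} {f['cmd']} {f['args'] or ''}: {f['reason']}")
```

A rule that names a code-executing tool with no argument list lets the caller pass any arguments, which the audit rates as critical; a trailing * is only slightly better, since the tool still decides what the extra arguments mean. The one rule that comes back clean here is the rsync line, whose command and arguments are both fixed, which is what "scope sudo rules as tightly as possible" in the takeaways means in practice.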


Key Takeaways

  • CMS version disclosure in HTTP headers makes fingerprinting trivial. Always suppress these in production.
  • Plaintext credentials in config files are a serious risk, especially when the web root is readable.
  • Credential reuse across services (database → OS user) is one of the most common lateral movement vectors seen in real engagements.
  • Overly permissive sudo rules, especially for tools that can execute code, are a critical misconfiguration. Always scope sudo rules as tightly as possible.