HackTheBox - Dog Writeup
2025-05-07
This machine is an easy rated Linux machine. This writeup will demonstrate how I was able to obtain root access. At the time of writing, this is an ACTIVE machine. Once the machine is retired, the rest of the content of this writeup will be published.
Scanning
I start by running rustscan to quickly get a list of the ports that are open on this machine:
rustscan -g -a 10.129.20.215 --ulimit 5000
From rustscan, we will see that the following ports are returned in a list, this format is given by using the -g flag with rustscan:
22,80
The ports found by rustscan are passed to nmap using the -p flag:
nmap -p 22,80 -sC -sV -oA Nmap/rustports 10.129.20.215
The nmap scan returns the following output:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-git:
| 10.129.20.215:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HackTheBox Publishing Policy
This machine is currently ACTIVE on HackTheBox. The rest of the content of this writeup is not being shared until the machine is retired. This is in line with the publishing guidelines from HackTheBox.