Git

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need. Machine info Name Dog Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024 The git history reveals an admin email; the DB password also works as the admin panel password Backdrop admin access allows installing a malicious module - shell as www-data sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with sudo gives root Recon Nmap ...