HTB: Dog - OSCP Prep Write-up
Sometimes nmap does half the work for you. .git on port 80 is all the hint you need. Machine info Name Dog Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024 The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data Two users on the box; the same DB credential switches to johncusack sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root Recon Nmap ...