In this walkthrough, the researcher is trying to find a Remote Code Execution (RCE) exploit in a blog page that is running on Backdrop CMS.
The CMS version is 1.27.1 and the RCE requires authenticated access to execute the exploit.
Fortunately, they find a git repository on the webpage, the contents of which they are able to download using git-dumper.
Inside this repository, they find a database password, which they try on the login page, but it does not work.
They found the domain of the webpage earlier, which could be the backstage CMS, and they try exploring this possibility, but they need to log in to the CMS to proceed further.
After trying different usernames and combinations, they find the tiffany@dog.htb username and try it with the database password they found earlier, and this time they succeed in logging in.
They then use the authenticated RCE to obtain a shell as the www-data user and later on escalate privileges to the john Cusack user.