Whitelist: Bulldog 1

BULLDOG 1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bulldog1.

- Bulldog1 can be downloaded from here:

https://www.vulnhub.com/entry/bulldog-1,211/

- Once downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Confirming Bulldog1's IP:

- Scanning with Nmap:

- Connecting to the web server:

- Reading the Public Notice, it smells to Dirty Cow exploit ... let's see ...::

- Dirbusting, it seems that there are basically two interesting folders: admin and /dev/shell:

- Same result with dirsearch.py:

- Nikto yields same result:

- gobuster also discovers robots.txt:

- Going to /dev:

- Viewing the source we find a bunch of users and password hashes:

- Clicking Web-Shell it seems that we need to authenticate before accessing the webshell:

3 - CRACKING HASHSES

- Storing these credentials in the text file team.txt:

- Identifying the type of hashes:

- Let's try to decrypt these hashes, at least some of them:

https://hashkiller.co.uk/sha1-decrypter.aspx

4 - EXPLOITATION

- Trying nick:bulldog and sarah:bulldoglover to get an SSH connection there is no success:

- However, nick:bulldog or sarah:bulldoglover are valid for authentication at the server:

- Once authenticated the Web-Shell is available:

- Because there is a limited set of 6 available commands, we would need to bypass that filter for instance using backticks, && or any other way.

4.1 - Getting a remote shell

- The first way of using Web-Shell is to upload a shellcode to Bulldog1 to eventually achieve a remote shell.

- For that purpose let's use repeatedly echo command (allowed by Web-Shell) with backtick command substitution:

https://www.gnu.org/software/bash/manual/html_node/Command-Substitution.html

- For instance:

- Other way would be using echo with normal quotes plus |sh:

- Let's create the exploit myshell with msfvenom:

- Giving execution permissions, though they are actually needed at the victim side :)

- Transferring myshell from Kali to Bulldog1:

- The transfer is successful:

- Giving execution permissions:

- Setting a listener with ncat:

- Running remotely myshell:

- The exploitation is successful:

- Improving the shell:

4.2 - Finding valid credentials with Web-Shell

- Another way of using Web-Shell is to perform an intensive listing of contents inside Bulldog1's filesystem until discovering any valid credentials.

- Trying some commands to learn how the Web-Shell works:

- Reading /etc/passwd we learn the existence of additional users like bulldogadmin and django:

- Actually we are at django's home folder:

- However, forbidden commands cannot be used directly:

- Listing the home folder:

- Unfortunately there is no result for sudo_as_admin_successful:

- One trick that can be used to bypass the 6 commands filter (aside for using backticks like in 4.1) is to link forbidden commands with the && operator.

- Going to .hiddenadmindirectory there are two files:

- Reading note:

- Also we learn that customPermissionApp is an executable file:

- Applying strings over customPermissionApp:

- Assembling the 4 highlighted strings it seems we could have a password, maybe one of these:

- Would it be valid for getting an SSH session? Let's try Hydra with users that we know:

- So yes, the password SUPERultimatePASSWORDyouCANTget is valid for user django.

- Let's open an SSH session with those credentials:

5 - PRIVILEGE ESCALATION

- Let's explore two ways of getting a root shell:

5.1 - Cron jobs

- There was an interesting notice at the /dev page of the web server about an AV system run every minute, what could be interpreted as a cron job:

- Let's check it out:

- Every 1 minute AVApplication.py is run with root privileges:

- Eventually we find a Python script that is blank at the moment:

- Using the Python reverse shell from here:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

- Setting a Netcat listener at port 5555: