Saturday, December 15, 2018

Bulldog 1


BULLDOG 1

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bulldog1.

- Bulldog1 can be downloaded from here:

https://www.vulnhub.com/entry/bulldog-1,211/


- Once downloaded and extracted with VirtualBox:





2 - ENUMERATION

- Confirming Bulldog1's IP:




- Scanning with Nmap:




 - Connecting to the web server:





- Reading the Public Notice, it smells to Dirty Cow exploit ... let's see ...::





- Dirbusting, it seems that there are basically two interesting folders: admin and /dev/shell:







- Same result with dirsearch.py:






- Nikto yields same result:





- gobuster also discovers robots.txt:








- Going to /dev:







- Viewing the source we find a bunch of users and password hashes:




- Clicking Web-Shell it seems that we need to authenticate before accessing the webshell:






3 - CRACKING HASHSES

Storing these credentials in the text file team.txt:







- Identifying the type of hashes:




- Let's try to decrypt these hashes, at least some of them:

https://hashkiller.co.uk/sha1-decrypter.aspx







4 - EXPLOITATION

- Trying nick:bulldog and sarah:bulldoglover to get an SSH connection there is no success:








- However, nick:bulldog or sarah:bulldoglover are valid for authentication at the server:








- Once authenticated the Web-Shell is available:




- Because there is a limited set of 6 available commands, we would need to bypass that filter for instance using backticks, && or any other way.


4.1 - Getting a remote shell

- The first way of using Web-Shell is to upload a shellcode to Bulldog1 to eventually achieve a remote shell.

- For that purpose let's use repeatedly echo command (allowed by Web-Shell) with backtick command substitution:

https://www.gnu.org/software/bash/manual/html_node/Command-Substitution.html

- For instance:




- Other way would be using echo with normal quotes plus |sh:




- Let's create the exploit myshell with msfvenom:




- Giving execution permissions, though they are actually needed at the victim side :)




- Transferring myshell from Kali to Bulldog1:






- The transfer is successful:




Giving execution permissions:




- Setting a listener with ncat




- Running remotely myshell:




- The exploitation is successful:




- Improving the shell:



4.2 - Finding valid credentials with Web-Shell

- Another way of using Web-Shell is to perform an intensive listing of contents inside Bulldog1's filesystem until discovering any valid credentials.

- Trying some commands to learn how the Web-Shell works:





- Reading /etc/passwd we learn the existence of additional users like bulldogadmin and django:




- Actually we are at django's home folder:





- However, forbidden commands cannot be used directly:




- Listing the home folder:








- Unfortunately there is no result for sudo_as_admin_successful:




- One trick that can be used to bypass the 6 commands filter (aside for using backticks like in 4.1) is to link forbidden commands with the && operator.

- Going to .hiddenadmindirectory there are two files:




- Reading note:




- Also we learn that customPermissionApp is an executable file:




- Applying strings over customPermissionApp:





 - Assembling the 4 highlighted strings it seems we could have a password, maybe one of these:




- Would it  be valid for getting an SSH session? Let's try Hydra with users that we know:









- So yes, the password SUPERultimatePASSWORDyouCANTget is valid for user django.

- Let's open an SSH session with those credentials:






5 - PRIVILEGE ESCALATION

- Let's explore two ways of getting a root shell:

5.1 - Cron jobs

- There was an interesting notice at the /dev page of the web server about an AV system run every minute, what could be interpreted as a cron job:




- Let's check it out:




- Every 1 minute AVApplication.py is run with root privileges:




- Eventually we find a Python script that is blank at the moment:




- Using the Python reverse shell from here:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet


- Setting a Netcat listener at port 5555:





- Passing the Python reverse shell (adapted to our needs in terms of IP and port) to AVApplication.py:



- After less than 1 minute we've got a remote root shell:




5.2 - Sudoer privileges

- Checking django's sudoer privileges we learn that django is able to run all commands:




- Getting a root shell:




- Now it will be easy to capture the flag text file.



6 - CAPTURING THE FLAG 

- Listing root directory:




- django can read congrats.txt:




- Also, congrats.txt can be read directly with a root shell: