Bulldog 1: CTF walkthrough
Name: Bulldog 1
Release date: 28 Aug 2017
Author: Nick Frichette
Note: this VM doesn’t work with VMware Workstation/Fusion, which is why, after a few tries, I decided to install VirtualBox (ew, disgusting).
First of all, we need to find the IP address of the VM; we can use netdiscover or arp-scan.
Now we can scan the target to find out which services are running inside this virtual machine.
For that, I use the well-known network scanner nmap.
Two interesting services are running: a Python HTTP server (WSGIServer), maybe for a Django web application, and an SSH service (OpenSSH 7.2p2).
Now we will focus our research on this web site.
The index of the web site doesn’t give us any useful information, except the name of one employee.
I decided to actively enumerate the target with gobuster, a tool used to brute-force URLs.
The /admin/ and the /dev/ directories sound interesting.
The admin directory is a login form, and after some research I didn’t find any vulnerabilities in it, so I moved on to the second directory.
In the index of the second directory we find an explanation of the project, a description of how the new team is structured, and a web shell, which is inconveniently usable only by logged-in users.
At this point I knew I had to find credentials in order to log into the admin panel and then use the web shell. After a few tries without success, I knew I had missed something.
Yep, I missed something called the source code.
The source of the /dev/ index page has more in it than expected: SHA-1 password hashes.
I managed to recover the plaintext of two passwords:
We log into the admin panel with one of these passwords, and then we are able to use the web shell.
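The hashes above were recoverable because an unsalted, fast hash such as SHA-1 is deterministic: the same password always yields the same digest, and each guess costs a single cheap hash computation. The following is an added example (not code from the Bulldog application or from the original post) contrasting that scheme with how a Django-style application should store credentials: a random per-user salt and a deliberately slow key derivation function. The `pbkdf2_sha256$iterations$salt$hash` storage format is my own choice for this illustration, not Django's exact encoding.

```python
"""Unsalted SHA-1 versus salted PBKDF2 for password storage.

Added example, not the Bulldog application's code. The storage format
'pbkdf2_sha256$<iterations>$<salt-hex>$<hash-hex>' is this example's own.
"""
import hashlib
import hmac
import os
from typing import Optional


def sha1_unsalted(password: str) -> str:
    """The weak scheme the page implies: no salt, one fast hash per guess.
    Identical passwords produce identical digests, so a leaked digest can be
    matched against precomputed tables or brute-forced cheaply."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Hardened storage: 16 random salt bytes per user and a slow KDF.

    The salt makes identical passwords hash differently, defeating shared
    lookup tables; the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Two users choosing the same (constructed) password: identical under SHA-1,
    # distinct under salted PBKDF2.
    print(sha1_unsalted("password") == sha1_unsalted("password"))  # True
    print(pbkdf2_hash("password") == pbkdf2_hash("password"))      # False
```

The lesson for the application side is twofold: the hashes should never have been embedded in an HTML page served to anonymous users, and even if they leaked, a salted slow KDF would have turned a minutes-long recovery into an impractical one for any non-trivial password.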
Bypassing the set of available commands
At first look we can only use six commands: ifconfig, ls, echo, pwd, cat and rm. Moreover, we can’t use semicolons.
We can’t use a semicolon, but maybe an ampersand will work. And yes, it works, and that allows us to execute any command we want on the targeted server.
We can remotely execute arbitrary code; it’s just a question of seconds before we get a reverse shell.
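The bypass works because the web shell blocks one metacharacter and then hands the remaining string to a shell, which still honours every other chaining operator. The following is an added example (not the Bulldog application's code or the post's) that reproduces the observed behaviour of such a blocklist beside a hardened handler: tokenize without a shell, allowlist the program name, reject any remaining shell metacharacter, and execute the argv directly so no shell ever parses user input. The six allowed commands are those the page lists; the function names are mine.

```python
"""Semicolon blocklist versus allowlisted argv execution for a web shell.

Added example, not the Bulldog application's code. ALLOWED mirrors the six
commands the walkthrough observed; a real deployment would not expose rm or
unrestricted cat at all.
"""
import shlex
import subprocess
from typing import List, Optional

ALLOWED = {"ifconfig", "ls", "echo", "pwd", "cat", "rm"}

# Characters a POSIX shell would interpret. If any survive tokenization, the
# input was written for a shell rather than for an argv and is refused.
SHELL_META = set("&|;`$<>()\n")


def weak_filter_accepts(cmd: str) -> bool:
    """The behaviour the page observed: only ';' is rejected, the first word
    must be an allowed command, and (in the vulnerable app) the whole string
    then goes to a shell. '&' and every other operator pass straight through."""
    words = cmd.split()
    first = words[0] if words else ""
    return ";" not in cmd and first in ALLOWED


def hardened_parse(cmd: str) -> Optional[List[str]]:
    """Return an argv list if the command is acceptable, else None.

    shlex.split tokenizes like a shell but performs no expansion, so '&'
    becomes an ordinary token and is caught by the metacharacter check."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    for tok in argv:
        if any(ch in SHELL_META for ch in tok):
            return None
    return argv


def run_hardened(cmd: str, timeout: float = 5.0) -> str:
    """Execute an allowlisted command with shell=False: argv reaches execve
    unchanged, so there is no operator for an attacker to smuggle in."""
    argv = hardened_parse(cmd)
    if argv is None:
        return "rejected"
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout


if __name__ == "__main__":
    for probe in ("ls -la", "ls; id", "ls & id", "echo $(id)"):
        print(f"{probe!r:16} weak={weak_filter_accepts(probe)!s:5} "
              f"hardened={hardened_parse(probe)}")
```

The detection angle follows from the same observation: a request log line for this endpoint whose command contains `&`, `|`, backticks or `$(` is a bypass attempt regardless of what the first word is, which is a far more useful alert than logging rejected semicolons.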
We generate a malicious ELF file with msfvenom:
We send the malicious file to the targeted server:
We change the permissions of the file:
Finally we execute the reverse shell and then spawn a pseudo-TTY:
We have a low-privilege shell; now our job is to find a way to gain root access to this server.
After a few minutes I found a hidden directory inside the bulldogadmin home folder:
In this directory we have two things: an ASCII file and an x64 ELF binary:
The first thing I tried with this ELF file was to search for any strings I could find inside the compiled binary and, fortunately for us, this ELF file contains a password:
The complete password is: SUPERultimatePASSWORDyouCANTget