Bulldog 2: CTF walkthrough
First and foremost we need the IP address of the VM. For that, as usual, we will use arp-scan.
Then we can scan the target with nmap to find open ports and running services.
According to the nmap scan, as with the first Bulldog VM, we are going to exploit a web application.
Our entry point
I have to confess that the first 30 minutes were tough; then I realised that, with a Node JS based application, we have access to the client-side source code. That's why I decided to download and read the main script located at: http://192.168.1.35/main.8b490782e52b9899e2a7.bundle.js.
By reading it, we can find two interesting things. Note: I used the https://unminify.com/ website to un-obfuscate/unminify the JS code.
First, the usable URLs:
And how to create a new user:
So we will create a new user and then analyse the authentication process.
Creating a new user
According to what we found in the source code, we can easily create a new user with the following POST request:
From nothing to admin
Now let's take a closer look at the authentication process; for that I will use Burp Suite.
First, let's catch the HTTP POST request that we are sending to the server when we submit the login form:
At this point, we can intercept the response from the server:
As we can see, the server returns a JWT token along with a few other parameters.
We can easily decode this token with the following website: https://jwt.io/
Now, if we go back to the JS source code, we can see that the auth_level variable is checked in several places.
Moreover, master_admin_user seems to be the highest privilege level.
So we just have to change the auth_level of our current JWT token to 'master_admin_user' via https://jwt.io/ and paste the new token into Burp Suite. That's how we gain admin privileges in the web application.
With our fresh admin privileges, we can now navigate to the /dashboard URL. This is a basic form, but the interesting thing about it is that the creator of the application tells us that it is for a CLI tool, which means that we can probably find a way to inject arbitrary commands.
Let's try a simple example on my local system. I can run a simple command with a few flags:
But if I use the ; character, I can chain other commands:
It is exactly the same with this form. We inject a ; into the password field, followed by the system command that we want to execute.
For example, a Python reverse shell.
That gives us a low-privilege reverse shell.
We find that the /etc/passwd file is writable by any user on this system.
So nothing really complex here. First, we create a simple password.
Then we add a new root user to /etc/passwd.
And that's how we finally get root access to the system.