Bulldog — Vulnhub
For this week's post, I'm trying out another VM from Vulnhub. This one is titled Bulldog. Let's get stuck in!
I'll start the party by running an Nmap scan at the VM's IP address.
There are just a few services to choose from: a web page on port 80 and a WSGI server on 8080. I'm tempted to go looking for exploits for those services, but I'm not done with recon on the target. While I go and explore the web page, I'll kick off Dirb to enumerate directories (Dirb brute-forces paths on the web server; it doesn't find subdomains).
It looks like this bulldog photography business had a data breach!
Checking in on Dirb, I'm given a trove of juicy results.
Neato. /admin is a classic. /dev looks good too. It's a toss-up which to explore first, so I decide to just go alphabetically.
Looks like a dead end for now. Moving onto /dev gives me a bit more to chew on.
Seems like a small briefing note. I get to the meat of it when I view the source of the /dev page.
There's a ton of good info here, namely all those hashes and the usernames attached to them. I'll throw those into John and see what happens.
Before I do that, I want to check out what that Web-Shell link is.
I'll have to use some creds on the admin login page if I want to see what Web-Shell is.
Using Nano, I put the email contacts and their corresponding hashes into a .txt file for John to iterate over, and then I let him loose.
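To make the John step concrete, here is a small wordlist cracker for unsalted hashes. It is an added example and not code from the post or the Bulldog VM: the users, passwords and wordlist below are constructed for the demonstration (the VM's real hashes are not reproduced), and the assumption that the digests are plain MD5/SHA-1/SHA-256 is mine, guessed from digest length the way John's auto-detection does.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Unsalted hex digests only (an assumption about what the /dev page exposed).
# Digest length in hex characters -> hashlib algorithm name.
HASH_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}


def guess_algorithm(hexdigest: str) -> Optional[str]:
    """Guess the hash type from the digest length; John does this too, more thoroughly."""
    return HASH_BY_HEXLEN.get(len(hexdigest))


def parse_hash_file(text: str) -> List[Tuple[str, str]]:
    """Parse 'user:hexdigest' lines, the layout written out for John in the post."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if sep:
            entries.append((user.strip(), digest.strip().lower()))
    return entries


def crack(entries: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: password} for every digest that some wordlist candidate reproduces."""
    cracked: Dict[str, str] = {}
    for user, digest in entries:
        algo = guess_algorithm(digest)
        if algo is None:
            continue  # unknown length: probably salted, or not a hex digest at all
        for candidate in wordlist:
            if hashlib.new(algo, candidate.encode()).hexdigest() == digest:
                cracked[user] = candidate
                break
    return cracked


# Constructed sample input: users and passwords made up for this example, not the
# values from the VM. 'other' uses a password deliberately missing from the wordlist.
SAMPLE_HASHES = "\n".join([
    "# user:hash, as handed to John",
    "nick:" + hashlib.sha1(b"bulldog").hexdigest(),
    "ashley:" + hashlib.md5(b"photography").hexdigest(),
    "other:" + hashlib.sha1(b"correct horse battery staple").hexdigest(),
])
WORDLIST = ["password", "admin", "bulldog", "photography"]


def crack_sample() -> Dict[str, str]:
    """Run the cracker over the constructed sample. For the SHA-1 entries this is
    the same job as: john --format=Raw-SHA1 --wordlist=words.txt hashes.txt"""
    return crack(parse_hash_file(SAMPLE_HASHES), WORDLIST)


if __name__ == "__main__":
    for user, password in crack_sample().items():
        print(f"{user}: {password}")
```

The partial result (two of three users cracked) is the normal outcome of a wordlist attack, and mirrors the "couple of hits" from John: an uncracked hash says nothing about whether the password is strong, only that it is not in the list.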
Looks like I've got a couple of hits! I try to log into SSH with the cracked passwords, but they don't work. They must be for the admin login page; I got too excited. I pick Nick's credentials for no particular reason and look over the admin page.
Looks like I've got no options other than to go check out the Web-Shell.
This is pretty cool! It's a mock Linux shell running in a browser window. It's got some limited functionality, but I can still look around the file structure.
Well, well, well... django can sudo as admin! That's good to know.
However, it isn't long until I butt up against the minor countermeasures the designer of the Web-Shell implemented.
Okay, so semicolons are a no-go for chaining commands. I had some limited success with pipes, but a pipe feeds the previous command's output into the next one, which is a little too sticky for my purposes. The next thing I tried was a double ampersand, and that was successful. One caveat with `&&`: the second command only runs if the first one exits successfully, so the first command has to be one the shell actually accepts.
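The filter bypass above comes down to a blacklist in front of a real shell. The following is an added example, not the VM's web-shell code: it models the behaviour the post observed (a handler that rejects `;` and then hands the string to `/bin/sh`, so `&&` and `|` still work) next to a hardened version that tokenises the input, checks the program against an allow-list and never invokes a shell at all. The allow-list contents are my assumption for the demo.

```python
import shlex
import subprocess

# Assumed allow-list for the hardened handler; the real web shell's list is not reproduced.
ALLOWED = {"echo", "ls", "pwd", "cat"}


def vulnerable_webshell(cmd: str) -> str:
    """Model of the blacklist the post ran into: only ';' is refused, everything else
    goes straight to /bin/sh, so '&&', '||' and '|' still chain commands."""
    if ";" in cmd:
        return "command blocked"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_webshell(cmd: str) -> str:
    """Split into argv with shlex, allow-list argv[0], and run with shell=False.
    Shell metacharacters are now ordinary argument strings, not operators."""
    try:
        argv = shlex.split(cmd)
    except ValueError:           # unbalanced quotes
        return "command blocked"
    if not argv or argv[0] not in ALLOWED:
        return "command blocked"
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for probe in ("echo one; echo two", "echo one && echo two", "echo hi | tr a-z A-Z"):
        print(f"{probe!r:28} vulnerable -> {vulnerable_webshell(probe)!r}")
        print(f"{probe!r:28} hardened   -> {hardened_webshell(probe)!r}")
```

Run it and the difference is plain: the blacklist stops `echo one; echo two` but lets `echo one && echo two` print both lines, while the hardened handler runs `/bin/echo` with the literal argument `&&` and prints `one && echo two`. Blacklisting metacharacters is a losing game; removing the shell from the call path is the fix.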
I feel like I'm making progress! Listing the directories in /home, I use my newfound abilities to search in more depth. Soon I find an interesting directory at /home/bulldogadmin/.hiddenadmindirectory.
Inside the directory there's a "note" file and a "customPermissionApp" file.
When I cat the note it gives me some excellent clues. I need to check out this custom app. Also, whatever I find there will most likely be useful under the django username, who also happens to be able to sudo as admin. I can see where this is going.
I run the strings command on the customPermissionApp file and come up with a real gem:
SUPERultimatePASSWORDyouCANTget. Well, I have it Ashley. I have your superultimatepassword. I bet it's the SSH password I've been looking for. And I aim to misbehave.
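`strings` finds the password because the binary stores it as a plain run of printable bytes. The snippet below reimplements that scan so the minimum-length knob (`strings -n`) is visible. It is an added example, not the post's or the VM's code, and the byte blob is a constructed stand-in for customPermissionApp (ELF magic, an interpreter path, some junk and the recovered password), not the real file.

```python
from typing import List

# Byte values GNU strings treats as printable by default: ASCII graphic chars, space, tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}


def strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable bytes, like `strings -n min_len`."""
    found: List[str] = []
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()
    if len(run) >= min_len:  # a run that ends at EOF
        found.append(run.decode("ascii"))
    return found


# Constructed sample binary, not the VM's customPermissionApp.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(8)      # ELF magic: "ELF" is only 3 printable bytes
    + b"ab\x00"                                 # too short to be reported at the default -n 4
    + b"/lib64/ld-linux-x86-64.so.2\x00"        # the kind of path every dynamic ELF carries
    + b"\x01\x02\x03"
    + b"SUPERultimatePASSWORDyouCANTget\x00"    # the gem, stored in the clear
    + b"\xff\xfe"
)


def find_strings_in_sample(min_len: int = 4) -> List[str]:
    return strings(SAMPLE_BINARY, min_len)


if __name__ == "__main__":
    for s in find_strings_in_sample():
        print(s)
```

With the default minimum of 4, the output is just the interpreter path and the password; dropping to `-n 3` also surfaces `ELF`. Real compilers sometimes split a literal across several `mov` instructions, in which case the fragments show up as separate short strings and a lower `-n` helps piece them together.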
First, I want to check out if django can sudo as admin or if it was all scandalous lies.
Looks like django has the power! I held aloft my magic sword and said, "by the power of Greyskull! Change root's password to something stupid!"
After changing root's password, I switch to the root user and pop over to /root to snag the flag.
And that's that!
See You Space Cowboy...