CTF: Bulldog 1 walkthrough

CTF :Bulldog 1 - vulnhub CTF walkthrough
This is a walkthrough on the Bulldog 1 vulnhub CTF by Nick Frichette After powering up the VM using VirtualBox or VMWare, you have to get the target’s IP:
Getting the target's IP - Bulldog 1 - vunlhub CTF walkthrough
#arp-scan -localnet

Enumeration

To get familiar with the target services, I usually do an nmap scan on the top 1000 ports accessible:
nmap scan on target Bulldog 1 - vulnhub CTF walkthrough
# nmap -O -sT -sV –top-ports 1000 192.168.1.100
And a UDP scan:
UDP scan using unicornscan on target Bulldog 1 - vulnhub CTF walkthrough
# unicornscan -mU 192.168.1.100:a -v
A complete nmap scan didn’t show any additional ports opened. At this point I could see the OpenSSH 7.2p2 daemon vulnerable to username enumeration Ports 80 and 8080 seem to have a web server, showing the following message an a picture of a bulldog on the front page:
Thank you for visiting Bulldog Industries' website, the world's number one purveyor of high quality English Bulldog photography! Unfortunately we are suspending business operations until further notice. On the first of this month, we were made aware of a breach of our technology systems. We are currently assessing the possibility that hackers may have gotten access to customer payment information. Do not be alarmed as we will be providing simple credit monitoring for all affected customers.

For more information on this, please see our public disclosure notice found below.
The public disclosure states that there was a breach in their systems and all of their staff was fired. The message is signed by Winston Churchy (CEO) (I usually write such stuff down in my notes to have on hand for a later use in a brute-force attack, and keeping in mind that the target seems to be vulnerable to a username enumeration this might be useful at a later stage) The first thing I go for is checking for a /robots.txt file and take a look at the source code. A robots.txt file exists on both web ports, with a message that they got owned. So far this is nothing useful. Going through the various pages on both ports didn’t seem to have anything useful so I it’s time to move to

Vulnerability Scan

I used the following commands to check for any vulnerabilities:
Running nikto on target Bulldog 1 - vulnhub - CTF - walkthrough
# nikto -h http://192.168.1.100
Running dirb on target Bulldog 1 - vulnhub - CTF - walkthrough
# dirb http://192.168.1.100
and on the second web server port (8080):
# dirb http://192.168.1.100:8080 (to disclose any hidden filders)
# nikto -h http://192.168.1.100:8080
as well as an additional nmap scan using the vuln NSE script.
Running nmap NSE scan on target Bulldog 1 - vulnhub - CTF - walkthrough
# nmap –script vuln -sT -p80 192.168.1.100
A summary of the findings is as following: a /dev directory exists on both ports containning a link to a web shell, requiring some kind of authentication:
/dev/shell directory on target Bulldog 1 - vulnhub CTF walkthrough - d7x
http://192.168.1.100/dev/shell/
an /admin directory running the Django CMS:
django CMS running on target Bulldog 1 - vulnhub CTF walkthrough - d7x
http://192.168.1.100/admin/login/?next=/admin/
So after reviewing all of the above pages source code, the following snippet can be noticed at the bottom of the http://192.168.1.100/dev/ page:
Discovering password hashes on target Bulldog 1 - vulnhub - CTF walkthrough - d7x
Discovering password hashes on target Bulldog 1 – vulnhub CTF walkthrough by d7x
 
Discovering password hashes on target Bulldog 1 - vulnhub - CTF walkthrough - d7x
Discovering password hashes on target Bulldog 1 – vulnhub CTF walkthrough
This seems like a nice list of password hashes, probably to be in use within the Django CMS system located at /admin. The first thing I did is to compare both the hashes from the source on both ports to avoid skipping any useful information. They were identical so I copied them to a file called “hashes” and removed the unnecessary data using the following sed expression:
 # sed -i -e 's/.*<!--\(.*\)-->.*/\1/' hashes
hashes on target Bulldog 1 - CTF - vulnhub - walkthrough - D7x
Getting password hashes from source code and putting them in a file
and then gave this list a shot using hashcat using the rockyou.txt wordlist (this is supposedly a Django hash, so you could issue the following command to see the required hashcat mode: hashcat -h | grep Django). In this case this happens to be a raw sha1 hash however (I used hash-identifier to and provided as an input one of the hashes to find this out), so the correct hashcat mode is 100 As a result two hashes were cracked:
# hashcat -m 100 hashes /usr/share/wordlists/rockyou.txt
Cracking passwords on target Bulldog 1 - vulnhub CTF walkthrough - d7x
Cracking passwords on target Bulldog 1 – vulnhub CTF walkthrough
At this point two passwords are cracked – the one for hash ddf45997a7e18a25ad5f5cf222da64814dd060d5 belonging to nick, and the one for hash d8b8dd5e7f000b8dea26ef8428caf38c04466b3e​ belonging to sarah, supposedly for database access. So credentials go as following: Back End: nick@bulldogindustries.com <! –ddf45997a7e18a25ad5f5cf222da64814dd060d5 –> Plain-text password: bulldog Database: sarah@bulldogindustries.com <! –d8b8dd5e7f000b8dea26ef8428caf38c04466b3e –> Plain-text password: bulldoglover A successful login using username “nick” : “bulldog
login to djangu - Bulldog 1 vulnhub CTF walkthrough - d7x
A successful login on target Bulldog 1 (django admin login system) – vulnhub CTF walkthrough
As there isn’t anything useful within the admin panel, now checking back to the /dev/shell:
Web Shell on target Bulldog 1- vulnhub CTF walkthrough
Web Shell on target Bulldog 1- vulnhub CTF walkthrough
So we have a web shell with some command restrictions. Using a common command injection technique this can be easily bypassed in several ways:
  • by appending a pipe “|” to an allowed command following another command:
Executing a command via pipe on target Bulldog 1 - vulnhub CTF walkthrough
Executing a command via pipe on target Bulldog 1 – vulnhub CTF walkthrough
by using the echo command, followed by a command execution interpreter like ` or $:
Executing a command via echo $(cmd) on target Bulldog 1 - vulnhub CTF walkthrough
Executing a command via echo $(cmd) on target Bulldog 1 – vulnhub CTF walkthrough
Executing a command via echo `cmd` on target Bulldog 1 - vulnhub CTF walkthrough
Executing a command via echo `cmd` on target Bulldog 1 – vulnhub CTF walkthrough
There may be other ways as well, but these are more than sufficient to try to get the webshell to a persistent one:
nc session disconnecting on target Bulldog 1 - vulnhub CTF walkthrough - d7x
nc session disconnecting on target Bulldog 1 – vulnhub CTF walkthrough
So what happens above is the connection gets closed due to the Ubuntu firewall. However, generating an msfvenom payload and executing it on the target seems to work:
Getting a shell on target Bulldog 1 - vulnhub CTF walkthrough - d7x
Getting a shell on target Bulldog 1 – CTF walkthrough

Privilege Escalation

To escalate privileges* (remember the note on the web page about the company setting up a revolutionary AV?): *this is the easiest way, I believe there are a few more ways to do it on this box but I’ll be describing the most straight forward and obvious one below. After enumerating the cron jobs you’d notice an AVapplication.py python script configured to run as root each minute, having insecure permissions:
Privilege Escalation on target Bulldog 1 via Insecure permissions on cron - vulnhub CTF walkthrough
Insecure permissions on a file running by a root cron job each minute
As shown below the file contents could be easily altered:
Escalating Privileges on target Bulldog 1 - vulnhub CTF walkthrough
Injecting a malicious code into a file run each minute with root privileges to escalate privileges on target Bulldog 1 – vulnhub CTF walkthrough
Then you just have to spawn a listener:
Getting root on Bulldog 1 - vulnhub CTF walkthrough - d7x
Getting root on Bulldog 1: vulnhub CTF walkthrough
 

Leave a Reply

Your email address will not be published. Required fields are marked *