Saturday, December 15, 2018

Bulldog 1


- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Bulldog1.

- Bulldog1 can be downloaded from here:,211/

- Once downloaded and extracted with VirtualBox:


- Confirming Bulldog1's IP:

- Scanning with Nmap:

 - Connecting to the web server:

- Reading the Public Notice, it smells to Dirty Cow exploit ... let's see ...::

- Dirbusting, it seems that there are basically two interesting folders: admin and /dev/shell:

- Same result with

- Nikto yields same result:

- gobuster also discovers robots.txt:

- Going to /dev:

- Viewing the source we find a bunch of users and password hashes:

- Clicking Web-Shell it seems that we need to authenticate before accessing the webshell:


Storing these credentials in the text file team.txt:

- Identifying the type of hashes:

- Let's try to decrypt these hashes, at least some of them:


- Trying nick:bulldog and sarah:bulldoglover to get an SSH connection there is no success:

- However, nick:bulldog or sarah:bulldoglover are valid for authentication at the server:

- Once authenticated the Web-Shell is available:

- Because there is a limited set of 6 available commands, we would need to bypass that filter for instance using backticks, && or any other way.

4.1 - Getting a remote shell

- The first way of using Web-Shell is to upload a shellcode to Bulldog1 to eventually achieve a remote shell.

- For that purpose let's use repeatedly echo command (allowed by Web-Shell) with backtick command substitution:

- For instance:

- Other way would be using echo with normal quotes plus |sh:

- Let's create the exploit myshell with msfvenom:

- Giving execution permissions, though they are actually needed at the victim side :)

- Transferring myshell from Kali to Bulldog1:

- The transfer is successful:

Giving execution permissions:

- Setting a listener with ncat

- Running remotely myshell:

- The exploitation is successful:

- Improving the shell:

4.2 - Finding valid credentials with Web-Shell

- Another way of using Web-Shell is to perform an intensive listing of contents inside Bulldog1's filesystem until discovering any valid credentials.

- Trying some commands to learn how the Web-Shell works:

- Reading /etc/passwd we learn the existence of additional users like bulldogadmin and django:

- Actually we are at django's home folder:

- However, forbidden commands cannot be used directly:

- Listing the home folder:

- Unfortunately there is no result for sudo_as_admin_successful:

- One trick that can be used to bypass the 6 commands filter (aside for using backticks like in 4.1) is to link forbidden commands with the && operator.

- Going to .hiddenadmindirectory there are two files:

- Reading note:

- Also we learn that customPermissionApp is an executable file:

- Applying strings over customPermissionApp:

 - Assembling the 4 highlighted strings it seems we could have a password, maybe one of these:

- Would it  be valid for getting an SSH session? Let's try Hydra with users that we know:

- So yes, the password SUPERultimatePASSWORDyouCANTget is valid for user django.

- Let's open an SSH session with those credentials:


- Let's explore two ways of getting a root shell:

5.1 - Cron jobs

- There was an interesting notice at the /dev page of the web server about an AV system run every minute, what could be interpreted as a cron job:

- Let's check it out:

- Every 1 minute is run with root privileges:

- Eventually we find a Python script that is blank at the moment:

- Using the Python reverse shell from here:

- Setting a Netcat listener at port 5555:

- Passing the Python reverse shell (adapted to our needs in terms of IP and port) to

- After less than 1 minute we've got a remote root shell:

5.2 - Sudoer privileges

- Checking django's sudoer privileges we learn that django is able to run all commands:

- Getting a root shell:

- Now it will be easy to capture the flag text file.


- Listing root directory:

- django can read congrats.txt:

- Also, congrats.txt can be read directly with a root shell: