Bulldog: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

uid=0(root) gid=0(root) groups=0(root)

Download

https://www.vulnhub.com/entry/bulldog_1,211/

Walkthrough

Initial nmap shows ports open on 23, 80, and 8080
alt text

Nothing special on front facing site or notice page. Also nothing in the source and 8080 is the same web app
alt text
alt text

Running the site against dirb reveals admin, dev, and dev/shell directories
alt text

The admin page reveals django admin login, nothing to use yet though
alt text

The dev directory reveals usernames we might use
alt text

and the link to the shell directory
alt text

Seems we need to authenticate to django before we can use the web shell
alt text

Looking at the source of dev directory reveals hashes for all the usernames
alt text

Running kali on a virt on my windows box, so switching to windows to run hashes against hashcat. This reveals two passwords that we can try against django
alt text

And we’re in using nick:bulldog for credentials, but no privileges
alt text

Checking the shell directory, looks like we now have a restricted shell to only a few commands
alt text

However it seems we’re in as user django
alt text

Searching around we find that we can access user bulldogadmin home directory and there is a hidden directory with two files
alt text

The note file reveals that the other file is a program that can give us root
alt text

As always I overthink these things and wasted a bunch of time on other possibilities, turns out we can run commands using echo and passing them to /bin/bash through a pipe
alt text

Needed a way to get the customPermissionApp off the system so I can take a look at it, so we copy it to the static web directory in order to download
alt text
alt text
alt text

Executing the program gives instructions and actually spawns a new shell. Nothing too use to get on the box though
alt text

Throwing it at strings actually reveals what we need, a password SUPERultimatePASSWORDyouCANTget
alt text

Using the found password we’re able to SSH over port 23 as django
alt text

Simple sudo -i gives us root and the congrats.txt file
alt text

Another way to get root? The only other way I found was to copy customPermissionApp to tmp directory, make executable, and run to give root. Not sure if that was it though.
alt text

Written on October 14, 2017
Share on: