Bulldog Command Injection

by Vince
in Blog
Hits: 596

Continuing on with the "Command Injection" theme, we take a look at the Bulldog Industries website which claims:

"Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don't you find out? :)"

Skipping ahead, the congratulatory message states there are two ways to root this box, I found four.  I believe I know which are the two intended and when we get to that part in this post, I will point them out.

As a side note, I'd like to point out that I sort of rushed through the documentation and when I went back through to write this up, I realized I'd been careless.  Obviously, there's a difference between writing a post and writing a pentest report but clear documentation habits are a must in the latter and we should make every effort to achieve that high level of standard -- even with just a walk-through.  

I should also talk in the third person ("the penetration tester discovered...") but that's not how I like to write when it's for the purpose of education.  Anyway, moving on...

We kick this off with an Nmap scan:





Firing up Nikto on port 80:




Taking a deeper look with GoBuster:




Taking a look with the browser:




Checking out the various URLs we uncovered with GoBuster:




We find a "WebSehll", we attempt to access it:





No joy.  Continuing on to /admin :




We need credential, we continue exploring:




Ouch.  Continuing on:




Circling back, I view source on /dev :




This looks promising, firing up hash-identifier to get an idea on the hash type:




Looks like SHA-1, let's move over to Hashcat:




Excellent!  We have two passwords.  Let's head back to that login and see if we can get in:





Using nick : bulldog 






We get in!  Now let's see if we can access that WebShell:




Excellent!  Attempting command execution:





Excellent!  We are able to inject commands using &&.  

Attempting to write into the file system:





Now checking to see if we actually wrote into the file system:





Nice!

This WebShell will most likely hang us up on certain characters so rather than mess around with that, let's just convert to base64 and reassemble on the system.  I've put a simple reverse shell into a file, I'm converting to base64, I will then echo that base64 string, pipe it to base64 decode, redirect that to a file, give that file execute permissions, and finally -- execute that file (shell):











Setting up our listener:




We catch our shell!  Now let's clean things up:




I believe this would be unintended root #1 :




Moving our exploit over to the system:





And when we execute, we are root!

Reading the congratulatory file:




I believe this would be unintended root #2 :




Again, moving our exploit over and executing:




Again, we achieve root!

We find this hidden directory which contains "customPermissionApp".  I believe this would be one of the two intended roots.  When we take a look with Strings, we see:





That looks like a password.  Let's try to elevate our user:




And that would be root #3.  Looking for the final root, we enumerate cron:





That looks interesting.  Let's dig into it:




This is very promising.  Taking a deeper look:





We can either exploit or overwrite this file.  What's inside? :




This is just a place holder script, I'm going to overwrite it with a Python one-liner:




Using curl, I'm going to download the shell and overwrite the existing script:




Setting up our listener:



Not long after I overwrite that script, I catch a new session.  When I check my ID... root!

For those taking the OSCP course, you have 23:45 to complete the exam.  Part of that exam process is documentation and if I were taking that exam, I would plan to wrap up the penetration test well in advance of that 23:45 in order to create rock solid documentation.  A single missing screenshot could be the difference between passing and failing.  Root everything, document the entire process, then go back through rooting everything using your notes in order to double check your documentation.  

While writing up this post, I had to go back and create a missing screenshot as well as retake another where I cropped out the command I used.  Small details but important details.