I've been playing around with VirtualBox which has enabled me to load up servers that I was previously unable to get working in my 'go to' hypervisor.  With a variety of servers to practice on with varying degrees of difficulty, this has been beneficial if for no other reason than because it allows me to take 30-60 minutes, focus on an easier box, write it up, and then move on about my day.

In that amount of time, I can stay focused, with few interruptions, and follow the thread wherever it leads me.  I often find harder boxes, requiring more time, will seem much harder than reality only because I lose my concentration, lose my place, and sometimes there are large gaps in time between where I left off and where I begin again.  So much so that I often scrap all of my notes and start from the beginning.

Bottom-line -- the more variety we get, the more well-rounded we'll become. 

Continuing on with the "Command Injection" theme, we take a look at the Bulldog Industries website which claims:

"Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don't you find out? :)"

Skipping ahead, the congratulatory message states there are two ways to root this box, I found four.  I believe I know which are the two intended and when we get to that part in this post, I will point them out.

As a side note, I'd like to point out that I sort of rushed through the documentation and when I went back through to write this up, I realized I'd been careless.  Obviously, there's a difference between writing a post and writing a pentest report but clear documentation habits are a must in the latter and we should make every effort to achieve that high level of standard -- even with just a walk-through.  

While browsing around various sites the other night, I found a site that had a long list of recommendations for "command injection" test beds.  From that list, Seattle, was the most recent.  I downloaded it, moved it into Virtualbox, and started to take a whack at it.  

Having spent a decent amount of time poking around, I would recommend this to anyone looking for easy pickings as far as web vulnerabilities, cross site scripting, SQL injection, and a juicy target for full exploitation with SQLMap.  There's something for everyone!

Kicking off with an Nmap scan: