This writeup was originally published on 1.11.2017

Hello! I found some time to break another boot2root. As usual, it’s another one from vulnhub. It’s titled “Bulldog”:

Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don’t you find out? :) This is a standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you! Difficulty: Beginner/Intermediate, if you get stuck, try to figure out all the different ways you can interact with the system. That’s my only hint ;) Made by Nick Frichette (frichetten.com) Twitter: @frichette_n

So, no flags this time. We’re supposed to keep hacking until we gain root. There’s not much to hack this time, but first things first. Time for some recon:

Recon

There seem to be 3 working services on the machine: ssh on a non-standard port (23) and two HTTP servers. Quickly clicking through the websites suggests that both servers serve exactly the same site. I might be wrong, but it didn’t matter later on. The pages didn’t give much useful info, so I fired up dirbuster. Dirbuster revealed an /admin login page and led to an interesting, “hidden” page, /dev. It not only gave some login ideas for enumeration but also hashes of their passwords:

The /dev page also links to the /dev/shell page, which needs some authentication:

So, after identifying the password hashes as SHA-1, I tried to reverse them. The easiest one turned out to be nick’s password, as it was simply ‘bulldog’.
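Why that reversal was so quick, seen from the defender's side, as an added example that is not part of the original writeup: an unsalted SHA-1 of a common word falls to a plain table lookup, while a salted, iterated KDF does not. The wordlist, the sample records and all function names are constructed for illustration; the sample hash is computed in the code, not copied from the /dev page.

```python
import hashlib
import hmac
import os
import re

# Constructed wordlist; a real audit would use a breached-password list.
WORDLIST = ["password", "letmein", "bulldog", "qwerty"]
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

def looks_like_sha1(value):
    """An unsalted SHA-1 digest is exactly 40 hex characters."""
    return re.fullmatch(r"[0-9a-fA-F]{40}", value) is not None

def audit_sha1(records, wordlist=WORDLIST):
    """Return {user: password} for every stored SHA-1 found in the wordlist."""
    # No salt means one precomputed table works against every account.
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h.lower()] for user, h in records.items()
            if looks_like_sha1(h) and h.lower() in lookup}

def store_password(password):
    """Hardened storage: per-user random salt plus an iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed sample store: one weak password, one random value.
SAMPLE = {
    "nick": hashlib.sha1(b"bulldog").hexdigest(),
    "other": hashlib.sha1(os.urandom(24)).hexdigest(),
}

if __name__ == "__main__":
    print("recovered from unsalted SHA-1:", audit_sha1(SAMPLE))
    salt, digest = store_password("bulldog")
    print("PBKDF2 record verifies:", verify_password("bulldog", salt, digest))
```

A weak password is still guessable under PBKDF2, but each guess costs 600,000 hash iterations per account instead of one shared lookup.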

Attack

Using these credentials on the /admin page allowed us to log in; unfortunately, nick can do virtually nothing there. I had more luck on the /dev/shell page. Since I was authorized as nick, it allowed me to use a simple, restricted shell:

After poking around the system for a while I found an interesting program, customPermissionApp:

Command:

allowed me to simply download the app to my machine. The app itself seems to spawn a root shell, which of course would be useful if we found a way to run it on the victim machine. But there is more to it. The strings command reveals a password hidden inside the app:

After a few attempts to connect over SSH I found out that SUPERutlimatePASSWORDyouCANTget is the password for the django user. After connecting we can get root by simply calling sudo -i:

What is the other way to get root that the author mentions? My idea would be to use the webshell to modify the webapp to serve a reverse shell, which could be used to run customPermissionApp on the victim machine.

Summary

Bulldog turned out to be a quite short and fairly easy boot2root. I hope my writeup can help someone stuck at any part of the challenge. Also, as usual, kudos to the machine’s author ;)