Bulldog 1 ctf Walkthrough

Bulldog 1 Walkthrough
The name of the Virtual machine is “Bulldog 1” that we are going to crack.  It is a Boot2Root VM that we are going to solve. This is a web-based VM. Our main goal is to escalate the privileges to root and capture the flag.
You can download it from a 
Penetration Methodology:
1. Network Scanning (Nmap, netdiscover).
2. Directory Brute-force (dirbuster).
3. Decrypt the data using www.crackstation.net 
4. Finding vulnerabilities in dev page.
5. Get into the shell for privilege escalation.
6. Switch user (su) and submit the stolen password.
7. Take root access and capture t

 First we have to find out the open ports using namp command.

Command used: nmap -A 192.168.0.5  or arp-scan -l 
It gives the ip addresses of machines presented in your system.
In above we found some open ports are open ssh and http .
In this we found that a wgi server was running so we entered ip address in website


Then I dig further this machine using dirb command then I found there is an a admin login page, robots.txt and web shell in the website .

Command used: dirb http://192.168.0.5
So I tried to open the robots.txt, Admin login and dev .


Then I decided to inspect elements http://192.168.0.5/dev then I found some hashes with email ids . so I decided to de hash those hashes.
The I copied these hashes and paste in the https://crackstation.net/
So I found two hashes values usernames are nick and sarah so I have tried to login in admin page using this creditianls. Then I got access the admin page but I didn’t get full privileges so I went to the dev page then I found a webshell.
Then I go to the dev and I found webshell and opened it displays like some terminal in Linux system and in it below it has only worked by few commands as listed below so I decided try the the commands to do the enumeration.
run some commands to enumerate the data .
Commands used:
 ls
 ls & date
After sometime I found a some important information

Command used: Cat /etc/password
In above picture I found django as a user name. Then I searched for a password .

Command used: ls && strings /home/bulldogadmin/.hiddenadmindirectory/customPermissionApp
Then I found some thing while observing 2,3,4,5 last lines of the above image and I decoded it and I found the password was SUPERultimatePASSWORDyouCANTget


Then I tried to login using ssh in kali using open port 23 which I got from the nmap scan.
Then also I am not accessing some files. So I decided to change the root so I gave “sudo su -”
Then it asked me a password so I gave same password which I gave to the django then I accessed the root .Then I found congrats.txt

Comments

Post a Comment

Popular posts from this blog

Hackademic challenge 1 - 5

Image
  Hackademic Ch 1 - 5   The OWASP Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker's perspective.Currently, there are 10 web application security scenarios available.   Link: http://hackademic.teilar.gr/index.html   Challenge : 1 What to find: Our agents (hackers) informed us that there reasonable suspicion that the site of this  Logistics Company  is a blind for a human organs' smuggling organisation. This organisation attracts its victims through advertisments for jobs with very high salaries. They choose those ones who do not have many relatives, they assasinate them and then sell their organs to very rich clients, at very high prices. These employees are registered in the secret files of the company as "special clients"! One of our agents has b...
Read more

Raven1 CTF Walkthrough

Image
Raven1 CTF Walkthrough In this article we will see a walkthrough of the Raven: 1 virtual machine. Raven1 :Details Download Raven1 : https://www.vulnhub.com/entry/raven-1,256/ VM Description: Raven is a Beginner/Intermediate boot2root machine. There are four flags to find and two intended ways of getting root. Built with VMware and tested on Virtual Box. Set up to use NAT networking. Penetration Methodology: l  Ne twork Scanning :arp-scan and nmap. l  Directory Brute-force (dirbuster). l  Brute-force attack (hydra). l  Wordpress scan for user enumeration. l  SSH login. l  Mysql Database. L et’s try to find the IP of this machine using  arp-scan or netdiscover . Below, we can see our results: the IP address is found as 192.168. 0.122 . Commands used : arp-scan -l or netdiscover L et’s run Nmap scans on the target server to get more information about it. Command used : nmap -A 192.168.0.122  I h...
Read more

Raven 2 Ctf walkthrough

Image
  Raven 2 CTF Walkthrough   In this article we will see a walkthrough of the Raven: 2 virtual machine. Raven2 :Details Download Raven2 : https://www.vulnhub.com/entry/raven-2,269/ VM Description: Raven 2 is an intermediate level boot2root VM. There are four flags to capture. After multiple breaches, Raven Security has taken extra steps to harden their web server to prevent hackers from getting in. Can you still breach Raven? Penetration Methodology: l  Network Scanning :arp-scan and nmap. l  Directory Brute-force (dirbuster). l  Exploiting RCE in PHP version < 5.2. 18 on Exploit-db l  Reading database password from the wp-config file. l  Searchsploit for MYSQL . l  Exploiting UDF file dynamic library vulnerability for MYSQL using exploit -db. l  MYSQL Database. l  Privilege Escalation . l  Getting Root Access . Let’s try to find the IP of this machine using arp-scan or netdiscover. Below, we can see our results: th...
Read more