VulnHub – Bulldog 1 Walkthrough

This weekend, I will try to write a walkthrough for VulnHub's Bulldog 1.
You can download this CTF VM on VulnHub’s website.

First, I need to find the open ports on the target machine.

I got 3 open ports on the target machine. Now let’s find out what services are running on those ports:

Open the HTTP service on port 80.

VulnHub - Bulldog 1 port 80

When I checked the HTTP service on port 8080, I got the same results as on port 80.

Now, I can start doing directory enumeration on port 80 using dirsearch.

Let’s open the admin path.

VulnHub - Bulldog 1 Admin page

Let’s check the dev path.

VulnHub - Bulldog 1 Dev Path

On the dev path, I found some interesting hashes, which might be the passwords for each user.

But there is an interesting link named Web-Shell. Let’s check this out first:

VulnHub - Bulldog 1 - Web-shell

Sadly, we don’t have access to it.

Now let’s skip that page and start to crack the hashes. Perhaps we have to log in to the admin page to get access to the Web-Shell page.
First, we have to identify the hash:

Now it’s time to crack the hashes using hashcat:

I will try to use those passwords to log in to the website, using the user's email as the username.

VulnHub - Bulldog 1 - Nick Admin Login

I managed to log in using the nick username, but I cannot find any good information. Since I am already logged in to the website admin, let’s check the Web-Shell once again.

VulnHub - Bulldog 1 - Web-Shell access

After using the Web-Shell, I found that it doesn’t allow me to execute commands other than the commands from the list that has been given.

Let’s try to bypass the restriction.

VulnHub - Bulldog 1 - Bypassing Shell Restriction

We can bypass it using piping. Let’s get into the server.
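Why a pipe gets past this kind of restriction, as an added example that is not part of the original walkthrough and not the Bulldog application's code: it assumes the filter checks only the first word and then hands the whole string to a shell, and contrasts that with a check that parses to an argv list and never invokes a shell. The allowlist contents, function names and sample inputs are constructed for illustration.

```python
from __future__ import annotations
import shlex
import subprocess

# Constructed allowlist; the page does not list the real one.
ALLOWED = {"ls", "pwd", "echo"}
# Characters a shell would interpret; rejected outright as defence in depth.
SHELL_META = set("|&;<>$`\\\n(){}*?[]~!#")

def naive_is_allowed(cmdline: str) -> bool:
    """Assumed model of the flawed filter: only the first word is checked.
    The full string would then be passed to a shell (shell=True)."""
    words = cmdline.split()
    return bool(words) and words[0] in ALLOWED

def strict_argv(cmdline: str) -> list[str]:
    """Return an argv list that can be executed without a shell, or raise."""
    bad = SHELL_META.intersection(cmdline)
    if bad:
        raise ValueError(f"shell metacharacters rejected: {sorted(bad)}")
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError(f"unparseable command: {exc}") from None
    if not argv or argv[0] not in ALLOWED:
        raise ValueError("command not in allowlist")
    return argv

def run_hardened(cmdline: str) -> str:
    """Execute the validated argv directly; no shell interprets the input."""
    done = subprocess.run(strict_argv(cmdline), shell=False,
                          capture_output=True, text=True, timeout=5)
    return done.stdout

def verdicts(cmdline: str) -> tuple[bool, bool]:
    """(naive filter accepts?, strict filter accepts?) for one input."""
    try:
        strict_argv(cmdline)
        strict_ok = True
    except ValueError:
        strict_ok = False
    return naive_is_allowed(cmdline), strict_ok

if __name__ == "__main__":
    # Constructed inputs: one legitimate, two chained, one not on the list.
    for sample in ["ls -la", "ls | whoami", "echo ok && whoami", "whoami"]:
        print(f"{sample!r:22} naive/strict = {verdicts(sample)}")
```

Even with the strict check, every allowed program still runs with the web application's privileges, so its arguments need their own constraints.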

But when I tried to use netcat, I got a 500 response code from the server. Let’s try another method.

VulnHub - Bulldog 1 - Shell

Now it’s time to gather information to get higher access in the server by using this tool.

I found this list of world-writable files that are owned by root.

And here is the list of scheduled cron jobs:

As you can see, there is one file that is connected to the cron jobs list.

Now I can overwrite that file with a Python reverse-connect shell. I am using this awesome tool, made by Infodox, and then wait for root access. 🙂

VulnHub - Bulldog 1 - Root Access
