Bulldog 2
in VULNHUB
Level: Advanced
Hosted on Vulnhub, Bulldog 2
Start
On boot-up, the leased IP address was displayed on the machine's screen.
# Enumeration and Scanning
#### **nmap** scans were able to discover only a web application running on port 80.

```shell
nmap -sV -sC -oA scan1 192.168.0.135
```

The nmap scan shows that port 80 is open, so we can browse to the IP address in a browser.
The main application is built with AngularJS (identifiable from the application's favicon). It has Login and Register tabs on the homepage. Clicking Register shows a notice stating that they are not accepting registrations at this time due to security concerns.
The Login tab on the homepage is therefore the sole attack surface available.
dirb and gobuster
I decided to look for other files and folders on the target application; for this purpose I used dirb.
The dirb results were not satisfactory, and gobuster was no better because the server returned “200 OK” to every request, so I decided to browse around and view the source code.
There are several bundled JavaScript files, and I decided to look inside their code, starting with main.8b490782e52b9899e2a7.bundle.js.
These minified files make analysis a little more difficult than usual, so I prettified them with the online JavaScript Beautifier (https://beautifier.io/).
After that I copied the code into a text editor and analysed it, and found some interesting points: registration is closed, but the registration function is still present in the code, along with a token id.
So we found the registration URL (“/users/register”) and the onRegisterSubmit function, and also an id_token value (master_admin_user) whose purpose was not yet clear. I decided to register on the application using Burp Suite: capture the login request, send it to Repeater, modify the request, send it to the server, and get back the success message “User Registered”.
Log in with the new user's credentials.
Using Burp Suite I was able to see that a JWT was assigned to the logged-in user and that its privilege level was standard_user.
In the source code I had found master_admin_user, so I decided to edit the JWT and set auth_level to master_admin_user. I searched for JWT on Google, found a JWT decoder website, and modified the token there.
After modifying the token I put it into Burp Suite and forwarded the request; now I had a new tab called Admin.
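The token edit described above only works if the server reads auth_level from the JWT payload without checking the signature. The write-up does not say how Bulldog 2 validated tokens, so the following is an added example (not code from the box or the original post) that mints an HS256 JWT with the standard library and puts the unverified-decode pattern beside a verifying check that rejects an edited claim; the secret, the username claim and the edit_claim helper are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; the real application's signing key is not on the page.
SECRET = b"demo-secret-not-from-the-box"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT the way a login endpoint would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def auth_level_unverified(token: str) -> str:
    """Broken pattern: read auth_level straight from the payload, signature ignored.
    Any client can rewrite the middle segment and the server believes it."""
    return json.loads(b64url_decode(token.split(".")[1]))["auth_level"]

def auth_level_verified(token: str, secret: bytes = SECRET):
    """Hardened pattern: pin the algorithm, recompute the HMAC over header.payload,
    and only then trust the claims. Returns None for anything that fails."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm ('none' etc.)
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(payload_b64)).get("auth_level")

def edit_claim(token: str, new_level: str) -> str:
    """Re-encode the payload with a different auth_level but keep the old signature,
    which is what editing the token in a decoder website amounts to (demo helper)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["auth_level"] = new_level
    return f"{header_b64}.{b64url(json.dumps(payload, separators=(',', ':')).encode())}.{sig_b64}"
```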
Command injection
The Admin tab has another authentication step, presumably asking for admin credentials. There is a hint about linking CLI tools, so in the background a command-line tool may be performing the authentication. I sent the request to Burp Suite and replaced the password with a reverse shell payload.
I set up a listener with netcat (nc) to catch the reverse shell connection, and I got a shell.
Privilege Escalation
I found my ticket to privilege escalation while enumerating this account.
Since we have write permission to /etc/passwd, let's change the root password to root. To append a new user with uid 0 (uid 0 has root privileges), we need to provide a valid password hash in the second column. The crypt function in Perl can be used to create password hashes in the compatible format; it takes the password and its salt as arguments and returns a single password hash.
I appended a new user with password 1234 and root privileges.
Conclusion
This box was great! It was tricky and challenging. Stay tuned for more CTF solutions! ’Til then, keep trying on your own.