Bob 1.0.1 Vulnhub Walkthrough

1. Service Enumeration

nmap -O -A -sT -sV -p- -T5 192.168.1.21 -vvv
80/tcp    open  http    syn-ack Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt2rmQKSTx+fbTOy3a0DG0GI5KOP+x81YHI31kH8V+gXu+BhrvzTtvQbg/KUaxkxNXirQKm3v23b/BNGLm2EmG28T8H1kisT5LhmfJ+w1X/Y7xnXiTYxwxKWF8NHMsQGIKWB8bCPK+2LvG3MdF6cKniSIiT8C8N66F6yTPQyuW9z68pK7Zj4wm0nrkvQ9Mr++Kj4A4WIhxaYd0+hPnSUNIGLr+XC7mRVUtDSvfP0RqguibeQ2yoB974ZTF0uU0Zpq7BK8/loAl4nFu/6vwLU7BjYm3BlU3fvjDNlSwqbsjwgn/kTfySxZ/WiifZW3U1WLLdY4CQZ++nR2odDNy8YQb
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIntdI8IcX2n63A3tEIasPt0W0Lg31IAVGyzesYMblJsc1zM1jmaJ9d6w6PpZKa+7Ow/5yXX2DOF03pAHXP1S5A=
| 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmbgZpOuy0D5idStSgBUVb4JjRuAdv/7XF5dGDJgUqE
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8

2. Web Enumeration

root@kali:~# nikto -h 192.168.1.21
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.21
+ Target Hostname: 192.168.1.21
+ Target Port: 80
+ Start Time: 2018-05-26 03:50:55 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-05-26 03:52:41 (GMT-4) (106 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Memo sent at GMT+10:00 2:37:42 by User: Bob 
Hey guys IT here don't forget to check your emails regarding the recent security breach. There is a web shell running on the server with no protection but it should be safe as I have ported over the filter from the old windows server to our new linux one. Your email will have the link to the shell.
-Bob
Really who made this file at least get a hash of your password to display, hackers can't do anything with a hash, this is probably why we had a security breach in the first place. Comeon people this is basic 101 security! I have moved the file off the server. Don't make me have to clean up the mess everytime someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:( 
-Bob

3. Establish a foothold

python -c 'import pty; pty.spawn("/bin/bash")'

4. Privilege Escalation

Bob’s Home Directory

Elliot’s Home Directory

  • elliot:theadminisdumb
  • jc:Qwerty
  • seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

Seb’s Home Directory

gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Leetcode 66: Plus One

Semantic HTML

TryHackme — MindGames Walkthrough

Wildcard matching — Dynamic Programming is easy

Authorization Options in Postman…

IOEX Biweekly Report: Nov 2nd — Nov 15th

How Koble is transitioning from MVP to enterprise-scale

10-Laser Behaviour Scripting

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
FalconSpy

FalconSpy

More from Medium

“That SweetPot of Data Net-tar” My first Honey Pot Walkthrough Part 1

Encode Msfvenom PowerShell payload with base64

This is part 2 of the reverse engineering ippsRSA library to induce faults.

Securing SD-WAN with Zero Trust Network Segmentation