Apologies again for the hiatus between write-ups, life got busy again and I had to do some preparation for my SANS security course next month (!!!!)
Today we’ll be pwning the BoB 1.0.1 VM from Vulnhub, created by c0rruptedb1t!
Let’s get to it =]
Host Identification and Port Mapping
First up we’ll do The Usual and find out what’s available on the network with Netdiscover and then run some port scans.
Netdiscover says –
Cool, 192.168.56.101 it is then.
NMap says –
Interesting, SSH on port 25468 (thank $DEITY for the -p- flag to nmap, eh?) and a HTTP server running on port 80, with a few spicy things available in robots.txt.
GoBuster and Nikto
GoBuster’s output was.. Terse. Not much going on here really, nothing popped out of the other wordlists either sadly.
Nikto’s output was only slightly more fruitful to be honest:
So nothing popped out of this that we didn’t already know from the robots.txt file identified from nmap!
A few interesting things pop out of manual enumeration. We establish that the site is locked down and won’t accept logins, we also find that naughty Admin Bob is trying to hide things in HTML comments. Naughty Bob!
Which base64 decodes to:
passwords.html is already mentioned in the robots.txt so we did know about it, and upon opening it it just contains a warning that people shouldn’t be putting their passwords in plaintext on the disk.. Interesting!
Nothing else interesting popped out really, apart from dev_shell.php…
Full webshell. Some commands like “ls” are filtered with a snarky “Get out, Skid!” message, but we can evade that pretty easily by popping backticks in the middle of the string.. “l“s”.
Providing an input of l“s -al gives us the following output:
Lots of interesting stuff here at first glance, but it transpires that there’s nothing really interesting going on. Looking around in home directories is much more fruitful.There are four home directories, Bob, Elliot, JC, Seb.
Elliot’s home directory contains one interesting file named “theadminisdumb.txt” which contains the following:
The admin is dumb,
In fact everyone in the IT dept is pretty bad but I can’t blame all of them the newbies Sebastian and James are quite new to managing a server so I can forgive them for that password file they made on the server. But the admin now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James now they do some dumb stuff but their new and this is just a high-school server who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that doesn’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much but he just yells at me and says I don’t know what i’m doing. Sebastian has noticed and I gave him some tips on better securing his account, I can’t say the same for his friend James who doesn’t care and made his password: Qwerty. To be honest James isn’t the worst bob is his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. it’s only a matter of time before it’s broken into so because of this I have changed my password to
I hope bob is fired after the future second breach because of his incompetence. I almost want to fix it myself but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired it’s a good time
So I’m looking forward to seeing what that yields.. The only other interesting thing was a file named .old_passwordfile.html in Bob’s home directory.
This appears to contain some passwords for jc and seb. We’ll use those to try and SSH into the box for starters.
For copy and paste purposes…
SSH and Privesc
Luckily those credentials above worked, (in fact, “theadminisdumb” was also a valid password for Elliot) but none of them could do anything interesting as root according to sudo -l, so I focused my search on Bob’s home directory instead. As user seb, I navigated to “/home” and ran “python -m SimpleHTTPServer” to start up a webserver in that directory so I could easily poke around via a web browser (makes it easier to see photos etc.)
After a bit of digging in Bob’s directory I found two interesting files:
Notes.sh contained the following:
Which struck me as odd.. on a whim I tried “Cucumber”, “Harry Potter” and “HARPOCRATES” (the first letter of every line) as passwords to decrypt that GPG file. HARPOCRATES was the winner:
As we can see here, “Harry Potter” failed to decrypt, but HARPOTCRATES decrypted to a nice file containing..
Cool, now we can SSH in as bob (hopefully..)
SSHing in as bob and running “sudo -l” yields this magic line..
bob@Milburg-High:~$ sudo -l
sudo: unable to resolve host Milburg-High: Connection refused
[sudo] password for bob:
Matching Defaults entries for bob on Milburg-High:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bob may run the following commands on Milburg-High:
(ALL : ALL) ALL
So now we can get root and cat the flag!
This was a really fun box. Lots of nice little twists and it was the first time I’ve had to mess with a GPG encrypted file, which I really enjoyed. Hope you’ve enjoyed reading this and I hope that you learned something.
Thanks for your hard work c0rruptedb1t!