Introduction

Difficulty: Beginner/Intermediate
Bob is my first CTF VM that I have ever made so be easy on me if it’s not perfect.
The Milburg Highschool Server has just been attacked, the IT staff have taken down their windows server and are now setting up a linux server running Debian. Could there a few weak points in the new unfinished server?
Your Goal is to get the flag in /
Hints: Remember to look for hidden info/files

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s BOB: 1.0.1 from vulnhub. I did not root this one without referring to a write-up. Read on to find out why…

Ports

This box has:

  1. SSH on 25468, and
  2. HTTP on port 80. That’s it.

HTTP

Robots.txt gives some disallowed entries including dev-shell.php; yes this box has a built in webshell. It’s got a filter that is supposed to reject ‘bad words’:

$bad_words = array(“pwd”, “ls”, “netcat”, “ssh”, “wget”, “ping”, “traceroute”, “cat”, “nc”);

But it’s easy to defeat with an uninitialized variable and possibly other methods too. So for example we can do:

cat$u /etc$u/passwd$u

and that works fine, even though cat is on the naughty list.

With this and some manual enumeration I found two sets of creds easily:

jc:Qwerty
seb:T1tanium_Pa$$word_Hack3rs_Fear_M3

And with these I could SSH in.

Privesc

The privesc is where I failed. I enumerated the box manually and with linpeas, but there were no readily apparent vulnerabilities I could find; it appeared I needed credentials.

There are a couple of other users, being bob and elliot. I found the credentials for elliot, but this user had no special privileges and I could see bob was in the sudo group. I found a bunch of files belonging to bob including one called login.txt.gpg, which was GPG symmetrically encrypted data (AES cipher). And - spoiler alert - this file contains his password. Surely this was the way forward?

I tried cracking the file with John (using gpg2john), but it didn’t work with a reasonable sized wordlist and rockyou would take forever; and I now know the password is not in rockyou anyway. I couldn’t find a password for bob anywhere else on the box.

Anyway I worked on root for this box for a while before I stopped; I figured that since I couldn’t find bob’s password or crack the cipher, there might have been some other technique I was supposed to use (but hadn’t learned) - so I checked a write up.

It turns out that the key for the cipher was (hidden) in a file called notes.sh.

root@Milburg-High:/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here# ./notes.sh 

-= Notes =-
Harry Potter is my faviorite
Are you the real me?
Right, I'm ordering pizza this is going nowhere
People just don't get me
Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh <sea santy here>
Cucumber
Rest now your eyes are sleepy
Are you gonna stop reading this yet?
Time to fix the server
Everyone is annoying
Sticky notes gotta buy em

Do you see it? No? I didn’t either. The key is the first letter of each line after -= Notes =-; i.e. HARPOCRATES.

Once this is obtained, we can decrypt the key as follows:

root@kali:/opt/vulnhub/bob# gpg --batch --passphrase HARPOCRATES -d key.gpg 
gpg: AES encrypted data
gpg: encrypted with 1 passphrase
bob:b0bcat_

And then we can su bob and sudo su and we are root; game over.

Thoughts

I had previously seen the notes.sh file and ignored it; there are a few other similar type things on the box that appear to simply be adding flavour to the story. Maybe the directory name should have been a better clue, but I wonder if I would have figured this out eventually. Actually I doubt it.

In some respects I’m pleased; I was on the right track and I wasn’t overlooking some vulnerability that would’ve gotten me root. On the other hand I’m a bit disheartened, because this was supposed to be fairly easy, but I didn’t see what was in front of me. But I honestly don’t think it was that obvious. Oh well; on to the next one.