Thursday, January 3, 2019

Bobby



- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bobby.

- According to the author's description, the Bobby vulnerable machine is the result of applying the executable bobby.exe, with the application VulnInjector, to an .iso image of Windows XP SP3.

- bobby.exe can be found here:

https://www.vulnhub.com/entry/bobby-1,42/


- VulnInjector will create an automated ‘vulnerable’ installation of a Windows target to practise penetration testing on:

https://blog.vulnhub.com/introducing-vulninjector


- The Windows XP SP3 .iso image with the corresponding Product Key must be provided by the user.

- Once bobby.exe has been downloaded and VulnInjector applied, the result is a bobby.iso image that can be used to build this VirtualBox vulnerable machine:




2 - ENUMERATION

- Bobby is described as having the static IP 192.168.1.11; let's confirm it with netdiscover:






- Scanning ports with Nmap, it seems that only port 21 (FTP) and port 80 (HTTP) are open:






















- Launching nikto over the target:





- nikto yields information about two interesting points:

  • the existence of localstart.asp 
  • the web server is able to run .asp applications


- Dirbusting the web server:





- Connecting to the server:




- Viewing the source:





- There is a message about Bobby, Robert, Bob, ...:




- Trying localstart.asp we have a login form:





- cewl spiders the web page for us and outputs strings to bobby_wordlists:








3 - PASSWORD ATTACK

- John the Ripper applies word mangling rules to bobby_wordlist, outputting to candidates_wordlist:




- Now, Hydra in combination with candidates_wordlist can be used against the FTP server.

Hydra finds valid credentials for the FTP server:





4 - EXPLOITATION

- Once we have the valid credentials Bob:Matrix, let's try to connect to the FTP server:





- Listing contents:





- After exploring the first 4 folders for a while and not finding anything interesting, let's go to the web server root directory wwwroot:




- Getting and reading hint.html:








- Now, because the FTP account has access to the web server root directory, it is possible to upload any type of file there using the FTP server, for instance a backdoor exploit.


- Creating an exploit with Msfvenom:




- Note that the exploit has the .asp extension:






- Uploading exploit.asp to the wwwroot folder:




- Setting a Netcat listener on port 1234:




- Running exploit.asp with the browser:




- As a consequence a remote shell is achieved:
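
- Seen from the defender's side, the chain above (an FTP upload of an .asp file into wwwroot, followed by an HTTP request for that same file) leaves a trace in both services' logs. The following is an added example, not part of the original exercise or of the Bobby machine: it correlates the two logs, assuming both are written in W3C extended format with the field layout shown and that the FTP path /wwwroot maps to the web server's document root. The log lines and client addresses are constructed.

```python
from datetime import datetime, timedelta

SCRIPT_EXTS = (".asp", ".asa", ".cer", ".aspx")  # extensions an ASP-enabled server may execute
WEB_ROOT = "/wwwroot"  # assumption: FTP path that maps to the web server's document root

# Constructed sample logs in W3C extended format (field layout is an assumption).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2019-01-03 10:04:30 192.0.2.50 Bob STOR /wwwroot/exploit.asp 226
2019-01-03 10:06:00 192.0.2.77 Bob STOR /wwwroot/logo.gif 226
"""
HTTP_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-01-03 10:05:02 192.0.2.50 GET /exploit.asp 200
2019-01-03 10:07:00 192.0.2.77 GET /logo.gif 200
"""

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the schema."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def uploaded_scripts(ftp_text):
    """Successful uploads of server-executable files below the web root."""
    for r in parse_w3c(ftp_text):
        path = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "STOR" and r["sc-status"] == "226"
                and path.startswith(WEB_ROOT + "/") and path.endswith(SCRIPT_EXTS)):
            yield r

def upload_then_request(ftp_text, http_text, window=timedelta(minutes=30)):
    """Alert when an uploaded script is requested over HTTP within `window`."""
    alerts = []
    http = list(parse_w3c(http_text))
    for up in uploaded_scripts(ftp_text):
        url = up["cs-uri-stem"].lower()[len(WEB_ROOT):]  # FTP path -> URL path
        for req in http:
            if req["cs-uri-stem"].lower() == url and timedelta(0) <= req["ts"] - up["ts"] <= window:
                alerts.append((up["c-ip"], up["cs-username"], url, req["c-ip"]))
    return alerts

if __name__ == "__main__":
    for alert in upload_then_request(FTP_LOG, HTTP_LOG):
        print("uploaded script requested over HTTP:", alert)
```

The alert only reports the condition; removing it means keeping the FTP-writable tree out of the web root or denying script execution on it.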





5 - CAPTURING THE FLAG

- Reading the flag secret.txt: