Welcome back to another machine from Vulnhub called Bob 1.

### Solution

As always, we first have to get the IP address of the vulnerable machine. Here we can see that it’s sitting at 10.0.2.4, with 2 open ports: FTP and HTTP.

We could go straight to the HTTP service, but at the same time I decided to run a more thorough nmap scan that covers all ports.

Now, to the website.

After viewing some of the subpages, I noticed a comment in the source code.

In order to enumerate as much as possible, I decided to also note down the content of the contact page.

And the login page.

While I was looking at some of these notes, the nmap scan I started earlier finished. Let’s take a look at the results.

As you can see, it discovered quite a few things on the website, together with a new open port, 25468, running an SSH service. Let’s note that down and move forward.

As the scan showed us that there is a robots.txt file, we can take a look at it.

Now we can look at each of these pages. First, passwords.

The memo web page.

And finally a dev shell page, containing another comment.

I quickly noticed that it wasn’t possible to run any commands. But after a few moments, there it was: the echo command could be run.

After that I checked the eval command and, to my amusement, it works!

Do you see the .hint file? Let’s view it.

Now we’re certain that the best option would be to create a reverse shell using netcat.

Great, we have it! Let’s play around and see what interesting files we can find. First, I decided to take a look at the source code of the shell.

Then I went straight into the user home directories. Let’s see them.

Great, we have the passwords! Now let’s look for more clues.

There are a lot of these files, but I don’t think they’ll be of any use. Let’s keep looking.

Hmm, that’s interesting. But at this moment, I decided to use the previously obtained passwords and log in using ssh.

Why can’t we use the cat command? Luckily, less is not blocked.

As I remembered something about Bob’s strange wallpaper policy, I decided to look for the wallpaper and check it for any hidden information.

We can copy it using scp.

But that was a false alarm, as nothing was there. And that’s when I decided to go back to Bob. In the Documents directory there was something else that I had missed the first time.

Seems like James was the only sane member of this group :D

What’s that!? Let’s leave this for later and copy the previously noticed login.txt.gpg file.

But of course we’re going to need a password in order to decrypt the login. That’s when I started looking at all my previous notes, but none of the guesses worked. And here’s where notes.sh comes in: the first letters of each sentence spell HARPOCRATES. That’s the password.

Now we can log in to Bob’s account.

And of course, as he’s an admin, we can change our privileges to root.

Keep learning and stay safe! ~ W3ndige