Thursday, January 3, 2019



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Bobby.

- According to the author's description, the Bobby vulnerable machine is the result of applying the executable bobby.exe with the VulnInjector application to an .iso image of Windows XP SP3.

- bobby.exe can be found here:,42/

- VulnInjector will create an automated ‘vulnerable’ installation of a Windows target to practise penetration testing on:

- The Windows XP SP3 .iso image with the corresponding Product Key must be provided by the user.

- Once bobby.exe has been downloaded and VulnInjector applied, the result is a bobby.iso image that can be used to build this VirtualBox vulnerable machine:


- Bobby is described as having a static IP address; let's confirm it with netdiscover:

- Scanning ports with Nmap, it seems that only port 21 (FTP) and port 80 (HTTP) are open:

- Launching nikto over the target:

- nikto yields information about two interesting points:

  • the existence of localstart.asp 
  • the web server is able to run .asp applications

- Dirbusting the web server:

- Connecting to the server:

- Viewing the source:

- There is a message about Bobby, Robert, Bob, ...:

- Trying localstart.asp we have a login form:

- cewl spiders the web page for us and outputs the strings it finds to bobby_wordlists:


- John the Ripper applies word-mangling rules to bobby_wordlist, writing the output to candidates_wordlist:

- Now, Hydra in combination with candidates_wordlist can be used against the FTP server.

- Hydra finds valid credentials for the FTP server:


- Once we have the valid credentials Bob:Matrix, let's try to connect to the FTP server:

- Listing contents:

- After exploring the first 4 folders for a while and not finding anything interesting, let's go to the web server root directory wwwroot:

- Getting and reading hint.html:

- Because the FTP account has access to the web server root directory, any type of file can be uploaded there through the FTP server, for instance a backdoor. Since nikto showed that the web server is able to run .asp applications, an uploaded .asp file will be executed when it is requested over HTTP.

- Creating an exploit with Msfvenom:

- Note that the exploit has the .asp extension:

- Uploading exploit.asp to the wwwroot folder:

- Setting a Netcat listener on port 1234:

- Running exploit.asp with the browser:

- As a consequence, a remote shell is obtained:


- Reading the flag secret.txt:
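
From the defender's side, the two steps that gave the machine away (a burst of failed FTP logins ending in a success, then an .asp file written into wwwroot) are both visible in the FTP server's log. The following is an added example, not part of the original walkthrough: the five-field log layout, the IP addresses, the threshold and the `/wwwroot/` path prefix are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample in an assumed FTP log layout:
# time, client IP, [session]command, argument, status code
SAMPLE_LOG = """\
10:01:02 192.0.2.10 [7]USER Bob 331
10:01:02 192.0.2.10 [7]PASS - 530
10:01:03 192.0.2.10 [8]USER Bob 331
10:01:03 192.0.2.10 [8]PASS - 530
10:01:04 192.0.2.10 [9]USER Bob 331
10:01:04 192.0.2.10 [9]PASS - 530
10:01:05 192.0.2.10 [10]USER Bob 331
10:01:05 192.0.2.10 [10]PASS - 230
10:03:40 192.0.2.10 [10]created /wwwroot/exploit.asp 226
10:05:00 192.0.2.77 [11]USER Bob 331
10:05:00 192.0.2.77 [11]PASS - 230
10:05:09 192.0.2.77 [11]created /docs/notes.txt 226
"""

SCRIPT_EXTS = (".asp",)   # extensions the web server executes (assumed; extend as needed)
WEB_ROOT = "/wwwroot/"    # assumed FTP path of the web server root
FAIL_THRESHOLD = 3        # assumed tuning value: failures before a success is suspicious

def analyze(log_text):
    """Return (time, ip, rule, detail) tuples for suspicious FTP activity."""
    failures = defaultdict(int)   # consecutive failed logins per client IP
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 5:
            continue              # skip header lines and anything malformed
        time, ip, method, arg, status = parts
        command = method.split("]", 1)[-1].upper()   # "[7]PASS" -> "PASS"
        if command == "PASS" and status == "530":
            failures[ip] += 1
        elif command == "PASS" and status == "230":
            if failures[ip] >= FAIL_THRESHOLD:
                alerts.append((time, ip, "login-after-failures", str(failures[ip])))
            failures[ip] = 0
        elif command == "CREATED" and status == "226":
            path = arg.lower()
            if path.startswith(WEB_ROOT) and path.endswith(SCRIPT_EXTS):
                alerts.append((time, ip, "script-upload-to-webroot", arg))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Detection only narrows the window; the underlying fix is to keep the FTP account from writing to any directory the web server will execute scripts from.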