- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Bobby.
- Bobby vulnerable machine, according to the author's description, is the result of applying the executable bobby.exe with the application Vulninjector over an .iso image of Windows XP SP3.
- bobby.exe can be found here:
- VulnInjector will create an automated ‘vulnerable’ installation of a Windows target to practise penetration testing on:
- The Windows XP SP3 .iso image with the corresponding Product Key must be provided by the user.
- Once downloaded bobby.exe and applied Vulninjector the result is a bobby.iso image that can be used to build this VirtualBox vulnerable machine:
2 - ENUMERATION
- Bobby is described to have the static IP 192.168.1.11, let's confirm it with netdiscover:
- Scanning ports with Nmap, it seems that only port 21 (FTP) and port 80 (HTTP) are open:
- Launching nikto over the target:
- nikto yields information about two interesting points:
- the existence of localstart.asp
- the web server is able to run .asp applications
- Dirbusting the web server:
- Connecting to the server:
- Viewing the source:
- There is a message about Bobby, Robert, Bob, ...:
- Trying localstart.asp we have a login form:
- cewl spiders for us the web page and outputs strings to bobby_wordlists:
3 - PASSWORD ATTACK
- John The Ripper enables word mangling rules for bobby_wordlist, outputting to candidates_wordlist:
- Now, Hydra in combination with candidates_wordlist can be used against the FTP server.
- Hydra finds valid credentials for the FTP server:
4 - EXPLOITATION
- Once we have valid credentials Bob:Matrix let's try to connect to the FTP server:
- Listing contents:
- After exploring the first 4 folders for a while and not finding nothing interesting let's go to the web server root directory wwwroot:
- Getting and reading hint.html:
- Now, because there is access to the web server root directory it is possible to upload there any type of file using the FTP server, for instance a backdoor exploit.
- Creating an exploit with Msfvenom:
- Let's notice that the exploit has the .asp extension:
- Uploading exploit.asp to the the wwwroot folder:
- Setting a Netcat listener on port 1234:
- Running exploit.asp with the browser:
- As a consequence a remote shell is achieved:
5 - CAPTURING THE FLAG
- Reading the flag secret.txt: