BOBBY
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Bobby.
- According to the author's description, the Bobby vulnerable machine is the result of applying the executable bobby.exe with the application VulnInjector to a Windows XP SP3 .iso image.
- bobby.exe can be found here:
https://www.vulnhub.com/entry/bobby-1,42/
- VulnInjector will create an automated ‘vulnerable’ installation of a Windows target to practise penetration testing on:
https://blog.vulnhub.com/introducing-vulninjector
- The Windows XP SP3 .iso image with the corresponding Product Key must be provided by the user.
- Once bobby.exe has been downloaded and VulnInjector applied, the result is a bobby.iso image that can be used to build the vulnerable machine in VirtualBox.
2 - ENUMERATION
- Bobby is described as having the static IP 192.168.1.11; let's confirm it with netdiscover:
- Scanning ports with Nmap, it seems that only port 21 (FTP) and port 80 (HTTP) are open:
- Launching nikto over the target:
- nikto yields information about two interesting points:
  - the existence of localstart.asp
  - the web server is able to run .asp applications
- Dirbusting the web server:
- Connecting to the server:
- Viewing the source:
- There is a message about Bobby, Robert, Bob, ...:
- Trying localstart.asp we have a login form:
- cewl spiders the web page for us and outputs the collected strings to bobby_wordlists:
3 - PASSWORD ATTACK
- John the Ripper applies word-mangling rules to bobby_wordlist, writing the result to candidates_wordlist:
- Now, Hydra in combination with candidates_wordlist can be used against the FTP server.
- Hydra finds valid credentials for the FTP server:
4 - EXPLOITATION
- Once we have the valid credentials Bob:Matrix, let's connect to the FTP server:
- Listing contents:
- After exploring the first 4 folders for a while and not finding anything interesting, let's go to the web server root directory wwwroot:
- Getting and reading hint.html:
- Now, because the FTP account has access to the web server root directory, any type of file can be uploaded there through the FTP server, for instance a backdoor exploit.
- Creating an exploit with Msfvenom:
- Note that the exploit has the .asp extension:
- Uploading exploit.asp to the wwwroot folder:
- Setting a Netcat listener on port 1234:
- Running exploit.asp with the browser:
- As a consequence a remote shell is achieved:
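- From the defender's side, the whole chain above leaves a recognisable trace: a burst of failed FTP logins ending in a success, a STOR of a file with a server-executable extension into the web root, and an HTTP request for that same file shortly afterwards. The following script is an added example (not part of the original write-up) that flags each of those three stages over constructed sample log lines; the six-column log layout is a simplified, assumed format, not the exact IIS W3C field order.

```python
"""Flag the Bobby attack chain in FTP and HTTP logs: brute-forced login,
script upload into the web root, and execution of that upload over HTTP.
Log layout is a constructed simplification (assumption), not real IIS output."""
from collections import defaultdict

SCRIPT_EXTS = (".asp", ".aspx", ".asa")  # extensions IIS will execute server-side

# Constructed sample logs; fields: time c-ip cs-username cs-method cs-uri-stem sc-status
FTP_LOG = """\
10:01:01 192.168.1.50 bob PASS - 530
10:01:01 192.168.1.50 bob PASS - 530
10:01:02 192.168.1.50 bob PASS - 530
10:01:02 192.168.1.50 bob PASS - 530
10:01:03 192.168.1.50 bob PASS - 530
10:01:03 192.168.1.50 bob PASS - 230
10:02:10 192.168.1.50 bob STOR /wwwroot/exploit.asp 226
10:02:15 192.168.1.50 bob STOR /wwwroot/notes.txt 226
"""
HTTP_LOG = """\
10:03:00 192.168.1.50 - GET /exploit.asp 200
10:03:05 192.168.1.20 - GET /index.html 200
"""

def parse(log):
    """Split each non-empty log line into a dict keyed by field name."""
    fields = ("time", "ip", "user", "method", "uri", "status")
    return [dict(zip(fields, line.split())) for line in log.splitlines() if line.strip()]

def brute_force_sources(ftp_events, threshold=5):
    """IPs with at least `threshold` failed logins (530) followed by a success (230)."""
    fails, flagged = defaultdict(int), set()
    for e in ftp_events:
        if e["method"] != "PASS":
            continue
        if e["status"] == "530":
            fails[e["ip"]] += 1
        elif e["status"] == "230" and fails[e["ip"]] >= threshold:
            flagged.add(e["ip"])
    return flagged

def script_uploads(ftp_events, webroot="/wwwroot"):
    """(ip, uri) pairs for STOR of a server-executable script under the web root."""
    return [(e["ip"], e["uri"]) for e in ftp_events
            if e["method"] == "STOR" and e["uri"].startswith(webroot)
            and e["uri"].lower().endswith(SCRIPT_EXTS)]

def executed_uploads(ftp_events, http_events, webroot="/wwwroot"):
    """Uploaded scripts that were later requested over HTTP (by any client)."""
    uploaded = {uri[len(webroot):] for _, uri in script_uploads(ftp_events, webroot)}
    return sorted({h["uri"] for h in http_events if h["method"] == "GET" and h["uri"] in uploaded})
```

Any hit from `executed_uploads` is the highest-confidence signal, since it ties the FTP write to the web root directly to its execution by the web server.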
5 - CAPTURING THE FLAG
- Reading the flag secret.txt: