Tommy Boy: 1

Another Vulnhub VM.

I knew which subnet the VM was in. First I scanned the subnet to find Tommy Boy's IP and its open ports.

nmap -sSV --script=banner 10.0.2.0/24

There were 2 open httpd ports in the nmap results. When I browsed to port 80, I saw the following page.

Nothing on the error page. When I opened its page source, I saw the following conversation in the comments.

<!-- Comment from Nick: backup copy is in Big Tom's home folder -->
<!-- Comment from Richard: can you give me access too? Big Tom's the only one w/password -->
<!-- Comment from Nick: Yeah yeah, my processor can only handle one command at a time -->
<!-- Comment from Richard: please, I'll ask nicely -->
<!-- Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog -->
<!-- Comment from Richard: Deal. Where's the blog again? -->
<!-- Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8 -->
<!-- Comment from Richard: Ah! How could I forget? Thanks -->

I learned that there is a blog page and that I could get some sensitive data from it. To find the absolute path of the blog, I needed to watch the YouTube video. I noted the link to watch it when I had an internet connection and continued looking for other information I could get offline.

When I browsed to port 8008:

No useful information in the page source either. So I started brute forcing subdirectories and files.

dirb http://10.0.2.20

At this point I had a little problem: dirb reported nearly every word as a directory.

The directories would not give me a clue, so I looked for files in the results. I saw that dirb had found a robots.txt file.

User-agent: *
Disallow: /6packsofb…soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt

Contents of flag-numero-uno.txt:

This is the first of five flags in the Callhan Auto server. You’ll need them all to unlock
the final treasure and fully consider the VM pwned!
Flag data: B34rcl4ws

I continued with the directories in robots.txt.

/lookalivelowbridge

Scream.jpg:

No information on the image as far as I could see. So I downloaded the image to check whether something was hidden in it.

Nothing I could see. I did the same on the other folders.

Lukeiamyourfather:

6packsofb…soda :

I could not find any information in the folders and images.

Then I tried dirb on port 8008, but it found nothing.

It’s time to open YouTube to find the blog directory.

Prehistoric Forest. Let’s try it.

The blog was found. At the bottom of the page I saw that it is WordPress.

While dirb was working on finding subdirectories, I scanned the page with wpscan.

wpscan --url http://10.0.2.20/prehistoricforest/ --enumerate u

wpscan found 4 users.

Dirb found wp pages, which were of no use; we already knew the page was WordPress.

I started a password brute force on the found usernames with a small wordlist. None of the users' passwords were found. So I did the same with the rockyou wordlist on user tom and found the password. It is a long list, so I could not wait for all users. I chose tom because of the information about the backup in the comments on the index page.

wpscan --url http://10.0.2.20/prehistoricforest --wordlist /usr/share/wordlists/rockyou.txt --username tom

I saw in the nmap results that ssh is open. Maybe I could also log in to the server with this username and password; people love using the same password on multiple platforms anyway. But I failed to log in. So I browsed to the WordPress admin page, http://10.0.2.20/prehistoricforest/wp-admin, and logged in with the found credentials.

When I logged in, I saw that the user has no admin privileges on WordPress.

I started browsing posts and drafts for possibly useful information and saw a possible password entry.

When I opened it:

At least the passwords were not the same, and we have the second half of another password from the entry. After noting the password part, I continued searching for information.

I found the second flag in a comment on one of Tom's blog posts.

I browsed to http://10.0.2.20/prehistoricforest/thisisthesecondflagyayyou.txt to get the flag.

You’ve got 2 of five flags – keep it up!
Flag data: Z4l1nsky

Another mention of a password in a post.

In the comments of the post:

Another image file in the folder /Richards.

Nothing in the image as usual. Let's look at what's inside it.

The line ce15….. is interesting. So I looked once again with exif to see what it was.

It's in the comment field, so it could be a password. I started browsing to find the protected blog post. But the string did not work in the password field.

I hurried to see the post so much that I did not realize the string looked like a hash. To find the hash's format I used hash-identifier.

It's MD5. I saved the hash to the file hash.txt to brute force it with JtR.

It was done sooner than I expected. I logged in and checked the post. Two pieces of information are valuable: first, Tom's ssh username is different; second, ftp is open on some port.

nmap -sSV -p- 10.0.2.20
65534/tcp open  ftp  ProFTPD

The post says that there is important info on ftp, the username is nickburns and the password is too easy. If the password is too easy, it could be the same as the username.

And I logged in successfully.

It says the NickIzL33t folder is somewhere on the server. I thought of port 8008, which I had not used yet.

And the guess was right.

The page source had nothing either. Dirb returned 403 for all requests, so it was also useless. When I read the readme file again, carefully this time, the "look at it on your phone" part seemed to be a hint. Combined with Steve Jobs, I had better use an iPhone to browse it. So I intercepted the browser with Burp to change the User-Agent of the requests to the following.

Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25

Well, that worked. Now I must guess the filename. Previously dirb did not work because of the User-Agent string, but now I can set it.

dirb http://10.0.2.20:8008/NickIzL33t/ -a "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25"

It worked but only found index.html. This means I have to try a bigger wordlist, and this time only .html files.

dirb http://10.0.2.20:8008/NickIzL33t/ /usr/share/wordlists/rockyou.txt -X .html -a "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25"

BTW, this one really needed RAM, so I had to give more to the Kali VM.

As a result I found the file fallon1.html.

When I opened the "A Hint" link:

The third flag link:

THREE OF 5 FLAGS — you’re awesome sauce.
Flag data: TinyHead

And Big Tom's encrypted password backups; I saved them.

Let's generate a wordlist with the given criteria. First, thanks to IMDb, Tommy Boy was in theaters in 1995. Then let's take a look at the man page of crunch.

-t @,%^  Specifies a pattern, eg: @@god@@@@ where the only the @'s, ,'s,
         %'s, and ^'s will change.
         @ will insert lower case characters
         , will insert upper case characters
         % will insert numbers
         ^ will insert symbols

Then the crunch command to generate the wordlist with the given criteria is:

crunch 13 13 -t bev,%%@@^1995 -o /root/Desktop/tommy_wordlist.txt
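To see what the -t pattern above actually expands to, here is an added example (not from the original post and not crunch's own code) that re-implements the placeholder semantics quoted from the man page and counts the resulting keyspace. The character sets, in particular the symbol set for ^, are assumptions; crunch's own defaults may differ, so the count is for this script's charsets only.

```python
# Re-implementation of crunch's -t pattern semantics (added example, not from the
# original post). Literal characters are kept; @ , % ^ each expand to a charset.
# The charsets below are assumptions; crunch's own default symbol set may differ.
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits
from typing import Iterator, List

CHARSETS = {
    "@": ascii_lowercase,   # @ -> lower case characters
    ",": ascii_uppercase,   # , -> upper case characters
    "%": digits,            # % -> numbers
    "^": "!@#$%^&*()-_+=",  # ^ -> symbols (assumed 14-character subset)
}

def pattern_slots(pattern: str) -> List[str]:
    """One string of alternatives per position; literals become 1-char strings."""
    return [CHARSETS.get(ch, ch) for ch in pattern]

def keyspace(pattern: str) -> int:
    """Number of candidates the pattern expands to (the size of the wordlist)."""
    size = 1
    for alts in pattern_slots(pattern):
        size *= len(alts)
    return size

def expand(pattern: str) -> Iterator[str]:
    """Yield every candidate; the rightmost placeholder varies fastest."""
    for combo in product(*pattern_slots(pattern)):
        yield "".join(combo)

def matches(candidate: str, pattern: str) -> bool:
    """True if candidate is one of the strings the pattern would generate."""
    slots = pattern_slots(pattern)
    return len(candidate) == len(slots) and all(
        c in alts for c, alts in zip(candidate, slots))

if __name__ == "__main__":
    pat = "bev,%%@@^1995"     # the pattern from the walkthrough's crunch command
    print(pat, "expands to", keyspace(pat), "candidates")
    for i, word in enumerate(expand(pat)):
        if i == 3:
            break
        print(word)
```

The count shows why a password whose structure is known this precisely is a matter of minutes: even with a symbol set several times larger than the one assumed here, the space stays far below what a modern zip cracker handles offline.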

The wordlist is done. Now it's time to crack the zip file. It had been ages since I used fcrackzip, so I needed to take a look at its help.

At first I forgot to add the -u parameter and it was like a fireworks show on my screen. Then with -u I started again, thinking it would go on for ages. But it did not take that long.

It’s time to unzip.

The SSH username and password are found. I had already found the first part of the password on the blog, and now I have the username and the second part.

Let's try with username bigtommysenior and password fatguyinalittlecoat1938!!

There we go, the 4th flag:

The zip file is password protected.

No 5.txt! Well, maybe it's hidden.

It's hidden and we don't have permission. First I thought I needed root to view it; I tried and failed. But then I saw that the www-data user is enough to read the file.

I needed to run a command from the web app to read the file. Before returning to the WordPress site I took a look at the location of the NickIzL33t folder, so I could find a page to exploit.

The Uploads.php file was interesting. Let's see what we could get from the file.

It checks the file size and file extension. I could upload a PHP file through upload.php.

First I created the following PHP file and saved it as shell.php.gif:

<?php
echo shell_exec('cat /.5.txt');
?>
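The post does not show the upload script's own check, so the following is an added example (not the VM's upload.php) that contrasts a size-plus-extension check of the kind shell.php.gif slips past with a validation that would have rejected it: allowlist the last extension only, verify the content's magic bytes, and store under a server-generated name so nothing from the client's filename reaches the filesystem. The size limit and the allowed types are assumptions.

```python
# Added example, not the VM's upload.php (whose code the post does not show).
# Contrasts a naive extension check with a safer upload validation.
import os
import secrets
from typing import Optional

ALLOWED = {"gif", "jpg", "jpeg", "png"}
MAX_SIZE = 1_000_000              # assumed size limit in bytes
MAGIC = {                         # bytes each allowed type must start with
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

def naive_check(filename: str, size: int) -> bool:
    """Size plus 'ends with an allowed extension'. shell.php.gif passes, and a
    server that picks handlers by any extension in the name (Apache AddHandler
    style) still runs the stored file as PHP."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return size <= MAX_SIZE and ext in ALLOWED

def safe_store_name(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen name for the file, or None to reject it."""
    if len(data) > MAX_SIZE:
        return None
    base = os.path.basename(filename)          # drop any path components
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[-1].lower()      # only the last extension counts
    if ext not in ALLOWED:
        return None
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return None                            # extension says image, bytes don't
    # Random name with a single allowlisted extension: even a GIF/PHP polyglot
    # that passes the magic check cannot carry ".php" into the stored path.
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # constructed sample: the walkthrough's shell.php.gif is PHP text, not a GIF
    php_payload = b"<?php echo 'not an image'; ?>"
    print("naive:", naive_check("shell.php.gif", len(php_payload)))
    print("safe :", safe_store_name("shell.php.gif", php_payload))
    print("safe :", safe_store_name("cat.gif", b"GIF89a" + b"\x00" * 10))
```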

Then I opened the uploads page.

And uploaded the file.

Then I browsed to the uploaded file to read /.5.txt.

Then the password is:

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack