Huge thanks to Brian Johnson for this fun vm
As usual we start with an nmap scan
Everytime I see a website i run dirb and nikto on it ,but the first thing i check is the robots.txt
from the robots.txt we can see
Browsing to the url http://192.168.0.102/flag-numero-uno.txt
This is the first of five flags in the Callhan Auto server. You'll need them all to unlock the final treasure and fully consider the VM pwned! Flag data: B34rcl4ws
Checking the Webpage
Checking the source code of the page reveal an interesting youtube video.
Browsing the youtube video reveal the word prehistoric forest
We can try to fetch http://192.168.0.102/prehistoricforest/
This is a wordpress server!
From enumerating manually the server we can see there is a comment that require a password that has been set by richard
Richard, what’s the password you put on that protected blog post?
Also its a wordpress so lets check if there are any vulnerabilities
So we run wpscan on it.
From enumerating we can see some users and can try to bruteforce their password.
wpscan -u 192.168.0.102/prehistoricforest/ --enumerate u [+] Identified the following 4 user/s: +----+----------+-------------------+ | Id | Login | Name | +----+----------+-------------------+ | 1 | richard | richard | | 2 | tom | Big Tom | | 3 | tommy | Tom Jr. | | 4 | michelle | Michelle Michelle | +----+----------+-------------------+
wpscan -u 192.168.0.102/prehistoricforest/ --username tom --wordlist usr/share/wordlists/rockyou.txt
We bruteforce the user tom and password is tomtom1
On the wordpress there is the FLag#2 thisisthesecondflagyayyou.txt
curl http://192.168.0.102/prehistoricforest/thisisthesecondflagyayyou.txt You've got 2 of five flags - keep it up! Flag data: Z4l1nsky
From enumerating the wordpress we can see that tom left a message to try to remember his password
Because we know the second part for his ssh password
I used these commands to generate a list of valid password because i did’nt know the password length i would need to generate all wordlist by hand.
crunch 9 9 -t '@@@1938!!' -o tommy.txt
hydra -l tom -P tommy.txt 192.168.0.102 ssh -V
While this was bruteforcing the user tom on ssh, i enumerated the wordpress more.
There was a reference to the richard directory on the website, wich had a picture of Richard
running exiftool on shockedrichard revealed
User Comment : ce154b5a8e59c89732bc25d6a2e6b90b
Quick googling for this hash revealed the password is spanky
There was a wordpress comment that needed a password to be seen. When i tried spanky the following comment was available to read.
Michelle/Tommy,This is f’d up.I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can’t find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:Hey Richy,So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.Here’s everything I know:
You guys are all hopeless sheep The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again. IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.
I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).
You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.
Good luck, schmucks!
Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!
From previous scanning we know there is a port running on port 8008 it is the Nick’s web server.
We can now fetch http://192.168.0.102:8008/NickIzL33t/
But on this page there is nothing, but a hint ( Only me and Steve Jobs can see this content)
So i changed my useragent to something apple related ( I used a firefox addon for conveniance but i tested the user agent with burpsuite)
With this useragent i managed to fetch the webpage NickIzL33t only to tell me i would need to know the webpage ending in .html .
So i fired up dirbuster to try and fetch the .html but dirbuster always seemed to crash with the rockyou.txt wordlist.
So i used burpsuite to bruteforce the .html and i found that the hidden html is fallon1.html
we can download the hint to crack the zip file, the zipfile and the 3rd flag!.
THREE OF 5 FLAGS - you're awesome sauce. Flag data: TinyHead
From checking the source we can see there is a link to an upload image.
If we just rename our php file to .gif we can upload directly on the server and have code execution 🙂
For cracking the zip file earlier found
crunch 13 13 -t bev,%%@@^1995 -o tomwlist.txt
This will create a wordlist with that would fit the description of nick
fcrackzip -D -p ./Nick/tomwlist.txt -u t0msp4ssw0rdz.zip -v
unzipping the zip gives us a file passwords.txt containing
Sandusky Banking Site ------------------------ Username: BigTommyC Password: money TheKnot.com (wedding site) --------------------------- Username: TomC Password: wedding Callahan Auto Server ---------------------------- Username: bigtommysenior Password: fatguyinalittlecoat Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are. However, I wrote myself a draft on the company blog with that information. Callahan Company Blog ---------------------------- Username: bigtom(I think?) Password: ??? Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
since we already know the second part of the password “1938!!” (from the wordpress post)
we can login with the user bigtommysenior and password “fatguyinalittlecoat1938!!”
ssh email@example.com (password = fatguyinalittlecoat1938!! )
Once we loggin into the ssh
cat el-flag-numero-quatro.txt YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal working status. Flag data: EditButton But...but...where's flag 5? I'll make it easy on you. It's in the root of this server at /5.txt
I quickly checked if my user had access but the file is owned by www-data and since i already uploaded a malicious php i already have a shell as www-data from the image upload bypass 🙂
cat .5.txt FIFTH FLAG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!! OH RICHARD DON'T RUN AWAY FROM YOUR FEELINGS!!!!!!!! Flag data: Buttcrack Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk. So for example, if flag 1 data was "hi" and flag 2 data was "there" and flag 3 data was "you" you would create this blob: hithereyou Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom's folder and you can call the box PWNED.
So we just need to concatenate all flags 🙂
1st Flag : B34rcl4ws # From robots.txt
2nd Flag : Z4l1nsky # From WordPress
3rd Flag : TinyHead # From Nick’s web service
4th Flag : EditButton #From SSH
5th Flag : Buttcrack #From Getting a shell as www-data
So the Password for the LOOT.zip should be
unzip LOOT.ZIP Archive: LOOT.ZIP [LOOT.ZIP] THE-END.txt password: inflating: THE-END.txt bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt YOU CAME. YOU SAW. YOU PWNED. Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year. GREAT WORK! I'd love to know that you finished this VM, and/or get your suggestions on how to make the next one better. Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!" Or, get in touch with me other ways: * Twitter: @7MinSec * IRC (Freenode): #vulnhub (username is braimee) Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at bit.ly/7minsec Thanks and have a blessed week! -Brian Johnson 7 Minute Security
What i learned,
1. I learned some new options in dirbuster for bruteforcing only .html and adding a user agent.
2. I learned how to use crunch efficiently to generate a custom wordlist that fits my needs
3. I learned how to use burpsuite as a bruteforcer that you completely have the control
Thank you for reading this!