About This Challenge
- Name: Tommy Boy: 1
- Date release: 27 Jul 2016
- Author: Brian Johnson
- Series: Tommy Boy
- Web page: http://7ms.us/tommyboy
HOLY SCHNIKES! Tommy Boy needs your help!
The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. – who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!
You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business 😦
The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.
Since my last challenge (MrRobot) I decided that, to help advance my skills, I would try to automate some of my enumeration. I figured this would save me some time and effort. During my OSCP studies I’ve run a lot of these commands extensively and can use all of the switches without having to reference --help, so I figured at this point it would benefit me to automate them. The script is written in bash for my own learning. I’m used to scripting in batch (Windows) and for the most part bash scripting is similar. Once I get the script worked out the way I want it, my next learning curve will be to move that process to Python!
You’re welcome to use my script for your own learning purposes, or as a starting point. Know that it’s very basic, though I did put in effort to make it look nice when run. The script does the following:
- Prompts for a name, in this case TommyBoy.
- This creates a ~/challenge_vms/TommyBoy directory to store all scans and logs in.
- Scans the network using arp-scan and returns only the IP of available hosts.
- Prompts you for the target VM, in my case the TommyBoy VM at 192.168.85.4.
- It then does a quick nmap scan to give me something to look at while the rest of the info is gathered.
- Next a Nikto scan is run only if nmap found HTTP services.
- Then nmap runs again, this time with the -sV, -A and -p- switches.
  - -sV = service versions
  - -A = detailed info about each port
  - -p- = all host ports
- All scans are saved in ~/challenge_vms/TommyBoy/IP_scantype
  - Example: nmap is saved as ~/challenge_vms/TommyBoy/nmap_192.168.85.4
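The same flow in Python, which the post names as the next step for the script. This is an added example, not the author’s recon_v2.sh: it creates the work directory, decides from the quick scan whether Nikto should run at all, and builds the follow-up commands using the post’s file-naming convention. The function names, the nmap_quick_/nikto_ prefixes and the SAMPLE_GNMAP text (constructed to mirror the ports found in the write-up) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Added example, not the author's recon_v2.sh: the post's enumeration flow
(work directory, quick nmap, Nikto only when HTTP was found, then the deep
-sV -A -p- scan) written in Python. Function names, the SAMPLE_GNMAP text
and the nmap_quick_/nikto_ file prefixes are assumptions of this example."""
import re
import shutil
import subprocess
from pathlib import Path

BASE = Path.home() / "challenge_vms"

# Constructed nmap -oG (grepable) output standing in for the quick scan.
# Ports mirror the write-up (22, 80, 8008 and FTP on 65534); versions are made up.
SAMPLE_GNMAP = (
    "# Nmap 7.12 scan initiated\n"
    "Host: 192.168.85.4 ()\tStatus: Up\n"
    "Host: 192.168.85.4 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, "
    "80/open/tcp//http//Apache httpd 2.4.7/, 8008/open/tcp//http//Apache httpd 2.4.7/, "
    "65534/open/tcp//ftp//ProFTPD/\tIgnored State: closed (65531)\n"
)


def make_workdir(name, base=BASE):
    """~/challenge_vms/<name>/ holds every scan and log, as in the post."""
    workdir = Path(base) / name
    workdir.mkdir(parents=True, exist_ok=True)
    return workdir


def scan_path(workdir, scan_type, ip):
    """The post's naming convention: <workdir>/<scantype>_<ip>."""
    return Path(workdir) / f"{scan_type}_{ip}"


def parse_gnmap_ports(gnmap_text):
    """Return (port, service) pairs for open ports in grepable nmap output."""
    ports = []
    for line in gnmap_text.splitlines():
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            fields = entry.split("/")
            # entry layout: port/state/proto/owner/service/rpc/version/
            if len(fields) >= 5 and fields[1] == "open":
                ports.append((int(fields[0]), fields[4]))
    return ports


def http_ports(ports):
    """Ports nmap labelled http/https/http-alt etc.; Nikto runs only if this is non-empty."""
    return [port for port, service in ports if service.startswith("http")]


def plan_scans(ip, gnmap_text, workdir):
    """Build the follow-up commands the script would run after the quick scan."""
    plan = []
    for port in http_ports(parse_gnmap_ports(gnmap_text)):
        plan.append(["nikto", "-h", ip, "-p", str(port),
                     "-output", str(scan_path(workdir, f"nikto_{port}", ip))])
    plan.append(["nmap", "-sV", "-A", "-p-", "-oN", str(scan_path(workdir, "nmap", ip)), ip])
    return plan


def run_plan(plan):
    """Execute the plan; any tool missing from PATH is skipped rather than crashing."""
    for argv in plan:
        if shutil.which(argv[0]) is None:
            print(f"skipping {argv[0]}: not installed")
            continue
        subprocess.run(argv, check=False)


if __name__ == "__main__":
    target = "192.168.85.4"
    workdir = make_workdir("TommyBoy")
    for argv in plan_scans(target, SAMPLE_GNMAP, workdir):
        print(" ".join(argv))
```

Run stand-alone it only prints the commands it would launch for the constructed sample; pass the list to run_plan() to execute them against a quick-scan file you produced yourself with nmap -oG.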
As I learn more I’m sure this will grow. I’ve looked at some other scripts, and some go as far as attempting DNS zone transfers and brute forcing while the attacker continues manual enumeration.
The script can be grabbed here: Seclyn/Kali_scripts.git
Or from your Kali machine:
OK! Moving on.
I kick off my recon_v2.sh script. This initially shows me a quick nmap scan telling me services are running as follows:
While the scan continues, I take a look around the website to see what we can find. The homepage tells us there is a system error and to find Nick for assistance; we take note of Nick as it could be used for a login later.
Not much to the site, so I take a look at the source code to confirm. Inside the source code we appear to have a conversation between employees happening via HTML comments (<!-- -->). One of the comments tells us the password was hidden in a folder when you got hit over the head and provides a YouTube link: https://www.youtube.com/watch?v=VUxOd4CszJ8
Next let’s look at port 8008 (http://192.168.85.4:8008) which returns a note from Nick:
I carry on, making note that Nick sounds like a tool. If I’ve learned anything, it’s that whenever a site is present (especially in CTF games) you check robots.txt, so I do just that. There are some interesting directories in robots.txt, and one appears to be our first flag!
Before I venture on to the other directories, I grab the first flag.
Now that 1 of 5 is done, let’s see what the rest of the dirs hold for us.
The first called 6packsofb…soda has a picture of Tommy from the movie:
I take a look at the other directories listed in robots.txt and they all contain different pictures from the movie. To verify they’re just there as fun easter eggs, I take a look at the exif data via exiftool. None of the exif data appears to contain any flags, so I go back to see what my scans found. Looking at the deep nmap scan we now have more info.
A couple of things jump out in the deep scan: the dirs we already looked at in robots.txt, and, thanks to the all-ports scan, a ProFTP server!
I try to connect via FTP and the connection is refused. Before I do anything further there, I’m going to review my Nikto logs. It looks like quite a few directories are available via the web page, but visiting each, they appear to be blank.
I now proceed to spend countless hours trying everything! Several times I even attempt (per the YouTube hint) http://192.168.85.4/prehistoricforest and I just get a database error. I SHOULD HAVE KNOWN AT THIS POINT THERE WAS AN ISSUE. But I always assume with challenge VMs that it’s all by design or a quick setup to make a challenge. Sooooooooo fast forward to 3 hours and a lunch break later. I’M STUMPED. I can’t find anything.
So feeling down and out, I look at a fellow hacker’s tutorial. They found the first flag as I did, and they watched the YouTube video. The writer says, “Well that’s a good hint, let’s look for a web folder called ‘prehistoricforest’,” and I laughed. Good luck, I said. Been there, done that. He types the address, hits enter.
He gets a web page. In disbelief I blow up the image and it’s EXACTLY as I had typed it. I try again and I get a database error! I reboot the VM, reload the page, and we have a website! Oh well, I now feel better: I’ve read nothing I didn’t know, and just needed to reboot the VM. Put this in my memory bank, but it sucks because in a real situation I most likely wouldn’t be able to reboot the target machine -_-
Anyways. Here we are, hours wasted, but confidence restored.
We’re now looking at a blog, which already looks all too familiar.
I scroll to the bottom of the page and sure enough there it is!
Because of this I already know we will be firing up wpscan shortly to enumerate, enumerate, enumerate. But moving on, I notice a blog post with a password box. Above that is a post by Tom Jr. asking what the password is again. A response from Richard, calling him numbnuts, says to check out the /richard folder on the server.
I replace http://192.168.85.4/prehistoricforest with http://192.168.85.4/richard as suggested by the blog post. There we’re greeted with a photo called “shockedrichard.jpg.” I wget that and run exiftool, which returns the following:
ExifTool Version Number : 9.74
File Name : shockedrichard.jpg
Directory : .
File Size : 163 kB
File Modification Date/Time : 2016:07:07 15:17:24-04:00
File Access Date/Time : 2016:08:15 13:20:14-04:00
File Inode Change Date/Time : 2016:08:11 16:49:47-04:00
File Permissions : rw-r--r--
File Type : JPEG
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Exif Byte Order : Little-endian (Intel, II)
Software : Google
Copyright : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version : 0220
User Comment : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width : 1600
Exif Image Height : 1029
XMP Toolkit : Image::ExifTool 9.97
Rights : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Creator Tool : Google
Profile CMM Type : Lino
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 1998:02:09 06:49:00
Profile File Signature : acsp
Primary Platform : Microsoft Corporation
CMM Flags : Not Embedded, Independent
Device Manufacturer : IEC
Device Model : sRGB
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Media-Relative Colorimetric
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : HP
Profile ID : 0
Profile Copyright : Copyright (c) 1998 Hewlett-Packard Company
Profile Description : sRGB IEC61966-2.1
Media White Point : 0.95045 1 1.08905
Media Black Point : 0 0 0
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Device Mfg Desc : IEC http://www.iec.ch
Device Model Desc : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant : 19.6445 20.3718 16.8089
Viewing Cond Surround : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type : D50
Luminance : 76.03647 80 87.12462
Measurement Observer : CIE 1931
Measurement Backing : 0 0 0
Measurement Geometry : Unknown
Measurement Flare : 0.999%
Measurement Illuminant : D65
Technology : Cathode Ray Tube Display
Red Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 2060 bytes, use -b option to extract)
Current IPTC Digest : adfc7551120fa16884c295b6d397931f
Envelope Record Version : 4
Coded Character Set : UTF8
Application Record Version : 4
Copyright Notice : Copyright © 1995 Paramount Pictures Corporation. Credit: 1995 Paramount Pictures / Courtesy: Pyxurz.
IPTC Digest : adfc7551120fa16884c295b6d397931f
Image Width : 1600
Image Height : 1029
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1600×1029
What jumps out at me is the user comment: ce154b5a8e59c89732bc25d6a2e6b90b
At first I didn’t know what to do with this. I tried using it as the password, and had no luck. Then I realized this could be a hash. I Google “ce154b5a8e59c89732bc25d6a2e6b90b”, which returns “CrackStation.com.” I load it up, enter the captcha, and voilà! We have the result of “spanky.”
I use this password on the blog post, and we have access! We’re now shown a blog post by the previous IT guy, “Nick Burns.” He tells us some useful information, such as that he has created an index.html backup called callahan.bak which we can restore simply by renaming. He also says we have to do it from Big Tom’s account, and that:
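A 32-character hex string is the length of an unsalted MD5 (or NTLM) digest, which is why the lookup site recognised it. The following added example (not part of the write-up) does the same recognition and then checks a candidate list locally with hashlib, so a hash lifted from a target never has to be handed to a third-party site where it is logged. The function names and the candidate list are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Added example, not from the write-up: identify a hash by its shape and
check candidate words against it locally with hashlib, so the hash never has
to be pasted into a third-party lookup site. Function names are assumptions."""
import hashlib
import string

HEX = set(string.hexdigits.lower())

# Digest length in hex characters -> unsalted algorithms that produce it.
BY_LENGTH = {
    32: ["md5", "ntlm"],   # NTLM is MD4 over UTF-16LE, also 128 bits
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}


def identify(hash_hex):
    """Candidate algorithms by length; [] if the string is not plain hex."""
    h = hash_hex.strip().lower()
    if not h or any(c not in HEX for c in h):
        return []
    return BY_LENGTH.get(len(h), [])


def check_words(hash_hex, words, algos=("md5", "sha1", "sha256")):
    """Return (word, algo) for the first word whose digest matches, else None."""
    target = hash_hex.strip().lower()
    for word in words:
        for algo in algos:
            if hashlib.new(algo, word.encode("utf-8")).hexdigest() == target:
                return word, algo
    return None


if __name__ == "__main__":
    comment = "ce154b5a8e59c89732bc25d6a2e6b90b"   # User Comment from the EXIF data above
    print("looks like:", identify(comment))
    # Constructed candidate list built from the movie/page context; a real run
    # would read a wordlist file line by line instead.
    candidates = ["callahan", "tommyboy", "nickburns", "spanky", "richard"]
    print("match:", check_words(comment, candidates))
```

For a real wordlist, replace the candidate list with a file iterated line by line; the digest comparison is the expensive part only for very long lists, and for those a dedicated cracker is the right tool.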
- Tom’s account isn’t called Big Tom, but he can’t remember.
- And that Tom could never remember his password.
We also learn that Nick was kind enough to save some useful documents in his home folder, and that we can only connect via FTP to access them. He also says his password is very VERY easy to guess.
From here I assume it’s related to the movie, so I Google “Tommy Boy Nick Burns”. While nothing movie related comes up, I see a familiar video of the SNL skit called “Nick Burns Your Company’s IT Guy.” You can watch it here.
I try the password he gives Jennifer Aniston, and I tried “you’re welcome” and some variations, but nothing. Then I realized: EASY to guess. I’m a sysadmin; what do my users do? I first connect to ftp://192.168.85.4:65534 (remember 65534 was the port for FTP our scan found). I use the username “nickburns” as the blog post tells us, and then I try the password “password”, which doesn’t work. Next I try “nickburns” and “nickburns” and we’re in!
Here we have a “readme.txt” file, so I go to open it, and it cannot connect! I assume it’s me, or the “game.” I continue reading the blog post, and there we have it. Nick Burns tells us the server goes up at the start of the hour, and then goes down and up every 15 minutes. I refresh and lose my connection, so now it’s a waiting game.
Our FTP is back up and we can connect! I quickly ftp in and get readme.txt. After the file downloads, I exit and cat the file. We have another motivational note from Nick the horrible IT guy.
To my replacement:
If you’re reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You’ll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn’t know a fax machine
from a flame thrower!
Anyway I’m not completely without mercy. There’s a subfolder called “NickIzL33t” on this server
somewhere. I used it as my personal dropbox on the company’s dime for years. Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.
Oh by the way, Big Tom’s a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the “NickIzL33t” folder as well. But guess what?
He always forgets THAT password as well. Luckily I’m a nice guy and left him a hint sheet.
Good luck, schmuck!
Luckily for us during our information gathering we know where this page is located. We go back to the http://192.168.85.4:8008 page where we have Nick’s message that “only him and Steve Jobs are allowed to look at his stuff.” I edit the address and add “NickIzL33t” to the address (http://192.168.85.4:8008/NickIzL33t).
We’re greeted with a similar message, and the source holds no clues. I assume, with the Steve Jobs talk again, it has to be related: AFP?
I try connecting to 8008 using afp_mount and that does nothing. I realize I must be approaching this from the wrong angle. I fire up Burp Suite to see what data is being sent. One thing that jumps out at me is that it’s sending my browser type (Mozilla Firefox in my case). I must need to edit that! I search “change user agent string kali” and am given a tool called ua-tester, which doesn’t help me, but I learned something new. The 2nd link is for a Firefox add-on, found here.
With the add-on installed it virtually lets you change your OS and browser, and you can even choose mobile OSes. I try OS X with Safari, and I have the same issue. Next I try switching my user agent to iOS. I refresh the page, and we have a new note from Nick stating the following:
In the process of trying to figure out the URL I had decided to revisit the blog and see if there were any clues. I ended up finding something else: the 2nd flag!!!! Under the initial blog post by Tom Sr, there’s a comment from “Michelle Michelle” with the 2nd flag. Guess I need to make sure to visit all blog posts in the future 😉
Now that that’s out of the way, I did run dirbuster against the URL and realized my errors. Dirbuster would run and eventually stop, saying 20 errors had occurred; I did not realize I could just “un-pause” and continue. So I did this, and it took about an hour of watching and unpausing. (Side note: it appears that at this time you cannot disable dirbuster from pausing after 20 errors. All you can do is use fewer threads and/or decrease requests per second.) Also, I needed to add my iOS user agent to the dirbuster parameters so it would test as an iOS device!
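The User-Agent gating above is worth checking for systematically rather than by trial and error in the browser, since a server that serves different content per client (or hides a directory behind a UA string) will also fool scanners that send one fixed header. The following is an added example, not code from the write-up: it requests one URL with several User-Agent strings and groups the responses by body hash, so any UA-dependent content stands out. The UA strings are typical browser values, the function names are assumptions, and the fetch parameter exists so the logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Added example, not from the write-up: request the same URL with several
User-Agent strings and group the responses by body hash, showing at a glance
whether the server serves different content per client. UA strings are
typical values, function names are assumptions, and `fetch` is injectable
so the grouping logic can run without a network."""
import hashlib
import urllib.request

USER_AGENTS = {
    "firefox_linux": "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0",
    "safari_macos": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 "
                     "(KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"),
    "safari_ios": ("Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X) AppleWebKit/601.1.46 "
                   "(KHTML, like Gecko) Version/9.0 Mobile/13F69 Safari/601.1"),
}


def fetch_with_ua(url, user_agent, timeout=10.0):
    """GET url with an explicit User-Agent header and return the body bytes."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def compare_by_user_agent(url, agents=USER_AGENTS, fetch=fetch_with_ua):
    """Map a short body digest -> list of UA labels that received that body."""
    groups = {}
    for label, ua in agents.items():
        digest = hashlib.sha256(fetch(url, ua)).hexdigest()[:12]
        groups.setdefault(digest, []).append(label)
    return groups


def ua_gated(url, agents=USER_AGENTS, fetch=fetch_with_ua):
    """True when at least two user agents received different bodies."""
    return len(compare_by_user_agent(url, agents, fetch)) > 1


if __name__ == "__main__":
    # Assumed target from the write-up; run only against hosts you are authorised to test.
    for digest, labels in compare_by_user_agent("http://192.168.85.4:8008/NickIzL33t").items():
        print(digest, labels)
```

Pages with per-request nonces or timestamps will hash differently on every fetch even for the same UA; compare a normalised body (strip those tokens first) in that case, or fetch each UA twice and only flag differences that are stable.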
While it was still running I noticed an interesting URL.
I browsed to that page and was provided the following.
A hint, the flag, and Tom’s password backups. First I grab le flag!
Next I grab the ZIP file, which is password protected. I take a look at the hint, and we’re given parameters for the password. I assume we will need to use something such as Crunch to make a password list and brute force the zip.
I get started with crunch; I’ve only used it in SMALL SMALL small amounts before. I realize I need to learn a bit more today 😉 . I spent some time reading over the man pages and an excellent tutorial found here. One thing that was different, which I got from the man pages, is that the tutorial’s author says ' (apostrophe) is how to denote an upper case value, when in fact it’s actually , (comma).
I kick off the generation and sit back!
A quick Google search for cracking zip files returns fcrackzip. Another quick read of the help page shows some easy parameters.
fcrackzip -v -D -u -p pw_list.txt t0msp4ssw0rdz.zip
And, in what I can only assume is by design, fcrackzip retrieves the password within seconds.
I unzip the file, and cat the “password.txt” which gives us the following hints:
We know the username is “tom” thanks to using the user enumeration feature of wpscan.
I try a bunch of different Queen songs in different cases. However, no luck. I built a quick text file with a few songs in different layouts. Nothing. While I messed with this I ran a brute force with wpscan against the WordPress login.
Sure enough, we’re in!
Maybe I’m missing something, but I think that was all a run around to make us think?
We know from the passwords.txt that he wrote a draft to save his password. I click on Drafts in WordPress and we have his ess ess ache (SSH) password (read the blog to see).
I fire up an SSH connection from Kali, use the password “fatguyinalittlecoat1938!!” And we have SSH!
A quick ls and we have our fourth flag and the path to the last!
Next I work on restoring the backup of the site. I do a find for index.html, which returns nothing. Could be a permission issue? I navigate to /var/www/html and cat index.html. We can see the current site and the error text. I cp over the backup and refresh the browser.
The site is back online, we can call it quits now right? Nope! Gotta get that last flag. I’m on the server and I notice an interesting directory off of /var/www. It leads to Nickl33ts directory.
When there I noticed an upload.html. I browse to the page to see what’s up.
I immediately know we need to upload a PHP script to get that reverse shell. I navigate and grab the script from PenTest Monkey. I upload the script!!!!!!!!!!!! And it failed; it needs to be an image. I rename the file to .gif, add gif98 to the start of the text and upload. I catch it with Burp Suite, alter the extension back to PHP and!!!!!!!!! Nothing.
Then I try uploading the file as a jpg, I use my SSH session and rename the file from reverse_shell.jpg to reverse_shell.php. Start a netcat listener, navigate to the file . . . . . .
We have shell and are running as the www user. I cat the file in the root and we have the final flag! But it looks like there’s one more challenge.
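The upload form fell for a script that merely carried an image extension, and the rename to .php afterwards turned it into executable code because the upload directory was web-served and PHP was enabled there. The following added example, not code from the challenge or from PenTest Monkey, shows that extension-only check next to a stricter one: it also verifies the file’s real leading bytes (GIF files begin with GIF87a or GIF89a, JPEGs with FF D8 FF), refuses content carrying a script tag, and stores the file under a server-chosen name. The function names and the sample byte strings are constructed for this example.

```python
#!/usr/bin/env python3
"""Added example, not code from the challenge: the extension-only check that
lets a renamed PHP file through, next to a stricter one that also verifies
the file's magic bytes, rejects embedded script tags and stores the file under
a server-chosen name. Function names and sample data are assumptions."""
import secrets
from pathlib import Path

# Real leading bytes for the allowed image types.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def weak_check(filename):
    """Extension only, as the upload form above appears to do: 'shell.gif' passes."""
    return Path(filename).suffix.lower() in MAGIC


def strong_check(filename, data):
    """Return (accepted, reason); the content must match the claimed type."""
    ext = Path(filename).suffix.lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    body = data.lower()
    if b"<?" in body or b"<script" in body:
        return False, "embedded script tag"
    return True, "ok"


def store_upload(filename, data, upload_root):
    """Write an accepted file under a random name; never reuse the client's name."""
    accepted, reason = strong_check(filename, data)
    if not accepted:
        raise ValueError(reason)
    dest = Path(upload_root) / (secrets.token_hex(16) + Path(filename).suffix.lower())
    dest.write_bytes(data)
    return dest


# Constructed samples: a JPEG header with padding, and a GIF header with PHP appended.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32
GIF_WITH_PHP = b"GIF89a" + b"\x00" * 8 + b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    for name, data in [("photo.jpg", CLEAN_JPEG), ("reverse_shell.gif", GIF_WITH_PHP),
                       ("reverse_shell.php", GIF_WITH_PHP)]:
        print(f"{name:20} weak={weak_check(name)!s:5} strong={strong_check(name, data)}")
```

The script-tag scan is a heuristic (a genuine JPEG can contain the bytes "<?" by chance, so expect occasional false positives), and no content check replaces the structural fix: keep the upload directory outside the web root or served with script execution disabled, and re-encode images server-side so that whatever was appended after the header is discarded.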
YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OH RICHARD DON’T RUN AWAY FROM YOUR FEELINGS!!!!!!!!
Flag data: Buttcrack
Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk.
So for example, if flag 1 data was “hi” and flag 2 data was “there” and flag 3 data was “you”
you would create this blob:
Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom’s
folder and you can call the box PWNED.”
I gather up my flag data and see what we have. B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
I unzip the loot to see what we get.
Results: Overall this was a really fun challenge! Thanks to 7MinSec for putting this together. While I wasn’t a huge Tommy Boy fan, this was still fun nonetheless. It was also a good learning experience as usual. It’d be cool to have additional movie themed challenges such as this.