Vulnhub – Tommy Boy


About This Challenge

 

Description

=================

HOLY SCHNIKES! Tommy Boy needs your help!

The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.

Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. – who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!

You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business 😦

Primary Objective

=================

The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

 

—————————————————————————————————————————-

Enumeration:

Since my last challenge (MrRobot) I decided that, to help advance my skills, I would try to automate some of my enumeration. I figured this would save me some time and effort. During my OSCP studies I’ve run a lot of these commands extensively and can use all of the switches without having to reference --help, so at this point it would benefit me to automate them. The script is written in bash for my own learning. I’m used to scripting in batch (Windows) and for the most part bash scripting is similar. Once I get the script worked out the way I want it, my next learning curve will be to move that process to Python!

You’re welcome to use my script for your own learning purposes, or as a starting point. Know that it’s very basic, though I did put in effort to make it look nice when run. The script does the following:

  1. Prompts for a name, in this case TommyBoy.
    1. This creates a ~/challenge_vms/TommyBoy directory to store all scans and logs in.
  2. Scans the network using arp-scan and returns only the IP of available hosts.
  3. Prompts you for the target VM; in my case, the TommyBoy VM at 192.168.85.4.
  4. It then does a quick nmap scan to give me something to look at while the rest of the info is gathered.
  5. Next a Nikto scan is run only if nmap found HTTP services.
  6. Then nmap runs again, this time with -sV -A and -p- switches.
    1. -sV = service versions
    2. -A = detailed info about each port
    3. -p- = all host ports
  7. All scans are saved in ~/challenge_vms/TommyBoy/IP_scantype
    1. Example : nmap is saved as ~/challenge_vms/TommyBoy/nmap_192.168.85.4
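The gate in step 5 (run Nikto only where nmap found HTTP) is the one piece of glue worth showing in code. This is an added example, not the author’s recon_v2.sh: it parses nmap’s grepable (-oG) output and returns the URLs Nikto should be pointed at. The sample output is constructed to resemble the services this write-up finds on 192.168.85.4; the SSH port and the second host are assumptions added to exercise the parser.

```python
import re

# Constructed nmap -oG (grepable) output, modelled on the services this
# write-up finds on the TommyBoy VM; the SSH port and the second host are
# assumptions added to exercise the parser, not scan results from the page.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.01 scan initiated as: nmap -p- -oG nmap_192.168.85.4 192.168.85.4",
    "Host: 192.168.85.4 ()\tStatus: Up",
    "Host: 192.168.85.4 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "8008/open/tcp//http///, 65534/open/tcp//ftp//ProFTPD/\tIgnored State: closed (65531)",
    "Host: 10.0.0.5 ()\tPorts: 443/open/tcp//ssl|http///, 8080/filtered/tcp//http-proxy///",
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds",
])

# One -oG port entry has the layout port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
HOST_RE = re.compile(r"Host: (\S+) .*?\tPorts: ([^\t]*)")


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service, version), ...]}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:          # comment lines and "Status: Up" lines carry no ports
            continue
        host, ports_field = m.groups()
        entries = hosts.setdefault(host, [])
        for item in ports_field.split(","):
            pm = PORT_RE.match(item.strip())
            if pm:
                port, state, proto, _owner, service, _rpc, version = pm.groups()
                entries.append((int(port), state, proto, service, version))
    return hosts


def http_targets(hosts):
    """URLs worth handing to Nikto: open TCP ports whose service looks like HTTP."""
    urls = []
    for host, entries in hosts.items():
        for port, state, proto, service, _version in entries:
            if state != "open" or proto != "tcp" or "http" not in service:
                continue
            scheme = "https" if ("ssl" in service or service.startswith("https")) else "http"
            urls.append(f"{scheme}://{host}:{port}")
    return urls


if __name__ == "__main__":
    for url in http_targets(parse_gnmap(SAMPLE_GNMAP)):
        print("nikto -h", url)   # what the recon script would run next
```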

 

As I learn more I’m sure this will grow. I’ve viewed some other scripts, and some even go as far as attempting DNS zone transfers and brute force while the attacker continues manual enumeration.

The script can be grabbed here: Seclyn/Kali_scripts.git

Or from your Kali machine:

git clone https://github.com/seclyn/kali_scripts.git

OK! Moving on.

===============

I kick off my recon_v2.sh script. This initially shows me a quick nmap scan of the services that are running.

While the scan continues, I take a look around the website to see what we can find. The homepage tells us there is a system error and to find Nick for assistance; we take note of Nick, as it could be used for a login later.

Not much to the site, so I take a look at the source code to confirm. Inside the source code we appear to have a conversation between employees happening via HTML comments (<!-- -->). One of the comments tells us the password was hidden in a folder when you got hit over the head, and provides a YouTube link: https://www.youtube.com/watch?v=VUxOd4CszJ8

Next let’s look at port 8008 (http://192.168.85.4:8008) which returns a note from Nick:

I carry on, making a note that Nick sounds like a tool. If I’ve learned anything, it’s that whenever a site is present (especially in CTF games) you check robots.txt, so I do just that. robots.txt lists some interesting directories, and one appears to be our first flag!


Before I venture on to the other directories, I grab the first flag.


Now that 1 of 5 is done, let’s see what the rest of the dirs hold for us.

The first, called 6packsofb…soda, has a picture of Tommy from the movie:


I take a look at the other directories listed in robots.txt and they all contain different pictures from the movie. To verify they’re just fun easter eggs, I take a look at the EXIF data via exiftool. None of the EXIF data appears to contain any flags, so I go back to see what my scans found. Looking at the deep nmap scan, we now have more info.

A couple of things jump out in the deep scan: the directories we already looked at in robots.txt, and, thanks to the all-ports scan, a ProFTP server running!

I try to connect via FTP and the connection is refused. Before I do anything further there, I’m going to review my Nikto logs. It looks like quite a few directories are available via the webpage, but on visiting each, they appear to be blank.


I now proceed to spend countless hours trying everything! Several times I even attempt (per the YouTube hint) http://192.168.85.4/prehistoricforest, and I just get a database error. I SHOULD HAVE KNOWN AT THIS POINT THERE WAS AN ISSUE. But I always assume with challenge VMs that it’s all by design, or a quick setup to make a challenge. Sooooooooo, fast forward to 3 hours and a lunch break later. I’M STUMPED. I can’t find anything.

 

So, feeling down and out, I look at a fellow hacker’s tutorial. They found the first flag as I did, and they watched the YouTube video. The writer says, “Well that’s a good hint, let’s look for a web folder called ‘prehistoricforest’.” I laughed; good luck, I said. Been there, done that. He types the address and hits enter.

He gets a web page. In disbelief I blow up the image, and it’s EXACTLY as I had typed it. I try again and get a database error! I reboot the VM, reload the page, and we have a website! Oh well, I now feel better: I’ve read nothing I didn’t know, and just needed to reboot the VM. I’ll put this in my memory bank, but it sucks, because in a real situation I most likely wouldn’t be able to reboot the target machine -_-

Anyways. Here we are, hours wasted, but confidence restored.

We’re now looking at a blog, which already looks all too familiar.

I scroll to the bottom of the page and sure enough, there it is!


Because of this I already know we will be firing up wpscan shortly to enumerate, enumerate, enumerate. But moving on I notice a blog post with a password box. Above that is a post by Tom Jr. asking what the password is again. A response from Richard calling him numbnuts says to check out the /richard folder on the server.

I replace http://192.168.85.4/prehistoricforest with http://192.168.85.4/richard as suggested by the blog post. There we’re greeted with a photo called “shockedrichard.jpg.” I wget that and run exiftool, which returns the following:

ExifTool Version Number         : 9.74
File Name                       : shockedrichard.jpg
Directory                       : .
File Size                       : 163 kB
File Modification Date/Time     : 2016:07:07 15:17:24-04:00
File Access Date/Time           : 2016:08:15 13:20:14-04:00
File Inode Change Date/Time     : 2016:08:11 16:49:47-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Little-endian (Intel, II)
Software                        : Google
Copyright                       : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     : Image::ExifTool 9.97
Rights                          : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Creator Tool                    : Google
Profile CMM Type                : Lino
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : IEC
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : HP
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Current IPTC Digest             : adfc7551120fa16884c295b6d397931f
Envelope Record Version         : 4
Coded Character Set             : UTF8
Application Record Version      : 4
Copyright Notice                : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
IPTC Digest                     : adfc7551120fa16884c295b6d397931f
Image Width                     : 1600
Image Height                    : 1029
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029

 

What jumps out at me is the User Comment: ce154b5a8e59c89732bc25d6a2e6b90b

At first I didn’t know what to do with this. I tried using it as the password, and had no luck. Then I realized this could be a hash. I Google “ce154b5a8e59c89732bc25d6a2e6b90b”, which returns “CrackStation.com.” I load it up, enter the captcha, and voilà! We have the result: “spanky.”
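Spotting the User Comment by eye works for one file; the same triage can be scripted. This is an added example, not the author’s tooling: it parses exiftool’s “Tag : Value” text, flags any value that is a bare hex digest of MD5/SHA-1/SHA-256 length outside the tags exiftool itself fills with digests (so the IPTC Digest lines above are not false positives), and checks a recovered candidate against the digest offline instead of relying on a web lookup. The embedded output is a constructed excerpt of the listing above.

```python
import hashlib
import re

# Constructed excerpt of the exiftool output shown in this write-up; the
# User Comment value is the one the page reports for shockedrichard.jpg.
EXIFTOOL_OUTPUT = """\
ExifTool Version Number         : 9.74
File Name                       : shockedrichard.jpg
Software                        : Google
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Current IPTC Digest             : adfc7551120fa16884c295b6d397931f
IPTC Digest                     : adfc7551120fa16884c295b6d397931f
Image Size                      : 1600x1029
"""

# Hex digest lengths and the hash family a bare value of that length usually is.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Tags exiftool populates with digests of its own; these are metadata, not hidden data.
EXPECTED_DIGEST_TAGS = {"Current IPTC Digest", "IPTC Digest", "Profile ID"}


def parse_exiftool(text):
    """Turn exiftool's 'Tag : Value' lines into a dict (first ' : ' splits)."""
    tags = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        tag, value = line.split(" : ", 1)
        tags[tag.strip()] = value.strip()
    return tags


def suspicious_hashes(tags):
    """(tag, value, algo) for values that look like a bare hex digest."""
    hits = []
    for tag, value in tags.items():
        if tag in EXPECTED_DIGEST_TAGS:
            continue
        if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_LENGTHS:
            hits.append((tag, value, HASH_LENGTHS[len(value)]))
    return hits


def candidate_matches(candidate, digest, algo):
    """Check a recovered plaintext candidate against the digest offline."""
    return hashlib.new(algo, candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    tags = parse_exiftool(EXIFTOOL_OUTPUT)
    for tag, value, algo in suspicious_hashes(tags):
        print(f"{tag}: {value} looks like {algo}")
    # The write-up reports CrackStation resolving the User Comment to "spanky";
    # this checks that candidate locally rather than trusting the web lookup.
    print("spanky matches:", candidate_matches("spanky", tags["User Comment"], "md5"))
```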


I use this password on the blog post, and we have access! We’re now shown a blog post by the previous IT guy, “Nick Burns.” He tells us some useful information, such as that he has created an index.html backup called callahan.bak which we can restore simply by renaming it. He also says we have to do it from Big Tom’s account, and that:

  1. Tom’s account isn’t called Big Tom, but he can’t remember what it is.
  2. Tom could never remember his password.

 

We also learn that Nick was kind enough to save some useful documents in his home folder, and that we can only connect via FTP to access them. He also says his password is very VERY easy to guess.

From here I assume it’s related to the movie, so I Google “Tommy Boy Nick Burns”. While nothing movie-related comes up, I see a familiar video of the SNL skit called “Nick Burns, Your Company’s IT Guy.” You can watch it here.

I try the password he gives Jennifer Aniston in the skit, and I try “you’re welcome” and some variations, but nothing. Then I realized: EASY to guess. I’m a sysadmin; what do my users do? I first connect to ftp://192.168.85.4:65534 (remember, 65534 was the FTP port our scan found). I use the username “nickburns” as the blog post tells us, and then I try the password “password”, which doesn’t work. Next I try “nickburns” / “nickburns” and we’re in!

Here we have a “readme.txt” file, so I go to open it, and it cannot connect! I assume it’s me, or the “game.” I continue reading the blog post, and there we have it: Nick Burns tells us the server goes up at the start of the hour, and then goes down and up every 15 minutes. I refresh and lose my connection, so now it’s a waiting game.


Our FTP is back up and we can connect! I quickly ftp in and get readme.txt. After the file downloads, I exit and cat the file. We have another motivational note from Nick, the horrible IT guy.

 

To my replacement:

If you’re reading this, you have the unfortunate job of taking over IT responsibilities from me here at Callahan Auto.  HAHAHAHAHAAH! SUCKER!  This is the worst job ever!  You’ll be surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn’t know a fax machine from a flame thrower!

Anyway I’m not completely without mercy.  There’s a subfolder called “NickIzL33t” on this server somewhere. I used it as my personal dropbox on the company’s dime for years.  Heh. LOL.

I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom’s a moron and always forgets his passwords and so I made an encrypted .zip of his passwords and put them in the “NickIzL33t” folder as well.  But guess what? He always forgets THAT password as well.  Luckily I’m a nice guy and left him a hint sheet.

Good luck, schmuck!

LOL.

-Nick

Luckily for us, during our information gathering we learned where this folder is likely located. We go back to the http://192.168.85.4:8008 page, where we have Nick’s message that “only him and Steve Jobs are allowed to look at his stuff.” I edit the address and add “NickIzL33t” to it (http://192.168.85.4:8008/NickIzL33t).
We’re greeted with a similar message, and the source holds no clues. I assume that, with the Steve Jobs talk again, it has to be related; AFP?


I try connecting to 8008 using afp_mount and that does nothing. I realize I must be approaching this from the wrong angle. I fire up Burp Suite to see what data is being sent. One thing that jumps out at me is that it’s sending my User-Agent string (Mozilla Firefox in my case). I must need to edit that! I search “change user agent string kali” and I’m given a tool called ua-tester, which doesn’t help me, but I learned something new. The 2nd link is for a Firefox add-on, found here.

With the add-on installed you can change the OS and browser you report, and even choose a mobile OS. I try OS X with Safari and have the same issue. Next I try switching my user agent to iOS. I refresh the page, and we have a new note from Nick.
In the process of trying to figure out the URL I had decided to revisit the blog and see if there was any clues. I ended up finding something else, the 2nd flag!!!! Under the initial blog post by Tom Sr, there’s a comment from “Michelle Michelle” with the 2nd flag. Guess I need to make sure to visit all blog posts in the future 😉


Now that that’s out of the way: I ran DirBuster against the URL and realized my error. DirBuster would run and eventually stop, saying 20 errors had occurred; I did not realize I could just “un-pause” and continue. So I did this, and it took about an hour of watching and unpausing. (Side note: it appears that, at this time, you cannot stop DirBuster from pausing after 20 errors. All you can do is use fewer threads and/or decrease requests per second.) Also, I needed to add my iOS user agent to the DirBuster parameters so it would test as an iOS device!
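A User-Agent gate like Nick’s only hides content from clients that do not try other strings, and both the add-on switching above and the DirBuster run leave a distinctive trail in the web server’s access log. This is an added example, not part of the original post: detection logic run over constructed Apache combined-log lines (IPs, timestamps and paths are made up to resemble this write-up’s activity) that flags one client requesting the same path with several User-Agents, and a burst of 404s from one client inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines modelling what the activity in this
# write-up leaves on the port-8008 site: one client fetching the same path
# with three User-Agents, then a DirBuster burst, plus one ordinary visitor.
UA_CYCLING = [
    '192.168.85.10 - - [15/Aug/2016:13:20:01 -0400] "GET /NickIzL33t/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"',
    '192.168.85.10 - - [15/Aug/2016:13:20:04 -0400] "GET /NickIzL33t/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) Safari/601.6"',
    '192.168.85.10 - - [15/Aug/2016:13:20:09 -0400] "GET /NickIzL33t/ HTTP/1.1" 200 947 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) Safari/601.1"',
]
WORDLIST = ["admin", "backup", "images", "tmp", "test", "old", "uploads", "files",
            "private", "hidden", "secret", "data"]
DIRBUSTER_BURST = [
    f'192.168.85.10 - - [15/Aug/2016:13:30:{i:02d} -0400] "GET /NickIzL33t/{w} HTTP/1.1" 404 290 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) Safari/601.1"'
    for i, w in enumerate(WORDLIST)
]
NORMAL = ['192.168.85.20 - - [15/Aug/2016:13:31:00 -0400] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) Safari/601.1"']
LOG_LINES = UA_CYCLING + DIRBUSTER_BURST + NORMAL

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')


def parse_log(lines):
    """Yield one dict per line that parses; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def detect(lines, ua_threshold=3, miss_threshold=10, window_s=60):
    """Return (ip, kind, detail) alerts. 'ua-cycling': one client hit one path
    with ua_threshold or more User-Agents (probing a UA gate). 'forced-browsing':
    miss_threshold or more 404s from one client inside window_s seconds."""
    by_ip = defaultdict(list)
    for rec in parse_log(lines):
        by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        uas_by_path = defaultdict(set)
        for r in recs:
            uas_by_path[r["path"]].add(r["ua"])
        for path, uas in uas_by_path.items():
            if len(uas) >= ua_threshold:
                alerts.append((ip, "ua-cycling", f"{path} ({len(uas)} user agents)"))
        misses = sorted(r["ts"] for r in recs if r["status"] == "404")
        for i, start in enumerate(misses):   # sliding window over the 404s
            n = sum(1 for t in misses[i:] if (t - start).total_seconds() <= window_s)
            if n >= miss_threshold:
                alerts.append((ip, "forced-browsing", f"{n} 404s within {window_s}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(*alert)
```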

While it was still running I noticed an interesting URL. I browsed to that page and found a hint, the flag, and Tom’s password backups. First I grab le flag!

Next I grab the ZIP file, which is password protected. I take a look at the hint, and we’re given parameters for the password. I assume we will need to use something such as Crunch to make a password list and brute-force the zip.


I get started with crunch; I’ve only used it in SMALL SMALL small amounts before. I realize I need to learn a bit more today 😉 . I spent some time reading over the man pages and an excellent tutorial found here. One thing I picked up from the man pages that differs from the tutorial: the tutorial’s author says ‘ (apostrophe) is how to denote an upper-case character, when in fact it’s actually , (comma).

I kick off the generation and sit back!


A quick Google search for cracking zip files returns fcrackzip.  Another quick read of the help page shows some easy parameters.

fcrackzip -v -D -u -p pw_list.txt t0msp4ssw0rdz.zip

And, in what I can only assume is by design, fcrackzip retrieves the password within seconds (-v is verbose, -D selects dictionary mode, -p names the word list, and -u has fcrackzip confirm each hit with unzip so false positives are weeded out).


I unzip the file and cat “password.txt”, which gives us a few hints about Tom’s password.
We know the username is “tom” thanks to using the user enumeration feature of wpscan.


I try a bunch of different Queen songs in different cases. However, no luck. I built a quick text file with a few songs and different layouts. Nothing. While I messed with this, I ran a brute force with wpscan against the WordPress login.

Sure enough, we’re in!


Maybe I’m missing something, but I think that was all a runaround to make us think?

We know from password.txt that he wrote a draft to save his password. I click on Drafts in WordPress, and we have his ess ess ache (SSH; read the blog post to see why) password.


I fire up an SSH connection from Kali, use the password “fatguyinalittlecoat1938!!” And we have SSH!

A quick ls and we have our fourth flag and the path to the last!

Next I work on restoring the backup of the site. I run find for index.html, which returns nothing; could be a permission issue? I navigate to /var/www/html and cat index.html. We can see the current site and the error text. I cp the backup over it and refresh the browser.


The site is back online, so we can call it quits now, right? Nope! Gotta get that last flag. I’m on the server and I notice an interesting directory off of /var/www. It leads to NickIzL33t’s directory.

When there I noticed an upload.html. I browse to the page to see what’s up.

I immediately know we need to upload a PHP script to get that reverse shell. I navigate and grab the script from PentestMonkey. I upload the script!!!!!!!!!!!! And it fails: it needs to be an image. I rename the file to .gif, add gif98 to the start of the file, and upload. I catch it with Burp Suite, alter the extension back to PHP and!!!!!!!!! Nothing.

Then I try uploading the file as a jpg. I use my SSH session to rename the file from reverse_shell.jpg to reverse_shell.php, start a netcat listener, navigate to the file . . . . . .
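The upload form above only checked the client-supplied name, which is why the rename worked and why the remaining step needed nothing more than write access to the web root. This is an added example, not the challenge’s upload handler: the naive name-only check beside a hardened one that derives the extension from sniffed magic bytes, discards the client’s filename for a random server-chosen one, and writes the file without execute bits. The polyglot bytes are a constructed stand-in for the renamed script (an inert placeholder, not a shell); the upload directory defaults to a temp dir only for the demo.

```python
import os
import secrets
import tempfile

# Magic bytes for the image types the upload form is meant to accept.
MAGIC = {b"\xff\xd8\xff": "jpg", b"GIF87a": "gif", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png"}

# Constructed stand-in for the renamed script in this write-up: an image
# header glued onto PHP text (the body here is an inert placeholder).
POLYGLOT = b"GIF89a" + b"<?php echo 'constructed placeholder'; ?>"


def naive_accepts(filename):
    """The check the write-up defeats: the client-chosen name decides."""
    return filename.lower().rsplit(".", 1)[-1] in {"jpg", "jpeg", "gif", "png"}


def sniff_image_type(data):
    """Extension implied by the leading bytes, or None if not an allowed image."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def safe_upload_name(data, max_bytes=2_000_000):
    """Server-chosen name: random basename, extension from the sniffed type.
    Returns None when the bytes do not start like an allowed image."""
    if len(data) > max_bytes:
        return None
    ext = sniff_image_type(data)
    return None if ext is None else f"{secrets.token_hex(16)}.{ext}"


def store_upload(data, upload_dir=None):
    """Write the upload under a server-chosen name with no execute bit.
    upload_dir must be served as static content (outside the web root, or with
    script execution disabled for that path); PHP text inside a .gif is then
    inert, and renaming it later requires write access to the directory, not
    merely the ability to upload. Returns (name, mode) or None if rejected."""
    name = safe_upload_name(data)
    if name is None:
        return None
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")  # demo default
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print("naive check, renamed to .gif:", naive_accepts("reverse_shell.gif"))
    print("hardened store:", store_upload(POLYGLOT))
```

A stronger variant re-encodes the upload with an image library and stores the re-encoded bytes, which strips any appended script text rather than merely neutralising it.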


We have shell and are running as the www user. I cat the file in the root and we have the final flag! But it looks like there’s one more challenge.

“FIFTH FLAG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!

OH RICHARD DON’T RUN AWAY FROM YOUR FEELINGS!!!!!!!!

Flag data: Buttcrack

Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk. So for example, if flag 1 data was “hi” and flag 2 data was “there” and flag 3 data was “you” you would create this blob:

hithereyou

Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom’s folder and you can call the box PWNED.”

 

I gather up my flag data and see what we have. B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

 

I unzip the loot to see what we get.


—————————————————————————————————————————-

Results: Overall this was a really fun challenge! Thanks to 7MinSec for putting this together. While I wasn’t a huge Tommy Boy fan, this was still fun nonetheless. It was also a good learning experience, as usual. It’d be cool to have additional movie-themed challenges such as this.
