Tommy Boy: 1
Location
vulnhub.com
Description
HOLY SCHNIKES! Tommy Boy needs your help!
The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. – who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!
You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :(
Objective
The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.
Enumeration
nmap -T4 -sV -p- 192.168.56.5
When I visit the webpage at port 80 the message on the page is:
Welcome to Callahan Auto!
SYSTEM ERROR!
If your’e reading this, the Callahan Auto customer ordering system is down. Please restore the backup copy immediately.
See Nick in IT for assistance.
When I look at the source code of the page there are some comments:
<!--Comment from Nick: backup copy is in Big Tom’s home folder-->
<!--Comment from Richard: can you give me access too? Big Tom’s the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I’ll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal. Where’s the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It’s here if you don’t remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget? Thanks-->
The YouTube video is a clip from the movie ‘Tommy Boy’ and the location mentioned in this clip is ‘prehistoric forest’.
Flag number 1
When looking at /robots.txt I found the first flag:
This is the first of five flags in the Callhan Auto server. You’ll need them all to unlock
the final treasure and fully consider the VM pwned!
Flag data: B34rcl4ws
There are more mentions in /robots.txt and when looking inside the directories there were pictures from the movie ‘Tommy Boy’. I downloaded all the pictures and ran them through Exiftool. Nothing interesting was found. In the metadata of picture ‘scream.jpg’ there was a comment ‘Lavc55.1.100’, but after some Google wisdom there were too many hits on different kinds of pictures to make sense. So nothing there.
dirb http://192.168.56.5
After running dirb I got a ton of directories, but none of them really had anything interesting.
Because this challenge has a movie theme, I took all the words collected from my notes and the site and ran them through dirb one more time, and this time I got a hit.
Flag number 2
After looking at the content of the site some more I came across another flag.
When I check out the mentioned text file I get the message:
You’ve got 2 of five flags – keep it up!
Flag data: Z4l1nsky
WordPress
wpscan -u http://192.168.56.5/prehistoricforest/ -e u,vp,vt
Except for the usernames, there was nothing really interesting about the scan. Going further.
In one of the posts there was some interesting information:
Hey numbnuts, look at the /richard folder on this server. I’m sure that picture will jog your memory.
Since you have a small brain: see up top in the address bar thingy? Erase “/prehistoricforest” and put “/richard” there instead.
Another picture
When looking at that directory I get another picture. I’ll download this one as well and run it through Exiftool. This time there is an interesting comment: ce154b5a8e59c89732bc25d6a2e6b90b
After a check in hash-identifier it seems this is an MD5 hash. When I check it against crackstation I get a result: spanky
I went back to the main page and used spanky as the password and it paid off. I get a text from an IT guy named Richy.
So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.
Here’s everything I know:
You guys are all hopeless sheep :-/
The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.
I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).
You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.
Good luck, schmucks!
So there is another port out there I haven’t discovered with the previous nmap scan. Seeing it’s now just past the whole hour, I run another nmap scan.
So the mystery FTP port is 65534. It looks like the version number is hidden (probably /etc/proftpd.conf was altered with the addition of ServerIdent Off).
FTP
I tried to log in with the username nickburns and tried to guess the password. It shouldn’t be too hard to remember so I thought I would give it a try. But after several tries it got boring.
In the hope that there is something useful mentioned on the pages from the site I used cewl to generate a list and used the list to brute force the FTP password.
hydra -l nickburns -P tommylist.txt ftp://192.168.56.5 -s 65534
When they mentioned it was simple, I didn’t realize just how simple. Oh well.
Because the FTP port opens and closes at set times, I run a script to automatically let me know when the port is open or closed.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import socket
import time

while True:
    # Open a fresh socket for every check; a socket cannot be reused after connect_ex().
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(5)
    result = sock.connect_ex(("192.168.56.5", 65534))
    sock.close()
    if result == 0:
        print("Port is open")
    else:
        print("Port is not open")
    time.sleep(30)
After logging in to the FTP account I find just one text file named readme.
To my replacement:
If you’re reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You’ll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn’t know a fax machine
from a flame thrower!
Anyway I’m not completely without mercy. There’s a subfolder called “NickIzL33t” on this server
somewhere. I used it as my personal dropbox on the company’s dime for years. Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.
Oh by the way, Big Tom’s a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the “NickIzL33t” folder as well. But guess what?
He always forgets THAT password as well. Luckily I’m a nice guy and left him a hint sheet.
Good luck, schmuck!
LOL.
-Nick
I tried port 8008 and got a message telling me to scram.
But there is a directory called /NickIzL33t/.
Again with the Steve Jobs remark. I knew this wasn’t a coincidence. I tried to alter my cookie value to something with “Steve Jobs” in it. After multiple encoded versions I tried another approach. What is as important as Steve Jobs? Apple! What was his baby? The iPhone! So I changed my user agent to match that of an iPhone.
Success! Now to find that .html
Brute-forcing
I tried dirb with the addition of the correct user agent.
dirb http://192.168.56.5:8008/NickIzL33t/ -a "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/47.0.2526.70 Mobile/13C71 Safari/601.1.46"
But this wasn’t enough. So I tried another big list. This also didn’t work. After a few more tries I decided to use the list that was mainly used with these challenges: rockyou.txt.
dirb http://192.168.56.5:8008/NickIzL33t/ /usr/share/wordlists/rockyou.txt -a "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/47.0.2526.70 Mobile/13C71 Safari/601.1.46"
Segmentation faultdlist…
Bummer. Too many faulty chars inside the list that create errors. I need to trim the list a bit.
sed 's/[^a-zA-Z0-9_:]/ /g' rockyou.txt > rockyou_alphanumeric.txt
Let’s try it again. Still errors. Oh well, alternatively I use Wfuzz.
wfuzz -c -z file,/usr/share/wordlists/rockyou_alphanumeric.txt --hc 404 --hl 0 -H "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/47.0.2526.70 Mobile/13C71 Safari/601.1.46" http://192.168.56.5:8008/NickIzL33t/FUZZ.html
Finally. After a long wait I have another path (fallon1.html) to follow.
Flag number 3
Let’s get the flag first.
Decryption
When I go a page back and choose the link for the hint I get:
Big Tom,
Your password vault is protected with (yep, you guessed it) a PASSWORD!
And because you were choosing stupidiculous passwords like “password123” and “brakepad” I
enforced new password requirements on you…13 characters baby! MUAHAHAHAHAH!!!
Your password is your wife’s nickname “bev” (note it’s all lowercase) plus the following:
* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters
Yeah, fat man, that’s a lot of keys to push but make sure you type them altogether in one
big chunk ok? Heh, “big chunk.” A big chunk typing big chunks. That’s funny.
LOL
-Nick
Looks like I need a specially crafted list.
The year Tommy Boy came out in theaters? After a quick search on IMDB the answer seems to be 1995. With this information I can use crunch to form a list.
crunch 13 13 -t bev,%%@@^1995 -o crunchlist.txt
Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800
crunch: 15% completed generating output
crunch: 28% completed generating output
crunch: 42% completed generating output
crunch: 54% completed generating output
crunch: 67% completed generating output
crunch: 79% completed generating output
crunch: 86% completed generating output
crunch: 89% completed generating output
crunch: 93% completed generating output
crunch: 100% completed generating output
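The figures crunch reports follow directly from the hint sheet's structure. The sketch below is an added example, not part of the original write-up: it recomputes the candidate count and wordlist size for the mask used above and compares the remaining entropy with a uniformly random 13-character password. The class sizes are crunch's default sets; the 95-character baseline, the second mask and the guess rate are assumptions made for illustration.

```python
import math

# Sizes of crunch's default character sets for the -t placeholders.
CRUNCH_SETS = {"@": 26, ",": 26, "%": 10, "^": 33}
PRINTABLE_ASCII = 95  # assumption: alphabet of a uniformly random printable password


def mask_stats(mask):
    """Return (candidates, wordlist_bytes, entropy_bits) for a crunch -t mask."""
    candidates = 1
    for ch in mask:
        # Literal characters (here "bev" and "1995") contribute a factor of 1.
        candidates *= CRUNCH_SETS.get(ch, 1)
    wordlist_bytes = candidates * (len(mask) + 1)  # each line ends in a newline
    return candidates, wordlist_bytes, math.log2(candidates)


def random_bits(length, alphabet=PRINTABLE_ASCII):
    """Entropy of a password of `length` characters drawn uniformly at random."""
    return length * math.log2(alphabet)


def hours_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at a given (assumed) guess rate."""
    return candidates / guesses_per_second / 3600


if __name__ == "__main__":
    hinted = "bev,%%@@^1995"       # mask from the write-up
    no_literals = "@@@,%%@@^%%%%"  # constructed: same layout, nickname and year not disclosed
    for label, mask in (("hint sheet", hinted), ("no literals", no_literals)):
        count, size, bits = mask_stats(mask)
        print(f"{label:12} {mask}  {count:>22,} candidates  "
              f"{size / 2**20:>16,.0f} MiB  {bits:5.1f} bits")
    print(f"random 13-char printable password: {random_bits(13):.1f} bits")
    rate = 1_000_000  # assumption: illustrative guess rate, not a measured figure
    minutes = hours_to_exhaust(mask_stats(hinted)[0], rate) * 60
    print(f"hint-sheet keyspace at {rate:,} guesses/s: {minutes:.1f} minutes")
```

Seven of the thirteen characters are fixed by the hint, so the "13 characters" requirement leaves under 26 bits of uncertainty.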
That’s a lot of possibilities. Now it’s time for fcrackzip and load up the wordlist.
fcrackzip -v -D -u -p crunchlist.txt t0msp4ssw0rdz.zip
That didn’t take long. After unzipping the file I got the password.txt file.
Brute-forcing again
I need to login to the Callahan Company Blog. But for that I need the password of bigtom.
The only hint is a famous Queen number. There are a lot of famous Queen songs, so I searched for a site with the top 25 songs from Queen and used cewl to form a list.
I had the usernames already from a previous wpscan. The username of Big Tom is just tom. So with this information I ran wpscan, but this time with the brute-force option.
wpscan --url http://192.168.56.5/prehistoricforest/ --wordlist /root/Documents/CTF/TommyBoy/queen.txt --username tom
That didn’t work. Maybe I need to mangle my list a bit.
john --wordlist=queen.txt --rules --stdout > mangled-queen.txt
Press ‘q’ or Ctrl-C to abort, almost any other key for status
725p 0:00:00:00 100.00% (2016-08-03 14:31) 1542p/s Scandaling
wc queen.txt
81 269 1414 queen.txt
wc mangled-queen.txt
725 1132 7907 mangled-queen.txt
Round 2. Nothing. My list is probably not extensive enough. With cewl I built a list with all the lyrics from the top 10 songs of Queen. Ran it again through John and loaded it into wpscan. Again nothing. I had my fill of the Queen songs and turned to my most trusted list: rockyou.txt.
wpscan --url http://192.168.56.5/prehistoricforest/ --wordlist /usr/share/wordlists/rockyou.txt --username tom
After I logged in to the WordPress account I looked for the draft with the numbers.
SSH
ssh 192.168.56.5 -p 22 -l bigtommysenior
bigtommysenior@192.168.56.5’s password: fatguyinalittlecoat1938!!
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-31-generic x86_64)
* Documentation: https://help.ubuntu.com/
143 packages can be updated.
0 updates are security updates.
Last login: Thu Jul 14 13:45:57 2016
bigtommysenior@CallahanAutoSrv01:~$
Flag number 4
bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal working status.
Flag data: EditButton
But…but…where’s flag 5?
I’ll make it easy on you. It’s in the root of this server at /5.txt
Restoring backup
Before I go after the last flag, I need to restore the backup first.
cp callahanbak.bak /var/www/html/index.html
Now that that’s done, time to wrap this challenge up and collect the final flag.
Flag number 5
I didn’t need long to find flag number 5. The hint was clear……the file was just hidden.
Only problem is that I can’t access it. It is owned by www-data. Looking back at the WordPress account, it gives me no possibility to change settings and allow a PHP script to be uploaded. The solution is to be found on the server.
When checking a list of world-writeable directories there is one that is different from the rest.
Inside is an index.html.
But when I upload a PHP file I get a message.
So there is an extension filter in place. That’s ok. Let’s see if a simple addition to the filename helps. That works. shell.jpg is uploaded. Now let’s get back to the server and change the extension to its original self.
After browsing to the shell.php file I got a reverse-shell.
And there it is. Flag number 5 and the final step in this challenge.
Ok….there is another step to follow. Let’s combine the info from the flags.
B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
Awesome challenge. This one really gave me a run for my money (ok – it’s free of charge). Can’t wait to pwn the next one from 7 Minute Security!