Safetech Blog - Security Tips and Tricks


by Oana Stoian

Tommy Boy 1 Write-up

If you came here just for the last flag, here it is:

Callahan auto parts

That’s all folks! Thanks for reading this! 🙂

And now, if you want to know the story of the TommyBoy machine, let’s start from the beginning.

This challenge has a story, and quite an enjoyable one IMHO, which makes things more interesting and pleasant.

After the classic nmap port scan, service fingerprinting and so on, we open the browser and point it to port 80 of the machine, where we expect to find Callahan Auto’s website:

[screenshot: main_site_down]

The page source contains a few messages, and very useful ones (e.g. one indicates that there is a blog on this machine). I keep all this information in my notes.

The next step in information gathering is to look for robots.txt. I had a nice surprise: the first flag was right there:

[screenshot: robots]

[screenshot: flag1]

The next step was to download the images listed in robots.txt and analyze them with ExifTool, hoping to find some hidden metadata. No luck here!

Returning to the information from the page source, I visited the YouTube link https://www.youtube.com/watch?v=VUxOd4CszJ8 for a hint about the blog’s path. I tried prehistoricforest, and it worked. This was the key to the blog.

Reading the posts and comments on the blog reveals new useful information, and there is also a password-protected post that must be important.

[screenshot: michelle_comment]

Accessing the indicated URL in the browser will get us the second flag:

[screenshot: flag2]

From another comment on the blog, we learn that there is a folder named /richard.

Analyzing the .jpg file in that directory with ExifTool, I discovered a comment that looks like an MD5 hash. Submitting it to hashkiller, the password is found instantly: spanky. This unlocks the password-protected blog post.

[screenshot: richard]

[screenshot: exiftool]

Back on the blog, I used the password "spanky" to see the content of the protected post.

[screenshot: protected_blog]

With the information above, the FTP port is easily found on tcp/65534. After a few tries, we found the valid password, which is the same as the username: nickburns.

On the FTP server we found the following message in a file called readme.txt:

[screenshot: message ftp]

Using the information from this message, correlated with the open ports from the nmap scan, we quickly identified the folder.

[screenshot: 8008]

Honestly, I spent some time figuring out how to go further; finally the Steve Jobs name rang a bell and I thought of changing the browser’s User-Agent to include the iPhone string.

[screenshot: dummy]

We started our favorite web brute-forcing tool, wfuzz, and identified the name of the HTML file: fallon1.

wfuzz -w /usr/share/seclists/Passwords/rockyou.txt --sc 200 http://172.16.100.69:8008/NickIzL33t/FUZZ.html

[screenshot: falon fallon]

This will get us to the third flag.

[screenshot: flag3]

The other hint gives us the password pattern of the encrypted file.

Using crunch, I generated a list of possible passwords based on the hint file:

[screenshot: hint_zip]

To brute-force the protected zip I used the fcrackzip tool:

The password is bevH00tr$1995.

Nice… so many passwords… this gives us access to a passwords.txt file in which, you guessed it, there are more passwords and hints 🙂

[screenshot: passwords]
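As an added example (not the write-up’s own commands), here is the same candidate-generation and checking loop in Python, covering both the EXIF MD5 comment cracked earlier and the crunch + fcrackzip step above: a crunch-style mask expander, a checker for an unsalted MD5, and a checker for a password-protected zip. The mask in the demo is an assumption for illustration only, since the real hint exists only in the screenshot; the code uses nothing beyond the standard library.

```python
import hashlib
import itertools
import string
import zipfile
import zlib
from typing import Callable, Iterable, Iterator, Optional

# crunch's -t placeholders (assumption: mirrors the documented -t syntax).
# Every other character in the mask is taken literally, so a literal
# '@', ',', '%' or '^' cannot be expressed with this simple mapping.
MASK_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}


def expand_mask(mask: str) -> Iterator[str]:
    """Yield every candidate that matches a crunch-style mask."""
    slots = [MASK_CLASSES.get(ch, ch) for ch in mask]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def keyspace_size(mask: str) -> int:
    """Number of candidates a mask expands to; check this before running."""
    size = 1
    for ch in mask:
        size *= len(MASK_CLASSES.get(ch, ch))
    return size


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def md5_verifier(target_hex: str) -> Callable[[str], bool]:
    """Checker for an unsalted MD5, like the hash in the EXIF comment."""
    target = target_hex.lower()
    return lambda candidate: md5_hex(candidate) == target


def zip_verifier(path: str) -> Callable[[str], bool]:
    """Checker for a traditionally (ZipCrypto) encrypted archive.

    zipfile.open() only compares one check byte, so about 1 in 256 wrong
    passwords gets past it; reading the member to the end forces the
    CRC-32 check and removes those false positives.
    """
    archive = zipfile.ZipFile(path)
    member = next(info for info in archive.infolist() if not info.is_dir())

    def check(candidate: str) -> bool:
        try:
            with archive.open(member, pwd=candidate.encode()) as fh:
                while fh.read(65536):
                    pass
            return True
        except (RuntimeError, zipfile.BadZipFile, zlib.error, EOFError):
            return False

    return check


def find_password(candidates: Iterable[str],
                  verify: Callable[[str], bool]) -> Optional[str]:
    """Stop at the first candidate the verifier accepts."""
    for candidate in candidates:
        if verify(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Assumed mask for illustration: "bevH00tr", one symbol, then a 1990s year.
    mask = "bevH00tr^199%"
    print(keyspace_size(mask), "candidates")
    # stand-in verifier so the demo runs without the archive; for a real run
    # replace the lambda with zip_verifier("file.zip")
    print(find_password(expand_mask(mask), lambda p: p == "bevH00tr$1995"))
```

Two caveats worth knowing before relying on this: Python’s zipfile only understands traditional ZipCrypto (AES-encrypted archives raise NotImplementedError on open), and its one-byte password check is why the verifier reads the whole member; fcrackzip’s --use-unzip option exists for the same reason.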

Now we have a piece of bigtommysenior’s SSH password and we are supposed to find the rest in a draft post on the blog. For this we need to guess the WordPress password of the user tom, discovered after a quick enumeration with wpscan. Here it got interesting… the hint tells us that the password might be a Queen song. I grabbed an extensive list of Queen songs from Wikipedia :), put them in a file and started brute-forcing, but nothing… phase one. Took the list, removed the spaces, started the brute force again, still nothing… phase two. Took the list, converted it to lower case, removed some non-alphanumeric characters, started the brute force… but no hit… phase three. Took the list, fed it to john to obtain permutations, started the brute force… still nada 🙂 phase four. I seriously started to question whether the password had anything to do with a Queen song.

As a last resort, I took the 10_million_password_list_top_1000000.txt dictionary and started a "fire and forget" brute force. After some time, when I returned to the console… incredible, we have a hit: the password is tomtom1. It took me some time, but here it is.
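For the curious, the four mangling phases described above, written out as a small Python helper. This is an added example, not the author’s tooling: the song titles are a constructed sample standing in for the Wikipedia list, and the suffixes in phase four are an arbitrary stand-in for the permutations john’s rules would produce.

```python
import re
from typing import Iterable, List

# Constructed sample of song titles, standing in for the Wikipedia list.
SAMPLE_TITLES = [
    "Bohemian Rhapsody",
    "We Will Rock You",
    "Don't Stop Me Now",
    "Another One Bites the Dust",
]

# Phase four stand-in: a few suffixes of the kind john's rules append.
SUFFIXES = ("1", "123", "!", "2016")


def mangle(title: str) -> List[str]:
    """Variants of one title in the order the phases above tried them."""
    nospace = title.replace(" ", "")                       # phase two
    alnum = re.sub(r"[^a-z0-9]", "", title.lower())        # phase three
    variants = [title, nospace, alnum,                     # phases one to three
                alnum.capitalize(), alnum.upper(),         # phase four
                *(alnum + suffix for suffix in SUFFIXES)]
    seen = set()
    return [v for v in variants if not (v in seen or seen.add(v))]


def build_wordlist(titles: Iterable[str]) -> List[str]:
    """One deduplicated list so every login attempt is spent only once."""
    seen = set()
    words: List[str] = []
    for title in titles:
        for variant in mangle(title):
            if variant not in seen:
                seen.add(variant)
                words.append(variant)
    return words


if __name__ == "__main__":
    for word in build_wordlist(SAMPLE_TITLES):
        print(word)
    # write the list to a file and feed it to wpscan's password attack
```

Deduplicating matters more than it looks: against a login form every duplicate is a wasted request, and on a target with lockout or rate limiting it can cost the whole attack.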

Armed with this information, I logged on to the blog and got the rest of bigtommysenior’s SSH password.

[screenshot: ss8]

Now we finally can log in through SSH and find our flag number four:

[screenshot: ssh_tom]

Next we restore callahanbak.bak to /var/www/html/index.html to bring the site back:

[screenshot: site_online]

Now we are heading for the last flag… a listing of the server’s root directory reveals the flag’s file name and its permissions, which are somewhat strange, because the file is owned by the user www-data:

[screenshot: 5_root]

So all we need is a web shell running with www-data privileges, which lets us read the file (or we could get root and have all privileges).

Remembering the http://172.16.100.69:8008/NickIzL33t/ folder and its function as a sort of dropbox, I located it on the server and found another path which has an upload function:

[screenshot: upload_folder]

I uploaded some files and tried some tricks to get a PHP file onto the server, but the application seems to validate uploads fairly well, allowing only certain media file extensions. Having SSH access to the machine is an advantage, since it lets me read the PHP code and other files as well. Looking at the .htaccess file, I found an interesting "backdoor" that allows .gif files to be executed as PHP.

[screenshot: htaccess]

So, now that we know this, we upload a file containing PHP code but with a .gif extension to the server and simply read the contents of /.5.txt:

[screenshot: flag5]
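The .htaccess trick above is worth a defender-side check. The following added example (not from the write-up or the VM) walks a web root and reports every AddType, AddHandler, SetHandler or ForceType line that hands non-PHP names to the PHP engine. The sample tree it builds is constructed here, and the AddType application/x-httpd-php .gif line in it is the assumed shape of the backdoor, since the write-up only shows a screenshot of the real file.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Directives that bind a file to a handler or MIME type.  AddType and
# AddHandler take "<handler> <ext>..."; SetHandler and ForceType apply to
# the whole directory (or the enclosing <Files>/<FilesMatch> block).
DIRECTIVE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|ForceType)\s+(.+?)\s*$", re.I)
# Extensions you would expect to be handed to the PHP engine.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def suspicious_lines(text: str) -> List[Tuple[int, str]]:
    """(line_number, line) pairs that route non-PHP names to PHP."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        match = DIRECTIVE.match(line)
        if not match:
            continue
        directive, rest = match.group(1).lower(), match.group(2)
        tokens = rest.split()
        if "php" not in tokens[0].lower():
            continue                            # handler is not PHP at all
        if directive in ("sethandler", "forcetype"):
            hits.append((number, raw.strip()))  # scope-wide; review by hand
            continue
        exts = {ext.lstrip(".").lower() for ext in tokens[1:]}
        if exts - PHP_EXTENSIONS:
            hits.append((number, raw.strip()))
    return hits


def scan_webroot(root: str) -> List[Tuple[str, int, str]]:
    """Walk a document root and report every .htaccess line worth reviewing."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            for number, line in suspicious_lines(fh.read()):
                findings.append((path, number, line))
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree (not the VM's files) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="webroot-")
    upload_dir = os.path.join(root, "uploads")
    os.makedirs(upload_dir)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    with open(os.path.join(upload_dir, ".htaccess"), "w") as fh:
        fh.write(
            "AddType image/gif .gif\n"                    # harmless
            "AddType application/x-httpd-php .php\n"     # expected
            "# only 'media' may be uploaded, but...\n"
            "AddType application/x-httpd-php .gif\n"     # the backdoor (assumed form)
            '<FilesMatch "\\.(jpg|png)$">\n'
            "    SetHandler application/x-httpd-php\n"   # same idea, other syntax
            "</FilesMatch>\n"
        )
    return root


if __name__ == "__main__":
    for path, number, line in scan_webroot(build_sample_webroot()):
        print(f"{path}:{number}: {line}")
```

With such a mapping in place, any uploaded file whose name ends in .gif is executed by PHP regardless of its contents, which is why the upload filter’s extension check alone was not enough; the payload the write-up uploaded needs nothing more than a PHP tag that reads /.5.txt. Run the scan from the document root of any server that lets users upload into a directory with its own .htaccess, and ask whether AllowOverride needs to honour .htaccess in upload directories at all.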

Now all we have to do is put all the flags together into one big, big password and decrypt the LOOT.zip file to get the last flag, which is shown at the beginning of this article.

Thanks to the author of the VM @7MinSec and @VulnHub team for hosting it!
