by Oana Stoian
If you came here just for the last flag, here it is:
Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.
That’s all folks! Thanks for reading this! 🙂
And now, if you want to know the story of the TommyBoy machine, let’s start from the beginning.
This challenge has a story, and quite an enjoyable one IMHO, which makes things more interesting and pleasant.
HOLY SCHNIKES! Tommy Boy needs your help!
The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. - who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!
You'll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :-(
The primary objective is to restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.
After the classic nmap port scanning, service fingerprinting and so on, we open the browser and point it to port 80 of the machine, where we suppose Callahan Auto’s website should be:
In the page source there are a few messages (but very useful ones, e.g. indicating that there is a blog on this machine). I will keep all this info in my notes.
Next step in information gathering is to search for robots.txt. I had a nice surprise to find my first flag here:
The next step was to download the images found in robots.txt and analyze them with Exiftool, in the hope of finding some hidden metadata. No luck here! :(
Returning to the information from the source page, I visited youtube: https://www.youtube.com/watch?v=VUxOd4CszJ8 for a hint to the path for the blog. I’ve tried prehistoricforest, and it worked. This was the key for the blog.
Reading the posts and comments on the blog reveals new useful information, and there is also a password-protected post that must be important.
Accessing the indicated URL in the browser will get us the second flag:
From another comment on the blog, we get information that there is a folder named /richard.
Analyzing with Exiftool the .jpg file in that directory, I discovered a comment that seems to be an MD5 hash. Putting it on hashkiller the password is instantly found: spanky. This will unlock the password protected blog post.
Coming back to the blog I was able to use the password „spanky” to see the content of the protected post.
With the information above, the FTP port is easily found on TCP 65534. After some tries we found the valid password, which is the same as the username: nickburns.
On the FTP server we found the following message in a file called readme.txt:
Using the information from this message correlated with open ports from nmap scan, we quickly identified the folder.
Honestly, I spent some time figuring out how to go further, and finally Steve Jobs’ name rang a bell and I thought of modifying the user agent of the browser to include the iphone string.
We started our favorite web brute forcing tool – wfuzz, and identified the name of the HTML file, which is fallon1.
wfuzz -w /usr/share/seclists/Passwords/rockyou.txt --sc 200 http://172.16.100.69:8008/NickIzL33t/FUZZ.html
This will get us to the third flag.
The other hint indicates the password pattern of the encrypted file.
Using crunch I generated a list of possible passwords which uses the hint file:
crunch 13 13 -t bev,%%@@^1995 -o dictionar.txt
To brute force the protected zip I used the fcrackzip tool:
fcrackzip -v -D -p /root/tommyboy/dictionar.txt -u /root/tommyboy/t0msp4ssw0rdz.zip
The password is bevH00tr$1995
Nice… so many passwords… this will give us access to a passwords.txt file in which … you guessed it, there are other passwords and hints 🙂
Now we have a piece of the bigtommysenior SSH password and we are supposed to find the rest in a draft post on the blog. For this we need to guess the WordPress password of user tom – discovered after a quick enumeration with wpscan. Here it was interesting… the hint indicates that the password might be a song by Queen. Grabbed an extensive list of Queen songs from wikipedia :), put them in a file and started to bruteforce – but nothing… phase one. Took the list, removed spaces, started bruteforce again, still nothing… phase two. Took the list, modified case to lower, eliminated some non-alphanumerical characters, started bruteforce… but no hit… phase three. Took the list, fed it to john to obtain permutations, started bruteforce… still nada 🙂 phase four. I seriously started to question whether the password has something to do with a Queen song.
As a last resort, took the 10_million_password_list_top_1000000.txt dictionary and started the “start and forget” bruteforce. After some time, when I returned to the console… incredible, we have a hit – the password is tomtom1. It took me some time but here it is.
Armed with this information I logged on the blog and got the rest of the bigtommysenior SSH password.
Now we finally can log in through SSH and find our flag number four:
Next we restore the callahanbak.bak to /var/www/html/index.html to have the site back:
Now we are heading for the last flag… a listing in the root of the server reveals the flag’s name and permissions, which are somewhat strange, because the file is owned by user www-data:
All we need is to start a webshell which will run under www-data privileges and we will be able to read the file, or get root and have all the privileges.
Remembering the http://172.16.100.69:8008/NickIzL33t/ folder and its function as a sort of dropbox, I located it on the server and found another path which has an upload function:
Uploaded some files, tried some tricks to put a PHP file on the server, but the application seems to validate the uploaded files pretty well, allowing only certain media file extensions. Having ssh access to the machine is an advantage, allowing me to look at the PHP code and read other files also. Looking at the .htaccess file I found an interesting “backdoor” that will allow execution of .gif files as PHP.
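A defender-side check for the kind of .htaccess mapping described above, as an added example that is not part of the original write-up: it flags AddType/AddHandler/SetHandler directives that hand non-PHP extensions to a PHP handler. The sample file is constructed (the VM's actual .htaccess contents are not shown here), and the function names are hypothetical.

```python
import re
from pathlib import Path

# Extensions expected to run as PHP; anything else mapped to a PHP handler is reported.
PHP_EXTS = {"php", "phtml", "phar"}
MAP_RE = re.compile(r"^(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I)
FILES_RE = re.compile(r"^<Files(?:Match)?\s+\"?([^\">]+)\"?\s*>", re.I)
SETHANDLER_RE = re.compile(r"^SetHandler\s+(\S+)", re.I)

def audit_htaccess(text):
    """Return (line_no, directive, target) for each mapping of a non-PHP
    extension or file pattern to a PHP handler."""
    findings, scope = [], None  # scope: pattern of the enclosing <Files*> block
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILES_RE.match(line)
        if m:
            scope = m.group(1)
        elif line.lower().startswith("</files"):
            scope = None
        elif (m := MAP_RE.match(line)) and "php" in m.group(2).lower():
            findings += [(no, m.group(1), ext) for ext in m.group(3).split()
                         if ext.lstrip(".").lower() not in PHP_EXTS]
        elif (m := SETHANDLER_RE.match(line)) and "php" in m.group(1).lower():
            # Heuristic: fine only inside a <Files*> block whose pattern names a PHP extension.
            if scope is None or not any(e in scope.lower() for e in PHP_EXTS):
                findings.append((no, "SetHandler", scope or "(whole directory)"))
    return findings

def scan_tree(root):
    """Audit every .htaccess below root; returns {path: findings} for hits only."""
    hits = {}
    for p in Path(root).rglob(".htaccess"):
        found = audit_htaccess(p.read_text(errors="replace"))
        if found:
            hits[str(p)] = found
    return hits

# Constructed sample, not the VM's actual file.
SAMPLE = """\
# upload directory overrides
Options -Indexes
AddType application/x-httpd-php .gif
AddHandler application/x-httpd-php .php
<FilesMatch "\\.jpe?g$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(finding)
```

Running `scan_tree` against a web root (for example the directory that backs an upload feature) lists every override file that would make uploaded media executable.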
So, now that we know this, upload a file with PHP code but with .gif extension to the server and just read the /.5.txt file contents:
Now, all we have to do is put together all the flags as a big, big password and decrypt the LOOT.zip file to get the last flag which is shown at the beginning of this article.
Thanks to the author of the VM @7MinSec and @VulnHub team for hosting it!