Introduction

First things first, I would like to say thank you to the creator of this vulnerable VM. It was so much fun for me.
https://7ms.us/tommyboy/
https://www.vulnhub.com/entry/tommy-boy-1,157/

I apologize for not being word-perfect in English; I am not a native English speaker.

Reconnaissance

Below is the information from the creator. Our main purpose is to restore the website as well as collect 5 flags to claim a full pwn of the VM.

HOLY SCHNIKES! Tommy Boy needs your help! 
The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. – who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit! 
You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business 🙁

Scanning

Let’s start with nmap to see whether there are any services available for me to attack.

[Screenshot: tommyboy-nmap]

As a result of the nmap scan, we’ve got the first flag already. I’ve checked each of the other items listed as disallowed in robots.txt but found nothing interesting.

[Screenshot: tommyboy-flag1]

Callahan Auto’s webpage on TCP/80.

[Screenshot: Callahan Auto webpage]

Another secret webpage on TCP/8008.

[Screenshot: Callahan Auto webpage 8008]

I also ran Nikto against both web services on TCP/80 and TCP/8008.

On TCP/80 I found that there is A LOT of directory indexing, but nothing important was found on TCP/8008.

Gaining Access

By viewing the page source of Callahan Auto’s webpage on TCP/80, I found information in an HTML comment about the URL of the company’s blog.

[Screenshot: Callahan Auto webpage source]

The hint is about this video, so I tried to access the company’s blog with random URIs based on the name of the video, and I found one URI that works: “prehistoricforest”. The company’s blog is running WordPress.

[Screenshot: Callahan Auto blog]

I checked all of the company’s blog posts and pages and found a post that is password protected, as well as the second flag in this post: http://192.168.111.137/prehistoricforest/index.php/2016/07/06/announcing-the-callahan-internal-company-blog/

[Screenshots: Callahan Auto blog post flag2, tommyboy-flag2]

It’s time to launch wpscan against the company’s blog to check for any vulnerable theme or plugin, and also to enumerate all available usernames.

[Screenshot: Callahan Auto blog wpscan]

It’s not that much information for me; Akismet should be a false positive? I don’t know, but I got a list of usernames and I didn’t know where to go next. I decided to brute-force Big Tom’s WordPress account with the rockyou dictionary, and it worked! I can now access the company’s blog with Big Tom’s credentials, but the problem is that Big Tom’s account is not a member of the WordPress administrator role.

[Screenshot: Callahan Auto blog wpscan brute force]

I found Big Tom’s draft post, and it is the SECOND part of his SSH credential: “1938!!”

[Screenshot: Callahan Auto blog big tom draft]

Back to the password protected post. I need to figure out the password to see this post. I found another blog post asking about this password, and the only hint is one of the pictures in Richard’s home directory: http://192.168.111.137/richard/

[Screenshot: Callahan Auto blog post ask for password]

Following it to check inside Richard’s directory, I found only one picture in it.

[Screenshot: Callahan Auto richard home dir]

This is what shockedrichard.jpg looks like. Yes! It shocked me as well. How can I get the password from this picture? I hope it is not steganography.

[Screenshot: shockedrichard]

Lucky for me, I have some basic forensic skills. EXIF should be the answer! I used the exif tool in Kali to extract whatever metadata is stored in this picture. Take a careful look at the “User Comment” section: is it an MD5 hash?

[Screenshot: exif shockedrichard]

Let’s try DuckDuckGo instead of cracking this MD5 string myself and wasting time. Whatever result comes back from DuckDuckGo should be the password to see the protected post, right?

[Screenshot: hash shockedrichard]

The password for the protected post is “spanky”, so now I am able to access the password protected post and go on.

[Screenshot: Callahan Auto blog protected post]

This protected post contains several important pieces of information.

  1. We can restore Callahan Auto’s website with a backup file in Big Tom’s home directory, named callahanbak.bak.

  2. We have to complete #1 under Big Tom’s account only, but Big Tom always forgets his credentials, as we saw previously when Big Tom saved the second part of his SSH credential in a draft blog post.

  3. There is more information under Nick’s FTP, but the FTP server is not always online (up 15 mins, down 15 mins, then loop).

  4. Nick just reset his FTP account name to “nickburns” with an easy-to-guess password, and he has already deleted his SSH account.

Let’s try attacking Nick’s FTP server. His FTP server is listening on TCP/65534. I waited until the FTP server was online; Nick mentioned that the password is “easy to guess”, and the password is the same as his username.

[Screenshot: nick server]

Nick’s FTP server has only one text file called readme.txt, so I downloaded it to follow up.

[Screenshot: nick server readme]

TL;DR:

  1. There is a subfolder called NickIzL33t on this server and Nick used it as his personal dropbox.

  2. Nick has created an encrypted zip file to store Big Tom’s credentials.

  3. Nick created a hint for the password to extract the encrypted zip file.

I found Nick’s dropbox under another virtual host on this server listening on TCP/8008, but as always, it has some security setup.

[Screenshot: nick dropbox protected]

The hint says that only Nick and Steve Jobs can see the content, so I tried changing the user-agent to an iPhone.

[Screenshot: nick dropbox burp]

Now I am able to access his private dropbox, but it is just a dummy test! It has another level of protection. I need to find the exact HTML file name to access the real dropbox URL.

[Screenshot: nick dropbox user-agent]

I ran dirbuster with the modified user-agent against it to find out the exact page. I tried all of dirbuster’s default dictionaries but had no luck, so I tried the rockyou dictionary and this time it worked!

[Screenshots: nick dropbox dirbuster setup, nick dropbox dirbuster result]

http://192.168.111.137:8008/NickIzL33t/fallon1.html

[Screenshot: nick dropbox fallon1]

From the information above we have several items to follow up.

  1. Extract Big Tom’s encrypted password backup file using the hint below.

     [Screenshot: nick hint]

  2. The third flag.

http://192.168.111.137:8008/NickIzL33t/flagtres.txt
    THREE OF 5 FLAGS – you’re awesome sauce.
    Flag data: TinyHead

I used crunch to generate a wordlist that follows all the conditions from the hint, in order to crack the encrypted zip file, as below:

# crunch 13 13 -t bev,%%@@^1995 -o passlist_tomboy.txt
    Crunch will now generate the following amount of data: 812011200 bytes
    774 MB
    0 GB
    0 TB
    0 PB
    Crunch will now generate the following number of lines: 58000800
    crunch:  62% completed generating output
    crunch: 100% completed generating output
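As an added example (not part of the original write-up), this reproduces the candidate count and output size crunch reported for the pattern above, which makes it easy to see how much a password hint like Nick’s shrinks the search compared with an unconstrained 13-character password. The 33-character symbol class is assumed to be crunch’s default set.

```python
# Added example, not from the original write-up: size of the keyspace that a
# crunch -t pattern describes. Placeholders: ',' upper, '%' digit, '@' lower,
# '^' symbol; any other character is literal and fixed. The symbol class is
# assumed to be crunch's default set of 33 characters.

CLASS_SIZES = {
    "@": 26,  # lowercase letters a-z
    ",": 26,  # uppercase letters A-Z
    "%": 10,  # digits 0-9
    "^": 33,  # crunch's default symbol set (assumed)
}


def crunch_keyspace(pattern: str) -> int:
    """Number of candidates 'crunch N N -t PATTERN' emits (N == len(pattern))."""
    count = 1
    for ch in pattern:
        count *= CLASS_SIZES.get(ch, 1)  # literal characters contribute 1
    return count


def crunch_output_bytes(pattern: str) -> int:
    """Bytes written to the -o file: each candidate plus a trailing newline."""
    return crunch_keyspace(pattern) * (len(pattern) + 1)


def unconstrained_keyspace(length: int, alphabet: int = 95) -> int:
    """Same length drawn from all 95 printable ASCII characters, for comparison."""
    return alphabet ** length


def fixed_fraction(pattern: str) -> float:
    """Share of positions the hint pins down (1.0 means fully known)."""
    fixed = sum(1 for ch in pattern if ch not in CLASS_SIZES)
    return fixed / len(pattern)


if __name__ == "__main__":
    pat = "bev,%%@@^1995"  # the pattern used in the write-up
    print(f"{pat}: {crunch_keyspace(pat):,} candidates, "
          f"{crunch_output_bytes(pat):,} bytes on disk")
    print(f"unconstrained 13-char space: {unconstrained_keyspace(13):,}")
    print(f"positions fixed by the hint: {fixed_fraction(pat):.0%}")
```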

Then crack it with fcrackzip.

[Screenshot: fcrackzip result]

Password found; let’s try to extract Big Tom’s encrypted password backup file.

[Screenshot: extract encrypted file]

Now I have the first part of Big Tom’s SSH credential, and I already have the second part from his draft in the company’s blog, so his SSH credential should be:

Username: bigtommysenior
    Password: fatguyinalittlecoat1938!!

By accessing Big Tom’s SSH account I got the fourth flag as well as the location of the fifth flag. There is also a protected zip file called LOOT.ZIP and the backup file for the website.

[Screenshot: Big Tom HHH]

Now I should restore Callahan Auto’s website. This is the main objective, so I’ll do it first.

[Screenshot: restoring callahan auto website]

Callahan Auto’s website is back online….. : )

[Screenshot: callahan auto website online]

The last item to follow up is to capture the last flag! I’ve tried A LOT of privilege escalation techniques, but this is a brand new Ubuntu box and there is no local privilege escalation exploit available yet (apart from a 0day, IDK).

[Screenshot: Callahan Auto OS version]

I checked wp-config to obtain the MySQL credentials. I had a quick review of the databases to see whether there was anything else there to get the last flag, but it seems I had already completed the website part. No information for me this time.

One little idea came to mind: what if /5.txt has other permissions configured instead of root:root, or some other special permission? So let’s check it. Hmmm, well, “www-data” is the owner of /.5.txt!!

[Screenshot: 5 txt perm]

I don’t need to be root to access this file anymore; I need to compromise this web server to get a shell running as the web server service account (www-data).

The backend of this web server is Apache, and I am very familiar with this kind of service configuration due to my primary job. I checked all the Apache configurations and found the exact location of Nick’s dropbox document root.

[Screenshot: apache 8008 configuration]

I went to Nick’s dropbox document root to see whether there was any other item I had missed. I also found a vulnerable upload page in it. This should be the page Nick uses to upload his private stuff.

[Screenshot: Nick Vuln upload page]

I am not a programmer, but I can write some basic PHP, Bash and Python scripts. With my little knowledge, reviewing the source code of this upload page shows that it is a vulnerable upload page because it checks only the extension of the uploaded file, not the actual file type.
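As an added example (not the VM’s own upload page, and written in Python rather than PHP), here is the extension-only check the write-up describes beside a stricter version that also requires exactly one extension and leading bytes that match the claimed image type. The sample uploads at the bottom are constructed for illustration.

```python
# Added example, not the VM's upload page: the weak extension-only check next
# to a stricter check (single extension + content signature). The sample
# uploads below are constructed here, not taken from the VM.
import os

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {  # leading bytes each allowed image type must start with
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def extension_only_check(filename: str) -> bool:
    """The weak pattern: trusts whatever name the client supplied."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXT


def strict_upload_check(filename: str, data: bytes) -> str:
    """Return 'ok', or the reason the upload was rejected."""
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return "rejected: name must be <base>.<ext> with exactly one dot"
    ext = "." + parts[1].lower()
    if ext not in ALLOWED_EXT:
        return f"rejected: extension {ext} not allowed"
    if not data.startswith(MAGIC[ext]):  # startswith accepts a tuple
        return f"rejected: content does not look like {ext}"
    return "ok"


# Constructed samples: a PNG-looking blob, script text named as an image,
# and a double extension that an extension-only check waves through.
SAMPLES = {
    "pic.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.jpg": b"<?php echo 'not an image'; ?>",
    "photo.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: ext-only={extension_only_check(name)} "
              f"strict={strict_upload_check(name, blob)}")
```

A signature check is still not a guarantee that a file is harmless, so the upload directory should additionally be served with script execution disabled.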

I used Burp Suite to edit the data in the upload process of a PHP reverse-shell file while listening for a connection from the PHP reverse shell on my Kali box.

[Screenshots: uploading malicious php, burp edit upload data, tomboy-flag 5]

There were no issues with this at all; everything worked as expected. I got the last flag.

As you may remember, there is an encrypted file called “LOOT.ZIP” in Big Tom’s home directory. Let’s put all the flag data together to extract it.

password: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

The end.