I apologize for not being word-perfect in English; I am not a native English speaker.
Below is the information from the creator. Our main purpose is to restore the website as well as collect 5 flags to claim the full pwn of the VM.
HOLY SCHNIKES! Tommy Boy needs your help! The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads. Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. – who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit! You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business 🙁
Let’s start with nmap to see whether there are any services available for me to attack.
From nmap’s results we already have the first flag. I checked each of the other items listed as disallowed in robots.txt, but nothing interesting was found.
Callahan Auto’s webpage on TCP/80.
Another secret webpage on TCP/8008.
I also ran Nikto against both web services on TCP/80 and TCP/8008.
On TCP/80 I found that there is A LOT of directory indexing, but nothing important was found on TCP/8008.
By viewing the page source of Callahan Auto’s webpage on TCP/80, I found information in an HTML comment about the URL of the company’s blog.
The hint is about this video, so I tried to access the company’s blog with URIs guessed from the name of the video, and I found one URI that works: “prehistoricforest”. The company’s blog is running WordPress.
I checked all of the company’s blog posts and pages and found a post that is password protected, as well as the second flag in this post: http://192.168.111.137/prehistoricforest/index.php/2016/07/06/announcing-the-callahan-internal-company-blog/
It’s time to launch wpscan against the company’s blog to check for any vulnerable themes or plugins and also to enumerate all available usernames.
Not that much information for me; Akismet should be a false positive? I don’t know, but I got a list of usernames and didn’t know where to go next. I decided to brute-force Big Tom’s WordPress account with the rockyou dictionary, and it worked! I can now access the company’s blog with Big Tom’s credentials, but the problem is that Big Tom’s account is not a WordPress administrator.
I found Big Tom’s draft post, and it contains the SECOND part of his SSH credential: “1938!!”
Back to the password-protected post. I need to figure out the password to see this post. I found another blog post asking about this password, and the only hint is a picture in Richard’s home directory: http://192.168.111.137/richard/
Following it to check inside Richard’s directory, I found only one picture.
This is what shockedrichard.jpg looks like. Yes, it shocked me as well. How can I get the password from this picture? I hope it is not steganography.
Lucky for me, I have some basic forensic skills. EXIF should be the answer! I used the exif tool in Kali to extract whatever metadata is stored in this picture. Take a careful look at the “User Comment” section: is it an MD5 hash?
Let’s try DuckDuckGo instead of cracking this MD5 string myself and wasting time. Whatever result DuckDuckGo gives should be the password for the protected post, I thought.
The password for the protected post is “spanky”, so now I am able to access the password-protected post and go on.
This protected post contains several important pieces of information.
We can restore Callahan Auto’s website with a backup file in Big Tom’s home directory, named callahanbak.bak
We have to complete #1 under Big Tom’s account only, but Big Tom always forgets his credentials, as we saw earlier when Big Tom saved the second part of his SSH credential in a draft blog post.
There is other information under Nick’s FTP, but the FTP server is not always online (up 15 minutes, down 15 minutes, in a loop).
Nick just reset his FTP account name to “nickburns” with an easy-to-guess password, and he has already deleted his SSH account.
Let’s try attacking Nick’s FTP server. His FTP server is listening on TCP/65534. I waited until the FTP server came online, and since Nick mentioned the password is “easy to guess”, I tried the obvious: the password is the same as his username.
Nick’s FTP server has only one text file called readme.txt, so I downloaded it to follow up.
TL;DR 1. There is a subfolder called NickIzL33t on this server and Nick uses it as his personal dropbox. 2. Nick has created an encrypted zip file to store Big Tom’s credentials. 3. Nick created a hint for the password to extract the encrypted zip file.
I found Nick’s dropbox under another virtual host on this server listening on TCP/8008, but as always, it has some security setup.
The hint says that only Nick and Steve Jobs can see the content, so I tried changing the User-Agent to an iPhone’s.
Now I am able to access his private dropbox, but it is just a dummy test! It has another level of protection. I need to find the exact HTML file name to access the real dropbox URL.
I ran dirbuster with the modified User-Agent against it to find the exact page. I tried all of dirbuster’s default dictionaries with no luck, so I tried the rockyou dictionary, and this time it worked!
From the information above we have several items to follow up.
Extract Big Tom’s encrypted password backup file using the hint below.
The third flag.
http://192.168.111.137:8008/NickIzL33t/flagtres.txt THREE OF 5 FLAGS – you’re awesome sauce. Flag data: TinyHead
I used crunch to generate a wordlist following all the conditions from the hint, to crack the encrypted zip file, as below.
root@kali:~# crunch 13 13 -t bev,%%@@^1995 -o passlist_tomboy.txt
Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800
crunch:  62% completed generating output
crunch: 100% completed generating output
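The crunch run above is worth sizing: the hint fixes seven of the thirteen characters and the character class of the other six, so the search space collapses to the 58,000,800 lines crunch reports. The script below is an added example (not part of the original write-up) that computes the keyspace and wordlist size from a crunch -t pattern; it assumes crunch’s default character classes, including its 33-character symbol set.

```python
import itertools
import string

# Added example (not from the original write-up): size the search space that a
# crunch -t pattern describes, using crunch's default character classes:
#   @ lowercase   , uppercase   % digit   ^ symbol   anything else is literal.
# The symbol class below is assumed to be crunch's default set (33 characters,
# including the trailing space); the page's own run agrees with that count.
CRUNCH_CLASSES = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}


def keyspace(pattern):
    """Number of candidates crunch would write for this -t pattern."""
    n = 1
    for ch in pattern:
        n *= len(CRUNCH_CLASSES[ch]) if ch in CRUNCH_CLASSES else 1
    return n


def output_bytes(pattern):
    """Wordlist size on disk: every candidate plus its newline."""
    return keyspace(pattern) * (len(pattern) + 1)


def candidates(pattern):
    """Yield the candidates (crunch's exact ordering is not reproduced)."""
    slots = [CRUNCH_CLASSES.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def hours_at(pattern, guesses_per_second):
    """Worst-case time to exhaust the pattern at a given guessing rate."""
    return keyspace(pattern) / guesses_per_second / 3600


if __name__ == "__main__":
    hint = "bev,%%@@^1995"            # the pattern used in the write-up
    print(keyspace(hint), "candidates,", output_bytes(hint), "bytes")
    print("first candidate:", next(candidates(hint)))
    # Same length with no structural hint: 95 printable choices per position.
    print(f"unconstrained 13 chars is {95 ** 13 / keyspace(hint):.2e} x larger")
```

The ratio printed at the end is the practical lesson: a password hint that leaks structure, not the password itself, is what turns an infeasible brute force into a 774 MB wordlist.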
Then crack it with fcrackzip.
Password found; let’s try to extract Big Tom’s encrypted password backup file.
Now I have the first part of Big Tom’s SSH credential, and I already have the second part from his draft in the company’s blog, so his SSH credential should be:
Username: bigtommysenior Password: fatguyinalittlecoat1938!!
By accessing Big Tom’s SSH account I got the fourth flag as well as the location of the fifth flag. There is also a protected zip file called LOOT.ZIP and the backup file for the website.
Now I should restore Callahan Auto’s website. This is the main objective, so I’ll do it first.
Callahan Auto’s website is back online….. : )
The last item to follow up is capturing the last flag! I tried A LOT of privilege escalation techniques, but this is a brand new Ubuntu box and there is no local privilege escalation exploit available yet (as for 0days, I don’t know).
I checked their wp-config to obtain the MySQL credentials. I had a quick look through the databases to see whether there was anything else for me to get the last flag, but it seems I had already completed the website part; no information for me this time.
One little idea came to mind: maybe the file /5.txt has permissions other than root:root, or some other special permission, so let’s check. Hmmm, well, “www-data” is the owner of /.5.txt!!
I don’t need to be root to access this file anymore; I need to compromise this web server to get a shell running as the web server’s service account (www-data).
The backend of this web server is Apache, and I am very familiar with this kind of service configuration due to my primary job. I checked all the Apache configurations and found the exact location of Nick’s dropbox document root.
I went to Nick’s dropbox document root to see whether there was any other item I had missed. I also found a vulnerable upload page in it. This should be the page Nick uses to upload his private stuff.
I am not a programmer, but I can write some basic PHP, Bash and Python scripts. With my little knowledge, reviewing this upload page’s source code shows it is a vulnerable upload page, because it checks only the extension of the uploaded file, not the actual file type.
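To make the flaw concrete, here is an added example (not the upload page from the VM; function and constant names are assumed) that puts an extension-only check like the one described above next to a hardened validator: allowlisted extension, exactly one extension, leading bytes that match the claimed type, no embedded PHP tag, and a server-chosen stored name.

```python
import os
import re
import secrets

# Added example (not the VM's upload page; names are assumed): the
# extension-only check described above next to a hardened validator.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "txt"}
# Leading bytes each image type must start with. txt has no fixed signature.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def naive_check(filename):
    """The flaw on the page: trust the client-supplied extension, ignore content."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT


def hardened_check(filename, data):
    """Return (accepted, reason, stored_name).

    stored_name is chosen by the server, so the name under the document root
    never comes from the client. Keep the upload directory non-executable
    (no PHP handler) as well; the content checks are defence in depth.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path part
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "need exactly one extension", None   # blocks x.php.jpg
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed", None
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        return False, "content does not match extension", None
    if ext == "txt" and b"\x00" in data:
        return False, "binary content in text upload", None
    if PHP_TAG.search(data):
        return False, "embedded PHP tag", None              # image/PHP polyglot
    return True, "ok", secrets.token_hex(8) + "." + ext


if __name__ == "__main__":
    php = b"<?php echo 'hello'; ?>"                # constructed, harmless body
    print("naive accepts shell.jpg:", naive_check("shell.jpg"))
    print("hardened:", hardened_check("shell.jpg", php))
```

The naive check accepts shell.jpg regardless of what the bytes are, which is exactly the gap the write-up exploits; the hardened version rejects it because the content does not start with a JPEG signature.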
I used Burp Suite to edit the data in the upload of a PHP reverse-shell file while listening for a connection from the PHP reverse shell on my Kali box.
There were no issues with this at all; everything worked as expected. I got the last flag.
As you may remember, there is an encrypted file called “LOOT.ZIP” in Big Tom’s home directory. Let’s put all the flag data together to extract it.