Tommy Boy — 1:Vulnhub Walkthrough

Russell Murad
8 min read · Feb 11, 2021

Hello Guys! It’s me, Russell Murad, working as a Junior Security Engineer at Enterprise Infosec Consultants (EIC).

In this writeup, we’ll solve a vulnerable box called “Tommy Boy-1”.

The machine is inspired by the movie “Tommy Boy”, released in 1995.

It is extremely CTF-like, with a lot of rabbit holes, and it took me a long time to finish. I’ve configured both the Vulnhub machine and my Kali machine on a VirtualBox bridged network connection, so they sit on the same subnet.

You can download the machine from Vulnhub.

Now, let’s begin –

1. First, we’ll use arp-scan to find the victim machine’s IP address (it needs raw socket access, so run it as root or with sudo). Command –

arp-scan -l

2. After that we need to find the open ports and enumerate the services behind them. We’ll use Nmap for that.

nmap -sC -sV -A -O -p- -T4 --script http-enum 192.168.0.184

We’ve found three open ports so far: 22 (SSH), 80 (HTTP) and 8008 (also HTTP). Note that -A already turns on -sC, -sV and -O, so those flags are redundant here, but harmless.

Another thing: don’t get excited by all the directories the http-enum script lists. Most of them are just empty folders.

3. Now let’s do some directory brute-forcing. We’ll add the “-s 200” option so that only paths returning a 200 status code are reported. (With gobuster 3.1 and later, which blacklists 404 by default, -s is rejected unless you also clear the blacklist with -b "".)

gobuster dir -u http://192.168.0.184/ -x php,txt,bak,old,zip,gz,conf,cnf,js -s 200 -w /home/kali/Desktop/Big.txt -t 40

We’ve found a robots.txt file. Let’s check it.

4. Four directories! Let’s check them one by one.

Flag-numero-uno.txt file has our first flag. Four more to go!

Flag data: B34rcl4ws

5. The rest of those directories only contain some silly-looking photos, which I’ve inspected; nothing is hidden in them. Now let’s browse the main website and check its source.

Interestingly, there is a conversation.

And there’s a hint for finding the blog’s name: a YouTube video is linked there. I’ve watched that two-second video and it says “prehistoric forest”, which gives us the directory name.

6. Let’s browse to that directory, and we find a WordPress site hosted on the server.

That blog contains some posts, and one of them gives us our second flag.

We’ve got two flags. Three more to go!

Flag data: Z4l1nsky

7. One of the posts has a hint for us. It says to use the /Richard directory instead of /prehistoric. Let’s do that.

There’s a photo inside that directory. We’ll download it and inspect its metadata with Exiftool.

exiftool shockedrichard.jpg

8. We’ve found a hash in the image metadata. A hash can’t be decoded, but a short common password can be looked up in a precomputed table, so let’s try it on hashes.com –
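As an added example (not part of the original walkthrough), here is the same lookup done offline in Python: guess the algorithm from the digest length, then try a wordlist against every algorithm that fits. The exiftool line and the wordlist below are constructed for the demo, and the digest in it is not the hash from the box.

```python
import hashlib

# Hex-digest length -> common hashlib algorithms producing it.
# Length alone is only a heuristic (MD5 and NTLM are both 32 hex chars, for example),
# so every algorithm of that length is tried.
HEX_LENGTH_TO_ALGOS = {
    32: ["md5"],
    40: ["sha1"],
    56: ["sha224"],
    64: ["sha256"],
    96: ["sha384"],
    128: ["sha512"],
}


def identify_hash(digest):
    """Return candidate hashlib algorithm names for a hex digest, or [] if it is not hex."""
    d = digest.strip().lower()
    try:
        int(d, 16)
    except ValueError:
        return []
    return HEX_LENGTH_TO_ALGOS.get(len(d), [])


def hash_from_exif_line(line):
    """Take the value part of an exiftool 'Tag : value' output line."""
    return line.split(":", 1)[1].strip()


def crack_hash(digest, wordlist):
    """Try every word against every algorithm the digest length allows.
    Returns (algorithm, plaintext) on the first match, or None."""
    d = digest.strip().lower()
    algos = identify_hash(d)
    for word in wordlist:
        word = word.rstrip("\n")          # wordlist files come with line endings
        for algo in algos:
            if hashlib.new(algo, word.encode()).hexdigest() == d:
                return algo, word
    return None


# Constructed sample input: the shape of the line exiftool prints when a tag holds a hash.
SAMPLE_EXIF_LINE = "Copyright                       : " + hashlib.md5(b"winter2021").hexdigest()
SAMPLE_WORDLIST = ["password\n", "letmein\n", "winter2021\n", "tommyboy\n"]

if __name__ == "__main__":
    h = hash_from_exif_line(SAMPLE_EXIF_LINE)
    print("digest:", h, "looks like:", identify_hash(h))
    print("cracked:", crack_hash(h, SAMPLE_WORDLIST))
```

For a real run, replace SAMPLE_WORDLIST with a file object (`open("/usr/share/wordlists/rockyou.txt", errors="ignore")` works as-is, since the function iterates lines).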

9. We’ve found another post on the blog, and wait a second: it says there’s an FTP service on the server which is down for 15 minutes and then up for 15 minutes.

10. Let’s scan again with Nmap while the window is open -

nmap -sC -sV -A -O -p- -T4 --script http-enum 192.168.0.184

And there it is: port 65534, running FTP. If you hit the down window, wait and rescan; a full -p- scan is slow, so once you know the port it is quicker to scan just that one.
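Because the service is only reachable during its 15-minute window, polling the port until it answers is easier than re-running a full scan by hand. The poller below is an added example, not part of the original writeup; the target host and port are parameters, and the loopback listener it can start is constructed only for testing.

```python
import socket
import time


def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                     # refused, unreachable, or timed out
        return False


def wait_for_port(host, port, interval=5.0, max_wait=1800.0):
    """Poll host:port every `interval` seconds until it accepts connections.
    Returns the seconds waited, or None if max_wait elapses first.
    A service that is up 15 min and down 15 min needs max_wait of at least 900 s."""
    start = time.monotonic()
    while True:
        elapsed = time.monotonic() - start
        if port_open(host, port):
            return elapsed
        if elapsed > max_wait:
            return None
        time.sleep(interval)


def open_listener():
    """Constructed test helper: listen on a random loopback port and return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Poll the box's intermittent FTP port (assumed address from the walkthrough).
    waited = wait_for_port("192.168.0.184", 65534, interval=30)
    print("open after %.0f s" % waited if waited is not None else "gave up")
```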

11. There’s a clue about this FTP service: IT service guy Nick reset his account, which is now “nickburns”, and the post also says he used a “Very Very easy to guess password.”

I was wondering what it could be. My reasoning was that a password that easy might simply be the username itself, and that intuition turned out to be right: nickburns / nickburns worked!

12. There’s a readme.txt file; let’s download it and open it.

It’s talking about a subfolder named “NickIzL33t”.

13. Let’s try to open that directory in the browser. First I tried it on port 80 and failed, then on port 8008, and got trolled: it says only Nick and Steve Jobs can see this content.

14. I was stuck for a few minutes, then figured out it’s talking about the iPhone: the page is gated on the browser’s User-Agent, so an iPhone can access it. Let’s go to Burp and change the User-Agent header.

15. Well, that alone helps very little, because we still need to know the name of the .html page to request.

16. I was stuck for another hour, because my Kali had some problem running wfuzz, dirbuster for some reason didn’t give any useful result, dirb had the same problem, and gobuster doesn’t have a user-agent option for file mode.

So, in the end I had to use ffuf to find the .html file.

Look at fallon1, which differs from all the other responses in size, words and lines: that difference is what gives the real page away.
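Here is the same idea, sending the iPhone User-Agent and flagging the response that differs in size, as an added Python example that is not part of the original writeup and not the tool used above. The mock server it starts is constructed for the demo to imitate the gated directory (403 for a non-iPhone User-Agent, 404 for unknown names, one hidden page); the directory and page names are taken from the walkthrough, the host and port are whatever the mock server binds.

```python
import threading
import urllib.error
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# A real Mobile Safari User-Agent string (the value Burp was used to set above).
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1")


def fetch(url, user_agent):
    """GET url with the given User-Agent; return (status, bytes, words, lines) like ffuf shows."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as e:      # 403/404 responses still have a measurable body
        status, body = e.code, e.read()
    return status, len(body), len(body.split()), len(body.splitlines())


def fuzz(base_url, names, user_agent, ext=".html"):
    """Request base_url/<name><ext> for every name; return {name: (status, bytes, words, lines)}."""
    return {name: fetch("%s/%s%s" % (base_url, name, ext), user_agent) for name in names}


def outliers(results):
    """Names whose (status, size) differs from the most common response, i.e. the interesting ones."""
    if not results:
        return []
    common = Counter((s, n) for s, n, _, _ in results.values()).most_common(1)[0][0]
    return sorted(name for name, (s, n, _, _) in results.items() if (s, n) != common)


class _MockNickHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for /NickIzL33t/: UA-gated, one hidden page, 404 otherwise."""
    HIDDEN = "/NickIzL33t/fallon1.html"

    def do_GET(self):
        if "iPhone" not in self.headers.get("User-Agent", ""):
            self._send(403, b"<html><body>Only Nick and Steve Jobs can see this.</body></html>\n")
        elif self.path == self.HIDDEN:
            self._send(200, b"<html><body>\n<p>flag, hint and backup link live here</p>\n</body></html>\n")
        else:
            self._send(404, b"<html><body>Not Found</body></html>\n")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo output quiet
        pass


def start_mock_server():
    """Start the constructed mock on a random loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _MockNickHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_mock_server()
    base = "http://127.0.0.1:%d/NickIzL33t" % port
    names = ["index", "admin", "login", "fallon1", "backup"]
    for name, row in fuzz(base, names, IPHONE_UA).items():
        print("%-10s status=%d bytes=%d words=%d lines=%d" % ((name,) + row))
    print("outliers:", outliers(fuzz(base, names, IPHONE_UA)))
    srv.shutdown()
```

Against the real box you would point `base` at the 8008 port and feed `names` from a wordlist; the User-Agent gate means the same list fuzzed without IPHONE_UA returns nothing but 403s.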

17. Let’s browse it. We’ve got the third flag, a hint, and a backup.

18. Flag is -

Flag data: TinyHead

19. We’ll download the zip file now –

It’s password protected.

20. Let’s check the hint –

It’s talking about the zip file’s password: Tom’s wife’s nickname, bev, followed by one uppercase letter, two numbers, two lowercase letters, one symbol, and the year Tommy Boy was released. The order of those pieces matters, because it fixes the template we generate candidates from; the password we end up with confirms it.

21. We’ve already checked that the movie was released in 1995.

22. Now we’ll use Crunch to generate the wordlist for the password attack. In a crunch -t template, “,” stands for an uppercase letter, “%” for a digit, “@” for a lowercase letter and “^” for a symbol, and every other character is literal, so this 13-character template spells out exactly the hint. Be aware that it expands to tens of millions of candidates (26 × 100 × 676 × the symbol set), so the wordlist runs to several hundred megabytes.

crunch 13 13 -t bev,%%@@^1995 -o Dic.txt

23. We’ll use fcrackzip to crack the zip password with the wordlist we’ve just created. Use its -u option so each hit is verified with unzip; the zip header check alone is only one byte, so a plain dictionary run reports false positives.

Here’s the password we’ve found:

bevH00tr$1995
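As an added example (not part of the original walkthrough and not crunch’s or fcrackzip’s code), the same mask attack in Python: a generator that expands a crunch-style template in crunch’s order, a keyspace counter, and a crack loop with a pluggable check. The demo check is a SHA-256 of the password found above with the symbol set cut down to “$” so it finishes in a second; the symbol set in CRUNCH_SETS is my approximation of crunch’s default, and try_zip_password is the check you would plug in against the real backup zip.

```python
import hashlib
import itertools
import string
import zipfile

# crunch -t placeholders: @ lowercase, , uppercase, % digit, ^ symbol.
# The symbol set is an approximation of crunch's default (assumption, not copied from crunch).
CRUNCH_SETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/",
}


def mask_candidates(template, sets=CRUNCH_SETS):
    """Yield every string matching a crunch-style template, leftmost placeholder slowest."""
    pools = [sets.get(ch, ch) for ch in template]       # literal chars become 1-element pools
    for combo in itertools.product(*pools):
        yield "".join(combo)


def keyspace(template, sets=CRUNCH_SETS):
    """Number of candidates the template expands to (what crunch prints before writing)."""
    n = 1
    for ch in template:
        n *= len(sets.get(ch, ch))
    return n


def crack(candidates, check):
    """Return the first candidate for which check(candidate) is True, else None."""
    for pw in candidates:
        if check(pw):
            return pw
    return None


def sha256_checker(hex_digest):
    """Check function for a SHA-256 hex digest (used for the offline demo)."""
    return lambda pw: hashlib.sha256(pw.encode()).hexdigest() == hex_digest


def try_zip_password(path, pw):
    """Check function for a ZipCrypto-protected archive: reads the whole first member so the
    CRC is verified, avoiding the one-byte header check's ~1/256 false-positive rate."""
    try:
        with zipfile.ZipFile(path) as zf:
            zf.read(zf.namelist()[0], pwd=pw.encode())
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


TEMPLATE = "bev,%%@@^1995"                          # the hint, as a crunch template
FAST_SETS = dict(CRUNCH_SETS, **{"^": "$"})          # symbol set shrunk for the demo
DEMO_TARGET = hashlib.sha256(b"bevH00tr$1995").hexdigest()   # constructed target, not the zip

if __name__ == "__main__":
    print("full keyspace:", keyspace(TEMPLATE))
    print("demo keyspace:", keyspace(TEMPLATE, FAST_SETS))
    print("found:", crack(mask_candidates(TEMPLATE, FAST_SETS), sha256_checker(DEMO_TARGET)))
```

Against the real archive you would call `crack(mask_candidates(TEMPLATE), lambda pw: try_zip_password("backup.zip", pw))` with the archive’s actual filename; opening the zip once per candidate is slow in Python, which is why fcrackzip (or zip2john plus john/hashcat with a mask) is the practical tool for the full keyspace.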

24. Now we’ll unzip it using that password.

25. Let’s open the password.txt –

26. At this point I got stuck again, because none of the credentials in it worked anywhere.

The entry for the user bigtommysenior is missing some digits from its password, and the file says they can be found in a draft post on the blog.

After an hour I decided to use wpscan to enumerate users and brute-force their passwords, because drafts are only visible to a logged-in WordPress user.

Here are the usernames we found. I tried to brute-force all of them but only succeeded with one account, tom, whose password is tomtom1.

27. Let’s login with those credentials.

There’s the draft, we’ve been talking about. And we’ve got the numbers that are missing from the password.

28. Let’s log in over SSH as bigtommysenior, using his password with the missing 1938 merged into it.

And those credentials worked!

29. And there’s the fourth flag in the /home folder.

Flag Data: Edit Button

30. Let’s use the “callahanbak.bak” file to get the site back online. We’ll copy that file into “/var/www/html” and save it as “index.html”.

And it’s live!

We tried a lot of public exploits against the server to get root, but none of them worked.

So we took another approach.

31. Let’s search for directories that are writable by everyone with the find command. “-perm -222” matches only entries that have the write bit set for owner, group and others, and stderr is discarded so permission-denied noise doesn’t bury the results –

find / -perm -222 -type d 2>/dev/null

32. Watch carefully: there’s a world-writable upload directory under the web root. Let’s go to that directory and drop a PHP one-liner web shell in it.

33. We’ll open the shell from the browser and use it to read the flag file from the root directory, since the web server runs with more access to it than our SSH user has. The final flag is –

Flag data: Buttcrack

34. But there’s one task left: we need to open Loot.zip, and its password is every flag we’ve found so far concatenated in order. That gives us –

B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack

35. We’ll unzip the zip file using that password, and there is our End file.

So, guys, that’s it for today.
Thank you for reading this write-up. Cheers!
