Hack the TommyBoy VM (CTF Challenge)
https://www.vulnhub.com/entry/tommy-boy-1,157/
http://www.hackingarticles.in/hack-tommyboy-vm-ctf-challenge/
http://10.0.2.135/robots.txt
User-agent: *
Disallow: /6packsofb...soda
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt
- First flag: http://10.0.2.135/flag-numero-uno.txt
Flag data: B34rcl4ws
- The page source of 10.0.2.135 contains a YouTube link: https://www.youtube.com/watch?v=VUxOd4CszJ8 (the source can also be fetched with
curl http://10.0.2.135
). The video contains a "prehistoric forest" clue, so we browse to http://10.0.2.135/prehistoricforest/
- Under /prehistoricforest/ we find http://10.0.2.135/prehistoricforest/index.php/2016/07/06/announcing-the-callahan-internal-company-blog/#comment-5 with the clue "Flag #2: thisisthesecondflagyayyou.txt"
- Browsing to /prehistoricforest/thisisthesecondflagyayyou.txt reveals the second flag:
Flag data: Z4l1nsky
- The site runs WordPress, so scan it with wpscan:
wpscan --url http://10.0.2.135/prehistoricforest --enumerate user
[+] Enumerating usernames ...
[+] Identified the following 4 user/s:
+----+----------+-------------------+
| Id | Login    | Name              |
+----+----------+-------------------+
| 1  | richard  | richard           |
| 2  | tom      | Big Tom           |
| 3  | tommy    | Tom Jr.           |
| 4  | michelle | Michelle Michelle |
+----+----------+-------------------+
- Browsing to http://10.0.2.135/richard reveals shockedrichard.jpg
- Analyse the image with exif:
exif shockedrichard.jpg
This reveals a hash: ce154b5a8e59c89732bc25d6a2e6b90b. Cracking it with an online service gives: spanky
- In the blog post "Protected: Status of restoring company home page", enter the password spanky
- The post mentions nickburns and FTP, so connect to the FTP service next:
ftp 10.0.2.135 65534
with the credentials nickburns/nickburns, and download readme.txt:
get readme.txt
- It mentions the keyword NickIzL33t; the service on port 8008 also states "This is only for Nick's super secret stuff"
- Browsing to http://10.0.2.135:8008/NickIzL33t shows "only me and Steve Jobs can see this content", so presumably it has to be visited with an iPhone user agent
- A browser user-agent switcher add-on lets us change the agent; we then see:
Well, you passed the dummy test But Nick's secret door isn't that easy to open. Gotta know the EXACT name of the .html to break into this fortress. Good luck brainiac. Lol -Nick
- It mentions .html, so we use dirbuster with the rockyou.txt wordlist to brute-force files under /NickIzL33t/, also setting dirbuster's HTTP user agent to iPhone. This finds /fallon1.html, which hints at flagtres.txt, giving the third flag:
Flag data: TinyHead
- /hint.txt describes the password rule; there is also a downloadable password file, but that file itself requires a password
- Build a dictionary according to the rule in hint.txt:
crunch 13 13 -t bev,%%@@^1995 -o /root/Desktop/dict.txt
- This produces 58000800 entries... Then use fcrackzip to crack the password-protected zip:
fcrackzip -u -D -p /root/Desktop/dict.txt /root/t0msp4ssw0rdz.zip
which finally reports PASSWORD FOUND!!!!: pw == bevH00tr$1995
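The crunch pattern above comes straight from the published password rule, which is the real weakness here: the policy fixes most of the 13 characters, so the whole keyspace fits in one wordlist. The following script is an added example (not part of the original write-up) that computes the keyspace, the on-disk wordlist size and the effective entropy for any crunch -t pattern, using crunch's documented placeholders (@ lowercase, , uppercase, % digit, ^ symbol) and assuming its default symbol set of 33 characters.

```python
# Added example (not from the original write-up): estimate the keyspace that a
# crunch -t pattern such as the one derived from hint.txt expands to, and the
# size of the resulting wordlist, to judge how weak a fixed-format password
# policy really is.
# Assumptions: crunch's documented placeholder meanings (@ lower, , upper,
# % digit, ^ symbol) and its default symbol set of 33 characters.

import math
from string import ascii_lowercase, ascii_uppercase, digits

# crunch placeholder -> number of candidates it expands to
PLACEHOLDER_SIZES = {
    "@": len(ascii_lowercase),   # 26 lowercase letters
    ",": len(ascii_uppercase),   # 26 uppercase letters
    "%": len(digits),            # 10 digits
    "^": 33,                     # crunch's default symbol set (assumed count)
}


def crunch_keyspace(pattern: str) -> int:
    """Number of candidates a crunch -t pattern expands to.

    Literal characters (anything that is not a placeholder) contribute a
    factor of 1, so a pattern with many fixed characters yields a small
    keyspace no matter how long the password is.
    """
    total = 1
    for ch in pattern:
        total *= PLACEHOLDER_SIZES.get(ch, 1)
    return total


def wordlist_bytes(pattern: str) -> int:
    """Approximate on-disk size of the wordlist: one candidate plus newline per line."""
    return crunch_keyspace(pattern) * (len(pattern) + 1)


def entropy_bits(pattern: str) -> float:
    """Effective password entropy in bits, i.e. log2 of the keyspace."""
    return math.log2(crunch_keyspace(pattern))


if __name__ == "__main__":
    rule = "bev,%%@@^1995"  # the pattern the write-up derives from hint.txt
    print(f"{rule}: {crunch_keyspace(rule):,} candidates, "
          f"{wordlist_bytes(rule) / 1e6:.0f} MB, {entropy_bits(rule):.1f} bits")
    # Compare with a fully random 13-character password over 95 printable ASCII:
    print(f"random 13 printable chars: {95 ** 13:.2e} candidates")
```

For the pattern from hint.txt this gives exactly the 58,000,800 candidates the write-up observes, roughly 812 MB on disk and under 26 bits of entropy, against more than 85 bits for a random password of the same length.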
After extracting the archive, open password.txt:
Sandusky Banking Site
------------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
----------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat
Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are. However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
----------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.
- The file says bigtom's password is unknown and mentions a Queen song; Queen's hit is "We Will Rock You", so try brute-forcing the user tom with rockyou.txt:
wpscan --url http://10.0.2.135/prehistoricforest/wp-login.php --wordlist /usr/share/wordlists/rockyou.txt --username tom --wp-content-dir /wp-content --threads 100
This finally yields the password: tomtom1
- Earlier, password.txt said that bigtommysenior "wrote a draft"; under the blog's Posts we find his article, so next we try SSH:
ssh [email protected]
with the password fatguyinalittlecoat1938!!
- We find el-flag-numero-quatro.txt and the fourth flag:
Flag data: EditButton
Following the hint, restore the backup file:
cp callahanbak.bak /var/www/html/index.html
and revisit http://10.0.2.135/ .
- We also find LOOT.ZIP, but do not know its password.
- There is also a .5.txt file in the root directory, but it is owned by www-data; it should be the last flag.
- The page source of http://10.0.2.135:8008/NickIzL33t/fallon1.html seen earlier hinted at P4TCH_4D4MS; browsing there shows an upload page: http://10.0.2.135:8008/NickIzL33t/P4TCH_4D4MS/
- Uploading a web shell, we find that the file extension is restricted, so first rename it to .jpg and upload it, then connect over SSH and locate the uploads folder:
find / -iname "uploads" -type d 2>/dev/null
- Rename the uploaded jpg back to php and browse to the shell
- Our identity is now www-data, so we can read .5.txt directly and obtain the last flag:
Flag data: Buttcrack
It also hints that these flags should be combined to unlock loot.zip. The combined flag is B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack, which unlocks LOOT.ZIP
- This gives us THE-END.txt, and we are done.