Vulnhub: Tommy Boy 1 Walkthrough (OSCP PREP) [by dollarboysushil]
2024-1-15 21:22:28 Author: infosecwriteups.com

dollarboysushil

InfoSec Write-ups

Link to Tommy Boy 1 Vulnhub: https://www.vulnhub.com/entry/tommy-boy-1,157/

OBJECTIVE

The primary objective is to restore a backup copy of the homepage to Callahan Auto’s server. However, to consider the box fully pwned, you’ll need to collect 5 flags strewn about the system, and use the data inside them to unlock one final message.

Level: Intermediate

Victim IP: 192.168.253.133
Attacker IP (Kali Linux): 192.168.253.128

Enumeration

Nmap scan

nmap -sC -sV -p- 192.168.253.131
-sC runs the default scripts, -sV does version enumeration and -p- scans all ports.

Open ports are: 22 (ssh), 80 (http), 8008 (http).

Visiting the IP reveals a broken Callahan Auto website.

Looking at the page source, we can see a pretty interesting conversation between Nick and Richard.

The key thing there is a blog directory, for which a YouTube video link is given.

Hey Prehistoric Forest is the title of the video, so I tried /heyprehistoricforest and /prehistoricforest.

Of these, /prehistoricforest/ worked.

And we have WordPress under /prehistoricforest/. We will work on this WordPress site later; first let's do directory fuzzing on the first site we found.

Simple directory fuzzing didn't reveal any directory, so I added the extensions .txt and .php.

We have robots.txt and big.txt.

/big.txt contains some kind of wordlist; we may need this later, so save it.

Under robots.txt we can see some disallowed directories.

/flag-numero-uno.txt contains our first flag.

Flag data: B34rcl4ws

I think we are done here.

Let's go back to the WordPress site.

Visiting the blog post and reading the comments reveals the location of our second flag:

thisisthesecondflagyayyou.txt

Flag #2 : Z4l1nsky

Reading more posts and comments, we can see Richard talking about the folder /richard, which contains a picture.

This image may contain some interesting data, so download it.

Using exiftool we can see one interesting result: the User Comment field.

ce154b5a8e59c89732bc25d6a2e6b90b. This appears to be a hash rather than plain text.

Using CrackStation, we can see it is an MD5 hash, and the result is spanky.

We have no idea what this is; first I tried to visit the directory /spanky, but that didn't work.

Then, looking into the WordPress site, we have the post "Status of restoring company home page", which asks for a password.

Entering the password spanky worked.

Reading the contents, the interesting items are:
"there's a backup called callahanbak.bak that you can just rename to index.html and everything will be good again."

and

There is an FTP port that is online for 15 minutes and goes down after 15 minutes. The username and a possible password hint are also given.

This is the reason we didn't see FTP open in our first nmap scan.

Running the nmap scan again reveals FTP open on port 65534.

We were able to log in to FTP as user nickburns with password nickburns; a simple guess worked for the password.

We have a readme.txt file. Let's download it to our machine using the get command.

Reading readme.txt reveals a /NickIzL33t directory which Nick used as a dropbox.

I first tried visiting /NickIzL33t on port 80, which didn't work.

Remember that we have port 8008 (http) open.

Visiting /NickIzL33t on port 8008 gives us access to the dropbox.

This is the tricky part. Only Steve Jobs can see these contents, so visiting the site as an iPhone worked: the check is only on the browser's User-Agent header, which the client controls.

Right click >> Inspect element >> View page as iPhone, then reload the site; this shows we have passed the dummy test.

Still we don’t have access to the full site.

It is asking for a .html name to break into the fortress. Let's do directory fuzzing to find this .html page.

Capture the request using Burp Suite and copy the User-Agent header; the fuzzer has to send the same iPhone User-Agent, otherwise the gate blocks it.

Then run ffuf with that User-Agent.

Looking at the results, fallon1 stood out.

Visiting fallon1 we can see some hints and files.

Third Flag: TinyHead

Clicking on Big Tom's encrypted pw backups downloads a password-protected zip file.

Clicking on the hint reveals the password pattern.

With this password pattern we can create a custom wordlist using the crunch tool. In the crunch pattern:
@ inserts a lowercase character
, inserts an uppercase character
% inserts a number
^ inserts a symbol

Then use the tool fcrackzip to brute-force the password of the zip file.

bevH00tr$1995

Unzipping the zip file extracts a passwords.txt file.

passwords.txt contains some credentials; we are interested in the Callahan Auto server credentials.
The password fatguyinalittlecoat is incomplete: it ends with some numbers, which are written in a draft on the company blog.

For the blog site, the username is bigtom (not confirmed) and the password is related to a famous Queen song.

Going to wp-login on the WordPress site and entering bigtom as the username with any random password shows an "invalid username" error. (The WordPress login form's error message tells you whether the username exists, which is what makes this kind of enumeration possible.)

So we can confirm bigtom is not a valid username.

Let's use the wpscan tool to enumerate usernames.

With these usernames, make username.txt (I kept only two entries, tom and Big tom, as only these two are related to bigtom).

Then brute-force the username and password.

We found tom:tomtom1.

And in the draft we have the last part of the password: 1938!!

bigtommysenior:fatguyinalittlecoat1938!!

Then we can log in via SSH with these credentials.

The fourth flag is EditButton.
The fifth flag is located in /5.txt, but we don't have access to /5.txt.

Let's restore the site by copying callahanbak.bak to index.html.

Site successfully restored.

Change directory to /var/html/prehistoricforest. We can see wp-config.php, which usually contains juicy information (the database credentials).

Opening wp-config.php gives us credentials for the MySQL database.
Let's view the contents of the database. The WordPress users table holds these phpass ($P$) password hashes:

richard:$P$BzW7ZDwxd7THv1D4rTANjGGgzV0XK9/
tom:$P$BmXAz/a8CaPZDNTraFb/g6kZeTpijK
tommy:$P$BCcKbJIQtLuiBOybaQPkkfe1yYJRkn.
michelle:$P$BIEfXY1Li5aYTokSsi7pBgh0FTlO6k/

I tried to crack these hashed passwords using various online sites but was unable to, so I planned to update the password to my own.

Visit https://wprefers.com/wordpress-password-hash-generator/ to generate a hashed WordPress password (phpass: salted, iterated MD5).
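As an added example (not part of the original post), here is a Python port of the phpass "portable hash" scheme WordPress uses for the $P$ values above. It shows why plain MD5 lookup sites fail on them (each hash is salted and iterated; the cost character 'B' after $P$ means 2^13 = 8192 rounds) and lets you generate or verify a replacement hash offline instead of pasting a password into a third-party site. The sample salt abcdefgh and sample password in the usage are constructed.

```python
import hashlib
import hmac
import secrets
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # phpass alphabet

def _encode64(data: bytes) -> str:
    """phpass' own base64 variant (not RFC 4648): 16 hash bytes -> 22 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_crypt(password: str, setting: str) -> str:
    """Recompute a $P$ hash from its 12-char prefix: "$P$", cost char, 8-char salt."""
    count_log2 = ITOA64.find(setting[3:4])  # cost char is an index into ITOA64
    salt = setting[4:12]
    if setting[:3] not in ("$P$", "$H$") or not 7 <= count_log2 <= 30 or len(salt) != 8:
        raise ValueError("not a valid phpass portable hash")
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # WordPress cost char 'B' -> 2**13 = 8192 rounds
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h)

def phpass_hash(password: str, count_log2: int = 13, salt: str = "") -> str:
    """Make a fresh hash (random salt unless one is supplied, e.g. for a test)."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)

def phpass_check(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored value."""
    try:
        return hmac.compare_digest(phpass_crypt(password, stored), stored)
    except (ValueError, TypeError):
        return False
```

phpass_hash("newpassword") produces a value in the same format as the user_pass column, so it can replace the third-party generator step above; phpass_check shows the verification WordPress performs on login.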

Download the PHP reverse shell script from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php.

Change $ip to your machine's IP (and $port to the port your listener will use).

Have a netcat listener ready on that port.

Copy the PHP script and paste it into the 404 template under Appearance >> Editor.

Now open this 404.php in the browser.

We now have a shell as user www-data.

We can now read the fifth flag, .5.txt.

Fifth Flag : Buttcrack

All the flag data combined is B34rcl4wsZ4l1nskyTinyHeadEditButtonButtcrack, which is the password for loot.zip.

Go back to the SSH shell and unzip loot.zip using the password.

Reading THE-END.txt completes the machine.

For any correction, query or suggestion, contact me on
Instagram dollarboysushil
Twitter (X) dollarboysushil
Youtube dollarboysushil


Source: https://infosecwriteups.com/vulnhub-tommy-boy-1-walkthrough-oscp-prep-by-dollarboysushil-ff1b10c23b96?source=rss----7b722bfd1b8d---4