So I came across Billy Madison 1.0, a recently published vulnerable system. As I had really enjoyed this author’s previous Tommy Boy 1.0, I decided to have at it. Boy was it fun, but I did run across a few hurdles along the way due to my thinking.
Big thanks to Brian Johnson for making it and helping me waste several hours of my life on it.
Plot: Help Billy Madison stop Eric from taking over Madison Hotels!
Sneaky Eric Gordon has installed malware on Billy’s computer right before the two of them are set to face off in an academic decathlon. Unless Billy can regain control of his machine and decrypt his 12th grade final project, he will not graduate from high school. Plus, it means Eric wins, and he takes over as head of Madison Hotels!
So downloaded the VM, got it up and running setup on the same network as my Kali box, off to the races.
First up, lets figure out what IP it is running under as it was configured with NAT I chose to enumerate only that network:
Excellent, 192.168.244.157 it is.
First off, trusty nmap against all TCP ports( -p 0-65535) and Service Detection (-sv):
Some interesting results there, 2 services that were not able to be ID’d, HTTP on two ports, telnet, ssh, and smb.
TCP/80 - HTTP (Apache) - Round 1
I decided to go for HTTP next and pulled up the page to find a defaced website. The source for the page was as follows:
I then proceeded to download all the images, check them with exiftool and binwalk to see if anything was hidden. Nothing of interest here sadly.
Next up HTTP on port 69. This contained what appeared to be a Wordpress site, quick inspection indicated that there was something amiss, links did not appear to work outside of login, the login page was not in the standard location, and searching was completely broken. At this point I’m thinking honeypot, and considering the service shows up as BaseHTTPServer which I recall being python’s SimpleHTTPServer it seems probable, but lets be thorough with wpscan:
No plugins, just one theme. I also re-ran it with –enumerate u and got nothing. Yep feels odd, and since I have no idea on usernames or passwords lets back burner this for now.
TCP/22 - SSH
Attempting to connect to 22 instantly returned a rejection message stating keys were required. Nothing to see here.
TCP/23 - Telnet - Or is it?
Attempting to connect to 23 returns a slightly odd error:
Ok lets go look at the NMAP results:
There was definitely some text returned and after cleaning it up the following text is seen:
Interesting, so Billy attempted to hack Eric’s Wifi, and another insult is thrown. The very interesting part here is ROTten passwords” and rkfpuzrahngvat. My first thought, ROT-10 cipher.
Created a small python script to give all possible ROT combinations to see if anything jumped out at me:
Ok, Nothing really jumped out there sadly, but I’ll save those off for later use if needed.
TCP/80 - HTTP - Round 2!
I was at a bit of a loss at this point, so I proceeded to use some other enumeration tools including nikto, dirbuster, and zap. Sadly none of then bore any really good fruit.
Finally, since all I had at this point was the ROT cipherd text I decided to do dirb with the list as a wordless.
Huzzah! We found a directory entering exschumerating.
Retrieving that page presented us with Eric’s first backdoor gem.
OK, some interesting points, looking at the currently-banned-hosts.txt resulted in it showing my system as being blocked. It also specified that the only way to revert it was to reboot the system which I went ahead and did just incase it had other adverse affects.
Onto the text, the particular pieces that I found interesting were .captured, veronica and rocks. As it indicated that she would rock if her password contained veronica I jumped to using the rockyou password dump and creating a custom wordlist from it.
This reduced my potential passwords down from 14 million to a manageable 733. Sadly I still had no locations to attempt to log in to (other than the fake WordPress) so I moved onto the .captured clue. Unfortunately my first attempts to find the file ended in failure, so I decided to look elsewhere. (Silly typos)
TCP/2525 - SMTP -
SMTP identified as 220 BM ESMTP SubEthaSMTP null. A bit of research came up with it was a Java library. I attempted to use VRFY to identify emails but it all failed. I then considered doing a client side attack and send veronica an email with a beef backdoor in case she was active and opening links (blondes…). However this did not pan out, no links were clicked so I abandoned that idea.
TCP/445 - SMB - Guest Mode
I went ahead and enumerated SMB to see what could be found there:
Sweet, EricsSecretStuff available anonymously with READ/WRITE permissions, that could be useful. Connection to the share resulted in some files, confusion, and disappointment.
Retrieving the files shows ebd.txt to say that “Eric’s Backdoor is CLOSED”, good to know. And the .eml file actually contained the data I sent veronica! I attempted to edit the file and put new files only to find that nmap was incorrect and we had Read-Only privileges.
So whatever I email gets placed into this directory, interesting… is this a monitoring technique, or something else? At this point I spent some time thinking how I could exploit this, but as I could not edit files it wasn’t a proper form of placing files on the system, and since I couldn’t execute it was pointless.
Lets try to enumerate other users, I try veronica first.
Excellent! Veronica’s password!…. well…. not really. False positive =(.
I decided to cut my losses so and go back to the admin console.
TCP/80 - HTTP - Here we go again
I went ahead and ran dirb again, this time, looking for any file that was in the veronica.txt password file with the .captured extension.
Well hoping it was some sort of pcap file I decided to try .pcap next with the same results. At this point google to the rescue, the other file types Wireshark can read are .cap and .dmg.
Success! 012987veronica.cap exists. I proceed to download and open it in Wireshark and follow each TCP stream in succession. This provided a series of emails that Eric described earlier about how he got Veronica to fall for the phishing scam.
Ok initial phish here.
Interesting, port knocking to enable FTP. Will check that youtube in a bit.
Excellent! Another potential username/password! (A hilarious one at that.)
And here begins the attack.
Eric has gained access to Billy’s system.
Port Knocking to FTP
Ok lets follow in those steps. The youtube video https://www.youtube.com/watch?v=z5YU7JwVy7s provides an amusing little bit of Billy Madison along with a series of numbers that should be the port knocking code to get in.
1066, 1215, 1466, 1467, 1469, 1514, 1981, 1986 perfect I have the port knock sequence all set, or so I thought. I attempted to then knock using a simple bash script:
Fail! Next I tried the nmap command instead, still nothing. What else. OK, maybe its the first two with the correct Spanish Armada 1588, no dice. I then proceed to try UDP and a ton of various other combinations all failed. And then I listened to the video again and wrote down precisely what he said for the Spanish Armada - 1466 67 1469 1514 1981 1986 1588.
Score! I proceeded to download all the files, five of which were local priv escalation exploits (score!) and a .notes file.
All right! Another video to watch and Eric’s backdoor! But some bad news, his privsec exploits now fail (thinking maybe they need to be modified to a different target?) and he lost the paper! Go figure…
Also an interesting note, he mentions reusing his his wifi password as his login. I wonder if that would be one of the ROT passwords earlier…
Watching the video results in Billy saying Eric’s kid will be a soccer player. Now to send an email. I modified my previous client side attack script to just send the text and shipped it out.
I once again checked the edb.txt file on the SMB share now to find it said “OPEN”. Excellent, now where is it? Not wanting to get locked out I ran the following nmap:
Success! new port opens on 1974. I attempted to log in as eric using the ROT passwords…
…and FAILURE. Damn ok, what did I miss. Eric mentioned he looked at veronica’s FTP but not billy’s. Lets go ahead and look at Veronica’s FTP. Attempting to login with veronica:012987veronica but that fails. Ok lets try some hydra action!
Score! Valid password of email@example.com for the account veronica. Connecting to the server yields some files:
Well, we have another pcap file and an email from Billy, perhaps it will let us know what is contained within.
WiFi Password Cracking
Looking through the email from Billy to Veronica, it seems he was trying to break Eric’s WiFi password but did not finish, chances are the PCAP file we downloaded contains something that will help.
While downloading the PCAP file and made the cardinal sin of downloading a binary file in ASCII mode. After chasing my tail for a bit, getting corrupted file errors, I re-download but set binary before hand and voila! we have a non-corrupted PCAP download.
Seeing as we need to crack wireless I decided to use Aircrack-ng and once again utilizing the rockyou dump.
Ok, we now have a shell to the box, the ability to reproduce in case we need to reboot. Now to escalate privileges and win!
First, we start off with some enumeration. Right from the login we see it is running Ubuntu 16.04.1 and has a kernel version of 4.4.0-36.
A run of searchsploit (exploit-db.com’s offline search) reveals the following possible exploits:
Nice, as the top one is not for Ubuntu but for Censura we have 4 possible exploits. I recall seeing these same numbers on Eric’s FTP home directory.
Ok, lets continue and do a bit more enumeration. I have a couple of go-to scripts I always like to run when I gain access to a new box.
After a quick glance, I don’t see anything particularly interesting in either of the enumeration scripts, and the Exploit Suggester came up empty. I decide to check out the exploits found from searchsploit.
After doing a bit of research on them, they are indeed for 4.4.0 kernel’s but for revision 21, and we are on revision 36. Damn! I guess the system was updated post exploit. Oh Well, lets give them a try just in case.
Damn, no go! At this point, I spend WAY too much time trying to devise a way to utilize these exploits on the newer kernel. I’ve been trying to learn a bit of exploit development as of late and I guess since that was fresh on the brain it wanted me to go that route. That was a rabbit hole that was not worth the time. Lesson learned; Pay more attention in the Enumeration phase.
At this point I looked back at the enumeration scripts and still not finding much I decided to re-run them through a grep filter, maybe that would provide more insight as frankly there is a ton of data in them.
I decide to check against anything done by eric. Since he is the one that originally attacked the box, perhaps his account would have a backdoor that he forgot.
How did I miss that! There is a SUID file that is owned by the user root and the group eric. That must be something of interest. Running the command results with the world’s 2nd worst help page.
Ok it seems to take two arguments as files and does something with them. I create two new files and use them as the parameters.
Ok, file 2 can’t exist. I re-run with file2 not existing.
OK, interesting, no error and it has an interesting output about MKNOD. Ok lets try with a file I actually want to see: /etc/shadow.
Excellent! Same success output, however looking at the created file it has identical permissions to the original AND it is 0 bytes in size.
I then proceeded down another fun rabbit hole trying to figure out what the command was doing. I did some research on MKNOD and in the end pretty much came up empty.
After spending way too much time trying to figure out this one, I finally had an epiphany; what if I make a file in a directory I normally can not write to? What then? Seeing as I wanted to exploit this idea the best place I could think of to write was in /etc/cron.hourly/ as any script placed in there would run once every hour. Here’s to wishing there was a cron.5minutes.
OK, successful execution, but can I write to the new file?
Yes! If the above script executes properly, I should be able to run nano as root and edit any file I want. As a backup, I went ahead and created a second script in the same was as above and used these other commands. I also wanted to setup a netcat backdoor, but the one available on the server did not have -e so no go there.
Now to wait about an hour. Interestingly enough I had never noticed before that the default for crontab is to run the cron.hourly at the 17-minute mark and not precisely on the hour.
After an hour I checked the permissions on nano
YES! Nano was now a SUID binary. A simple editing of /etc/sudoers should do the trick now and give eric sudo privileges. I added the following line to the sudoers file
And now for the moment of truth. Can I become root?
Awesome! Now that I have root it is time to complete the tasks to win the VM.
Finding Billy’s paper
Ok now as root lets go find that paper! I noticed during my sifting through the drive that there is a /PRIVATE folder that I couldn’t get into. So lets go check that one out.
Nice Ok, so found the report but it’s encrypted, go figure. Thankfully Eric left us a hint of a wiki page. First thought that pops into my head is to use cewl to make a word list from the page and then crack it. At this point, I started trying to figure out what kind of encryption was used and came up a bit empty. The only one I figured it would be as it had no header information would be Truecrypt. So lets try TrueCrack.
And down the rabbit hole I go! Well after a couple of minutes of trying other encryptions (interestingly enough bcrypt thought it was GPG encrypted which lead me to find .gpg keys under the root account and trying that), I decided to look at the wordlist.
Ahh damnit, I didn’t take into account if you just send STDOUT from cewl to a file it will have the header. Ok, I remove the first line and re-run TrueCrack.
Excellent, now we have a password for the volume. Mounting the volume is simple, just using Veracrypt (make sure you check the Truecrypt box). Once mounted lets go look at it.
Final Cleanup - Eric’s Backdoor Removals
Ok so what did Eric accomplish on this box that should be removed. Well frankly a ton, in a real world scenario I would be concerned with missing things like rootkits on the box and would probably just suggest backing up protected documents and reinstalling. But lets ignore that.
User account to be removed - Eric
SSH backdoor on 1974
Privilege escalation binary
FTP server Breach
Web Server Defacement on TCP/80
Honeypot on TCP/23
Honeypot on TCP/69
Cleanup of /etc/rc.local
Hacking tools in /opt
GPG keys compromised
Malicious User Removal
First things first, malicious user eric should be removed from the system. Note, this command will delete all files in the home directory as well, if you wish to preserve -r would be appropriate.
SSH Backdoor Removal
Malicious script /root/ssh/canyoussh.sh must be removed along with its crontab entry.
As the service running this SSH server is the actual sshd daemon, editing of /etc/ssh/sshd_config and restoring port to 22 would be recommended. However something is listening on port 22.
Looking in /root there is a ssh.sh script.
So its a script called rubberglue, interesting. What it seems to do is take any connection to the bound port and connect back to the source ip address on the same port. I like it! Either way, removal of this script and the /opt/rg directory would be necessary. Now if this was intentional then keeping all of this would be appropriate and just changing the port would be advised.
Privilege escalation binary
Removal of /usr/local/share/sgml/donpcgd would be recommended. Or at least removal of SUID.
FTP Knock Routine
Modification of the knock would be appropriate as it was compromised. This can be accomplished by editing /etc/knockd.conf.
Cleanup of /opt/coloradoftp-prime/home would also be recommended and removal of the malicious/defaced files contained within.
Web Server Defacement on TCP/80
Restoration of the apache web server would be recommend, or removal. Web directory was /var/www/html.
Honeypot on TCP/23
Telnet honeypot removal should be removed. Removal could be done by removing the /opt/honeyports directory, /root/checkban and /root/telnet.sh scripts.
Removal of the following line from the root crontab would also be required:
Honeypot on TCP/69
The Wordpress installation on TCP/69 was indeed a honeypot. Cleanup would involve deletion of /root/wp.sh and removal of /opt/wp.
Cleanup of /etc/rc.local
Rc.local seems to have been compromised as well, removal of all malicious scripts should be performed.
Hacking tools in /opt
Some interesting hacking tools/tips were also found in /opt/bpatty, /opt/Sn1per and /opt/reconng, all of which should be carefully backed up for later use :) and removal. Also included below are a couple of the other pretty sweet scripts in /opt.
/opt/bpatty - Brian’s Pentesting and Technical Tips for You - pretty neat collection of thoughs, a decent read. Available on github.
/opt/Sn1per - Scanner/Enumeration tool - Going to have to play around with this one, also available on github.
/opt/reconng - Recon tool, great stuff, already included in Kali but available on BitBucket
/opt/honeyports - Port based Honeypot script. Available on github
/opt/rg - RubberGlue Honeypot Available on BitBucket
GPG keys compromised
Lastly, as root was compromised, the GPG keys contained in /root/.gnupg should be considered compromised and removed.
Overall, this was a great challenge! I learned a couple valuable lessons during the course of breaking in and it gave me some ideas for some script updates to do. Overall great theming of the whole thing, I really appreciated that. Off to break more things!