Tommy Boy VM is a CTF based on the movie Tommy Boy and the fictitious company "Callahan Auto" in the movie. I found this VM to have a good mix of challenges and I enjoyed every moment of it.

As with every VM, I start out with a netdiscover to find the IP address.

netdiscover -i eth1 -r 10.0.2.4

And quickly I spotted the IP 10.0.2.12. Next, as always, is a quick Nmap scan to check out what's available to look at on this machine.

root@kali:~# nmap -sS -A -sC -O 10.0.2.12 -oN ~/Desktop/nmap.txt

Very interesting: 3 ports to check out to start with. The obvious choice is port 80, as websites generally have a large attack surface and easy low-hanging fruit.

root@kali:~# dirb http://10.0.2.12/

Definitely need to check out that robots.txt first and see what they don't want me accessing.

Most of these just contain images, except of course for the last one, which is flag-numero-uno.txt - yay for the first flag.

Next I took a look at the source code for the landing page on port 80.

Checking out the YouTube video link left in a source code comment led me to their internal blog, which turns out to be WordPress.

Ran WPScan - nothing interesting found.

Looking through the comments I see a link to thisisthesecondflagyayyou.txt, which was easy enough to load up and find the second flag.

Comments on the first post point me to the picture to get the password for the locked WordPress post.

This directory contained only an image. First up I tried foremost, which gave me nothing. The Exif data, however, gave me a strange user comment; after looking at it for a while, I figured it might be a hash - CrackStation gave up the password straight away.

The unlocked WordPress post contained a wealth of information. Firstly, there is FTP on a non-standard port, and it goes up and down every 15 minutes. It also gives me a username to try with an "easy to guess password".

Ahh, so there is FTP. Another quick Nmap scan at a time when it is up shows us the port.

Another look with -sV showed a decent version of ProFTPD. I didn't see any exploits for this version, so I moved on. My first login attempt, using the username from the blog post as both the username and the password, got me straight in. Yay.

Only a readme file - downloaded.

The subdirectory they reference isn't here on port 80. Time to check out 8008.

Found it, but it's still hidden. Lots of talk about Steve Jobs. Reading back over the comments in the readme.txt file, he talks about looking at it on the phone. Start changing my User-Agent. Ah ha - a standard iPhone user agent - of course, that is why he was talking about Steve Jobs.

Now there is a reference to a hidden .html file I need to find. Tried directory-list-2.3-medium.txt and a custom wordlist built from these text files with some rules - no luck.

Finally, after a couple of hours of pulling out my hair and revisiting what I had done, I tested the rockyou.txt wordlist stripped to just A-Za-z0-9 characters.

wfuzz -c -w /root/Desktop/rockyou2.txt --hc 404 -H "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7" http://10.0.2.12:8008/NickIzL33t/FUZZ.html

Finally making some more progress.
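From the server side, a wordlist run like the wfuzz command above leaves an unmistakable trace: one client, one User-Agent, thousands of 404s against the same directory in a short window. The following is an added example (not part of the original post) showing how to pick that pattern out of Apache combined-format access logs. The log lines are constructed inline for the demo; the client IPs, timestamps and paths are invented, and only the iPhone User-Agent and the /NickIzL33t/ directory come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

IPHONE_UA = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) "
             "AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7")


def make_sample_log():
    """Constructed sample log (not captured from the VM): one client running a
    wordlist against /NickIzL33t/<word>.html, one ordinary visitor, and one
    client with a few stray 404s spread over minutes."""
    t0 = datetime(2016, 8, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path, status, ua):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
                f'{status} 123 "-" "{ua}"')

    lines = []
    for i in range(30):   # 30 misses in 30 seconds, same directory, same UA
        lines.append(line("10.0.2.15", t0 + timedelta(seconds=i),
                          f"/NickIzL33t/word{i}.html", 404, IPHONE_UA))
    for i in range(5):    # ordinary browsing, all 200s
        lines.append(line("10.0.2.20", t0 + timedelta(seconds=10 * i),
                          "/index.html", 200, "Mozilla/5.0 (X11; Linux x86_64)"))
    for i in range(3):    # a few stray 404s, minutes apart: stays below threshold
        lines.append(line("10.0.2.21", t0 + timedelta(minutes=5 * i),
                          f"/old{i}.html", 404, "Mozilla/5.0 (X11; Linux x86_64)"))
    return lines


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_fuzzers(lines, window=timedelta(seconds=60), threshold=20):
    """Flag clients that produced more than `threshold` 404s inside any
    sliding `window`. Returns {ip: {"misses": n, "dirs": {...}, "ua": ...}}."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start until [start, end] fits inside `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {
                    "misses": len(recs),
                    "dirs": {r["path"].rsplit("/", 1)[0] + "/" for r in recs},
                    "ua": recs[-1]["ua"],
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_fuzzers(make_sample_log()).items():
        print(f"{ip}: {info['misses']} misses under {sorted(info['dirs'])} UA={info['ua']}")
```

The threshold and window are deliberately loose; a real rockyou.txt run produces far more than 20 misses a minute, and the directory set tells you which path the client is enumerating so the hidden resource can be moved or the directory rate-limited.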

curl -v -H "User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7" http://10.0.2.12:8008/NickIzL33t/fallon1.html

The directory contains 3 files.

Ok, so there is the 3rd flag. Hint.txt showed a bunch of rules for how Big Tom's password was generated. Time to create a wordlist.

for w in bev{A..Z}{0..9}{0..9}{a..z}{a..z}{\`,\~,\!,\@,\#,\$,\%,\^,\&,\*,\(,\),\-,\_,\+,\=,\[,\],\;,\',\,,\.,\/,\<,\>,\?,\:,\"}1995; do echo $w; done > ~/Desktop/wordlist2.txt

After generating the wordlist, the zip file is cracked.
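The brace expansion above works, but it hides the lesson: once the structure of a password is known (fixed prefix and suffix, one capital, two digits, two lowercase, one symbol), the keyspace is tiny. The following is an added example, not code from the original post, that mirrors the same structure in Python, computes the keyspace and its effective entropy, and streams candidates in the same order as the bash loop instead of holding 49 million strings in memory. The symbol set is the one the post's brace expansion uses; the slot layout is read from that expansion, so the only assumption is that it matches Hint.txt as the post applied it.

```python
import itertools
import math
import string

# Structure as the post's brace expansion encodes it:
# "bev" + [A-Z] + [0-9] + [0-9] + [a-z] + [a-z] + symbol + "1995"
SYMBOLS = "`~!@#$%^&*()-_+=[];',./<>?:\""   # the 28 symbols from the bash loop
PREFIX, SUFFIX = "bev", "1995"
SLOTS = [string.ascii_uppercase, string.digits, string.digits,
         string.ascii_lowercase, string.ascii_lowercase, SYMBOLS]


def keyspace_size(slots=SLOTS):
    """Number of candidates the structure allows: the product of slot sizes."""
    return math.prod(len(s) for s in slots)


def entropy_bits(slots=SLOTS):
    """Effective entropy once the structure is known: log2 of the keyspace.
    The fixed prefix and suffix add length but zero bits."""
    return math.log2(keyspace_size(slots))


def candidates(slots=SLOTS, prefix=PREFIX, suffix=SUFFIX):
    """Lazily yield every candidate, leftmost slot varying slowest, which is
    the same order bash brace expansion produces."""
    for combo in itertools.product(*slots):
        yield prefix + "".join(combo) + suffix


def write_wordlist(path, limit=None):
    """Stream candidates to `path` one per line without buffering the whole
    list; returns the number of lines written. `limit` caps the output."""
    n = 0
    with open(path, "w") as fh:
        for n, word in enumerate(candidates(), 1):
            fh.write(word + "\n")
            if limit and n >= limit:
                break
    return n


if __name__ == "__main__":
    print(f"keyspace: {keyspace_size():,} candidates "
          f"(~{entropy_bits():.1f} bits of entropy)")
    for word in itertools.islice(candidates(), 3):
        print(word)
```

49,212,800 candidates is about 25.5 bits, which is why a rule-based "complex" password falls to an offline crack in minutes on a zip archive; a policy that dictates the shape of the password removes most of the entropy the length appears to provide.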

The password zip file has a list of usernames and passwords. The blog post seems to have the wrong username; after clicking on the Big Tom user you can see in the URL bar that the username is tom.

"famous Queen song" - wonder if that means the "rockyou.txt" wordlist. A quick hydra scan on the standard WordPress login page showed me the login details for tom.

The passwords.txt and the draft post details combined give us the rest of the server login details and tell us it's SSH.

After logging in via SSH with the supplied details, I start off with the files in the home directory.

The file "el-flag-numero-quatro.txt" is obviously the fourth flag. Almost there. It also tells us that there is a /5.txt file. Closer inspection shows it's /.5.txt and owned by www-data.

I figure the best way to get access to that user is via a web exploit. Looking around /var/thatssg0nnaleaveamark (the directory for Apache on 8008, as per the config file) I find the half-complete upload script they talked about earlier.

This looks easier than hacking WordPress. Also, the .htaccess file in the upload directory has enabled PHP code in .gif files. This should be easy.

<?php echo file_get_contents('/.5.txt'); ?>

Simply view the gif with another curl command and all the flags are belong to me. Interestingly, the 5th flag tells you to put all the flags together to unlock the LOOT.zip file found in bigtommy's SSH account.
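The upload script fell because two things were missing: the server executed .gif files as PHP, and nothing checked that an upload really was an image. The following is an added example, not the VM's upload script, showing the validation a handler should do before saving a file. The samples are constructed inline: one is a minimal real GIF header, the other is the same header with the post's one-line PHP payload appended. The check is a stand-in written for this article, not the project's code.

```python
import re

# Extension allowlist and the magic bytes a file with that extension must start with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

# PHP open tags (<?php, <?=, bare <?). With the VM's .htaccess, a file that
# passes the magic-byte check still runs if one of these appears anywhere in it.
PHP_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (accepted, reason). Rejects path components, double extensions
    (shell.php.gif), unknown extensions, content that doesn't match the
    extension's magic bytes, and any file containing a PHP open tag."""
    name = filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "expected exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


# Constructed samples (not files from the VM).
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 20
PHP_GIF = b"GIF89a" + b"<?php echo file_get_contents('/.5.txt'); ?>"


if __name__ == "__main__":
    for fname, blob in [("cat.gif", REAL_GIF), ("shell.gif", PHP_GIF),
                        ("shell.php.gif", REAL_GIF), ("shell.php", b"<?php")]:
        print(fname, validate_upload(fname, blob))
```

Content checks are only half of it: the uploaded file should be stored under a server-generated name outside the document root, and the upload directory should be served with script execution off (for mod_php, `php_admin_flag engine off` in the main server config, with `AllowOverride None` so a dropped .htaccess like the one on this VM cannot turn it back on).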

That completes the Tommy Boy VM - a very fun capture the flag to play. I can already see people on IRC pulling out their hair finding the HTML file, as I did. Looking forward to more from the 7MinSec guys.

-Geckom