2026-05-06 9 MIN READ

TommyBoy1 - Vulnhub

VULNHUB VULNERABLE VIRTUAL-MACHINE VM OCSP

Reconnaissance

Since the machine was deployed within the hypervisor network, an Nmap ping sweep was executed to enumerate active hosts and identify the target’s IP address.

nmap -sn 192.168.122.1/24

Scanning

An Nmap scan was performed to identify open ports and services:

# Nmap 7.95 scan initiated Sat Apr 25 18:17:33 2026 as: nmap -sC -sV -Pn --min-rate 3000 -p- -oN nmap.txt 192.168.122.128
Nmap scan report for CallahanAutoSrv01 (192.168.122.128)
Host is up (0.000055s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|   256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
|_  256 56:9e:71:2a:a3:83:ff:63:11:7e:94:08:dd:28:1d:46 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Welcome to Callahan Auto
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
8008/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: KEEP OUT
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 52:54:00:FC:9F:F4 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 25 18:17:40 2026 -- 1 IP address (1 host up) scanned in 7.39 seconds

Initial Nmap enumeration identified an open SSH port and two HTTP services (ports 80 and 8008). Subsequent steps included directory discovery and targeted enumeration of the web services to further assess the attack surface.

Enumeration

Wordpress

The web application on port 80 was analyzed first. Because the site was simple, its source code was reviewed directly, which revealed useful clues.


Inspection of the robots.txt file revealed the directory containing the first flag.


ffuf was then used for directory discovery, but it produced few results. Following up on the earlier findings, a YouTube reference to "prehistoricforest" was identified.

Wordpress

Enumeration of the site content revealed a password-protected post. Additional posts contained useful information that contributed to further analysis.


The directory referenced in the post contained an image. Analysis with exiftool revealed metadata including a hash, which was cracked to recover the password for the protected post.


The recovered password allowed access to the protected post. The post disclosed a time-restricted FTP service, available for 15 minutes before resetting. It also referenced the user nickburns, whose password is required for further access.


A subsequent Nmap scan was performed to identify the port on which the FTP service was running.

# Nmap 7.95 scan initiated Sat Apr 25 20:35:33 2026 as: nmap -sC -sV -p- -oN results.txt 192.168.122.128
Nmap scan report for CallahanAutoSrv01 (192.168.122.128)
Host is up (0.000057s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a0:ca:62:ce:f6:7e:ae:8b:62:de:0b:db:21:3f:b0:d6 (RSA)
|   256 46:6d:4b:4b:02:86:89:27:28:5c:1d:87:10:55:3d:59 (ECDSA)
|_  256 56:9e:71:2a:a3:83:ff:63:11:7e:94:08:dd:28:1d:46 (ED25519)
80/tcp    open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Callahan Auto
| http-robots.txt: 4 disallowed entries
| /6packsofb...soda /lukeiamyourfather
|_/lookalivelowbridge /flag-numero-uno.txt
8008/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: KEEP OUT
65534/tcp open  ftp     ProFTPD 1.2.10
MAC Address: 52:54:00:FC:9F:F4 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 25 20:35:51 2026 -- 1 IP address (1 host up) scanned in 17.77 seconds

Common credential patterns and a limited dictionary attack identified valid credentials: nickburns:nickburns. Access to the FTP server was obtained, and a readme file was retrieved. The file contained the next clue, referencing a dropbox subdirectory on the web server.


Web Server

A service running on port 8008 was identified, but subsequent directory enumeration yielded no relevant results.


Based on a reference to Steve Jobs, it was inferred that modifying the User-Agent could influence the response. After changing it to an iPhone/macOS User-Agent, the application returned a different result.


The User-Agent string that had been set in Firefox was replicated in Gobuster for directory enumeration. This produced different results, revealing directories with relevant information.

CUSTOM_USER_AGENT="Mozilla/5.0 (iPhone; CPU iPhone OS 18_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.0 Mobile/15E148 Safari/604.1"
echo "Using custom User-Agent: $CUSTOM_USER_AGENT"
gobuster dir -u http://192.168.122.128:8008/NickIzL33t/ -w /usr/share/wordlists/dirb/common.txt -a "$CUSTOM_USER_AGENT" -q -x html,txt,bak -t 10

Findings

Accessing /fallon1.html revealed three resources: hint.txt, a reference to the third flag, and a password backup archive. Based on the hint, further analysis was required to derive the password needed to extract the backup.


Research on the referenced movie was conducted to generate a custom wordlist using Crunch. This wordlist was then used with fcrackzip to successfully crack the password-protected archive.


crunch 13 13 -t bev,%%@@^1995 -o pass_dict.txt
fcrackzip -u -D -p pass_dict.txt t0msp4ssw0rdz.zip

The crunch pattern generates every 13-character candidate that starts with bev, followed by one uppercase letter (,), two digits (%%), two lowercase letters (@@), one special character (^), and ends with 1995, and saves them to pass_dict.txt.
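To put a number on how much the hint gave away, the following added Python example (not the author's code) reimplements the placeholder semantics crunch documents for -t and computes the keyspace and worst-case guessing time for the pattern above; the symbol set used for ^ is an assumption, not crunch's exact list.

```python
"""Quantify the keyspace a crunch-style '-t' pattern leaves to guess.

Added example, not code from the walkthrough: it re-implements the placeholder
semantics crunch documents for -t (',' uppercase, '%' digit, '@' lowercase,
'^' symbol, anything else literal) so a defender can see how far a leaked
format shrinks the search. SYMBOLS is an assumed set, not crunch's exact list.
"""
import string

SYMBOLS = "!@#$%^&*()-_+="   # assumed special-character set for '^' (constructed)

PLACEHOLDERS = {
    ",": string.ascii_uppercase,
    "%": string.digits,
    "@": string.ascii_lowercase,
    "^": SYMBOLS,
}


def charsets(pattern: str) -> list:
    """Candidate characters per position; literal characters become 1-char sets."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def keyspace(pattern: str) -> int:
    """Number of candidates the pattern can produce (product of position sizes)."""
    total = 1
    for cs in charsets(pattern):
        total *= len(cs)
    return total


def matches(candidate: str, pattern: str) -> bool:
    """True if candidate is one of the strings the pattern can produce."""
    sets = charsets(pattern)
    return len(candidate) == len(sets) and all(c in cs for c, cs in zip(candidate, sets))


def exhaust_seconds(pattern: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return keyspace(pattern) / guesses_per_second


if __name__ == "__main__":
    pat = "bev,%%@@^1995"
    print(f"{pat}: {keyspace(pat):,} candidates")        # 26*10*10*26*26*len(SYMBOLS)
    print(f"exhausted in {exhaust_seconds(pat, 1e4):.0f} s at 10k guesses/s")
    print(matches("bevH00tr$1995", pat))                  # True
```

A 13-character password that looks strong on paper collapses to a few tens of millions of candidates once its structure is known, which is the real lesson of the hint.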

Using the recovered password bevH00tr$1995, the ZIP archive was extracted. The passwords.txt file contained further hints for the SSH user credentials.


Wordpress

Based on this information, WPScan enumeration was performed to identify potential users. The identified usernames were then used in a password brute-force attack.

wpscan --url http://192.168.122.128/prehistoricforest/ --enumerate vp,vt,u --random-user-agent

WordPress Security Scanner by the WPScan Team
Version 3.8.28
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...

[i] Update completed.
[+] URL: http://192.168.122.128/prehistoricforest/ [192.168.122.128]
[+] Started: Mon May  4 18:12:25 2026

Interesting Finding(s):

[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.122.128/prehistoricforest/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/


[+] WordPress readme found: http://192.168.122.128/prehistoricforest/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.122.128/prehistoricforest/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
|  - https://www.iplocation.net/defend-wordpress-from-ddos
|  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.5.3 identified (Insecure, released on 2016-06-21).
| Found By: Rss Generator (Passive Detection)
|  - http://192.168.122.128/prehistoricforest/index.php/feed/, <generator>https://wordpress.org/?v=4.5.3</generator>
|  - http://192.168.122.128/prehistoricforest/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.5.3</generator>


[+] WordPress theme in use: twentysixteen
| Location: http://192.168.122.128/prehistoricforest/wp-content/themes/twentysixteen/
| Last Updated: 2025-12-03T00:00:00.000Z
| Readme: http://192.168.122.128/prehistoricforest/wp-content/themes/twentysixteen/readme.txt
| [!] The version is out of date, the latest version is 3.7
| Style URL: http://192.168.122.128/prehistoricforest/wp-content/themes/twentysixteen/style.css?ver=4.5.3
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead wi...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
|  - http://192.168.122.128/prehistoricforest/wp-content/themes/twentysixteen/style.css?ver=4.5.3, Match: 'Version: 1.2'


[+] Enumerating Vulnerable Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:00:03 <==========================================> (652 / 652) 100.00% Time: 00:00:03
[+] Checking Theme Versions (via Passive and Aggressive Methods)

[i] No themes Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <============================================> (10 / 10) 100.00% Time: 00:00:00


[i] User(s) Identified:

[+] tommy
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)


[+] richard
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
|  Rss Generator (Passive Detection)
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)


[+] tom
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
|  Login Error Messages (Aggressive Detection)


[+] Tom Jr.
| Found By: Rss Generator (Passive Detection)

[+] Big Tom
| Found By: Rss Generator (Passive Detection)


[+] michelle
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Mon May  4 18:12:34 2026
[+] Requests Done: 731
[+] Cached Requests: 9
[+] Data Sent: 249.348 KB
[+] Data Received: 23.686 MB
[+] Memory used: 296.52 MB
[+] Elapsed time: 00:00:08

Password brute-force attacks were then conducted against the identified usernames using multiple password lists and dictionaries, eventually yielding valid credentials.
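The WPScan run and the brute-force step leave a recognisable trail in the web server's access log: many distinct ?author=N requests from one client, followed by bursts of POSTs to wp-login.php or xmlrpc.php. The following added Python example (not from the walkthrough) shows detection logic over constructed Apache combined-format lines; the /prehistoricforest/ prefix and both thresholds are assumptions for the demo.

```python
"""Flag WordPress user enumeration and login brute force in Apache access logs.

Added detection example, not from the walkthrough. WPScan's own output names
the techniques it relied on: author-ID brute forcing (?author=N), login error
messages and XML-RPC access. This counts that trail per client IP. Log lines
are constructed samples; prefix and thresholds are assumptions for the demo.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_ID_MIN = 5    # distinct ?author= values from one IP (assumed threshold)
LOGIN_POST_MIN = 10  # POSTs to wp-login.php / xmlrpc.php from one IP (assumed threshold)


def parse(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return {ip: {finding: count}} for every client IP that crosses a threshold."""
    author_ids, login_posts = defaultdict(set), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        url = urlsplit(rec["path"])
        author_ids[rec["ip"]].update(parse_qs(url.query).get("author", []))
        if rec["method"] == "POST" and url.path.endswith(("/wp-login.php", "/xmlrpc.php")):
            login_posts[rec["ip"]] += 1
    findings = defaultdict(dict)
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_ID_MIN:
            findings[ip]["author_id_enumeration"] = len(ids)
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_MIN:
            findings[ip]["login_bruteforce"] = n
    return dict(findings)


SAMPLE_LOG = (  # constructed: one scanner-like client (10.0.0.9) and one ordinary visitor (10.0.0.5)
    [f'10.0.0.9 - - [04/May/2026:18:12:25 +0000] "GET /prehistoricforest/?author={i} HTTP/1.1" 301 0'
     for i in range(1, 11)]
    + [f'10.0.0.9 - - [04/May/2026:18:13:{s:02d} +0000] "POST /prehistoricforest/wp-login.php HTTP/1.1" 200 4100'
       for s in range(12)]
    + ['10.0.0.5 - - [04/May/2026:18:14:01 +0000] "GET /prehistoricforest/?author=1 HTTP/1.1" 301 0',
       '10.0.0.5 - - [04/May/2026:18:14:02 +0000] "POST /prehistoricforest/wp-login.php HTTP/1.1" 302 0'])

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # {'10.0.0.9': {'author_id_enumeration': 10, 'login_bruteforce': 12}}
```

The same counters map directly onto the mitigations: block or rate-limit ?author= redirects and xmlrpc.php, and throttle wp-login.php per source.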


After authenticating to the WordPress account, a post was identified containing the missing digits required to complete the SSH password, resulting in initial access to the system.


Exploitation

System enumeration included users, cron jobs, and sudoers configuration, but no privilege escalation paths were identified. A retrieved flag hinted at the location of the fifth flag; however, the file could not be accessed due to permission restrictions.


Further enumeration was performed using LinPEAS, revealing system details including database configuration (no active database service was identified) and a vulnerable version of pkexec susceptible to PwnKit.


Privilege Escalation

Further analysis of the identified CVE led to a suitable exploit. A public PoC from arthepsy was compiled in C and executed, resulting in immediate root access.


With root access, the final flag /.5.txt was read, providing the last element needed to complete the password. This enabled extraction of the LOOT.ZIP file in the bigtommysenior directory.


The machine highlighted an outdated version of PolKit as a critical privilege escalation vector. Extensive enumeration was required, often leading to multiple rabbit holes before achieving initial access. Overall, it provided valuable practice for OSCP-level methodologies in a challenging and engaging scenario.


Written by kur0bai

END_OF_REPORT | AUTHOR: JESUS SALCEDO