• VM: Tr0ll: 1
  • Goal: acquire root access
  • Approach: solve without automated exploitation tools

Enumeration

Target Discovery

First locate the IP address of my target:

nmap -n -sn 192.168.172.200-
Target: 192.168.172.232

Port Scanning

nmap -p- -A 192.168.172.232

Port     Service/Banner
TCP 21   vsftpd 3.0.2
TCP 22   OpenSSH 6.6.1p1 Ubuntu 2ubuntu2
TCP 80   Apache 2.4.7

Check out the website


Lol, there isn’t much info on the website. So I check the robots.txt file, and it shows a folder /secret.

(screenshots: robots.txt and the /secret folder)

Ha, the author is trolling. Ok, not much on the website so far. Let’s turn to the FTP service.

FTP anonymous login

Try logging in as anonymous.


Ok, there’s a file lol.pcap, which looks like a packet capture. Download it and open it in Wireshark. There are several TCP streams I can follow, two of them with interesting info (in the display filter, type tcp.stream eq 0 to see the first stream and increment the number for the next one):

(screenshot: TCP stream 0)

The first stream reveals a file secret_stuff.txt.

(screenshot: TCP stream 2)

The second stream shows a word, sup3rs3cr3tdirlol. Try plugging both into the website. I can’t find secret_stuff.txt, but sup3rs3cr3tdirlol is a folder on the website:

(screenshot: directory listing of /sup3rs3cr3tdirlol, containing roflmao)

Clicking on roflmao shows that it’s a binary file to download.


Checking the file with a hex editor, I find a message:


The message is: Find address 0x0856BF to proceed

I search for the address in the hex editor but can’t find it. Turns out it’s also a folder on the website:

(screenshot: directory listing of /0856BF)

Following the good_luck directory, I find a list of names. I save the list to a file, names.txt.

(screenshots: the which_one_lol file in good_luck and its contents, the list of names)

Then I check out this_folder_contains_the_password/:


I save both the file name (Pass.txt) and its content (Good_job_:)) to the file passwords.txt.

Exploitation

With a list of names and some passwords to try, let’s do an online password cracking attack using hydra.

hydra -L names.txt -P passwords.txt 192.168.172.232 ssh -f -V

After running for a while, the attack receives a bunch of connection refused errors and then fails. It looks like the SSH server denies login attempts after some failures but comes back after a while, so I slow the attack down with the -c 10 flag (a 10 second wait between login attempts):

hydra -L names.txt -P passwords.txt 192.168.172.232 ssh -f -V -c 10


It takes longer to crack, but I do find a valid user/password pair: overflow/Pass.txt

SSH Login

ssh overflow@192.168.172.232

Login succeeds. All right, I finally have my foot in the door. 🙂

Privilege Escalation

I did some enumeration such as sudo -l, crontabs, etc. without finding anything fruitful. The author is really trolling: I get kicked out every 5 minutes, which is the most annoying part. lol

Finally I catch something interesting when looking for world-writable files:

find / -perm -o+w -type f 2> /dev/null | grep -v /proc

The grep -v /proc excludes files under /proc, which are not relevant here.

The file cleaner.py looks interesting. Let’s check out the script:


It’s a script that removes (cleans up) all files in the /tmp folder. It would be useful if there’s a cron job defined to run this script regularly. So I create a file in /tmp to test that:


And wait a while…


Looking good. The test.txt file is gone! Now I modify the script to create a shell with the setuid bit set:


Wait for a while again…


The file dash is created and owned by root. Awesome: with the setuid bit set, the shell runs as root. Root shell obtained!

Capture the Flag

(screenshot: root flag)

Afterword

As it turns out, the cron job is located at /var/spool/cron/crontabs. It executes /opt/lmao.py every 5 minutes to kick us out of our login, and /lib/log/cleaner.py every 2 minutes.

(screenshot: root’s crontab)
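The privilege escalation above and the crontab revealed here come down to one misconfiguration: a root cron job runs a script that any user can edit. As an added example that is not part of the original write-up, here is a small POSIX shell audit that parses crontab files and flags every scheduled script with weak permissions; the crontab locations and formats are standard cron conventions, the cleaner.py path is the one from this box, and GNU or BSD find is assumed.

```shell
#!/bin/sh
# Added example, not from the original write-up: flag cron jobs whose script
# files can be modified by other users. Tr0ll's root crontab runs the
# world-writable /lib/log/cleaner.py, which is exactly what this catches.

# Print the command part of each job in a crontab file.
#   $1 = file, $2 = 1 if lines carry a user column (/etc/crontab style)
cron_commands() {
    # Drop comments, blank lines and VAR=value settings, then strip the five
    # schedule fields (or an @reboot-style keyword) plus the optional user.
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    awk -v user="$2" '{
        n = ($1 ~ /^@/) ? 1 : 5
        if (user == "1") n++
        for (i = 1; i <= n; i++) $i = ""
        sub(/^[[:space:]]+/, ""); print
    }'
}

# True when $1 is world-writable, or sits in a world-writable directory that
# lacks the sticky bit (so anyone could replace the file).
weak_perms() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o+w 2>/dev/null)" ] && return 0
    [ -n "$(find "$(dirname "$1")" -maxdepth 0 -perm -o+w ! -perm -1000 2>/dev/null)" ]
}

# Report every absolute path used by a job in $1 that has weak permissions.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_cron_file() {
    hits=0
    for p in $(cron_commands "$1" "$2" | tr ' \t' '\n\n' | grep '^/' | sort -u); do
        [ -e "$p" ] || continue
        if weak_perms "$p"; then
            printf '%s: %s is modifiable by other users\n' "$1" "$p"
            hits=1
        fi
    done
    return $hits
}

# Audit the usual locations: per-user crontabs and the system crontab.
audit_system_cron() {
    rc=0
    for f in /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] && { audit_cron_file "$f" 0 || rc=1; }
    done
    [ -f /etc/crontab ] && { audit_cron_file /etc/crontab 1 || rc=1; }
    return $rc
}
```

Run audit_system_cron as root on the box and the cleaner.py entry is the only line it reports; it exits non-zero so the check can sit in a hardening pipeline.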

Thank you author Maleus for the box Tr0ll 1 and all the trolling!
