- VM: Tr0ll: 1
- Goal: acquire root access
- Approach: solve without automated exploitation tools
Enumeration
Target Discovery
First locate the IP address of my target:
nmap -n -sn 192.168.172.200-

Port Scanning
nmap -P- -A 192.168.172.232

Ports | Service/Banner |
TCP: 21 | vsftpd 3.0.2 |
TCP: 22 | OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 |
TCP: 80 | Apache 2.4.7 |
Checkout website

Lol, there isn’t much info on the website. So I check robots.txt file and it shows a folder /secret.


Ha, the author is trolling. Ok, not much so far on the website. Let’s turn to the ftp.
FTP anonymous login
Try to login as anonymous.

Ok, there’s a file lol.pcap. Looks like a packet capture file. Download it and check it out using wireshark. In wireshark, there are several TCP Streams I can follow, 2 of them with interesting info.: (at display filter, type tcp.stream eq 0 to see first stream and increment the number for the next stream)

The first stream reveals a file secret_stuff.txt.

The second stream so a word sup3rs3cr3tdirlol. Try to plug them in to the website. I can’t find secret_stuff.txt but sup3rs3cr3tdirlol is a folder on the website:

Click on roflmao shows that it’s a binary file to download.

Using hexeditor to check out the file I find a message:
hexeditor roflmao

The message is: Find address 0x0856BF to proceed
I search the address in the hex editor but couldn’t find the address. Turns out it’s also a folder on the website:

Follow the good_luck directory and I find a list of names. I save the list to a file names.txt


Then I check out this_folder_contains_the_password/


I save both the file name (Pass.txt) and content (Good_job_:))to the file passwords.txt
Exploitation
With a list of names & some passwords to try, let’s do a online password cracking using hydra.
hydra -L names.txt -P passwords.txt 192.168.172.232 ssh -f -V
After running it for a while, the attack receives bunch of connection refused errors and then failed. Looks like the SSH server denied the login attempts after some failure. But it comes back after a while. So I slow down the attack using -c 10 flag.
hydra -L names.txt -P passwords.txt 192.168.172.232 ssh -f -V -c 10

It takes longer to crack but I did find a valid user/password pair: overflow/Pass.txt
SSH Login
ssh overflow@192.168.172.232

Login success. All right. Finally have my foot in. 🙂
Privilege Escalation
Did some enumeration like sudo -l, crontabs & etc without finding anything fruitful. The author is really trolling. I got kicked out every 5 minutes. That’s the most annoying part. lol
Finally catch something interesting when looking for world writable files:
find / -perm -o+w -type f 2> /dev/null | grep /proc -v
‘grep /proc -v’ to exclude files in /proc folder, which are not relevant.

The cleaner.py looks interesting. Let’s check out the script:

It’s a script to remove (cleanup) all files in the /tmp folder. It would be useful if there’s a cron job defined to run this script regularly. So I create a file at /tmp to test it out:

And wait a while…

Looking good. The test.txt file is gone! Now I am going to modify the script to create a shell with setuid privilege:

Wait for a while again…

The file dash is created and owned by root. Awesome, with setuid privilege, the shell is running as root. Root shell obtained!
Capture the Flag

Afterword
As it turns out, the cron job is located at /var/spool/cron/crontabs. It executes /opt/lmao.py every 5 minutes to kick us out of our login and /lib/log/cleaner.py every 2 minutes

Thank you author Maleus for the box Tr0ll 1 and all the trolling!
c493dD0g
7 Jun 2022Nice write up. Thank you for this.