Code name: tr0ll
VM download: http://download.vulnhub.com/tr0ll/Tr0ll.rar
Challenge: hack your way into the system and get root
First of all and just after booting our victim’s box, we start by searching tr0ll on the network.
As our victim VM is running under VirtualBox, we can find its IP easily: we just have to look at the MAC vendor, which will be CADMUS COMPUTER SYSTEMS.
Now that we have our victim’s IP, we will use nmap to scan for open ports and other interesting information.
# nmap -Pn -A -p- 192.168.11.8
Nice, ports 21, 22 and 80 are open. And according to the nmap output, there’s an FTP server running on port 21 with anonymous login enabled!
# ftp 192.168.11.8
We successfully logged into the FTP server, and after checking our permissions, the only thing we can do here is download the lol.pcap file.
# get lol.pcap
lol.pcap looks like a Wireshark capture file. Let’s use Wireshark to see what’s inside.
The capture file seems to be a “conversation” between an FTP client and an FTP server. But if we look at it closely we can see an interesting file in there, secret_stuff.txt. As we just saw, that file doesn’t seem to be on the FTP server right now, but we can use Wireshark to read its content:
“we almost found the sup3rs3cr3tdirlol”
Well, let’s keep that in mind and go scan our next service. The next step will be looking inside the web server. We start by just browsing it.
Nothing more than expected, no sensitive information found. We will use nikto to look for hidden directories.
# nikto -h http://192.168.11.8
After running the scan we found the “/secret/” dir. And if we browse to it...
Nothing new… just more trolling. N0w’s when the thinkin’ begins. After a few minutes I remembered the sup3rs3cr3tdirlol… and when I looked for that dir in the browser
Nice, that’s actually a directory on the web server. That directory contains a file, which we will download.
After a few tries, we realized that the file is an executable. If we run it, we get a memory address. Following the same logic we used with the sup3rs3cr3tdirlol, let’s put it in the browser one more time.
Nice, now let’s look inside those directories.
The first seems to contain a list of users and the second a password. We can try a dictionary-based attack against the FTP and SSH services on our target machine.
After a few minutes of banging my head against the wall, I realized that the SSH username was “overflow” and its password was “Pass.txt” (trolled again). So we can log into the system with these credentials.
Nice, we are in. Now we can look for SUID files or weaknesses in the kernel.
But after about 2 minutes inside…
Uh... something or someone killed our connection. What could it be? After a quick analysis we can see that it happens every 2 minutes. Every 2 minutes? Could it be a cron task? Let’s see.
We can’t actually see or edit the crontab, but we can read /var/log/cronlog, and that gives us some interesting info.
Nice, cron is running a Python script called cleaner every 2 minutes. We can use the find command to locate that file:
# find / -name 'cleaner.py' 2>/dev/null
Now let’s read the file.
What that file does is delete all the content in /tmp every time it’s called.
But it is executed by the user root, and we can write to it! Thinking the same? That could be a great way of doing our privilege escalation!
For the next trick we will need to start our netcat listener on port 9988
Then, after editing our “perl-reverse-shell.pl”, we will download it into the /tmp dir on the target machine.
And finally, we will edit cleaner.py like this:
Now every 2 minutes our victim will send a root shell to port 9988 on our box B-). We can go to the fridge, grab a beer and wait for a shell.
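The weakness this whole escalation rests on is a script that root’s cron runs but an unprivileged user can edit. As an added example (not from the original post, and not anything from the tr0ll VM itself), here is a small Python audit that parses system-crontab lines and flags root jobs whose script is writable by others; the crontab text, file names and permission modes are constructed for the demo.

```python
"""Audit /etc/crontab-style entries for root jobs whose script another user
can modify (the cleaner.py weakness from the walkthrough). Added example,
not part of the original post; crontab text and files below are constructed."""
import os
import stat
import tempfile

def writable_by_others(path):
    """True if the file has group/world write bits, or sits in a world-writable
    directory without the sticky bit (so anyone could replace it)."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    parent = os.stat(os.path.dirname(path)).st_mode
    return bool(parent & stat.S_IWOTH) and not parent & stat.S_ISVTX

def audit_crontab(crontab_text):
    """Return (schedule, user, script) for root jobs that run a script which
    is writable by someone other than its owner. Lines are the system-crontab
    form: five time fields, the user, then the command."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comment or environment assignment such as SHELL=/bin/sh
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[5] != "root":
            continue
        schedule, command = " ".join(fields[:5]), fields[6]
        # The first absolute path in the command is treated as the script run
        for token in command.split():
            if token.startswith("/") and os.path.isfile(token):
                if writable_by_others(token):
                    findings.append((schedule, "root", token))
                break
    return findings

def demo(script_mode=0o777):
    """Constructed scenario: root runs a cleanup script every 2 minutes.
    0o777 reproduces the misconfiguration; 0o755 is the fixed permission."""
    workdir = tempfile.mkdtemp()  # created with mode 0700, so not world-writable
    script = os.path.join(workdir, "cleaner.py")
    with open(script, "w") as fh:
        fh.write("import os\n")  # placeholder body; its content is irrelevant here
    os.chmod(script, script_mode)
    crontab = "SHELL=/bin/sh\n*/2 * * * * root python %s\n" % script
    return audit_crontab(crontab)
```

demo() returns the flagged job for the world-writable script, while demo(0o755) returns an empty list; on a real host you would feed audit_crontab the contents of /etc/crontab and the files under /etc/cron.d instead.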