TR0LL 1
- Layout for this exercise:

1 - INTRODUCTION
- The goal of this exercise is to study the exploitation process for the vulnerable machine Tr0ll 1.
- According to the author's description, there is a Proof.txt file in the /root directory.
- Tr0ll 1 can be downloaded from here:
- Once downloaded and extracted with VMware:

2 - ENUMERATION
- Using netdiscover to find the IP corresponding to Tr0ll 1:


- Scanning with Nmap, there are 3 available services: ports 21 (FTP), 22 (SSH) and 80 (HTTP):

2.1 - Web service
- Starting with the web service, we detect the presence of the folder /secret and the file robots.txt:

- Same information with nikto:

- Going directly to the website, there is nothing interesting:


- Similar results when checking robots.txt and /secret:



2.2 - FTP Service
- Scanning port 21 specifically for the FTP service, we discover that anonymous login is allowed:

- Logging in as anonymous:

- There is a very promising file called lol.pcap:

3 - EXPLOITATION
- Getting the file lol.pcap:


- lol.pcap can also be downloaded by using the browser with the FTP protocol:


- Opening lol.pcap with Wireshark:


- There is a line about a file called secret_stuff.txt:

- Following the TCP Stream number 0:

- Following the TCP Stream number 2:

- So, we learn that there is an additional directory called sup3rs3cr3tdirlol.
- Let's see if we can access it via the browser:

- It contains a file called roflmao; let's download it and see what we can learn about it.
- It seems to be a binary file:


- At this moment the file has no execute permission:

- Granting execute permission:


- Running the file we find more information:

- Trying 0x0856BF as a web directory, we discover 2 new folders:

- The folder good_luck contains a list of potential usernames:


- In the folder this_folder_contains_the_password there are 2 strings that could be passwords: Pass.txt and Good_job:)


- Let's create a text file for potential usernames:

- Same thing for potential passwords:

- Launching Hydra against the SSH service using both wordlists:

- The result is successful for overflow:Pass.txt.

- Using overflow:Pass.txt as SSH credentials we get a remote shell:



- However, this shell has low privileges, so we need privilege escalation to complete the attack:

4 - PRIVILEGE ESCALATION
- Let's try two alternative ways to perform privilege escalation:
4.1 - Exploiting the Operating System
- From the previous step we know that Tr0ll 1 is an Ubuntu 14.04 machine with kernel 3.13:

- Googling for an exploit for this version:

- searchsploit helps us find the privilege escalation exploit:


- The path to find the exploit is:


- Looking for 37292.c:

- Starting a SimpleHTTPServer on port 8000 of the attacking Kali machine:

- Going to the remote shell on Tr0ll1, let's change to the directory /tmp, which is usually writable:

- Downloading 37292.c from Kali:

- Compiling 37292.c:

- Running the executable 37292, we finally get a root shell:

4.2 - Exploiting a crontab misconfiguration
- It is noticeable that every few minutes the SSH connection is closed by the remote host, which sends back a laughing message:

- At the same time the content of /tmp is removed by the remote host:

- These two observations suggest that a cron job is probably running here.
- However, when searching for the crontab, permission is denied:


- Looking for writable areas:



- Looking at cronlog, we detect the presence of a script called cleaner.py, run every 2 minutes via crontab:

- Let's find it:


- Interestingly, cleaner.py is writable by us and runs with full root privileges:

- Reading the content of cleaner.py, we now understand why tr0ll1 clears all content of /tmp every 2 minutes:


- Now, the idea that comes to mind: why not change the content of the script to our own benefit? For instance, giving the user overflow sudo privileges to run a root shell.
- Let's check that at this moment the user overflow does not have any sudo privileges:

- Editing cleaner.py so that it grants the user overflow full sudo privileges:


- After waiting for the period to expire, tr0ll1 kicks us out of the SSH connection:

- Reconnecting again with SSH:

- Eventually, the user overflow gets a root shell:

- Being root, we can look deeper into how crontab works to understand what was happening on tr0ll1:




- Every 5 minutes, the script lmao.py sends back a teasing message and also kills the session of the user overflow:
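- As an added defensive example (not part of the original write-up), a POSIX shell audit that lists root cron jobs whose script can be modified or replaced by other users, which is the weakness behind cleaner.py; the crontab and script files it checks are constructed in a temporary directory, and /etc/crontab layout (5 schedule fields, user, command) is assumed:

```shell
#!/bin/sh
# Added example, not part of the Tr0ll 1 write-up: audit a system crontab
# (/etc/crontab layout: 5 schedule fields, user, command) for root jobs whose
# script can be modified or replaced by other users, the misconfiguration
# abused in step 4.2 (a root cron job running a writable cleaner.py).

# Print "<mode> <path>" for each root job in FILE whose script is group- or
# world-writable, or lives in a world-writable directory without the sticky bit.
audit_cron_file() {
    # Drop comments, blank lines and environment assignments such as SHELL=...
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while read -r f1 f2 f3 f4 f5 user cmd; do
        case "$f1" in                      # @reboot / @daily form has no 5 fields
            @*) cmd="$f3 $f4 $f5 $user $cmd"; user="$f2" ;;
        esac
        [ "$user" = root ] || continue
        # Every absolute path in the command is a candidate script, e.g.
        # "python /path/cleaner.py" yields /path/cleaner.py.
        for tok in $cmd; do
            case "$tok" in /*) [ -f "$tok" ] || continue ;; *) continue ;; esac
            dir=$(dirname "$tok")
            if [ -n "$(find "$tok" \( -perm -g+w -o -perm -o+w \))" ] ||
               { [ -n "$(find -L "$dir" -prune -perm -o+w)" ] && [ ! -k "$dir" ]; }; then
                printf '%s %s\n' "$(ls -ld "$tok" | cut -c1-10)" "$tok"
            fi
        done
    done
}

# Constructed fixture mirroring the Tr0ll 1 jobs: a world-writable cleaner.py
# (should be flagged) and a root-only lmao.py (should not). Prints the findings.
demo_findings() {
    tmp=$(mktemp -d)
    printf '#!/usr/bin/env python\nprint("constructed")\n' > "$tmp/cleaner.py"
    cp "$tmp/cleaner.py" "$tmp/lmao.py"
    chmod 666 "$tmp/cleaner.py"
    chmod 700 "$tmp/lmao.py"
    cat > "$tmp/crontab" <<EOF
# constructed /etc/crontab for the demo
SHELL=/bin/sh
*/2 * * * * root python $tmp/cleaner.py
*/5 * * * * root python $tmp/lmao.py
@reboot     root $tmp/lmao.py
EOF
    audit_cron_file "$tmp/crontab"
    rm -rf "$tmp"
}

demo_findings
```

Run against the real /etc/crontab (and the files under /etc/cron.d) on a host to spot the same class of problem; only cleaner.py is reported for the constructed fixture.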

5 - CAPTURING THE FLAG
- Going to the /root folder we finally read the flag proof.txt:
