Sunday, September 2, 2018

Tr0ll 2


TR0LL 2

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is the study of the hacking process for the vulnerable machine Tr0ll 2.

- According to the author's description there is a Proof.txt file at the /root directory.

- Tr0ll 2 can be downloaded from here:

https://www.vulnhub.com/entry/tr0ll-2,107/


- Once downloaded and extracted with VirtualBox:






2 - ENUMERATION

- Using netdiscover to find the IP corresponding to Tr0ll 2:







- Scanning with Nmap there are 3 available services at port 21 (FTP), 22 (SH) and 80 (HTTP):




3 - EXPLOITATION

3.1 - Exploiting the FTP service

- Using Hydra and a wordlist to attackt the FTP service we get valid credentials:






- Connecting to the FTP service via the browser and using Tr0ll:Tr0ll as credentials:







- There is a zip file called lmao.zip:




- Saving:




- Also, the MOTD (Welcome to Tr0ll FTP) gives us a hint about the same credentials:




- Getting lmao.zip via the command shell:





- There is a password to protect the unzipping:





3.2 - Exploiting the Web service

- Conecting directly with the browser:







- Trying the file robots.txt we discover a lot of potential available folders:



- Editing the folders into a text file:






- Now, using dirb with the folders file as a wordlist we discover that of the whole list of folders there are only 4 of them accessible:




- Checking one fake directory, for instance you_found_me:




- However, going to the 4 valid directories, we find a picture called cat_the_troll.jpg:























- Downloading the 4 pictures an renaming them:








- Checking what type of file they are:




- Redirecting the strings command outputs to text files:





- Using diff  to compare the files, we notice that the picture corresponding to the directory dont_bother includes a final different line:





......




- Following the advice of the line, let's try y0ur_self as a new directory:




- The file answer.txt contains strings encoded with base64:








- Decoding with base64 and outputting to d_answer:




- Now we have a new wordlist:


.........................

- Let's try to unzip the file found at the FTP server, using fcrackzip and the decoded text file d_answer as a wordlist:




- Using the password to unzip we find a file called noob:



- noob contains an RSA Private Key:





- The presence of an RSA Private Kye gives us a hint that probably we are dealing with an SSH login solution.


3.3 - Exploiting the SSH service

- Now, let's try to exploit the SSH service. 

- SSH -i option allows to include an identity_file, in our case the RSA Private Key discovered before, contained into fhe file noob:





- However, the system rejects the connection:




- Taking advantage of the Shellshock vulnerability applied to the OpenSSH server, providing the RSA Private Key for user noob, as explained here:

http://bloggars-online.blogspot.com/2014/10/bash-shellshock-ssh-exploit.html
https://www.zdziarski.com/blog/?p=3905
https://github.com/opsxcq/exploit-CVE-2014-6271


- Testing:



- Finally, a low privilege shell is achieved:




- Improving the shell:




- Exploring:




- The .bash_history informs us about a potential Buffer Overflow (./bof):




- Going to the suspicious folder /nothing_to_see_here:




- We find choose_wisely:




- There are 3 doors:




- The 1st door contains an executable r00t file that accepts an input:







- The 2nd door includes an executable r00t file that fools the attacker:




- Same thing for the 3rd door:




- So, definitely the interesting file to be exploited is the r00t that accepts an input.

- However, let's notice that once accessing to Tr0ll 2 several times, the 3 doors change their contents, alternating the 3 different r00ts. 

- Meaning that before launching any exploit we must find the r00t that accepts the input, every time we try to access to either door1, door2 or door3.


4 - PRIVILEGE ESCALATION

4.1 - Checking security protections

- Before building any exploit to achieve privilege escalation, let's check what type of protection measures we have ahead of us.

- About ASLR it is disabled:



- For checking other protections, let's use checksec:























- Setting a simple HTTP server:




- Downloading checksec to /tmp:




- Giving execution permissions:





- Copying r00t to /tmp:






- Applying checksec over r00t we learn that NX is disabled:







4.2 - Exploiting the Buffer Overflow

- Now it is time to start the privilege escalation process.

- Starting r00t with gdb in a quiet (-q) mode:




- Passing a long list of "A"s to overflow the stack:




- Running the breakpoint:




- The program ends up with a Segmentation fault because the stack has been overflown with "A"s (0x41).

- For discovering at what point the overflow has occured let's create a pattern of 1000 characters:




- Starting again an launching the pattern:







- The Segmentation fault happens at 0x6a413969:




- There is an offset of 268 chars:




- Let's redo the python script:










- As expected, the EIP has been rewritten with "BBBB" (0x42424242). 

- At this point, the ESP points to 0xbffffb80:




-  Now, let's find a shellcode to achieve the Privilege Escalation, for instance this one available at shell-storm:






- Redoing the python script to include:

a) 0xbffffb80 = \x80\xfb\xff\xbf (reverse order for Little Endian)
b) a bunch of NOPs (\x90)
b) the shellcode


- Launching the script as input for r00t (out of gdb !!):




- A root shell is achieved:




- It is important to notice that the final exploit must be launched out of gdb, because of some privilege problems related to the debugger, otherwise the exploit will fail.


- By the way, ShellShock affects bashes till version 4.3, what explains the vulnerability in our case (bash 4.2).


5 - CAPTURING THE FLAG

- Finally the flag is available at the file Proof.txt: