Friday, December 23, 2016

[VulnHub] Tr0ll: 1

Starting off, an nmap script scan displays a few things of note. The FTP server allows anonymous access and shows an interesting packet capture file. Also, a "secret/" directory was found in robots.txt which, judging by the name of the VM, is surely not the right rabbit hole.

Sure enough, visiting the directory...

Gr8 b8 m8. After logging in to the FTP server and downloading the "lol.pcap" file, I take a closer look in Wireshark. It looks like a capture of a useless FTP session. However, halfway down I find something of interest.

Visiting the newly found "sup3rs3cr3tdirlol/" in the webserver, I found a file called "roflmao."

Upon further inspection, it appears to be a binary, and after executing it, I see what looks like a memory address of some sort.

My first instinct was to use edb-debugger to perhaps find something to do with the address mentioned in the executable. Fortunately, I didn't waste much time (20 minutes lol) because after pasting the address into the web browser...

Yeah... Anyway, I find what looks like a username list and a password list (Pass.txt) in the respective directories, so I decide to go ahead and start brute-forcing SSH. It took me a while, but "Pass.txt" is literally the password for the "overflow" user.

Within minutes, I can tell escalation is going to be annoying because I'm getting kicked off seemingly randomly and my "/tmp/" files keep getting deleted. I figure this is the work of a cron job, so I take a look at "cron.log."

Taking a look at the file, I see this is indeed what is removing my tmp files.

I also see this file is writable, which means I can write a simple setuid binary, have the cron job give it root permissions, and I should be good. I create a simple setuid C program and compile it in the tmp directory.

Then I modify the script to give the file root permissions and set the setuid bit.

After running "ls -al" a few times, I see the file permissions change and I'm able to execute the program and become root!
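The whole escalation hinges on one misconfiguration: a script that cron runs as root is writable by an unprivileged user. As an added example (my own code, not from the VM or the post), here is a small audit that parses /etc/crontab-style job lines, flags root-run programs that are group- or world-writable, and lists setuid files left in a temp directory. The crontab text, the "cleaner.sh" path and the staged directory tree are all constructed for the demo; the function names are mine.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed /etc/crontab-style content (not the VM's real cron job): the
# first job mimics a root-run cleanup script, the second a harmless one.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root /usr/local/bin/cleaner.sh
*/5 * * * * root /usr/bin/find /tmp -mmin +30 -delete
"""


def parse_system_crontab(text):
    """Return [(user, program)] for each job line in /etc/crontab format:
    five time fields, the user, then the command. Comments, blank lines
    and @reboot-style shortcuts are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        user, command = fields[5], fields[6]
        jobs.append((user, command.split()[0]))
    return jobs


def audit_cron_scripts(crontab_text, root=Path("/")):
    """Return [(program, reason)] for root-run jobs whose program file is
    writable by group or others. `root` points the audit at a staged tree
    instead of the live filesystem so the check can run anywhere."""
    findings = []
    for user, program in parse_system_crontab(crontab_text):
        path = root / program.lstrip("/")
        if user != "root" or not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((program, "writable by group/others (mode %o)" % mode))
    return findings


def find_setuid_files(directory):
    """Return sorted relative paths of regular files under `directory` that
    carry the setuid bit; a fresh one in a world-writable dir like /tmp is
    exactly the artefact the escalation above leaves behind."""
    hits = []
    for p in Path(directory).rglob("*"):
        if p.is_file() and p.stat().st_mode & stat.S_ISUID:
            hits.append(str(p.relative_to(directory)))
    return sorted(hits)


def stage_demo_tree():
    """Build a throwaway directory tree (constructed, hypothetical layout) that
    reproduces the weak setup: an editable cleanup script and a setuid file in tmp."""
    root = Path(tempfile.mkdtemp(prefix="cronaudit-"))
    cleaner = root / "usr/local/bin/cleaner.sh"
    cleaner.parent.mkdir(parents=True)
    cleaner.write_text("#!/bin/sh\nrm -rf /tmp/*\n")
    os.chmod(cleaner, 0o777)                 # the misconfiguration: anyone can edit it
    find_bin = root / "usr/bin/find"
    find_bin.parent.mkdir(parents=True)
    find_bin.write_text("#!/bin/sh\n")
    os.chmod(find_bin, 0o755)                # sane permissions, should not be flagged
    planted = root / "tmp/sh"
    planted.parent.mkdir()
    planted.write_text("#!/bin/sh\n")
    os.chmod(planted, 0o4755)                # setuid bit set
    return root


def run_demo():
    """Stage the tree and run both checks; returns (cron_findings, setuid_files)."""
    root = stage_demo_tree()
    return audit_cron_scripts(SAMPLE_CRONTAB, root), find_setuid_files(root / "tmp")


if __name__ == "__main__":
    cron_findings, suid_files = run_demo()
    for program, reason in cron_findings:
        print("cron job program %s is %s" % (program, reason))
    for f in suid_files:
        print("setuid file under tmp: %s" % f)
```

Against a live box you would call audit_cron_scripts(Path("/etc/crontab").read_text()) and find_setuid_files("/tmp"); the fix for a hit is simply chmod 755 plus root ownership on the script, which is what takes this entire path away.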

This was a very fun VM and it did actually remind me of working in the OSCP labs. I look forward to making time for Tr0ll 2.