boot2root/CTF

Walkthrough for Tr0ll: 1


More boot2root fun with yet another pretty basic (but at times frustrating) challenge put together by maleus21 and hosted by the Supreme Leaders of Excellence and Quality Stickers, Vulnhub.

While these kinds of hack games don’t typically represent what you may find in a live production environment, often you’re left with a reminder that the dual concepts of thinking outside the box and being eternally flexible in your approach are critical in any engagement.

Also, this box was intentionally designed to make you hate it by regularly booting you off it and deleting your stuff.

Let’s get into it.

Tr0ll: 1 is a VMware-based virtual image – load it up with your preferred network settings and go ahead and locate the system using any number of methods. My Tr0ll server is sitting at 192.168.20.228, and a quick nmap scan shows what services are exposed:

[screenshot: nmap scan results]

FTP, SSH and HTTP. Nmap has also let us know that for the FTP service, anonymous logins are permitted which is good news. But let’s leave that for later and take a look at what’s running on the web interface:

[screenshot: web interface]

Fit to theme, but nothing particularly helpful there. Nikto sheds some more light on what’s hosted here:

[screenshot: Nikto output]

So there’s another directory called secret and the site hosts a robots.txt file. Reviewing this file, we see a single entry for the secret directory. Attempting to browse there presents another troll and a dead end:

[screenshot: the secret directory]

With nothing else immediately standing out on the HTTP front, it’s time to turn to FTP. Logging in anonymously, we see a packet capture file available, so let’s grab it:

[screenshot: anonymous FTP login and download of the capture file]

Opening this file up in Wireshark, we observe an FTP transaction between 10.0.0.12 and 10.0.0.6. Following the transaction stream, and focusing on the conversation originating from 10.0.0.6 (at 549 bytes in length), the transfer of a text file is clearly seen:

[screenshot: Wireshark FTP conversation]

So now we need to reassemble the FTP-DATA packets that transported the file secret_stuff.txt to 10.0.0.6. Filtering by protocol (in this case ftp-data), we see 3 packets, and packet number 40 is the one we want:

[screenshot: ftp-data packets, packet 40 selected]
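Wireshark does the reassembly above with a couple of clicks, but it is worth seeing what "reassemble the FTP-DATA packets" actually means when you have to do it from a script (for example when carving transferred files out of a large capture during an investigation). The following is an added example, not code from the original post: a minimal classic-pcap parser that pulls the payloads of every TCP segment touching the FTP-DATA port, orders them by sequence number and drops retransmissions. The capture it runs on is constructed inline (hosts 10.0.0.12 and 10.0.0.6 as in the post, the client port, the file contents and the out-of-order delivery are all made up for the demo).

```python
import struct
from collections import defaultdict

FTP_DATA_PORT = 20  # active-mode FTP: the server opens the data connection from port 20


def parse_pcap_frames(data):
    """Yield raw Ethernet frames from a classic (libpcap, not pcapng) capture file."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian (the usual case)
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def tcp_segment(frame):
    """Decode an IPv4/TCP frame into (src, dst, sport, dport, seq, payload); None otherwise."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:            # protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]   # bounded by the IP total length so Ethernet padding is ignored
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[data_offset:]


def extract_ftp_data(pcap_bytes, data_port=FTP_DATA_PORT):
    """Reassemble every data connection in the capture that touches data_port.

    Returns {(src, sport, dst, dport): file_bytes}. Segments are keyed by TCP
    sequence number, so out-of-order delivery is corrected and a retransmission
    (same seq, same bytes) collapses to one copy instead of duplicating content.
    """
    streams = defaultdict(dict)
    for frame in parse_pcap_frames(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, dst, sport, dport, seq, payload = seg
        if data_port not in (sport, dport) or not payload:
            continue          # control channel, pure ACK/FIN segments, non-FTP traffic
        streams[(src, sport, dst, dport)].setdefault(seq, payload)
    return {key: b"".join(p for _, p in sorted(chunks.items()))
            for key, chunks in streams.items()}


def _build_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Construct an Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed capture: one control-channel reply, then a two-segment FTP-DATA
    transfer delivered out of order with one retransmission and a closing FIN."""
    server, client = "10.0.0.12", "10.0.0.6"
    part1, part2 = b"you almost found the ", b"sup3rs3cr3tdirlol\n"
    frames = [
        _build_frame(server, client, 21, 41234, 100, b"150 Opening BINARY mode data connection.\r\n"),
        _build_frame(server, client, 20, 41235, 1 + len(part1), part2),   # arrives first
        _build_frame(server, client, 20, 41235, 1, part1),
        _build_frame(server, client, 20, 41235, 1, part1),                # retransmission
        _build_frame(server, client, 20, 41235, 1 + len(part1) + len(part2), b"", flags=0x11),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


if __name__ == "__main__":
    for (src, sport, dst, dport), content in extract_ftp_data(build_sample_pcap()).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {len(content)} bytes")
        print(content.decode(errors="replace"))
```

Point `extract_ftp_data` at the bytes of a real capture and it returns one entry per data connection. Passive-mode FTP negotiates a different port for each transfer, so in that case pass the port announced in the server's PASV reply as `data_port` instead of 20.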

The contents of the text file that was transferred contain a reference to a sup3rs3cr3tdirlol that we almost found, apparently. After dancing around the FTP server for a while without finding anything, trying the directory name on the web server returns a 200 OK:

[screenshot: sup3rs3cr3tdirlol directory listing]

A single file called roflmao is available. After downloading it and doing a quick analysis of the file, we see it’s a basic 32-bit ELF binary that doesn’t appear to take any user input – leaving little chance of an exploitable vulnerability:

[screenshot: analysis of the roflmao binary]

So let’s try what we did with the super secret directory – let’s append it to the base URL of the Tr0ll web server. It is an address, after all:

[screenshot: directory listing at the address printed by roflmao]

Excellent. Browsing these directories, we find what appears to be a username list (which_one_lol.txt) and a password (Pass.txt). Looks like we’ve got a list to try brute-forcing SSH…but no dice. None of the combinations are working with hydra – and based on the behaviour of the Tr0ll server, it looks like there’s rate-limiting or blocking happening when brute-forcing activity is detected. That locks us out of SSH attacks for a short while.

[screenshot: hydra output]

Got stuck here for a little bit. Obviously, I cleaned up the username list to remove the smart comment. I tried a number of password mutations and word lists, but the blocking/banning really ground things to a halt. Then it hit me that the blocking was put there to stop brute force attempts, because they were not required.
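The blocking seen above is the behaviour of a fail2ban-style guard: count failed SSH logins per source within a short window and act once a threshold is crossed. Here is an added example of that detection logic, written for this walkthrough rather than taken from the box or from any real tool: it parses standard sshd "Failed password" lines from a syslog-style auth log and reports the moment each source should be flagged. The log lines, hostname, usernames and addresses are constructed for the demo; the year is supplied by the caller because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard sshd failure line as it appears in syslog-style auth logs.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source tries six usernames in eleven seconds; another source
# fails twice, fifteen minutes apart, and then logs in with a key.
SAMPLE_AUTH_LOG = """\
Oct 05 12:00:01 troll sshd[1201]: Failed password for admin from 192.168.20.50 port 51000 ssh2
Oct 05 12:00:03 troll sshd[1203]: Failed password for invalid user test from 192.168.20.50 port 51002 ssh2
Oct 05 12:00:05 troll sshd[1205]: Failed password for invalid user guest from 192.168.20.50 port 51004 ssh2
Oct 05 12:00:07 troll sshd[1207]: Failed password for overflow from 192.168.20.50 port 51006 ssh2
Oct 05 12:00:09 troll sshd[1209]: Failed password for root from 192.168.20.50 port 51008 ssh2
Oct 05 12:00:12 troll sshd[1211]: Failed password for invalid user user from 192.168.20.50 port 51010 ssh2
Oct 05 12:05:00 troll sshd[1300]: Failed password for invalid user bob from 10.0.0.6 port 40001 ssh2
Oct 05 12:20:00 troll sshd[1310]: Failed password for invalid user bob from 10.0.0.6 port 40003 ssh2
Oct 05 12:20:30 troll sshd[1312]: Accepted publickey for deploy from 10.0.0.6 port 40005 ssh2: RSA SHA256:constructed
""".splitlines()


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2014):
    """Flag a source IP once it has `threshold` failed logins within `window_seconds`.

    Returns {ip: {"failures": int, "users": [...], "flagged_at": "Mon DD HH:MM:SS" or None}}.
    The sliding window is the trade-off every rate-based guard makes: a patient source
    that spaces attempts out further than the window is never flagged.
    """
    recent = defaultdict(deque)       # ip -> failure timestamps still inside the window
    report = {}
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue                  # accepted logins, disconnects, etc. are ignored
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # expire failures older than the window
        entry = report.setdefault(ip, {"failures": 0, "users": set(), "flagged_at": None})
        entry["failures"] += 1
        entry["users"].add(m.group("user"))
        if len(window) >= threshold and entry["flagged_at"] is None:
            entry["flagged_at"] = ts.strftime("%b %d %H:%M:%S")
    for entry in report.values():
        entry["users"] = sorted(entry["users"])
    return report


if __name__ == "__main__":
    for ip, entry in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        status = f"FLAGGED at {entry['flagged_at']}" if entry["flagged_at"] else "below threshold"
        print(f"{ip}: {entry['failures']} failures, users {entry['users']} -> {status}")
```

Running it on a real `/var/log/auth.log` is a matter of `detect_bruteforce(open(path).read().splitlines(), year=...)`. The many-usernames-per-source pattern in the sample is the same signal that distinguishes a password-spray from one user fat-fingering their password, which is why the report keeps the user list alongside the count.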

The semantics of the directory name this_folder_contains_the_password finally stood out. After some trial and error, the winning combination of overflow:Pass.txt was rewarded with a shell:

[screenshot: SSH shell as overflow]

Alrighty, time to get root. Then we get booted:

[screenshot: session terminated by the box]

Great – so now we know that pretty soon after getting onto the box, we’re going to get booted. We need to plan out what we’re going to do before we get on there. The handy LinEnum.sh script is a good place to start, so let’s get that onto the box and get the results off for analysis super quick. Using python -m SimpleHTTPServer 80 in the directory where I’ve got the script, I can get it across to the Tr0ll server and get the results off there fast:

[screenshot: transferring LinEnum.sh and retrieving its output]

Now we can analyse the output of LinEnum.sh. After a close review, we home in on /lib/log/cleaner.py listed under the world-writable files section of the report. Trying to open it in vim, we’re given the option to recover the swap file and continue work. So let’s see what’s in this python script:

[screenshot: contents of cleaner.py]

This script runs as root at regular intervals, and we have write privileges on the file. So let’s just replace this entire file with a python reverse shell:

[screenshot: cleaner.py replaced with a reverse shell]
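The root cause here is a scheduled root job whose script any local user can edit, and it is a misconfiguration that is easy to check for on systems you look after. The following is an added example written for this walkthrough (not LinEnum's code and not anything from the box): it parses crontab entries, pulls every absolute path out of each command, and reports the ones that are world-writable regular files or that live in a world-writable directory without the sticky bit, where the file can be deleted and swapped even if its own mode looks fine. The sample crontab and the file-mode table are constructed so the check runs offline; the `/lib/log/cleaner.py` entry mirrors the finding in the post.

```python
import os
import re
import stat

# Absolute-path tokens inside a cron command (interpreter, script, redirect targets...).
PATH_TOKEN = re.compile(r"(?<![\w-])/[\w./-]+")


def cron_jobs(cron_text, system_style=True):
    """Yield (user, command) per job line.

    system_style=True parses /etc/crontab and /etc/cron.d/* (schedule, user, command);
    False parses a per-user crontab (schedule, command), where user is None.
    Comment, blank and VAR=value lines are skipped; @reboot-style schedules are one field.
    """
    for raw in cron_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        n = (1 if line.startswith("@") else 5) + (1 if system_style else 0)
        fields = line.split(None, n)
        if len(fields) != n + 1:
            continue
        yield (fields[n - 1] if system_style else None), fields[n]


def audit_cron(cron_text, system_style=True, stat_fn=os.stat):
    """Return (user, command, path, reason) for each cron-referenced regular file that a
    local user could replace: the file is world-writable, or its directory is world-writable
    without the sticky bit. Non-regular files such as /dev/null are expected to be writable
    and are skipped; paths that do not exist on this host are skipped too."""
    findings = []
    for user, command in cron_jobs(cron_text, system_style):
        for path in PATH_TOKEN.findall(command):
            try:
                mode = stat_fn(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append((user, command, path, "world-writable"))
            try:
                parent_mode = stat_fn(os.path.dirname(path)).st_mode
            except OSError:
                continue
            if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
                findings.append((user, command, path,
                                 "parent directory world-writable without sticky bit"))
    return findings


# Constructed /etc/crontab excerpt; the cleaner.py line mirrors the finding in the post.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/bin:/bin
# m h dom mon dow user command
*/2 * * * * root python /lib/log/cleaner.py
@reboot root /tmp/backup.sh > /dev/null 2>&1
30 * * * * root /opt/scripts/rotate.sh
0 3 * * * root /usr/bin/apt-get update
"""

# Constructed file modes standing in for os.stat() so the sample runs offline.
SAMPLE_MODES = {
    "/usr/bin": stat.S_IFDIR | 0o755,
    "/usr/bin/python": stat.S_IFREG | 0o755,
    "/usr/bin/apt-get": stat.S_IFREG | 0o755,
    "/lib/log": stat.S_IFDIR | 0o755,
    "/lib/log/cleaner.py": stat.S_IFREG | 0o777,   # world-writable script run by root
    "/tmp": stat.S_IFDIR | 0o1777,                 # world-writable but sticky: not replaceable
    "/tmp/backup.sh": stat.S_IFREG | 0o755,
    "/dev": stat.S_IFDIR | 0o755,
    "/dev/null": stat.S_IFCHR | 0o666,             # device node, skipped
    "/opt/scripts": stat.S_IFDIR | 0o777,          # anyone can delete and recreate rotate.sh
    "/opt/scripts/rotate.sh": stat.S_IFREG | 0o755,
}


class _FakeStat:
    def __init__(self, mode):
        self.st_mode = mode


def fake_stat(path):
    if path not in SAMPLE_MODES:
        raise FileNotFoundError(path)
    return _FakeStat(SAMPLE_MODES[path])


def run_sample():
    return audit_cron(SAMPLE_CRONTAB, stat_fn=fake_stat)


if __name__ == "__main__":
    for finding in run_sample():
        print("SAMPLE:", finding)
    if os.path.exists("/etc/crontab"):       # live check on the host running this script
        with open("/etc/crontab") as f:
            for finding in audit_cron(f.read()):
                print("LIVE:", finding)
```

The sticky-bit distinction matters in practice: `/tmp` is world-writable on every Linux box, but a root job reading `/tmp/backup.sh` is still a bad idea for other reasons (any user can create the file first), so a stricter policy would flag anything under `/tmp` or `/var/tmp` outright. Extending the live check to `/etc/cron.d/*` and `/var/spool/cron/crontabs/*` (with `system_style=False` for the latter) covers the remaining places root jobs are defined.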

So now all we have to do is set up a listener on our box and wait for the cronjob to run:

[screenshot: root shell caught by the listener]

And that’s all she wrote.

Thanks to maleus21 for putting in the time and effort, TheColonial for listening to my rants, and to the Vulnhub crew for hosting entertainment for those long, rainy days.

sw1tch
