Okay, this is a new box, so the first step is to run nmap against it 🙂
There are three ports open: 21 (FTP), 22 (SSH) and 80 (HTTP).
The website just trolls us.
The FTP server allows anonymous login, so we can check whether there is anything there.
There is a file named lol.pcap. This is interesting.
The pcap is a capture of someone connecting to the FTP server and downloading super_secret.txt.
Since FTP is not encrypted, the content of the downloaded file is visible in the capture 🙂
In Wireshark go to Statistics > Conversations > TCP.
There are four TCP conversations; the one we are interested in is the third, the data connection that carries the file. Following that stream gives us the content of the file:
Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛
Sucks, you were so close… gotta TRY HARDER!
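Wireshark is the quick way, but the same grouping into TCP conversations is easy to do by hand, which matters when you only have a shell. The following is an added example written for this page, not code from the original post: a minimal classic-pcap reader that groups TCP payload per conversation (the same grouping as Statistics > Conversations > TCP) and pulls out the FTP data stream. The sample capture is constructed inline; the client address, the ports and the file body are assumptions, not the contents of the real lol.pcap.

```python
import struct
from collections import defaultdict

# Constructed sample capture: a short anonymous FTP session in the shape of
# lol.pcap. Addresses, ports and the file body are assumptions, not the real
# capture; only the server address matches the box.
CLIENT, SERVER = "192.168.0.1", "192.168.0.59"
SECRET = b"Well, well, well, aren't you just a clever little devil...\r\n"


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def _tcp_frame(src, sport, dst, dport, payload):
    """Build one Ethernet/IPv4/TCP frame. Checksums stay zero: the parser
    below does not verify them (a real capture would carry valid ones)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       _ip(src), _ip(dst)) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ipv4


def _pcap(frames):
    """Wrap frames in a classic little-endian pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _pcap([
    _tcp_frame(SERVER, 21, CLIENT, 50000, b"220 Welcome\r\n"),
    _tcp_frame(CLIENT, 50000, SERVER, 21, b"USER anonymous\r\n"),
    _tcp_frame(SERVER, 21, CLIENT, 50000, b"331 Please specify the password.\r\n"),
    _tcp_frame(CLIENT, 50000, SERVER, 21, b"PASS x\r\n"),
    _tcp_frame(SERVER, 21, CLIENT, 50000, b"230 Login successful.\r\n"),
    _tcp_frame(CLIENT, 50000, SERVER, 21, b"RETR super_secret.txt\r\n"),
    _tcp_frame(SERVER, 20, CLIENT, 50001, SECRET),  # FTP-DATA: file body in the clear
    _tcp_frame(SERVER, 21, CLIENT, 50000, b"226 Transfer complete.\r\n"),
])


def tcp_conversations(pcap_bytes):
    """Group TCP payload by conversation (unordered endpoint pair), the same
    grouping as Wireshark's Statistics > Conversations > TCP. Returns
    {((ipA, portA), (ipB, portB)): payload} with both directions concatenated
    in capture order. No sequence-number reassembly: assumes packets arrive in
    order without retransmissions, which holds for a small clean capture."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from(e + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")

    convs = defaultdict(bytes)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(e + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:
            continue                                   # not TCP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + total_len]
        key = tuple(sorted([(src, sport), (dst, dport)]))
        convs[key] += payload
    return dict(convs)


def ftp_data_stream(convs):
    """Return the payload of the conversation that does not involve port 21:
    in an FTP-only capture that is the data connection carrying the file."""
    for (a, b), data in convs.items():
        if 21 not in (a[1], b[1]):
            return data
    return None


if __name__ == "__main__":
    convs = tcp_conversations(SAMPLE_PCAP)
    for key, data in convs.items():
        print(key, len(data), "bytes")
    print(ftp_data_stream(convs).decode())
```

The point of the example is the one the walkthrough makes: nothing here decrypts anything. The credentials on the control connection and the file body on the data connection are plain bytes in the frames, so anyone on the path can read them. The port-21 heuristic in ftp_data_stream is only safe for a capture that contains nothing but FTP; on a busier capture you would match the data port announced in the PASV/PORT exchange instead.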
We need to find sup3rs3cr3tdirlol.
Just browse to http://192.168.0.59/sup3rs3cr3tdirlol/
There is a 32-bit executable named roflmao there that we can download and run.
When the program is run it prints: Find address 0x0856BF to proceed
Before running a binary pulled from a target, check it with file and strings first; a message like this is usually a hardcoded string that shows up without executing anything.
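As an added example (not code from the original post), here is the static check I would do instead of executing an unknown binary: identify the ELF class the way `file` does, then extract printable strings with their offsets the way `strings` does and filter for clue-like tokens (hex values, paths, keywords). The sample bytes are a constructed stand-in for a small 32-bit ELF that embeds the same message; they are not the real roflmao binary, and the keyword list is my own assumption.

```python
import re
import struct

PRINTABLE = frozenset(range(0x20, 0x7F))


def elf_class(data):
    """Mimic the first thing `file` reports: ELF bitness from e_ident, or None
    when the bytes are not an ELF image at all."""
    if data[:4] != b"\x7fELF":
        return None
    return {1: "ELF32", 2: "ELF64"}.get(data[4])


def strings(data, min_len=4):
    """Yield (offset, text) for each run of at least min_len printable ASCII
    bytes: the core of the `strings` utility (ASCII only, no UTF-16 scan).
    The offset is worth keeping; it locates the string again in a disassembler."""
    start = None
    for i, byte in enumerate(data):
        if byte in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            yield start, data[start:i].decode("ascii")
        start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


# Keyword list is an assumption: tune it to the box you are looking at.
CLUE_RE = re.compile(r"0x[0-9a-f]+|/[\w./-]+|address|password|pass|flag|key", re.I)


def interesting(data):
    """Filter the strings output for things worth a second look: hex tokens,
    absolute paths and a few keywords."""
    return [(off, s) for off, s in strings(data) if CLUE_RE.search(s)]


# Constructed stand-in for a small 32-bit ELF, not the real roflmao binary:
# a genuine e_ident and the start of the ELF header, then junk bytes, then the
# message the box's binary prints, then a typical interpreter path.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8         # e_ident: ELF, 32-bit, little-endian
    + struct.pack("<HHI", 2, 3, 0x08048000)           # ET_EXEC, EM_386, e_entry (assumed)
    + b"\x90\x90\xcc\x00\x01\x02"                     # junk
    + b"Find address 0x0856BF to proceed\x00"
    + b"\x00\x7f" + b"\xff" * 5
    + b"/lib/ld-linux.so.2\x00"
    + b"ab\x00"                                       # too short to be reported
)


if __name__ == "__main__":
    print(elf_class(SAMPLE_BINARY))
    for off, s in interesting(SAMPLE_BINARY):
        print(f"{off:#08x}  {s}")
```

On a real binary run the same two functions over the downloaded file's bytes; if the clue is a plain string, you get it without ever giving untrusted code a chance to run on your machine.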
This looks like a memory address, but since we can't read the target's memory it must mean something else.
It could be a URL path instead!
Browsing to http://192.168.0.59/0x0856BF/
gives us two folders: Good_luck and this_folder_contains_the_password.
The first contains a list of usernames, one of them annotated:
genphlux <-- Definitely not this one
The second contains a file named Pass.txt whose content is Good_job_:).
Since this is a troll machine we have to take the folder name literally: the folder "contains the password", and what it contains is a file named Pass.txt, so the file name itself is a candidate password, not just its content.
I created two files, one with the list of users and one with the candidate passwords, and ran hydra against SSH:
hydra -L user -P password -V 192.168.0.59 ssh -t 1
Brute-forcing with hydra shows that the real SSH credentials are overflow / Pass.txt:
[ssh] host: 192.168.0.59 login: overflow password: Pass.txt
Now we need to do a lot of enumeration. The best guide I have is g0tmi1k's Linux privilege escalation guide.
After checking all the config files, I finally came across something that looked strange.
In /lib/log there was a script named cleaner.py. This is why our stuff in /tmp keeps getting deleted.
The file is writable by anyone, and root executes it periodically to clean the /tmp directory, so whatever we write into it runs as root.
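This is the classic "root runs a file that low-privilege users can modify" misconfiguration, and it is worth having a check for it rather than stumbling on it while reading config files. The following is an added example, not code from the original post or from the box: it parses a system-style crontab, finds the absolute paths in every job that runs as root, flags any that are world-writable, and applies the minimal fix (strip group/other write bits). The crontab is constructed; that the box ran cleaner.py from cron in exactly this shape, the other two jobs, and the stand-in body written into cleaner.py are assumptions. The demo builds a throwaway directory tree so it runs anywhere.

```python
import os
import re
import shutil
import stat
import tempfile
import textwrap

# Constructed crontab in the shape of /etc/crontab (a user field follows the
# five time fields). The cleaner path matches the box; the other entries and
# the schedule are assumptions added for contrast.
SAMPLE_CRONTAB = textwrap.dedent("""\
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    # m h dom mon dow user  command
    */2 * * * *   root    python /lib/log/cleaner.py
    17  * * * *   root    cd / && run-parts --report /etc/cron.hourly
    @reboot       www-data /usr/local/bin/webapp-start.sh
""")

SYSTEM_CRON_RE = re.compile(r"^(?:@\w+|(?:\S+\s+){5})\s*(?P<user>\S+)\s+(?P<command>.+)$")


def jobs(crontab_text):
    """Yield (user, command) for each job line of a system crontab, skipping
    comments, blank lines and VAR=value assignments."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            yield m.group("user"), m.group("command")


def candidate_paths(command):
    """Absolute paths mentioned in a command line. For 'python /lib/log/cleaner.py'
    the script argument is what matters; a bare interpreter name found via PATH
    is not checked here."""
    return re.findall(r"(?<!\S)(/[\w./-]*)", command)


def world_writable_root_jobs(crontab_text, root="/"):
    """Return [(user, path, mode)] for regular files referenced by root's jobs
    that any user can modify. `root` re-bases paths so the check can run
    against a test tree instead of the live filesystem."""
    findings = []
    for user, command in jobs(crontab_text):
        if user != "root":
            continue
        for path in candidate_paths(command):
            real = os.path.join(root, path.lstrip("/"))
            try:
                st = os.stat(real)
            except FileNotFoundError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((user, path, oct(stat.S_IMODE(st.st_mode))))
    return findings


def harden(path):
    """Minimal fix: drop group and other write bits. Returns the new mode.
    (Ownership by root and a non-writable parent directory matter too.)"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    return oct(stat.S_IMODE(os.stat(path).st_mode))


def demo():
    """Build a throwaway tree with a world-writable cleaner.py, audit it,
    apply the fix and audit again. Returns (findings_before, findings_after)."""
    root = tempfile.mkdtemp()
    try:
        script = os.path.join(root, "lib/log/cleaner.py")
        os.makedirs(os.path.dirname(script))
        with open(script, "w") as f:
            # stand-in body, not the box's actual script
            f.write("#!/usr/bin/env python\nimport os\nos.system('rm -rf /tmp/*')\n")
        os.chmod(script, 0o777)                   # the misconfiguration on the box
        before = world_writable_root_jobs(SAMPLE_CRONTAB, root=root)
        harden(script)
        after = world_writable_root_jobs(SAMPLE_CRONTAB, root=root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a real host you would feed it /etc/crontab plus the files under /etc/cron.d and root's own crontab, and extend the check to world-writable parent directories (without the sticky bit a user can replace the file even if the file itself is read-only). That is exactly the class of finding the enumeration step in this walkthrough is hunting for.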
I replaced cleaner.py with a Python reverse shell, so the next time root runs it, it connects back to me with a root shell 😛
You just need to listen for the incoming connection like this:
nc -lnvp 443
Since you are now root, you can read /root/proof.txt.
Good job, you did it!