tr0ll

Okay this is a new box so we need to run nmap on the box 🙂
There are three ports open: 21, 22 and 80.
The website just trolls us.
The FTP server allows anonymous read access, so we can check if there is something there.
There is a file named lol.pcap. This is interesting.
The pcap shows someone connecting to the FTP server and downloading super_secret.txt.
Since the FTP protocol is not encrypted we can see the content of the downloaded file 🙂

In Wireshark just go to Statistics > Conversations > TCP.
You can see there are 4 TCP conversations. The one we are interested in is the 3rd.

This gives us the content of the file:
Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛

Sucks, you were so close… gotta TRY HARDER!
We need to find the sup3rs3cr3tdirlol.
Just browse to http://192.168.0.59/sup3rs3cr3tdirlol/
You can download a 32-bit executable named roflmao there and run it.
When the program is run it prints out this: Find address 0x0856BF to proceed
This could normally be a memory address, but since we can't read the memory on the target it must be something else.
This could be a browser address!
Browsing to http://192.168.0.59/0x0856BF/
gives us 2 folders: Good_luck and this_folder_contains_the_password.
The first gives us a list of usernames.
maleus
ps-aux
felux
Eagle11
genphlux <-- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

The second gives us a file named Pass.txt containing Good_job_:).
Since this is a troll machine we need to take this literally: the folder contains the file named Pass.txt.
I created two files, one with the list of users and one with a list of passwords.

hydra -L user -P password -V 192.168.0.59 ssh -t 1

By bruteforcing with hydra we found the real credentials to log into ssh were overflow / Pass.txt
[22][ssh] host: 192.168.0.59 login: overflow password: Pass.txt
Now we need to do a lot of enumeration. The best guide I have is from g0tmi1k:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
By checking all the config files, I finally came across something that looked strange.
In /lib/log there was a file named cleaner.py; this is why we get our stuff deleted in /tmp.
But this file is writable by anyone! And root executes it sometimes to clean the /tmp directory.
I used this Python reverse shell to give me a shell as root:
https://www.trustedsec.com/files/RevShell_PoC_v1.py
I just replaced cleaner.py with this script to get a root reverse shell 😛
You just need to listen for the incoming connection like this.

nc -lnvp 443
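The root cause of the privilege escalation above is a script that root runs on a schedule but that anyone can modify. The audit below is an added example (not from the original post or the box): it walks a system-format crontab, finds the absolute paths each job runs, and flags any that are world-writable or sit in a world-writable directory without the sticky bit. The demo() scenario, file names and crontab lines are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def scheduled_paths(crontab_text):
    """Yield (user, path) for each absolute path in a system crontab's command fields."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue  # comment or environment assignment such as PATH=...
        n = 3 if line[0] == "@" else 7  # "@daily user cmd" vs "m h dom mon dow user cmd"
        fields = line.split(None, n - 1)
        if len(fields) < n:
            continue
        user, command = fields[-2], fields[-1]
        for token in shlex.split(command):
            if token.startswith("/"):
                yield user, token

def world_writable_findings(crontab_text):
    """Return (user, path, reason) for scheduled files an unprivileged user can change,
    either directly or by replacing them in a world-writable, non-sticky directory."""
    findings = []
    for user, path in scheduled_paths(crontab_text):
        if not os.path.exists(path):
            continue
        if os.stat(path).st_mode & stat.S_IWOTH:
            findings.append((user, path, "file is world-writable"))
        dmode = os.stat(os.path.dirname(path)).st_mode
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            findings.append((user, path, "directory is world-writable without sticky bit"))
    return findings

def demo():
    """Constructed scenario: a throwaway directory holding one world-writable cleaner
    script and one correctly protected script, both scheduled as root."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "cleaner.py"), os.path.join(d, "safe.py")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("print('cleanup')\n")
    os.chmod(bad, 0o666)  # the defect on the box: anyone may rewrite what root runs
    os.chmod(good, 0o644)
    crontab = "*/2 * * * * root python %s\n@daily root python %s\n" % (bad, good)
    return [(os.path.basename(p), reason) for _u, p, reason in world_writable_findings(crontab)]

if __name__ == "__main__":
    print(demo())  # [('cleaner.py', 'file is world-writable')]
```

On a real host, feed the script the contents of /etc/crontab and the files under /etc/cron.d; the fix for any finding is to make the script root-owned and mode 0755 or tighter.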

Since you are root you can read the content of /root/proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
