TR0LL 2
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is the study of the hacking process for the vulnerable machine Tr0ll 2.
- According to the author's description there is a Proof.txt file at the /root directory.
- Tr0ll 2 can be downloaded from here:
https://www.vulnhub.com/entry/tr0ll-2,107/
- Once downloaded and extracted with VirtualBox:
2 - ENUMERATION
- Using netdiscover to find the IP corresponding to Tr0ll 2:
- Scanning with Nmap there are 3 available services at port 21 (FTP), 22 (SH) and 80 (HTTP):
3 - EXPLOITATION
3.1 - Exploiting the FTP service
- Using Hydra and a wordlist to attackt the FTP service we get valid credentials:
- Connecting to the FTP service via the browser and using Tr0ll:Tr0ll as credentials:
- There is a zip file called lmao.zip:
- Saving:
- Also, the MOTD (Welcome to Tr0ll FTP) gives us a hint about the same credentials:
- Getting lmao.zip via the command shell:
- There is a password to protect the unzipping:
3.2 - Exploiting the Web service
- Conecting directly with the browser:
- Trying the file robots.txt we discover a lot of potential available folders:
- Editing the folders into a text file:
- Now, using dirb with the folders file as a wordlist we discover that of the whole list of folders there are only 4 of them accessible:
- Checking one fake directory, for instance you_found_me:
- However, going to the 4 valid directories, we find a picture called cat_the_troll.jpg:
- Downloading the 4 pictures an renaming them:
- Checking what type of file they are:
- Redirecting the strings command outputs to text files:
- Using diff to compare the files, we notice that the picture corresponding to the directory dont_bother includes a final different line:
......
- Following the advice of the line, let's try y0ur_self as a new directory:
- The file answer.txt contains strings encoded with base64:
- Decoding with base64 and outputting to d_answer:
- Now we have a new wordlist:
.........................
- Let's try to unzip the file found at the FTP server, using fcrackzip and the decoded text file d_answer as a wordlist:
- Using the password to unzip we find a file called noob:
- noob contains an RSA Private Key:
- The presence of an RSA Private Kye gives us a hint that probably we are dealing with an SSH login solution.
3.3 - Exploiting the SSH service
- Now, let's try to exploit the SSH service.
- SSH -i option allows to include an identity_file, in our case the RSA Private Key discovered before, contained into fhe file noob:
- However, the system rejects the connection:
- Taking advantage of the Shellshock vulnerability applied to the OpenSSH server, providing the RSA Private Key for user noob, as explained here:
http://bloggars-online.blogspot.com/2014/10/bash-shellshock-ssh-exploit.html
https://www.zdziarski.com/blog/?p=3905
https://github.com/opsxcq/exploit-CVE-2014-6271
https://resources.infosecinstitute.com/practical-shellshock-exploitation-part-2/#gref
https://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
https://unix.stackexchange.com/questions/157477/how-can-shellshock-be-exploited-over-ssh
- Testing:
- Improving the shell:
- Exploring:
- The .bash_history informs us about a potential Buffer Overflow (./bof):
- Going to the suspicious folder /nothing_to_see_here:
- We find choose_wisely:
- There are 3 doors:
- The 1st door contains an executable r00t file that accepts an input:
- The 2nd door includes an executable r00t file that fools the attacker:
- Same thing for the 3rd door:
- So, definitely the interesting file to be exploited is the r00t that accepts an input.
- However, let's notice that once accessing to Tr0ll 2 several times, the 3 doors change their contents, alternating the 3 different r00ts.
- Meaning that before launching any exploit we must find the r00t that accepts the input, every time we try to access to either door1, door2 or door3.
4 - PRIVILEGE ESCALATION
4.1 - Checking security protections
- Before building any exploit to achieve privilege escalation, let's check what type of protection measures we have ahead of us.
- About ASLR it is disabled:
- For checking other protections, let's use checksec:
- Setting a simple HTTP server:
- Downloading checksec to /tmp:
- Giving execution permissions:
- Copying r00t to /tmp:
- Applying checksec over r00t we learn that NX is disabled:
4.2 - Exploiting the Buffer Overflow
- Now it is time to start the privilege escalation process.
- Starting r00t with gdb in a quiet (-q) mode:
- Passing a long list of "A"s to overflow the stack:
- Running the breakpoint:
- The program ends up with a Segmentation fault because the stack has been overflown with "A"s (0x41).
- For discovering at what point the overflow has occured let's create a pattern of 1000 characters:
- Starting again an launching the pattern:
- The Segmentation fault happens at 0x6a413969:
- There is an offset of 268 chars:
- Let's redo the python script:
- As expected, the EIP has been rewritten with "BBBB" (0x42424242).
- At this point, the ESP points to 0xbffffb80:
- Now, let's find a shellcode to achieve the Privilege Escalation, for instance this one available at shell-storm:
- Redoing the python script to include:
a) 0xbffffb80 = \x80\xfb\xff\xbf (reverse order for Little Endian)
b) a bunch of NOPs (\x90)
b) the shellcode
- Launching the script as input for r00t (out of gdb !!):
- A root shell is achieved:
- It is important to notice that the final exploit must be launched out of gdb, because of some privilege problems related to the debugger, otherwise the exploit will fail.
- By the way, ShellShock affects bashes till version 4.3, what explains the vulnerability in our case (bash 4.2).
5 - CAPTURING THE FLAG
- Finally the flag is available at the file Proof.txt:
