Booj thoughts on security

Vulnhub - tr0ll

This details my attempts at breaking into the tr0ll VM from Vulnhub.

Having never attempted any VM’s like this before I resolved to do a cursory read over the solution before actually attempting as otherwise I knew I was going to get stuck very fast. After some reading I decided this would be a good first try and decided to attempt it a week later when most of the solution had left my head. However, a large number of the gotchas I still remember when attempting this box.

Firstly, I installed a Kali VM and a copy of the tr0ll VM and set both on the VMWare Host Only network. This ensures that both are assigned ip addresses.

So that became the first step. I needed to find the ip address to connect to. For this I used the arp-scan command which gave me a list of all ip’s on the network.

We got ya!

So .129 is going to the be the IP of our target machine. Okay we’ve done that but where do we go from here? Well might as well see if it has a web page. Let’s check out if we get anything over http.

Haha...very funny

So, realising that was a dead end I opened up nmap and set it to scan. Nmap’s been a staple in pretty much every course I’ve attended over the last few months and I’m always shocked at the amount of information it can uncover. Even though it’s only three services, the amount of info kinda blows my mind.

The Keys to the Kingdom

Well there’s a robot.txt exposed pretty immediately, with the /secret web directory exposed. So lets have a look in there.

Yes

Hilarious! Well, one other exposed service is ftp which allows anonymous access. I hadn’t heard much about this before so tried anonymous:anonymous which worked, but reading into it more fully apparently pretty much anything works here.

Going Deeper

All that the ftp directory exposed was a file called lol.pcap, so I downloaded that and fired up wireshark. All that followed was idle browsing through the packets which appeared to be exposing the details of a directory, but the most interesting part came up around packet 40, with a long string of text. This was one of the longer packets by far so popped out almost instantly.

Going Harder

So not much of interest except sup3rs3cr3tdirlol. I’d love to say I realised this was a web directory immediately but I did remember that in a previous walkthrough this VM had an annoying habit of directing you to a variety of web pages, so I popped this into the web browser and lo and behold.

Going Stronger

All we have in here is an executable roflmao, which I downloaded to my Kali VM, tried to run before seeing ‘Permission denied’. I know I could just edit the permissions manually quite easily but not really remembering how to do that and not wanting to google, I decided to just open it in a text editor.

Parting the red sea

And here we have the next piece of the puzzle. ‘Find address 0x0856BF to continue’. Remembering the whole part about the crazy web directories I popped that one in my web browser.

Am I 1337 now!?

I forgot to screenshot this but the folder ‘this_folder_contains_the_password’ has a file called ‘Pass.txt’ with one string in it, and the good_luck folder contains a ‘which_one_lol.txt’ file with a list of users.

I...actually believe you

Full disclosure, I knew from before that ‘Pass.txt’ itself was the password so didn’t waste a lot of time here but I know if I hadn’t I would’ve been stuck here for a very long time. Knowing that I loaded up hydra and tried to brute force the ssh credentials, because what else were these going to be. There’s one service still enabled and it feels like it flows well narratively.

Long story short I couldn’t get Hydra working but after googling around, I found out about a similar tool called medusa. Passing in the list of users and ‘Pass.txt’ as the password I got the credentials. overflow:Pass.txt

More of a script kiddie!

And with that I logged in via ssh, got root access and lived happily ever after. I almost wish it was that easy.

'So are you MSDOSing them?' - REDACTED 2017

And we’re in! The next few minutes were just spent poking around trying to find something interesting until I found an interesting little python file.

Better see a doctor about your ass there m8

And then fates cruel hand struck, and I was unceremoniously booted off.

tick tock

Well…that’s just a little bit annoying, but apparently nothing more than a minor annoyance. Turns out we can ssh back in just fine but get booted off every 5 minutes. In the end not a major showblocker but this became very frustrating as time went on.

I wanted to find out what was booting me off so I went for a bit of a search in the logs in /var/log. If I’d been more knowledgeable about what I was looking for this would’ve been faster but eventually I found a reference to another python file.

oh nooo

It seems to be referencing a cron job so I wondered if that was what was booting me off. First things first, I had to find the file.

Permission Denied

Knowing where it was, we had to check to make sure we could actually edit it and lo and behold, it’s owned by root but I seem to be able to edit this.

Spread open

At this point I remembered that this must be the script that some other walkthrough edited to run as root. Because if this is run as root in the cron job then I can use it elevate my permission

Sysadmin's hate him!

This didn’t work for ages…and I’m sure you can see why.

After a long time debugging and trying a variety of different commands I googled the answer. I forgot sudo. I felt quite thick right here but prepended sudo to the command and waited for the box to root itself. After a few minutes, I was booted again and…

Voila!

If you look there it’s me wiping the lmao.py file so I don’t get kicked off every 5 minutes and I finally had free reign. I popped into /root and grabbed my proof

FeelsGoodMan

This was pretty enjoyable but I was definitely helped by knowing many of the major issues beforehand. I look forward to trying different VM’s over the coming weeks and honing my skills.

comments powered by Disqus