The Tr0ll is back with the 3rd machine in the series!
start with credentials in plaintext
The start is atypical: the machine only has the SSH port open, and the author's description tells us to use start:here for the login, so let's try SSH with these credentials. It works, and we are in right away.
If you take the bluepill, you are being taught the secrets of how to make a hacker waste time.
Jumping straight into enumeration with LinEnum, we notice there are many potentially interesting users on the system:
When searching for world writable files, we find the following:
[-] Files not owned by user but writable by group:
-rwxrwxrwx 1 root root 49962 Aug 2 00:23 /var/log/.dist-manage/wytshadow.cap
-rwxrwxrwx 1 eagle russ 35737600 Aug 2 00:24 /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt
We also find possible credentials for the eagle user among the files owned by the start user:
I transferred the capture file to my machine and also checked the contents of that troll file, which was filled with blocks of strings like these:
Before looking at the transferred capture file, I switched to the eagle user with the password above.
Be the eagle – wireless traffic cracking
The packet capture file contains wireless traffic, so I thought about cracking it with aircrack-ng. For the first attempt I fed it the gold_star.txt file as the wordlist, and it found the passphrase in 5 minutes:
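A wordlist attack against a capture only works when the file holds the pieces aircrack-ng derives the PMK check from: a beacon (for the ESSID) and enough of the EAPOL four-way handshake (message 2 together with message 1 or 3). The following is an added example, not code from this walkthrough or from aircrack-ng: a small pure-Python pcap walker that checks exactly that before the wordlist run. The capture it analyses at the bottom is constructed in the script itself (ESSID example-net, placeholder MAC addresses); it is not the real wytshadow.cap.

```python
"""Check a wireless capture for a crackable WPA/WPA2 four-way handshake.

Added example, not code from the walkthrough or from aircrack-ng: a pure-Python
pcap walker that confirms what aircrack-ng needs before the wordlist run, namely
a beacon carrying the ESSID and EAPOL-Key messages 2 plus 1 or 3. The capture
built at the bottom is constructed here; it is not the real wytshadow.cap.
"""
import struct

DLT_IEEE802_11 = 105        # raw 802.11 frames
DLT_IEEE802_11_RADIO = 127  # radiotap header, then the 802.11 frame
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"
# EAPOL-Key "Key Information" bits that distinguish the four messages
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 0x0040, 0x0080, 0x0100, 0x0200


def pcap_packets(data):
    """Yield (linktype, packet bytes) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from(endian + "I", data, off + 8)
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def classify_eapol(key_info):
    """Map an EAPOL-Key Key Information field to handshake message 1-4 (or None)."""
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    install, secure = key_info & KI_INSTALL, key_info & KI_SECURE
    if ack and not mic:
        return 1
    if mic and not ack and not install and not secure:
        return 2
    if ack and mic and install:
        return 3
    if mic and not ack and secure:
        return 4
    return None


def analyse_capture(data):
    """Return {'essid': str or None, 'messages': set, 'crackable': bool}."""
    essid, messages = None, set()
    for linktype, pkt in pcap_packets(data):
        if linktype == DLT_IEEE802_11_RADIO and len(pkt) >= 4:
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]   # skip radiotap header
        if len(pkt) < 24:
            continue
        fc0, fc1 = pkt[0], pkt[1]
        ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
        if ftype == 0 and subtype == 8:                 # management frame: beacon
            tags = pkt[24 + 12:]                         # after timestamp/interval/capability
            if len(tags) >= 2 and tags[0] == 0:          # tag 0 = SSID
                essid = tags[2:2 + tags[1]].decode(errors="replace")
        elif ftype == 2 and not fc1 & 0x40:             # unprotected data frame
            hdr = 24 + (6 if fc1 & 0x03 == 0x03 else 0) + (2 if subtype & 0x8 else 0)
            eapol = pkt[hdr + 8:]
            if pkt[hdr:hdr + 8] != LLC_SNAP_EAPOL or len(eapol) < 7 or eapol[1] != 3:
                continue                                 # not an EAPOL-Key frame
            msg = classify_eapol(struct.unpack_from(">H", eapol, 5)[0])
            if msg:
                messages.add(msg)
    crackable = essid is not None and 2 in messages and bool({1, 3} & messages)
    return {"essid": essid, "messages": messages, "crackable": crackable}


def _frame(fc0, fc1, body):
    """802.11 header with constructed placeholder addresses, no QoS, no addr4."""
    return bytes([fc0, fc1, 0, 0]) + b"\x11" * 6 + b"\x22" * 6 + b"\x33" * 6 + b"\x00\x00" + body


def _eapol_key(key_info):
    body = b"\x02" + struct.pack(">H", key_info) + b"\x00" * 92   # RSN descriptor, rest zeroed
    return LLC_SNAP_EAPOL + b"\x02\x03" + struct.pack(">H", len(body)) + body


def build_sample_pcap(messages, essid=b"example-net"):
    """Constructed capture: one beacon for `essid` plus the requested handshake messages."""
    infos = {1: KI_ACK, 2: KI_MIC, 3: KI_ACK | KI_MIC | KI_INSTALL, 4: KI_MIC | KI_SECURE}
    frames = [_frame(0x80, 0, b"\x00" * 12 + b"\x00" + bytes([len(essid)]) + essid)]
    frames += [_frame(0x08, 0, _eapol_key(infos[m])) for m in messages]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap([1, 2])
    print(analyse_capture(data))
```

Run it with a real capture as the first argument; if it reports no ESSID or only message 1, aircrack-ng will also report no valid handshake, and the wordlist size is irrelevant. The classification uses only the Key Information flags (Ack, MIC, Install, Secure), which is enough to tell the four messages apart but deliberately does not validate the MIC itself.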
There was nothing particularly interesting from eagle’s point of view, other than the sudo privilege for starting the vsftpd service:
User eagle may run the following commands on Tr0ll3:
(root) /usr/sbin/service vsftpd start
We keep this option on the bench for now, since we have something else to work with. We know there is a wytshadow user, and the .cap file had the same name, so I tried the recovered passphrase as this account's password: new user, new shell!
wytshadow and the Lynx
Inside the home directory we find a SUID executable:
-rwsrwxrwx 1 genphlux root 8566 Jun 17 2015 oohfun
wytshadow@Tr0ll3:~$ file oohfun
oohfun: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=309f4fec949b0e2eb3f6ec83ccadff89c553e397, not stripped
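Both the LinEnum listing earlier (the world-writable files under /var/log and /.hints) and the oohfun binary above come from the same two permission checks: writable-by-others and setuid. The following is an added example, not code from this walkthrough or from LinEnum: a small os.walk scanner that re-runs those checks and singles out the combination oohfun shows, a setuid file that group or others can write to.

```python
"""Re-run the permission checks behind the findings above, without LinEnum.

Added example, not code from the walkthrough or from LinEnum: an os.walk scanner
that reports world-writable regular files and setuid/setgid files, and singles
out the combination seen with oohfun, a setuid binary that group or others can
write to. Usage: python perm_scan.py [ROOT]   (ROOT defaults to /)
"""
import os
import stat
import sys

SKIP_DIRS = {"/proc", "/sys", "/dev"}   # pseudo-filesystems: noise and hangs


def scan(root="/"):
    """Return a dict of lists of (path, octal mode, uid, gid), one list per class."""
    found = {"world_writable": [], "setuid": [], "setuid_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo-filesystems in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)  # permission bits incl. setuid/setgid/sticky
            rec = (path, oct(mode), st.st_uid, st.st_gid)
            if mode & stat.S_IWOTH:
                found["world_writable"].append(rec)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                found["setuid"].append(rec)
                if mode & (stat.S_IWGRP | stat.S_IWOTH):
                    found["setuid_writable"].append(rec)
    return found


def report(found):
    """Print the three classes in a LinEnum-like layout."""
    for label, recs in found.items():
        print(f"[-] {label} ({len(recs)})")
        for path, mode, uid, gid in sorted(recs):
            print(f"    {mode} uid={uid} gid={gid} {path}")


if __name__ == "__main__":
    report(scan(sys.argv[1] if len(sys.argv) > 1 else "/"))
```

The setuid_writable list is the one to read first. One caveat to keep in mind when you find such a file: on Linux a write by a process without CAP_FSETID clears the setuid bit, so overwriting a writable setuid binary does not by itself hand you the owner's privileges; it is a finding to investigate, not an automatic shell.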
If we run it, we see the string “iM Cr@zY L1k3 AAA LYNX” printed continuously on the screen. If we look in the strings of the file, we see a reference to a shell script:
/lol/bin/run.sh -b 0.0.0.0
If we look at that file, we see it does exactly what we saw earlier, printing the string in an infinite loop:
I was curious about what was inside /lol; it appears to be a JBoss installation:
bin client common copyright.txt docs jar-versions.xml JBossORG-EULA.txt lgpl.html lib readme.html server
genphlux can also start an Apache server:
User genphlux may run the following commands on Tr0ll3:
(root) /usr/sbin/service apache2 start
I started the server but only got a 403 Forbidden, whether browsing with Lynx or not. Moving on for now, I SSH'ed in as maleus with the private key that was found.
maleus – don’t even bother
Inside his home we find another binary:
maleus@Tr0ll3:~$ file dont_even_bother
dont_even_bother: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=455a77b2503f19c1a09cbc9b66d513b2fa3af73c, not stripped
This binary asks for a password:
Enter the password :
The strings also contain what is probably the message shown for the correct password:
Your reward is just knowing you did it! :-P
This reward isn't really that enticing, so I didn't jump into reversing this; it might be a troll dead end. Continuing through the home folder, I found a possible password inside the .viminfo file:
""1 LINE 0
"2 LINE 0
"3 LINE 0