Friday, 16 September 2016

Tr0ll 1 - CTF

I just finished the Tr0ll CTF. Annoying thing... ;) Big thanks go to Maleus for preparing the game.

I started this machine and Kali Linux on another VM. To find the target's IP I used netdiscover with the -r (range) parameter:



So 116 is our guy. Let's scan it to check if there is any service running:


Ok, cool, yeah I see that FTP. We'll come back to it later. Let's try WWW first:

Ok, cool. 1:0 for the tr0ll. ;] Let's find out if there is anything interesting in places like robots.txt or sitemap.xml, etc... Quick check with dirb:

Nothing special. The robots.txt I found contains only the '/secret/' directory:


...unfortunately:


Nope. I thought it was a good time to check that FTP:


As I saw before, there is a PCAP file to grab. Let's find out what's inside:


First:

Ok, let's try to read the file (tcpdump):
We can see that there is clear-text FTP traffic; let's check it in Wireshark:



You should also find this one:


I was looking for dirs/files when I saw:

Ok. Not yet. :)



I grabbed the file and checked what it was:


I thought maybe it was something like in the LoTR CTF...


Now, what 'tr0lled' me the most was that the address is... not in the binary :D Cool. ;)

Inside those dirs you'll find some TXT files. I thought maybe it's some kind of wordlist (or user/password list)... I decided to try it with hydra:



Ok, we're ready:


After a while you'll find that this is useless. Let's think about it one more time:


this_folder_contains_the_password - so what are we looking for?


A TXT file with passwords? A JPG with a hidden message in EXIF? Or maybe we're already looking at it?

Yeah. Good job. ;) If you're looking for a root shell you can get it like this:



Or you can try the other way:


A quick check and we found cleaner.py:


So we found that file; ls -la to check the details:



As you can see, the file is owned by root and writable by the overflow user. (As proof, I echoed "#" onto the end of the file.) This means we can overwrite the file so that it runs something else (as root). Let's prepare our little shell in /tmp and run it with our new cleaner.py code:



And after another logout:


We get root again. :)
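The cleaner.py finding above is a classic misconfiguration: a script that root executes but a low-privilege user can write. The page does not say how the script is scheduled, so the added audit below (my own example, not from the writeup) assumes a system-crontab entry and flags every job whose script is group- or world-writable, or is run by root but not owned by root; the crontab text, paths and file metadata are constructed for the demonstration.

```python
import os
import shlex
import stat

def commands_from_crontab(text):
    # System-crontab lines: five schedule fields, the user, then the command;
    # blank lines, comments and VAR=value assignments are skipped.
    out = []
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        argv = shlex.split(fields[6])
        if argv and argv[0].startswith("/"):
            out.append((fields[5], argv[0]))
    return out

def writable_by_others(mode, uid, run_as="root"):
    # Group- or world-writable, or a root job running a script root does not own.
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) or (run_as == "root" and uid != 0)

def audit_crontab(text, lstat=os.lstat):
    # (user, program, mode, uid) for each job whose script others can edit;
    # lstat is injectable so the check can run on constructed metadata.
    findings = []
    for user, program in commands_from_crontab(text):
        try:
            st = lstat(program)
        except FileNotFoundError:
            continue
        if writable_by_others(st.st_mode, st.st_uid, user):
            findings.append((user, program, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings

# Constructed sample (jobs and paths are made up): a root job with a
# world-writable script beside one that is correctly owned and 0755.
SAMPLE_CRONTAB = """SHELL=/bin/sh
# m h dom mon dow user command
*/2 * * * * root /opt/example/cleaner.py
0 3 * * * root /usr/local/sbin/backup.sh
"""
FAKE_FILES = {  # path -> (mode, uid), standing in for real lstat results
    "/opt/example/cleaner.py": (stat.S_IFREG | 0o666, 0),
    "/usr/local/sbin/backup.sh": (stat.S_IFREG | 0o755, 0),
}

def fake_lstat(path):
    if path not in FAKE_FILES:
        raise FileNotFoundError(path)
    mode, uid = FAKE_FILES[path]
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
```

On a live box, `audit_crontab(open("/etc/crontab").read())` runs the same check with the real `os.lstat`; files under /etc/cron.d use the same format and can be fed in the same way.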

That's all.

Big thanks go to the author for preparing this game! Thanks also go to VulnHub for hosting this Tr0ll ;)

Cheers



