Friday, 16 September 2016

Tr0ll 1 - CTF

I just finished the Tr0ll CTF. Annoying thing... ;) Big thanks go to Maleus for preparing the game.

I started this machine and Kali Linux on another VM. To find the target's IP I used netdiscover with the -r (range) parameter:

So 116 is our guy. Let's scan it to check if there is any service running:

Ok, cool, yeah I see that FTP. We'll get back to it later. Let's try WWW first:

Ok, cool. 1:0 for the tr0ll. ;] Let's find out if there is anything interesting in places like robots.txt or sitemap.xml, etc... Quick check with dirb:

Nothing special. The robots.txt that was found contains only the '/secret/' directory:


Nope. I thought it was a good time to check that FTP:

As I saw before, there is a PCAP file to grab. Let's find out what's inside:


Ok, let's try to read the file (tcpdump):

We can see that there is clear-text FTP traffic, so let's check it in Wireshark:

You should also find this one:

I was looking for dirs/files when I saw:

Ok. Not yet. :)

I grabbed the file and checked what it is:

I thought maybe it is something like during the LoTR CTF...

Now, what 'tr0lled' me the most was that the address is... not in the binary. :D Cool. ;)

Inside those dirs you'll find some TXT files. I thought maybe it was some kind of wordlist (or a user/password list)... I decided to try it with hydra:

Ok, we're ready:

After a while you'll find that this is useless. Let's think about it one more time:

this_folder_contains_the_password - so what are we looking for?

A txt file with passwords? A JPG with a hidden message in its EXIF data? Or maybe we're just looking at it?

Yeah. Good job. ;) If you're looking for a root shell you can get it like this:

Or you can try the other way:

A quick check and we found cleaner.py:

So we found that file; ls -la to check more details:

As you can see, the file is owned by root and writable by the overflow user. (As proof, I echoed "#" to the end of the file.) That means we can overwrite the file so that it runs something else (as root). Let's prepare our little shell in /tmp and run it with our new cleaner.py code:

And after another logout:

We will get a root again. :)
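The cleaner.py finding above is a generic misconfiguration: a script that a privileged account executes but an unprivileged account can modify. As an added example (not code from the post or the CTF box), here is a small Python audit that walks a directory tree and flags root-owned regular files that group or others can write, or that sit in a writable, non-sticky directory and so can be deleted and replaced. The sample layout it builds is constructed, and it is audited against the current user's uid because the example cannot create root-owned files.

```python
import os
import stat
import tempfile
from pathlib import Path

OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root, privileged_uid=0):
    """Walk `root` and report regular files owned by `privileged_uid` that a
    non-owner could modify: the file itself is group/world-writable, or its
    directory is group/world-writable without the sticky bit (so the file can
    be removed and replaced). Returns sorted (path, reason, mode) tuples."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        try:
            dir_st = os.lstat(dirpath)
        except OSError:
            continue
        dir_replaceable = bool(dir_st.st_mode & OTHERS_WRITE) and not (dir_st.st_mode & stat.S_ISVTX)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or st.st_uid != privileged_uid:
                continue
            mode = oct(stat.S_IMODE(st.st_mode))
            if st.st_mode & OTHERS_WRITE:
                findings.append((path, "file-writable", mode))
            elif dir_replaceable:
                findings.append((path, "dir-writable", mode))
    return sorted(findings)


def audit_sample():
    """Build a constructed layout (not the CTF box) and audit it:
    bin/cleaner.py is group-writable like the finding in the post,
    drop/job.sh sits in a world-writable directory, bin/ok.py is clean."""
    base = Path(tempfile.mkdtemp(prefix="audit-"))
    (base / "bin").mkdir(mode=0o755)
    (base / "drop").mkdir(mode=0o777)
    for rel, mode in (("bin/ok.py", 0o644), ("bin/cleaner.py", 0o664), ("drop/job.sh", 0o755)):
        (base / rel).write_text("#!/usr/bin/env python3\n")
        os.chmod(base / rel, mode)
    os.chmod(base / "drop", 0o777)  # re-apply explicitly in case the umask trimmed mkdir's mode
    # The sample files are owned by whoever runs this, so audit for that uid.
    return [(str(Path(p).relative_to(base)), why, m)
            for p, why, m in audit_tree(str(base), privileged_uid=os.getuid())]
```

On a real host, call audit_tree("/path/to/dir", 0) against the directories whose scripts root executes; any hit is a file an unprivileged user could turn into root's code, exactly the pattern exploited above.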

That's all.

Big thanks go to the author for preparing this game! Also thanks go to VulnHub for hosting this Tr0ll! ;)
