I started this machine and Kali Linux on another VM. To find the target's IP I used netdiscover with the -r(ange) parameter:
Ok, cool, yeah, I see that FTP. We'll get back to it later. Let's try WWW first:
Nothing special. The robots.txt I found contains only the '/secret/' directory:
...unfortunately:
Ok, let's try to read the file (tcpdump):
Inside those dirs you'll find some TXT files. I thought maybe it's some kind of a wordlist (or user/password list)... I decided to mix it with hydra:
Ok, we're ready:
After a while you'll find that this is useless. Let's think about it one more time:
this_folder_contains_the_password - so what are we looking for?
A txt file with passwords? A JPG with a hidden message in EXIF? Or maybe we're just looking at it?
Yeah. Good job. ;) If you're looking for a root shell you can get it like this:
As you can see, the file is owned by root and writable by the overflow user. (As proof, I echoed "#" onto the end of the file.) It means that we can overwrite the file to run something else (as root). Let's prepare our little shell in /tmp and run it with our new cleaner.py code:
And after another logout:
We will get root again. :)
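The root shell above works because a script that root executes is writable by an unprivileged user. As an added example (not part of the original write-up), this Python check flags that condition from the defender's side; the function names and the sample file are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by_non_owner(st):
    """True if the group or 'other' permission bits allow writing."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_privileged_script(path, owner_uid=0):
    """Return findings for a script that a privileged account executes.

    owner_uid is the account that should own the file (0 = root).
    """
    findings = []
    path = os.path.abspath(path)
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if writable_by_non_owner(st):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} lets other users rewrite it")
    # A writable parent directory (without the sticky bit) lets a user
    # delete the script and drop a replacement, even if the file is 0644.
    parent = os.path.dirname(path)
    pst = os.stat(parent)
    if writable_by_non_owner(pst) and not (pst.st_mode & stat.S_ISVTX):
        findings.append(f"{parent}: directory is writable, script can be replaced")
    return findings

if __name__ == "__main__":
    # Constructed sample: a stand-in for a script like cleaner.py, owned by
    # the current user so the demo runs without root.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        script = os.path.join(d, "cleaner.py")
        with open(script, "w") as fh:
            fh.write("# placeholder\n")
        os.chmod(script, 0o777)   # the weak setting
        print(audit_privileged_script(script, owner_uid=os.getuid()))
        os.chmod(script, 0o755)   # the corrected setting
        print(audit_privileged_script(script, owner_uid=os.getuid()))
```

On a real host, call it with the default `owner_uid=0` on every script that root runs on a schedule or at login.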
That's all.
Big thanks go to the author for preparing this game! Thanks also go to VulnHub for hosting this Tr0ll ;)
Cheers