Sure enough, visiting the directory...
Gr8 b8 m8. After logging in to the FTP server and downloading the "lol.pcap" file, I take a closer look in Wireshark. It looks like a capture of a useless FTP session. However, halfway down I found something of interest.
Visiting the newly found "sup3rs3cr3tdirlol/" in the webserver, I found a file called "roflmao."
Upon further inspection, it appears to be a binary, and after executing it, I see what appears to be a memory address of some sort.
My first instinct was to use edb-debugger to perhaps find something to do with the address mentioned in the executable. Fortunately, I didn't waste much time (20 minutes lol) because after pasting the address into the web browser...
Yeah... Anyway, I find what looks like a username list and a password list (Pass.txt) in the respective directories, so I decide to go ahead and start brute forcing SSH. It took me a while, but "Pass.txt" is literally the password for the "overflow" user.
Within minutes, I can tell escalation is going to be annoying because I'm getting kicked off seemingly randomly and my "/tmp/" files keep getting deleted. I figure this is the work of a cron job, so I take a look at "cron.log."
Taking a look at the file, I see this is indeed what is removing my tmp files.
I also see this file is writable, meaning I can simply create a setuid binary and give it root permissions and I should be good. I create a simple setuid C program and compile it in the tmp directory.
Then I modify the cleaner.py script to give the file root permissions and set the setuid bit.
After "ls -al"-ing a few times, I see the file permissions change and I'm able to execute the program and become root!
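The root cause here is a root cron job whose script is writable by an unprivileged user. As an added example (not part of this writeup or the Tr0ll VM), the audit below parses /etc/crontab-style lines and flags root jobs whose referenced files are group/world-writable or sit in a world-writable directory; the crontab text and file paths are constructed for the demo.

```python
import os
import stat


def parse_crontab_line(line):
    """Return (user, [absolute paths in the command]) for one /etc/crontab-style
    line (min hour dom mon dow user command); None for comments, blanks,
    environment assignments (SHELL=...) and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
        return None
    fields = line.split(None, 6)
    if len(fields) < 7:
        return None
    # Keep plain absolute paths; skip globs such as /tmp/* which cannot be stat'ed.
    paths = [t for t in fields[6].split() if t.startswith("/") and "*" not in t]
    return fields[5], paths


def writability_issues(path):
    """Reasons an unprivileged user could alter what this cron job executes."""
    reasons = []
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        reasons.append("missing (could be planted if the directory is writable)")
        mode = 0
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif mode & stat.S_IWGRP:
        reasons.append("group-writable")
    try:
        pmode = os.stat(os.path.dirname(path) or "/").st_mode
    except FileNotFoundError:
        return reasons
    # A world-writable directory without the sticky bit lets anyone replace the file.
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(crontab_text):
    """Flag root jobs whose command references a modifiable file.
    Returns a list of (path, reason) tuples."""
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None or parsed[0] != "root":
            continue
        for path in parsed[1]:
            findings.extend((path, r) for r in writability_issues(path))
    return findings
```

Running it against the real /etc/crontab and /etc/cron.d/* on a host turns the "my tmp files keep getting deleted" observation into a finding before an attacker makes the same one.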
This was a very fun VM and it did actually remind me of working in the OSCP labs. I look forward to making time for Tr0ll 2.