Running an nmap scan against the machine to enumerate the services it exposes:
nmap -sV -sC -A -p- -T5 18.104.22.168
From the nmap scan we knew that FTP had anonymous login enabled, so using the ftp client we logged in as the anonymous user and found there was a pcap file.
Opening it in Wireshark, we can see that a secret_txt file existed somewhere on the network from which this traffic was captured. So I followed the TCP stream and found a directory mentioned in that file.
Beforehand, I had tried checking robots.txt and found out that we had been trolled again: the /secret page it mentions is a troll just like the index page. The robots.txt contents:
User-agent:*
Disallow: /secret
From that pcap file we found a directory reference, so let's try it. In that directory's listing on the web server I found a binary, a 32-bit ELF; running it shows the following string:
robin@oracle:~/Vulnhub/Tr0ll$ ./roflmao
Find address 0x0856BF to proceed
That address was another directory reference; going there, I found two more directories.
The good_luck directory has which_one_lol.txt with the following data:
maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow
The other one has a text file named Pass.txt which says:
At this point a dictionary attack against SSH with hydra was clearly the intended path. I first tried
hydra -L new.txt -P pass.txt 192.168.43.169 ssh
which gave an error. I had no idea what was happening, since the machine involves some trolling of its users; after spending 15 minutes on the arguments being passed to hydra, I tried
hydra -L user.txt -p Pass.txt 192.168.43.169 ssh
(lower-case -p supplies a single literal password rather than a wordlist), which gave us the password Pass.txt for the user overflow. Oh god, that was definitely a good troll.
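The sequence above is exactly what a brute-force login leaves behind in a host's auth.log: a burst of failed logins from one source spread over many usernames, followed by a success. The following is an added example, not code from the original walkthrough: it parses constructed sshd log lines (the hostname, PIDs and source addresses are made up; the usernames mirror the wordlist shown earlier) and flags any source that exceeds a failure threshold inside a sliding time window, calling out in particular an accepted login that follows such a burst.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the original machine); the
# hostname, PIDs and addresses are made up. The first source runs through
# several usernames in a few seconds and then gets in as "overflow".
SAMPLE_AUTH_LOG = """\
Oct 11 14:02:01 tr0ll sshd[1201]: Failed password for invalid user maleus from 192.0.2.10 port 51002 ssh2
Oct 11 14:02:01 tr0ll sshd[1203]: Failed password for invalid user ps-aux from 192.0.2.10 port 51004 ssh2
Oct 11 14:02:02 tr0ll sshd[1205]: Failed password for invalid user felux from 192.0.2.10 port 51006 ssh2
Oct 11 14:02:02 tr0ll sshd[1207]: Failed password for invalid user Eagle11 from 192.0.2.10 port 51008 ssh2
Oct 11 14:02:03 tr0ll sshd[1209]: Failed password for invalid user genphlux from 192.0.2.10 port 51010 ssh2
Oct 11 14:02:03 tr0ll sshd[1211]: Failed password for invalid user usmc8892 from 192.0.2.10 port 51012 ssh2
Oct 11 14:02:04 tr0ll sshd[1213]: Accepted password for overflow from 192.0.2.10 port 51014 ssh2
Oct 11 14:05:30 tr0ll sshd[1300]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Oct 11 15:10:00 tr0ll sshd[1400]: Accepted publickey for admin from 198.51.100.7 port 40100 ssh2
"""

Event = namedtuple("Event", "ts result method user ip")

# Matches the two sshd outcomes we care about. "invalid user" appears only
# when the account does not exist, so it is optional in the pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2014):
    """Turn sshd Failed/Accepted lines into Event tuples; other lines are skipped.

    Classic syslog timestamps carry no year, so the caller supplies one
    (an assumption of this example, not something the log states).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {ip: finding} for every source with >= threshold failures in any window.

    A finding records the peak number of failures seen inside one window, the
    usernames tried during the burst, and the account of an Accepted login that
    arrived while the window still held a burst (None if there was no such login).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        recent_failures = []      # failures still inside the sliding window
        burst_users = set()
        peak = 0
        success_after_burst = None
        for ev in evs:
            cutoff = ev.ts - timedelta(seconds=window_seconds)
            recent_failures = [f for f in recent_failures if f.ts >= cutoff]
            if ev.result == "Failed":
                recent_failures.append(ev)
                peak = max(peak, len(recent_failures))
                if len(recent_failures) >= threshold:
                    burst_users.update(f.user for f in recent_failures)
            elif len(recent_failures) >= threshold:
                # An Accepted login right after a burst is the worst outcome:
                # the guessing most likely succeeded.
                success_after_burst = ev.user
        if peak >= threshold:
            findings[ip] = {
                "peak_failures": peak,
                "users_tried": sorted(burst_users),
                "success_after_burst": success_after_burst,
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {f['peak_failures']} failures in window, "
              f"users tried: {', '.join(f['users_tried'])}, "
              f"success after burst: {f['success_after_burst']}")
```

On the sample the first source is reported with six failures and a success as overflow, while the single failed admin login from the second source stays below the threshold. The threshold and window are tunable; the defence this points at is the usual one: key-based authentication, fail2ban-style lockout, and alerting specifically on the burst-then-success pattern rather than on failures alone.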
Now, there are some commands I usually run to find anything interesting. While going through them I found via uname -a that the Linux kernel is far too old, which in our case seemed exploitable. I downloaded the exploit on my host machine and started a local HTTP server with
python -m SimpleHTTPServer 1337
in order to transfer the file to the target. I then checked whether the machine had gcc installed and, to our surprise, it does. Let's compile and run it already:
gcc -o root root.c
(I had renamed the file to root.c). Running that exploit gave us a root shell.
Time to get the flag:
That was it, until then enjoy.
While enumerating the system I found the /opt folder, which was the cause of our connections being closed automatically because of timing constraints. Here are its contents:
Just after checking it, I got disconnected.