Vulnhub - Tr0ll:1


Today, we are going to pwn Troll:1 from Vulnhub by maleus.

Nmap

Running an nmap scan against the machine to identify the services it exposes: nmap -sV -sC -A -p- -T5 192.168.43.169 (-T5 is the most aggressive timing template and can miss ports on a lossy link, which is acceptable here since the target sits on the local network).

FTP Enumeration

From the nmap scan we know that FTP has anonymous login enabled, so using the ftp client we log in as the anonymous user and find a file named lol.pcap.

Opening it in Wireshark, we can see that a file named secret_txt was transferred on the network this traffic was captured from. Following the TCP stream shows that the file mentions a directory.
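As an added example (not part of the original writeup or the author's tooling), the following Python does the job of Wireshark's Follow TCP Stream from the command line, using only the standard library: it walks the pcap records, groups TCP payload per direction, reorders segments by sequence number and drops retransmissions, so a capture pulled off an FTP server can be searched for the hint without a GUI. The capture it parses is constructed inline to exercise the code; it is not lol.pcap, and the addresses, the file name and the directory hint in it are placeholders.

```python
"""Follow TCP streams in a libpcap file with the standard library only.

Added example, not the writeup author's code: it mirrors Wireshark's
"Follow TCP Stream" so a capture pulled off an FTP server can be searched
from a shell. The capture below is constructed here to exercise the parser
(it is not lol.pcap); addresses, file name and hint are placeholders.
"""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # microsecond-resolution pcap, little-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with no options. Checksums are left zero;
    the parser below never validates them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw Ethernet frames in a libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def follow_tcp_streams(pcap_bytes):
    """Return {(src, sport, dst, dport): payload}, one entry per direction.

    Segments are ordered by sequence number and a retransmitted segment
    (same seq seen twice) is kept only once. Only little-endian microsecond
    pcap over Ethernet is handled; pcapng and other link types raise.
    """
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")

    segments = defaultdict(dict)    # flow -> {seq: payload}
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != IPPROTO_TCP:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        # IP total length bounds the payload, so Ethernet padding is excluded
        payload = frame[tcp_off + data_off:14 + ip_total_len]
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)

    return {flow: b"".join(chunks[s] for s in sorted(chunks))
            for flow, chunks in segments.items()}


def demo():
    """Constructed FTP-like exchange: the client's commands are stored out of
    order and one is retransmitted, to show the reassembly at work."""
    client, server = "10.0.0.5", "10.0.0.10"
    frames = [
        build_frame(server, client, 21, 40000, 1000, b"220 ftp ready\r\n"),
        build_frame(client, server, 40000, 21, 1016, b"RETR secret_txt\r\n"),
        build_frame(client, server, 40000, 21, 1000, b"USER anonymous\r\n"),
        build_frame(client, server, 40000, 21, 1000, b"USER anonymous\r\n"),  # retransmit
        # data channel carrying the file body; the directory name is a placeholder
        build_frame(server, client, 20, 40001, 5000, b"the directory you want is /look_here\r\n"),
    ]
    return follow_tcp_streams(build_pcap(frames))


if __name__ == "__main__":
    for (src, sport, dst, dport), data in demo().items():
        print(f"{src}:{sport} -> {dst}:{dport}")
        print(data.decode("latin-1"))
```

Point follow_tcp_streams at the bytes of a real capture (open(path, "rb").read()) and grep the returned payloads for a file or directory name; the FTP data channel (server port 20 here) carries the file body, while the control channel carries the RETR command that names it.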

HTTP Service Enumeration

Before that, I had checked robots.txt, and the /secret page it mentions turned out to be another troll, just like the index page.

Contents of robots.txt:-

User-agent:*
Disallow: /secret

From the pcap file we found a directory reference, so let's try it. The directory listing on the web server contains a binary, a 32-bit ELF; running it prints the following string:-

robin@oracle:~/Vulnhub/Tr0ll$ ./roflmao
Find address 0x0856BF to proceed

That address was itself a directory reference; browsing to it I found two more directories.

The good_luck directory contains which_one_lol.txt with the following data:-

maleus
ps-aux
felux
Eagle11
genphlux < -- Definitely not this one
usmc8892
blawrg
wytshadow
vis1t0r
overflow

The other one has a text file named Pass.txt which says Good_luck:-).

SSH Login and Root Flag

Using hydra to run a dictionary attack, since at this point the intent was clear enough. I first tried hydra -L new.txt -P pass.txt 192.168.43.169 ssh, which gave an error; I had no idea what was happening, since the machine trolls its users at every step. After spending 15 minutes on the arguments being passed to hydra, I tried hydra -L user.txt -p Pass.txt 192.168.43.169 ssh (lowercase -p, so the literal string Pass.txt is tried as the password rather than read as a password file), which found the password Pass.txt for the user overflow. Oh god, that was definitely a good troll.

Now, there are some commands I usually run to find anything interesting; while trying them, I found via uname -a that the Linux kernel is very old and, in our case, appears exploitable. I downloaded the matching exploit to my host machine and started a local HTTP server with python -m SimpleHTTPServer 1337 in order to transfer the file to the target.

Next, I checked whether the machine has gcc installed, and to our surprise it does. Let's compile and run it: gcc -o root root.c, since I had renamed the file to root.c. Running the exploit gave us a root shell.

The Flag

Time to get the flag:-

That was it, until then enjoy.

Fun

While enumerating the system I found lamo.py in the /opt folder, which was the cause of our connections being closed automatically after a fixed time. Here are its contents:-

Just after checking it, I got disconnected.


Author: D4mianwayne
Reprint policy: All articles in this blog are licensed under CC BY 4.0 unless stated otherwise. If reproduced, please indicate the source D4mianwayne!