Hello Friend, This is my writeup for VulnHub Tr0ll 1. It was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead!
Difficulty: Beginner
Type: boot2root
Download : https://www.vulnhub.com/entry/tr0ll-1,100/
Let's jump right in!
Network Scanning
In the first step of scanning I used the “arp-scan -l” command to perform a Local Network Scan to find out the IP address of the targeted machine.
After getting the target machine's IP address I scanned it for open ports with Nmap (all 65535 TCP ports, with version detection and default scripts).
Command : nmap -A -T4 -p- -oN nmap 192.168.0.174
# Nmap 7.80 scan initiated Fri Jun 4 13:25:17 2021 as: nmap -A -T4 -p- -oN nmap 192.168.0.174
Nmap scan report for 192.168.0.174
Host is up (0.0012s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.0.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 4 13:25:34 2021 -- 1 IP address (1 host up) scanned in 16.72 seconds
Enumeration / Reconnaissance
The scan shows HTTP on port 80, so I opened the target IP in a web browser.
Lol, there was not much on the site, so I checked robots.txt, which lists one disallowed entry: /secret.
Browsing to /secret turned out to be a troll.
The Nmap scan also shows FTP on port 21 with anonymous login enabled.
Let's log in with username anonymous and any password (vsftpd accepts anything for the anonymous account).
Command : ftp 192.168.0.174
Here I found one pcap file, lol.pcap. (Note the [NSE: writeable] tag in the scan: the anonymous account can also write to this file.)
I transferred the pcap file to my system. Switch to binary mode (the binary command) before the transfer; the session status above shows TYPE: ASCII, and an ASCII-mode transfer can mangle a capture file.
Command : get lol.pcap
I analyzed the file in Wireshark. There are several TCP streams to follow, and two of them contain interesting info.
The first stream reveals a file name, secret_stuff.txt.
The second stream reveals the word sup3rs3cr3tdirlol.
I tried both on the website. There is no secret_stuff.txt, but sup3rs3cr3tdirlol is a directory on the web server.
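What Wireshark's Follow TCP Stream does, reduced to a small offline script. This is an added example, not code from the original writeup: it parses a classic pcap file, reassembles each TCP conversation's payload bytes in capture order, and pulls out printable runs the way strings(1) would, so the same two findings can be pulled from a capture without a GUI. The embedded capture is constructed for the demo (two conversations echoing the secret_stuff.txt and sup3rs3cr3tdirlol findings, plus a payload-less ACK that must not produce a stream); it is not lol.pcap, and its addresses, ports and text are made up.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic pcap written on a little-endian host
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Return the raw frames of a classic (not pcapng) Ethernet pcap file."""
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    frames, off = [], 24  # 24-byte global header
    while off + 16 <= len(data):  # 16-byte per-record header
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def tcp_segment(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:  # protocol field: 6 is TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4  # TCP header length incl. options
    return src, sport, dst, dport, tcp[doff:]


def follow_streams(frames):
    """Concatenate payload bytes per bidirectional 4-tuple, in capture order."""
    streams = defaultdict(bytearray)
    for frame in frames:
        seg = tcp_segment(frame)
        if seg is None or not seg[4]:
            continue  # non-TCP, or a segment with no data (pure ACK, SYN, FIN)
        src, sport, dst, dport, payload = seg
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key both directions
        streams[key] += payload
    return dict(streams)


def printable_strings(data, min_len=6):
    """Runs of printable ASCII at least min_len long, like the strings tool."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def find_hits(pcap_bytes, needles):
    """Map each needle to the 1-based index of the first stream whose strings contain it."""
    hits = {}
    for idx, data in enumerate(follow_streams(parse_pcap(pcap_bytes)).values(), 1):
        text = "\n".join(printable_strings(bytes(data)))
        for needle in needles:
            if needle in text:
                hits.setdefault(needle, idx)
    return hits


def _build_frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed capture, not lol.pcap: an FTP control channel and its data channel.
SAMPLE_PCAP = _build_pcap([
    _build_frame("10.0.0.5", 40001, "10.0.0.10", 21, b"RETR secret_stuff.txt\r\n"),
    _build_frame("10.0.0.10", 21, "10.0.0.5", 40001, b"150 Opening data connection.\r\n"),
    _build_frame("10.0.0.10", 20, "10.0.0.5", 40002, b"almost found the sup3rs3cr3tdirlol :-P\n"),
    _build_frame("10.0.0.5", 40002, "10.0.0.10", 20, b""),  # bare ACK, no stream
])

if __name__ == "__main__":
    for key, data in follow_streams(parse_pcap(SAMPLE_PCAP)).items():
        print(key, printable_strings(bytes(data)))
    print(find_hits(SAMPLE_PCAP, ["secret_stuff.txt", "sup3rs3cr3tdirlol"]))
```

To use it on the real file, call follow_streams(parse_pcap(open("lol.pcap", "rb").read())). The reassembly is deliberately naive: segments are appended in capture order rather than by sequence number, so retransmissions or reordering would duplicate or scramble bytes, and pcapng files are refused rather than misparsed.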
I downloaded roflmao, which is a binary file.
Before executing anything pulled from a target it is worth running file and strings on it first; in this case the binary just prints a hint.
Command : ./roflmao
Running it gives the message: "Find address 0x0856BF to proceed"
I tried /0x0856BF in the browser as a possible web directory, and indeed it lists two sub-directories.
I opened both. The good_luck directory looks interesting; it contains one more file, which_one_lol.txt.
which_one_lol.txt contains a word list, which might be useful for brute-forcing SSH.
The second sub-directory contains the password, in a file named Pass.txt.
Since the troll could go either way, I saved both the file name (Pass.txt) and its content, Good_job_:), to password.txt.
Exploitation
With a list of usernames (which_one_lol.txt) and passwords (password.txt) to try, let's do online cracking with hydra.
Command : hydra -L which_one_lol.txt -P password.txt 192.168.0.174 ssh
(hydra itself recommends -t 4 for the ssh module, since sshd limits concurrent unauthenticated connections; with lists this small it hardly matters.)
Here I found the credentials: Username=overflow, Password=Pass.txt
As SSH on port 22 was open, I used these credentials to log in.
Command : ssh overflow@192.168.0.174
Wow!! Now I have a remote shell on the target box.
I upgraded the shell with Python. For upgrading remote shells I mostly follow https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
Command : python -c 'import pty; pty.spawn("/bin/bash")'
All right, I finally have my foot in.
Privilege Escalation
Did some enumeration like “sudo -l” but didn’t find anything useful. The author is really trolling. I got kicked out every 5 minutes. Lol..
Finally found something interesting when looking for the writable files.
Command : find / -writable 2>/dev/null | grep /proc -v
"grep /proc -v" excludes entries under /proc, which are not relevant (GNU grep accepts the option after the pattern; grep -v /proc is the conventional order). Adding -type f to the find would also drop writable directories from the list.
cleaner.py looks interesting, so I checked out the script.
It is a script that removes all files in /tmp. That is only useful to an attacker if a cron job runs it regularly, so I created a file in /tmp to test and waited a while.
The created file is gone! So I am going to modify the script to get root access.
I changed the script to copy /bin/sh into /tmp and set the SUID bit on the copy. (On this Ubuntu release /bin/sh is dash, which keeps the setuid effective UID; a SUID copy of bash would drop it unless started with -p.)
Waited a while..
The sh copy appeared in /tmp, so let's run it.
Wow, I got a root shell!!
Afterwards
As it turns out, the cron jobs live in /var/spool/cron/crontabs: one runs lmao.py every 5 minutes to kick me out of my session, and another runs cleaner.py every 2 minutes.
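The cleaner.py bug seen from the defender's side: a root cron job that runs a script non-root users can edit. The audit below is an added example, not the writeup's own code or anything from the VM. It takes a crontab in either per-user format (as under /var/spool/cron/crontabs) or system format (/etc/crontab and /etc/cron.d, which carry a user column), and flags every absolute path in each command whose file, or whose containing directory without the sticky bit, is group- or world-writable. The crontab text, the paths /opt/scripts/cleaner.py, /opt/scripts/lmao.py and /usr/local/bin/backup.sh, and the modes in FAKE_FS are all constructed for the demo and are not the real Tr0ll 1 layout; pass os.stat to run it against a live box.

```python
import os
import shlex
import stat
from collections import namedtuple

# Group- or world-writable: someone other than the owner can rewrite it.
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_crontab(crontab_text, stat_fn=os.stat, system_format=False):
    """Flag cron commands whose script, or the directory holding it, can be
    modified by someone other than the owner.

    crontab_text  -- contents of one crontab file
    stat_fn       -- os.stat, or a stand-in returning an object with st_mode
    system_format -- True for /etc/crontab and /etc/cron.d/* (extra user column),
                     False for per-user files under /var/spool/cron/crontabs
    Returns a list of {"line", "path", "reason"} dicts in file order.
    """
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or a VAR=value assignment
        n_fields = (1 if line.startswith("@") else 5) + (1 if system_format else 0)
        parts = line.split(None, n_fields)
        if len(parts) <= n_fields:
            continue  # schedule with no command
        try:
            tokens = shlex.split(parts[n_fields])
        except ValueError:
            continue  # unbalanced quotes; nothing sensible to check
        for token in tokens:
            if not token.startswith("/"):
                continue  # relative commands would need PATH resolution
            try:
                st = stat_fn(token)
            except OSError:
                continue
            if st.st_mode & WRITE_BY_OTHERS:
                findings.append({"line": lineno, "path": token,
                                 "reason": "file is group/world-writable"})
            parent = os.path.dirname(token)
            try:
                pst = stat_fn(parent)
            except OSError:
                continue
            # A writable directory lets anyone rename the file away and drop a
            # replacement, unless the sticky bit restricts that to the owner.
            if pst.st_mode & WRITE_BY_OTHERS and not pst.st_mode & stat.S_ISVTX:
                findings.append({"line": lineno, "path": parent,
                                 "reason": "containing directory is group/world-writable without sticky bit"})
    return findings


FakeStat = namedtuple("FakeStat", "st_mode st_uid")

# Constructed filesystem model for offline use; paths and modes are assumptions.
FAKE_FS = {
    "/usr/bin/python":          FakeStat(stat.S_IFREG | 0o755, 0),
    "/opt/scripts":             FakeStat(stat.S_IFDIR | 0o755, 0),
    "/opt/scripts/cleaner.py":  FakeStat(stat.S_IFREG | 0o777, 0),  # the bug: world-writable, run by root
    "/opt/scripts/lmao.py":     FakeStat(stat.S_IFREG | 0o755, 0),
    "/usr/local/bin":           FakeStat(stat.S_IFDIR | 0o777, 0),  # writable dir, no sticky bit
    "/usr/local/bin/backup.sh": FakeStat(stat.S_IFREG | 0o755, 0),
}


def fake_stat(path):
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path)


# Constructed root crontab in per-user format (no user column).
CONSTRUCTED_CRONTAB = """\
# hypothetical schedule modelled on the Tr0ll 1 description
SHELL=/bin/sh
*/2 * * * * /usr/bin/python /opt/scripts/cleaner.py
*/5 * * * * /usr/bin/python /opt/scripts/lmao.py
@hourly /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for f in audit_crontab(CONSTRUCTED_CRONTAB, stat_fn=fake_stat):
        print("line {line}: {path}: {reason}".format(**f))
```

From the overflow account the spool directory is not readable (on Debian/Ubuntu /var/spool/cron/crontabs is mode 1730 root:crontab), which is why the writeup has to find the writable script first and infer the schedule by watching /tmp; the audit is for whoever already holds root, or for a build pipeline checking an image. It does not chase relative commands through PATH or inspect what the script itself imports, so a find -writable sweep like the one above still belongs alongside it.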