Tr0ll 1 Vulnhub Walkthrough
Hello everyone, today we’re going to be solving Tr0ll 1 from Vulnhub. This is a beginner-level machine. Let’s begin.
You can find Tr0ll 1 here : https://www.vulnhub.com/entry/tr0ll-1,100/
First let’s have a look at what the home/login page of Tr0ll looks like :
That is all that we get. So let’s make use of our Kali Linux and crack this.
Step 1 : sudo netdiscover
As you can see in the above picture, I found the Tr0ll IP address by running the netdiscover command. Let’s fire up Firefox and check what the website has for us.
Okay, so it looks like there’s some trolling going on here. Let us take the other route for examining a host, nmap.
Step 2 : nmap (ip)
I ran an nmap stealth scan across all 65535 ports. The result shows that 65532 ports are closed and the 3 open ports are listed above. Let us go ahead and try an anonymous FTP login.
Step 3 : anonymous login on ftp port
Username : anonymous,
Password : (enter).
These credentials logged me in successfully, and on running ‘ls -al’ as shown above, I found a file with a .pcap extension, which means ‘packet capture’. I downloaded that file to my Kali machine in order to open it in Wireshark.
Note : .pcap files can only be opened in Wireshark.
Step 4 : Wireshark
After opening the file in Wireshark, I viewed the packets with Follow TCP Stream, as highlighted in the above picture, and found a suspicious text file name, so I decided to try it on the URL.
As you can see above, we found something at ‘URL/secret’. Before this I did try ‘secret_stuff.txt’ and ‘secret_stuff’, but neither gave me any result.
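What Wireshark’s Follow TCP Stream does, in miniature: walk the pcap records, pick out the TCP segments and show their printable payload. This is an added example, not part of the original walkthrough; the capture it parses is constructed in-code (a single FTP-style command line between two made-up 192.168.56.x hosts), not the capture from the Tr0ll box.

```python
import struct

# Constructed sample capture (not the Tr0ll pcap): one Ethernet/IPv4/TCP frame
# carrying an FTP-style text line, written out as a little-endian pcap file.
def build_sample_pcap(payload: bytes) -> bytes:
    ip_total = 20 + 20 + len(payload)                       # IP hdr + TCP hdr + data
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                         bytes([192, 168, 56, 101]), bytes([192, 168, 56, 20]))
    # sport 40000 -> dport 21: the client side of an FTP control connection
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip_hdr + tcp_hdr + payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))        # ts_sec, ts_usec, incl, orig
    return global_hdr + record_hdr + frame

def tcp_payloads(pcap: bytes):
    """Yield (src, dst, sport, dport, payload) for every TCP segment in a pcap buffer."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"   # byte order from magic
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24                                                # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length in bytes
        if frame[23] != 6:                                  # protocol field: 6 = TCP
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]    # IPv4 total length (excludes Ethernet)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        t = 14 + ihl                                        # start of the TCP header
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        data_off = (frame[t + 12] >> 4) * 4                 # TCP header length in bytes
        yield src, dst, sport, dport, frame[t + data_off:14 + total_len]

def readable_text(pcap: bytes) -> str:
    """Concatenate the printable text of all TCP payloads, as a stream view would show it."""
    parts = []
    for _, _, _, _, data in tcp_payloads(pcap):
        text = data.decode("ascii", errors="replace")
        parts.append("".join(c for c in text if c.isprintable() or c in "\r\n"))
    return "".join(parts)
```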
Let us further investigate in Wireshark if we find more such hints or directories or files.
Another one. The way this was written raised a doubt in my head, so I decided to try this on the URL too, and the result was as follows:
Here, I found a file named ‘roflmao’ as shown above, so I went on to download and view it.
On running the nano command on the file name, this was the output. In between the gibberish, I found something on the third line which I thought I should try on the URL.
We are getting close, I must say. Let’s see what these directories have for us.
After opening the good_luck directory, there was a text file which I have shown above. In my view, these are a few usernames that we will have to brute force to find the correct one. Let’s go and see what the password folder has for us.
Since this has spaces and special characters, I’m going to consider ‘Pass.txt’ as the password as highlighted in the URL in the above picture.
Before moving ahead, I put all the usernames we found into a text file and saved it on my Kali machine (a text file is easier to brute force with).
Step 5 : hydra command (brute force)
In the hydra command, -L is used when we have a list of usernames; use -l if you have a single known username. Likewise, -p is used because we have a single known password; if the passwords are in a text file instead, use -P file.txt.
As shown in the highlighted part, we have successfully found the username and password.
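From the other side of the wire, a hydra run like this one leaves a very recognisable trail in the target’s sshd log: a burst of failed logins from one source, each with a different username, followed by an accepted login from the same source. This added example (not part of the original walkthrough) shows simple detection logic for that pattern over constructed syslog-style sshd lines; the hostnames, usernames other than ‘overflow’, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines, not taken from the Tr0ll box.
SAMPLE_AUTH_LOG = """\
Aug 14 10:01:01 troll sshd[1201]: Failed password for invalid user alpha from 192.168.56.101 port 40211 ssh2
Aug 14 10:01:01 troll sshd[1202]: Failed password for invalid user bravo from 192.168.56.101 port 40212 ssh2
Aug 14 10:01:02 troll sshd[1203]: Failed password for invalid user charlie from 192.168.56.101 port 40213 ssh2
Aug 14 10:01:02 troll sshd[1204]: Failed password for invalid user delta from 192.168.56.101 port 40214 ssh2
Aug 14 10:01:02 troll sshd[1205]: Failed password for invalid user echo from 192.168.56.101 port 40215 ssh2
Aug 14 10:01:03 troll sshd[1206]: Failed password for invalid user foxtrot from 192.168.56.101 port 40216 ssh2
Aug 14 10:01:03 troll sshd[1207]: Accepted password for overflow from 192.168.56.101 port 40217 ssh2
Aug 14 10:25:40 troll sshd[1300]: Failed password for overflow from 192.168.56.30 port 50001 ssh2
Aug 14 10:30:00 troll sshd[1350]: Accepted password for overflow from 192.168.56.20 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_auth_log(text):
    """Return (timestamp, source_ip, username, accepted) tuples for password-auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:                                   # syslog lines carry no year; 1900 is fine for ordering
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside `window`, plus any later accepted login."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if not e[3]]
        burst = any(fails[i + threshold - 1][0] - fails[i][0] <= window
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        findings[ip] = {
            "failed": len(fails),
            "usernames_tried": sorted({e[2] for e in fails}),
            "accepted_after_burst": [e[2] for e in evs if e[3] and e[0] >= fails[0][0]],
        }
    return findings
```

A single failure from 192.168.56.30 and the normal login from 192.168.56.20 stay below the threshold and are not reported; the user-list spray from 192.168.56.101 is.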
Step 6 : ssh login using obtained credentials
You can see above that the Ubuntu version is 14.04, which is outdated, so we can expect to find some exploits for it. Hence, let’s try msfvenom.
Step 7 : msfconsole
Here, I have used -q to suppress the banner. Now, let us search for exploits with searchsploit using the version number, 14.04.
In the results, look for the entry I have highlighted in the above picture. We need to get that linux/local/37292.c file onto the box as the overflow user (over the ssh login).
Step 8 : Download the exploit into the base Kali machine
Here, I took help of my best friend, Google. I searched for 37292.c exploit and clicked on the first link which is the one you can see above.
Step 9 : Create localhost python server
In the next step, we’ll open up the terminal and enter the above command. This starts a local Python HTTP server. You can view its contents by entering 0.0.0.0:8000 or machineip:8000 in the URL bar.
Now that the server is running, we will visit it in Firefox.
As you can see above, all the contents of /home are visible here, because the server shares whatever directory it was started in.
Step 10 : Downloading the exploit in overflow user profile
I have already logged into overflow using Pass.txt above and changed into the /tmp folder, which is where we’re going to download the exploit. As shown above, the wget command is followed by the address of the local Python server we just created.
Also as shown above, the exploit has been saved into the /tmp folder.
Finally, we use the third and fourth commands in the above image to compile and run the exploit and gain root access. At the end you can see that the ‘whoami’ command outputs ‘root’, which means we are now the root user.
And last but not least, the flag. We can go to the root folder and find it there.
We have successfully become root and hacked the machine that tried to troll us.
That’s all for Tr0ll 1; we will cover more CTFs in the future. Thank you!