Vulnhub Tr0ll: A Walkthrough

Noel Varghese
May 22, 2021

Hello readers,

This is my technical write-up of Vulnhub’s Tr0ll box, which is a good one for beginners starting their foray into pentesting.

For those unfamiliar with Vulnhub, it is a platform that provides vulnerable boxes to practice on and gain experience in ethical hacking. The goal is to capture the flag, which indicates a successful compromise of the machine.

The credit for creating this box goes to Maleus.

I honestly had a good time playing around with the box. It taught me the importance of having good observational skills too.

NOTE: The IP address of the victim machine will henceforth be referred to as IP Address.

Let’s start

You can download the box from here: https://download.vulnhub.com/tr0ll/Tr0ll.rar

Extract the .vmx file, load the box into VMware, change its network setting to “Bridged” and power it on.

RECONNAISSANCE

First, we detect the box’s IP address using ‘netdiscover’.

The IP on the VMware host is our target.

I quickly ran an Nmap SYN scan over it, to cause as little noise as possible, with verbosity cranked up to 2 (-vv).

Command- nmap -sS <IP> -vv

We get the open ports below:-

These are the open ports

ENUMERATION

Let’s power up Mozilla and explore port 80.

( ͡°╭ʖ╮° )

I downloaded the image and ran exiftool on it to look for any embedded comments or directory hints. There were none.

To check for hidden directories, I ran dirb and nikto scans against the IP.

Command- dirb http://<IP>

Dirb scan results

Command- nikto -h http://<IP>

nikto scan results

Let’s explore the robots.txt file, on our browser.

This is what we get.

It indicates that a /secret directory exists on the web server.

Going over to /secret,

Yeah I am, but this brought a smile to my face.

Downloading the image and running exiftool did not yield anything.

We recall that the FTP port was open on the victim. Logging in as an anonymous user, we get

I was pretty confused to see a file with a .pcap extension. After some digging on Google, I found that it is a file that records network traffic (probably from the victim’s machine) and can be loaded into Wireshark for analysis.

This is what we get when following the TCP stream.

Pretty strange text

It seems we get two pointers: secret_stuff.txt and sup3rs3cr3tdirlol, which may be a directory.
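Added here as a worked example, not part of the original write-up: a minimal pcap reader in Python that does by hand what Wireshark’s Follow TCP Stream does, concatenating the TCP payloads of each direction so the hints can be read in order. The capture it parses is constructed inline (addresses, ports and text are made up) as a stand-in for the file from the FTP share.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap with microsecond timestamps

def _frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since the parser ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"                     # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def sample_pcap():
    """Constructed two-packet capture standing in for the file found on the FTP share."""
    frames = [_frame("10.0.0.5", "10.0.0.9", 40000, 1337, b"where is secret_stuff.txt?\n"),
              _frame("10.0.0.9", "10.0.0.5", 1337, 40000, b"look in sup3rs3cr3tdirlol\n")]
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)       # ts_sec, ts_usec, incl, orig
    return b"".join(out)

def tcp_streams(pcap):
    """Concatenate TCP payloads per direction, like Wireshark's 'Follow TCP Stream'."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    streams = defaultdict(bytearray)
    off = 24                                             # skip the global header
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4/TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]                 # IP total length trims Ethernet padding
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4                        # TCP header length incl. options
        streams[(f"{src}:{sport}", f"{dst}:{dport}")] += tcp[doff:]
    return {k: bytes(v) for k, v in streams.items()}

def printable_text(data):
    """Render a stream for reading, replacing non-printable bytes with '.'."""
    return "".join(chr(b) if 32 <= b < 127 or b in (10, 13) else "." for b in data)
```

Run `for k, v in tcp_streams(sample_pcap()).items(): print(k, printable_text(v))` to see both directions of the constructed conversation; point it at a real capture by reading the file bytes instead of calling sample_pcap().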

secret_stuff.txt was a dead end and does not exist on the web server. Instead, we get this from /sup3rs3cr3tdirlol:

The roflmao file, once downloaded, appears to be an executable. I reached this conclusion from exiftool, when trying to identify the file type.

I tried ‘catting’ the file to view it and executing it, to no avail.

Further Google digging and other write-ups suggested that the ‘strings’ command can be used to extract readable text from the file.

Command- strings roflmao

These are our strings. Of these, 0x0856BF looks interesting. It might turn out to be a directory after all.

Our hunch turned out to be right after all.

Browsing each folder, we get:-

Possible set of usernames for SSH login
This may not be the password after all

GAINING ACCESS

I ain’t taking any chances by brute forcing SSH with the ‘genphlux’ username. Instead, we copy each username into a text file using vim.

We use the hydra tool to brute force the SSH login, since we do not know the password, feeding it the rockyou.txt wordlist, which may crack it.

Command- hydra -L <Username.txt> -P /usr/share/wordlists/rockyou.txt ssh://<IP>

We got our credentials. Phew!

LEVERAGING OUR SHELL

Let’s log in and spawn a proper interactive shell.

Command- python -c 'import pty;pty.spawn("/bin/bash")'

We get the overflow user’s shell and prompt. When we try to poke around, the shell expires/times out. We need to devise a strategy that gives us a persistent shell.

LEVERAGING PRIVILEGES

Let us find writable files on the system.

Command- find / -writable 2>/dev/null

Among all the results, we can see an executable .py file located in /lib.

Here’s a fact: the cleaner.py file is used to clean up junk files.

Let us modify it, using the following commands, to get a persistent shell. We edit the file using the nano editor.

Save the file with the modified changes using Ctrl+X.

An executable shell file will be created at /tmp.

Let’s execute it. We get a prompt-less shell. Well, whatever.

We navigate to the root user’s directory and find the flag.txt file.

Pwned!
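The writable cleaner.py that root runs on a schedule is the classic cron misconfiguration this whole escalation turns on. As an added example, not from the walkthrough, here is a small Python audit a defender can run to catch it: it parses a system-style crontab (five schedule fields, user, command), stats each scheduled script and reports any that users other than the owner can write, or that root runs but does not own. The crontab line, the script and the hypothetical demo() helper are constructed in a temporary directory to show the weak mode beside the corrected one.

```python
import os
import stat
import tempfile

def scheduled_scripts(crontab_text):
    """Return (user, command) pairs from a system-style crontab: 5 schedule fields, user, command."""
    jobs = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue                      # blank, comment or VAR=value line
        jobs.append((fields[5], fields[6]))
    return jobs

def unsafe_reasons(mode, uid, run_as="root"):
    """Why a script cron runs as `run_as` is a privilege-escalation risk (pure function of stat fields)."""
    reasons = []
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if run_as == "root" and uid != 0:
        reasons.append(f"owned by uid {uid}, not root")
    return reasons

def audit(crontab_text):
    """Stat every scheduled script and return {path: reasons} for the unsafe ones."""
    findings = {}
    for user, path in scheduled_scripts(crontab_text):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue                      # dangling job; not this check's concern
        reasons = unsafe_reasons(st.st_mode, st.st_uid, user)
        if reasons:
            findings[path] = reasons
    return findings

def demo():
    """Constructed scenario (hypothetical helper): a root cron job whose script anyone can edit."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "cleaner.py")
        with open(script, "w") as f:
            f.write("#!/usr/bin/env python\n# removes junk files from /tmp\n")
        crontab = f"* * * * * root {script}\n"
        os.chmod(script, 0o666)           # the weak setting found on the box
        weak = audit(crontab).get(script, [])
        os.chmod(script, 0o755)           # corrected: only the owner may write
        fixed = audit(crontab).get(script, [])
    return weak, fixed
```

On a real host, read /etc/crontab and the files under /etc/cron.d into audit(); when run as a non-root user the demo still reports the script as not root-owned, which is exactly the second condition the audit is meant to flag.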

REPORTING

Well, you have it now!

Conclusion:-

Though privilege escalation can be tricky depending on the situation encountered in a box, it is handy to know all the possible ways to elevate to root, be it with the help of exploits, by escaping a restrictive shell or through plain sudo su.

Unusually, I found the box to be plain sailing until I reached the root escalation part.

Written by Noel Varghese

Threat Researcher at CloudSEK Security+ | eJPT | Connect with me on LinkedIn — https://www.linkedin.com/in/noel--varghese