Sunday, September 2, 2018

Tr0ll 1


- Layout for this exercise:


The goal of this exercise is the study of the hacking process for the vulnerable machine Tr0ll 1.

- According to the author's description there is a Proof.txt file at the /root directory.

- Tr0ll 1 can be downloaded from here:

- Once downloaded and extracted with VMware:


- Using netdiscover to find the IP corresponding to Tr0ll 1:

- Scanning with Nmap, there are 3 available services at port 21 (FTP), 22 (SSH) and 80 (HTTP):

2.1 - Web service

- Starting with the web service, we detect the presence of the folder /secret and the file robots.txt:

- Same information with nikto:

- Going directly to the website, there is nothing interesting:

- Similar results when checking robots.txt and /secret:

2.2 - FTP Service

- Scanning specifically port 21 for the FTP service, we discover that anonymous login is allowed:

- Login with anonymous:

- There is a very promising file called lol.pcap:


- Getting the file lol.pcap:

- lol.pcap can also be downloaded by using the browser with the FTP protocol:

- Opening lol.pcap with Wireshark:

- There is a line about a file called secret_stuff.txt:

- Following the TCP Stream number 0:

- Following the TCP Stream number 2:

- So, we learn that there is an additional directory called sup3rs3cr3tdirlol:
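The two "Follow TCP Stream" steps above are what reveal the directory name hidden in lol.pcap. As an added example (not part of the original post), here is a small pure-Python reader for the classic pcap format that reassembles TCP payloads per conversation, so a reviewer can pull the same information out of a capture without Wireshark. The capture it processes is constructed in memory by the helper functions and only imitates an anonymous FTP session (control connection on port 21, data connection from port 20); the IP addresses, ports and the text inside the data stream are made-up sample values, not the contents of the real lol.pcap.

```python
"""Minimal classic-pcap reader with per-conversation TCP payload reassembly,
the rough equivalent of Wireshark's "Follow TCP Stream".
The sample capture below is constructed in memory for demonstration."""
import re
import socket
import struct
from collections import OrderedDict

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap magic number (little-endian writer)
LINKTYPE_ETHERNET = 1


# ---- helpers that build a constructed sample capture (not a real file) ----
def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame. Checksums stay zero: the frame is never sent."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a pcap global header plus one record header per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


CLIENT, SERVER = "10.0.0.5", "10.0.0.10"     # constructed addresses
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(SERVER, CLIENT, 21, 40001, 1, b"220 FTP server ready\r\n"),
    build_tcp_frame(CLIENT, SERVER, 40001, 21, 1, b"USER anonymous\r\n"),
    build_tcp_frame(CLIENT, SERVER, 40001, 21, 17, b"RETR secret_stuff.txt\r\n"),
    build_tcp_frame(SERVER, CLIENT, 20, 40002, 1,
                    b"Constructed sample text: the hidden directory is sup3rs3cr3tdirlol\n"),
])


# ---- the reader ----
def iter_frames(pcap):
    """Yield each captured frame from a classic (non-pcapng) pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                     # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, dst, sport, dport, seq, frame[tcp_off + data_off:14 + total_len]


def follow_tcp_streams(pcap):
    """Return [(endpoints, payload)] in first-seen order, one entry per TCP conversation.
    Payloads are concatenated in capture order; out-of-order or retransmitted
    segments are not reordered by sequence number (use a real reassembler for that)."""
    streams = OrderedDict()
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, _seq, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent key
        streams.setdefault(key, bytearray()).extend(payload)
    return [(key, bytes(data)) for key, data in streams.items()]


def ftp_commands(data):
    """Extract (command, argument) pairs from an FTP control-channel stream."""
    found = re.findall(rb"^(USER|PASS|CWD|LIST|RETR|STOR) ([^\r\n]+)\r\n", data, re.M)
    return [(c.decode(), a.decode()) for c, a in found]


if __name__ == "__main__":
    for index, (endpoints, data) in enumerate(follow_tcp_streams(SAMPLE_PCAP)):
        print(f"stream {index} {endpoints}: {data!r}")
```

Stream 0 is the FTP control channel, where the RETR command names secret_stuff.txt; stream 1 is the data channel carrying the file content, which is where the directory name appears. On a real capture the same script runs on the bytes of the file (`open("lol.pcap", "rb").read()`), as long as the file is classic pcap rather than pcapng.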

- Let's see if we can access it via the browser:

- It contains a file called roflmao; let's download it and see what we can learn about it:

- It seems to be a BIN file:

- At this moment the file has no execution permissions:

- Giving execution permissions:

- Running the file we find more information:

- Trying 0x0856BF as a web directory, we discover 2 new folders:

- The folder good_luck contains a list of potential usernames:

- Inside the folder this_folder_contains_the_password there are 2 strings that could be passwords: Pass.txt and Good_job:)

- Let's create a text file for potential usernames:

- Same thing for potential passwords:

- Launching Hydra over SSH service using both wordlists:

- The result is successful for overflow:Pass.txt

- Using overflow:Pass.txt as SSH credentials we get a remote shell:

- However, this shell has low privileges, so we need privilege escalation to complete the attack:


- Let's try two alternative ways to perform privilege escalation:

4.1 - Exploiting the Operating System

- From the previous step we know that Tr0ll 1 is an Ubuntu 14.04 machine with kernel 3.13:

- Googling for an exploit for this OS and kernel version:

- searchsploit helps us find the privilege escalation exploit:

- The path to find the exploit is:

- Looking for 37292.c:

- Starting a SimpleHTTPServer on port 8000 of the attacker's Kali machine:

- Going to the remote shell at Tr0ll 1, let's change to the directory /tmp, which is usually writable:

- Downloading 37292.c from Kali:

- Compiling 37292.c:

- Running the executable 37292 we finally get a root shell:

4.2 - Exploiting a crontab misconfiguration

- It is noticeable that every few minutes the SSH connection is closed by the remote host, which sends back a laughing message:

- At the same time the content of /tmp is removed by the remote host:

- These two circumstances make us think that a crontab job is probably running here.

- However, when searching for crontab entries, permission is denied:

- Looking for writable areas:

- Going to cronlog  we detect the presence of a script called running every 2 minutes via crontab:

- Let's find it:

- Interestingly, has full root privileges:

- Reading the content of we understand now why tr0ll1 is clearing all content of /tmp every 2 minutes:

- Now, the idea that comes to mind: why not change the content of the script in our own interest? For instance, giving the user overflow sudo privileges to run a root shell.

- Let's check that at this moment the user overflow does not have any sudo privileges:

- Editing to assign all sudo editing privileges to the user overflow:

- Waiting until the period expires, tr0ll1 kicks me out of the SSH connection:

- Reconnecting again with SSH:

- Eventually user overflow gives us a root shell:

- Being root, we can look deeper into how crontab works to understand what was happening at tr0ll1:

- Every 5 minutes the script sends back a teasing message and also kills the session of the user overflow:
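The root cause of the escalation in this section is a script that root runs from cron while an unprivileged user can write to it. As an added example (not part of the original post), the following audit script shows the check an administrator would run to catch that misconfiguration before someone else does: it parses system-crontab lines (five time fields, a user, then the command), locates every absolute path in each command, and reports any that is writable by group or others, or that lives in a directory that is writable by others without the sticky bit. The crontab text, file names and temporary directory in the demo are constructed for the example and are not the paths on Tr0ll 1.

```python
"""Audit system-crontab entries for scripts a non-owner could modify.
The demo crontab and files below are constructed inside a temporary directory."""
import os
import re
import stat
import tempfile

# five time fields, then the user, then the command (system crontab layout)
CRONTAB_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<command>.+)$")


def parse_system_crontab(text):
    """Return [(user, command)] for every job line, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRONTAB_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("command")))
    return jobs


def writable_by_others(path):
    """True if group or world write bits are set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def dir_allows_replacement(path):
    """True if the parent directory is writable by others and not sticky,
    i.e. any local user could rename or replace the file even if the file
    itself is read-only (a sticky directory such as /tmp blocks that)."""
    mode = os.stat(os.path.dirname(path)).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH)) and not mode & stat.S_ISVTX


def audit_crontab(text):
    """Return [(user, path, reason)] for every absolute path in a job command
    that a non-owner could modify. Only existing paths are checked."""
    findings = []
    for user, command in parse_system_crontab(text):
        for token in command.split():
            if not token.startswith("/") or not os.path.isfile(token):
                continue
            if writable_by_others(token):
                findings.append((user, token, "file writable by group/others"))
            elif dir_allows_replacement(token):
                findings.append((user, token, "parent directory writable by others without sticky bit"))
    return findings


def run_demo():
    """Build a constructed crontab with one safe and one unsafe root job, then audit it."""
    base = tempfile.mkdtemp()                      # created 0700: not writable by others
    unsafe = os.path.join(base, "cleaner.py")      # constructed name, not the real script
    safe = os.path.join(base, "rotate.sh")
    for path, mode in ((unsafe, 0o777), (safe, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)                       # explicit, so umask cannot change the demo
    crontab = (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"*/2 * * * * root /usr/bin/python {unsafe}\n"
        f"0 3 * * *   root {safe}\n"
    )
    return audit_crontab(crontab)


if __name__ == "__main__":
    for user, path, reason in run_demo():
        print(f"[{user}] {path}: {reason}")
```

Running the same `audit_crontab` over the real `/etc/crontab`, the files under `/etc/cron.d`, and the expanded contents of `/etc/cron.*` directories is the quick version of the check; a fuller audit would also flag scripts owned by a user other than the one the job runs as, and follow symlinks before testing permissions.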


- Going to the /root folder we finally read the flag proof.txt: