Sunday, September 2, 2018

Tr0ll 2


- Layout for this exercise:


- The goal of this exercise is the study of the hacking process for the vulnerable machine Tr0ll 2.

- According to the author's description there is a Proof.txt file at the /root directory.

- Tr0ll 2 can be downloaded from here:,107/

- Once downloaded and extracted with VirtualBox:


- Using netdiscover to find the IP corresponding to Tr0ll 2:

- Scanning with Nmap there are 3 available services at port 21 (FTP), 22 (SH) and 80 (HTTP):


3.1 - Exploiting the FTP service

- Using Hydra and a wordlist to attackt the FTP service we get valid credentials:

- Connecting to the FTP service via the browser and using Tr0ll:Tr0ll as credentials:

- There is a zip file called

- Saving:

- Also, the MOTD (Welcome to Tr0ll FTP) gives us a hint about the same credentials:

- Getting via the command shell:

- There is a password to protect the unzipping:

3.2 - Exploiting the Web service

- Conecting directly with the browser:

- Trying the file robots.txt we discover a lot of potential available folders:

- Editing the folders into a text file:

- Now, using dirb with the folders file as a wordlist we discover that of the whole list of folders there are only 4 of them accessible:

- Checking one fake directory, for instance you_found_me:

- However, going to the 4 valid directories, we find a picture called cat_the_troll.jpg:

- Downloading the 4 pictures an renaming them:

- Checking what type of file they are:

- Redirecting the strings command outputs to text files:

- Using diff  to compare the files, we notice that the picture corresponding to the directory dont_bother includes a final different line:


- Following the advice of the line, let's try y0ur_self as a new directory:

- The file answer.txt contains strings encoded with base64:

- Decoding with base64 and outputting to d_answer:

- Now we have a new wordlist:


- Let's try to unzip the file found at the FTP server, using fcrackzip and the decoded text file d_answer as a wordlist:

- Using the password to unzip we find a file called noob:

- noob contains an RSA Private Key:

- The presence of an RSA Private Kye gives us a hint that probably we are dealing with an SSH login solution.

3.3 - Exploiting the SSH service

- Now, let's try to exploit the SSH service. 

- SSH -i option allows to include an identity_file, in our case the RSA Private Key discovered before, contained into fhe file noob:

- However, the system rejects the connection:

- Taking advantage of the Shellshock vulnerability applied to the OpenSSH server, providing the RSA Private Key for user noob, as explained here:

- Testing:

- Finally, a low privilege shell is achieved:

- Improving the shell:

- Exploring:

- The .bash_history informs us about a potential Buffer Overflow (./bof):

- Going to the suspicious folder /nothing_to_see_here:

- We find choose_wisely:

- There are 3 doors:

- The 1st door contains an executable r00t file that accepts an input:

- The 2nd door includes an executable r00t file that fools the attacker:

- Same thing for the 3rd door:

- So, definitely the interesting file to be exploited is the r00t that accepts an input.

- However, let's notice that once accessing to Tr0ll 2 several times, the 3 doors change their contents, alternating the 3 different r00ts. 

- Meaning that before launching any exploit we must find the r00t that accepts the input, every time we try to access to either door1, door2 or door3.


4.1 - Checking security protections

- Before building any exploit to achieve privilege escalation, let's check what type of protection measures we have ahead of us.

- About ASLR it is disabled:

- For checking other protections, let's use checksec:

- Setting a simple HTTP server:

- Downloading checksec to /tmp:

- Giving execution permissions:

- Copying r00t to /tmp:

- Applying checksec over r00t we learn that NX is disabled:

4.2 - Exploiting the Buffer Overflow

- Now it is time to start the privilege escalation process.

- Starting r00t with gdb in a quiet (-q) mode:

- Passing a long list of "A"s to overflow the stack:

- Running the breakpoint:

- The program ends up with a Segmentation fault because the stack has been overflown with "A"s (0x41).

- For discovering at what point the overflow has occured let's create a pattern of 1000 characters:

- Starting again an launching the pattern:

- The Segmentation fault happens at 0x6a413969:

- There is an offset of 268 chars:

- Let's redo the python script:

- As expected, the EIP has been rewritten with "BBBB" (0x42424242). 

- At this point, the ESP points to 0xbffffb80:

-  Now, let's find a shellcode to achieve the Privilege Escalation, for instance this one available at shell-storm:

- Redoing the python script to include:

a) 0xbffffb80 = \x80\xfb\xff\xbf (reverse order for Little Endian)
b) a bunch of NOPs (\x90)
b) the shellcode

- Launching the script as input for r00t (out of gdb !!):

- A root shell is achieved:

- It is important to notice that the final exploit must be launched out of gdb, because of some privilege problems related to the debugger, otherwise the exploit will fail.

- By the way, ShellShock affects bashes till version 4.3, what explains the vulnerability in our case (bash 4.2).


- Finally the flag is available at the file Proof.txt: