Open In App

Tr0ll 3 Walkthrough of Check the Flag or CTF Problem

Improve
Improve
Like Article
Like
Save
Share
Report

The CTF or Check the Flag problem is posted on vulnhub.com. VulnHub is a platform which provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. Tr0ll 3 is a machine on vulnhub. To Download visit:
Troll 3 Machine – Vulnhub Below are the steps for the Vulnhub – Tr0ll 3 Walk-through:

Find Host Inside the Network

  • Use command netdiscover -i (interface name) -r (IP address/16) Example:
netdiscover -i eth0 -r 10.0.2.0/16  

Scan the Target with nmap

  • We got the target IP. Next step is to scan the target with nmap.
    Example:
nmap -p- -A -O -T 4 IP_address
  • Nmap shows that only port 22 (SSH) is open. Once we turn on the target machine we notice that there is credentials (start:here).

SSH Login

  • Use command ssh start@IP_address (hit enter and enter password) We are in. Time to search something useful. Use ls command to see the content and we found two files redpill and bluepill which contains no useful information.

Finding the files that we can access

  • Use command find / -type f -perm 777 2>/dev/null to find the files with all permission . Use scp start@IP_address:file_path ./home/Kali/ to copy files from remote host to our machine . Here gold_star.txt contains bunch of passwords and wytshadow.cap looks like wireless network captured packet. wytshadow.cap can be opened through wireshark but it is not handy if you are remotely handling in another PC .So, its better to use tcpdump command to analyze the packet which tells us that it is a Deauthentication packet and all the packets have the protocol as “802.11” .
    Note: 802.11 is the protocol used for transmission of the packet between wireless connected devices.

Command to extract the Password

  • Now, we have a .cap file and some gibberish strings. So, we use a tool called aircrack-ng which might be helpful to extract the password. Now use wytshadow as user_id and the cracked password to access another user named wytshadow We notice that there is a file called oohfun which has SUID bit. Let’s execute it. 
    Note: any file detail can be checked using command “file file_name” Now, try to check what sudo privileges we have here, using sudo -l and enter the password that we have cracked using aircrack-ng which shows us that we can start the ngnix server using sudo privileges. Now go to /etc/ngnix/sites-available path were we find a file name default . Opening it shows that we can remotely handle it using lynx service on port 8080. But first we have to start the ngnix server on port 8080 Start the ngnix server using command sudo service nginx start and we can check the status using netstat -nalp | less
  • Now to listen on the specific port type ” lynx http://10.0.2.10:8080″ in Kali terminal. Voila! We got another credential. Let’s switch into genphlux user by using the credentials above.
  • Now use ls command and we have file maleus and xlogin. Maleus seems to be interesting. Let’s explore the file. We see that it stores a RSA key and xlogin is simple HTML document file Copy the private key and save it in any file with permission 600 ( I named ssh-key) There is ELF 64-bit executable file dont_even_bother that has full permissions. When we execute the file it requires a password which we do not have, yet.
    Use ls -lah and we got another interesting file, “.viminfo” . We check the file by using cat command and got the credential (B^slc8I$).
    Now use sudo -l command to see root privileges file and we can run don’t_even_bother file as root as maleus user.
    We first delete the contents of dont_even_bother file and then inject our malicious code inside this file.
  • Now inject the following script into dont_even_bother.c file. It’s the script that will invoke a shell on executing.
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh", "sh", 0);
}
  • Here we supplied group_id and user_id value as 0 because in Linux “0” stands for root user which will help us to extend the current privileges
  • Now we have to compile the C code in order to make it executable
    We compile the file by using the gcc compiler “gcc dont_even_bother.c -o dont_even_bother”
    Now as you remember we can run dont_even_bother as sudo user.So, lets run it .
  • Now, type whoami to see who are you and Great! We successfully got the root shell and owned root.
    Now type cd /root and then ls to see the content

Last Updated : 07 Mar, 2024
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads