
Vulnhub Tr0ll in Kali Linux – Walkthrough


In this article, we will discuss Vulnhub’s Tr0ll box, which is a good choice for beginners starting their foray into pentesting and ethical hacking. For those unfamiliar with Vulnhub, it is a platform that provides vulnerable boxes that can be practised on to gain experience in ethical hacking. The goal is to capture the flag, which indicates successful penetration of, and control over, the machine.

Note: The IP address of the victim machine will henceforth be referred to as IP.

Objectives of the machine:

  • Detect the victim machine (the one to be hacked into) from our machine (the attacker machine)
  • Find clues and information that allow us to gain entry to the victim machine
  • Escalate privileges (if possible) on the victim machine
  • Capture the flag

You can download the box from https://download.vulnhub.com/tr0ll/Tr0ll.rar

Extract the .vmx file, load the box into your VM software, change the box’s network setting to “Bridged” and power on the VM.

Step 1: First, we detect the box’s IP address using ‘netdiscover’:

netdiscover


Step 2: Quickly run an Nmap SYN scan against it, to cause as little noise as possible, with verbosity cranked up to 2 (-vv):

nmap -sS <IP> -vv

We get the open ports below:


Step 3: Let’s fire up Mozilla Firefox and explore port 80:

http://<IP>:80

We get this:

Step 4: We download the image and run an exiftool scan on it to find any possible comments or directory names. There are none.

Step 5: To check for hidden directories, we run dirb (dirbuster) and nikto scans against the IP:

dirb http://<IP>


nikto -h http://<IP>


Step 6: Let’s look at the robots.txt file in the browser. This is what we get:

Step 7: Going over to /secret,

Downloading the image and running exiftool did not yield anything.

Step 8: We recall that the FTP port was open on the victim. Logging in as an anonymous user, we get:

ftp <IP>

You may be puzzled to see a file with a .pcap extension. It is a packet capture: a file that records network traffic (probably from the victim’s machine) and can be loaded into Wireshark for analysis. Wireshark is a network protocol analyser; it lets you inspect the details of every captured packet.

Step 9: We open lol.pcap in Wireshark. This is what we get when following the TCP stream:

It seems we get two pointers: secret_stuff.txt and sup3rs3cr3tdirlol, which may be a directory.
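“Follow TCP stream” in Wireshark is just per-flow reassembly of TCP payloads ordered by sequence number. The script below is an added example (not part of the original walkthrough and not the box’s lol.pcap): it builds a small constructed capture in memory, parses the classic pcap format with the standard library only, and reassembles each direction of each flow. It assumes classic pcap with an Ethernet link type; Wireshark’s default pcapng format and non-Ethernet captures are deliberately rejected, and retransmissions are not de-duplicated.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_packet(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    # data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl_len, orig_len
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (flow_key, seq, payload) for every TCP segment that carries data."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(end + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue  # not TCP
        total_len = struct.unpack_from("!H", ip, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def follow_streams(data):
    """Reassemble each direction of each flow by sequence number, like Wireshark's Follow TCP Stream."""
    streams = defaultdict(list)
    for key, seq, payload in parse_pcap(data):
        streams[key].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in streams.items()}


# Constructed sample: an FTP login, with the client's two segments stored out of order.
CLIENT, SERVER = "10.0.0.2", "10.0.0.1"
SAMPLE_PCAP = build_pcap([
    build_packet(SERVER, CLIENT, 21, 40000, 1000, b"220 FTP ready\r\n"),
    build_packet(CLIENT, SERVER, 40000, 21, 5001, b"PASS guest\r\n"),
    build_packet(CLIENT, SERVER, 40000, 21, 4985, b"USER anonymous\r\n"),
    build_packet(SERVER, CLIENT, 21, 40000, 1015, b"230 Login successful\r\n"),
])

if __name__ == "__main__":
    for (src, sport, dst, dport), text in follow_streams(SAMPLE_PCAP).items():
        print(f"{src}:{sport} -> {dst}:{dport}\n{text.decode('latin-1')}")
```

Note that the anonymous FTP login above is visible in clear text, exactly as it was on the box: the defensive lesson of the pcap step is that anything sent over an unencrypted protocol ends up readable in any capture of the link.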

Step 10: We explore both in the browser: http://<IP>:80/secret_stuff.txt and http://<IP>:80/sup3rs3cr3tdirlol. secret_stuff.txt is a dead path and does not exist on the web server. Instead, we get this from /sup3rs3cr3tdirlol:


Step 11: The roflmao file, once downloaded, appears to be an executable. You can reach this conclusion from exiftool when checking what type of file it is. The ‘strings’ command can be used to extract the printable strings embedded in the file:

strings roflmao


These are our strings. Among them, 0x0856BF looks interesting. It might turn out to be a directory after all.
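What ‘strings’ actually does is simple: it scans a binary for runs of printable characters of at least four bytes. The snippet below is an added example (not code from the walkthrough) that reimplements that scan and adds a filter for the kinds of strings worth checking against a web root, such as paths, URLs and hex tokens. The SAMPLE_BINARY bytes are constructed here and are not the box’s roflmao file.

```python
import re


def extract_strings(blob, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, in file order (what `strings` prints)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Absolute paths, URLs, or hex tokens of 4+ digits: candidates to try as directory names.
INTERESTING = re.compile(r"0x[0-9A-Fa-f]{4,}|^/[\w./-]+|https?://\S+")


def interesting(strings):
    """Keep only strings that look like locations worth checking."""
    return [s for s in strings if INTERESTING.search(s)]


# Constructed stand-in for a stripped ELF binary (not the real roflmao).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Find address 0x0856BF to proceed\x00"
    + b"\x01\x02\x03"
    + b"/lib/x86_64-linux-gnu/libc.so.6\x00"
    + b"GCC: (Ubuntu) 4.8\x00"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print(s)
    print("interesting:", interesting(extract_strings(SAMPLE_BINARY)))
```

Raising min_len (the real tool’s -n option) trims noise from compiler tags and symbol names; the `ELF` magic itself is never reported because it is only three printable bytes.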

Step 12: Using the phrase 0x0856BF, we explore the web directory:

http://<IP>:80/0x0856BF

Our hunch turned out to be right after all. Browsing each folder, we get:

Step 13: We use the hydra tool to brute-force the SSH login, since we do not know the password. As the wordlist we use rockyou.txt, which may well contain the password. We store the username ‘overflow’ in a file named ‘overflow.txt’.

hydra -L overflow.txt -P /usr/share/wordlists/rockyou.txt ssh://<IP>

We got our credentials. Phew!
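A wordlist attack like the one above leaves a very recognisable trail in the target’s auth log: a burst of “Failed password” lines from one source, often followed by an “Accepted password” for the same account. The detector below is an added example (not part of the original walkthrough): it parses sshd lines in the syslog format, counts failures per source address within a sliding window, and raises a second, higher-severity alert when a login succeeds from an address that was already flagged. The log lines, hostname and addresses are constructed; syslog timestamps carry no year, so the year is an assumed parameter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_line(line, year=2021):
    """Return (timestamp, result, user, ip) for an sshd auth line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alerts as (ip, kind, detail); kind is 'bruteforce' or 'success_after_bruteforce'."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", f"{len(q)} failures within {window_s}s"))
        elif ip in flagged:
            alerts.append((ip, "success_after_bruteforce", f"login as {user}"))
    return alerts


# Constructed auth.log excerpt: one noisy source, one stray failure, then a success from the noisy source.
SAMPLE_AUTH_LOG = """\
Sep 23 10:00:01 tr0ll sshd[1337]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Sep 23 10:00:03 tr0ll sshd[1338]: Failed password for overflow from 192.0.2.10 port 51235 ssh2
Sep 23 10:00:05 tr0ll sshd[1339]: Failed password for overflow from 192.0.2.10 port 51236 ssh2
Sep 23 10:00:07 tr0ll sshd[1340]: Failed password for overflow from 192.0.2.10 port 51237 ssh2
Sep 23 10:00:09 tr0ll sshd[1341]: Failed password for overflow from 192.0.2.10 port 51238 ssh2
Sep 23 10:00:11 tr0ll sshd[1342]: Failed password for overflow from 192.0.2.10 port 51239 ssh2
Sep 23 10:00:20 tr0ll sshd[1343]: Failed password for overflow from 192.0.2.20 port 40001 ssh2
Sep 23 10:00:25 tr0ll sshd[1344]: Accepted password for overflow from 192.0.2.10 port 51240 ssh2
Sep 23 10:00:30 tr0ll sshd[1345]: pam_unix(sshd:session): session opened for user overflow by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The sliding window matters: the same six failures spread over an afternoon would not trip the threshold, which is why slow, distributed guessing also needs a per-account view (failures per user across all sources) rather than only the per-source one shown here. The mitigation the box lacks is a weak-password policy plus key-only authentication or a lockout tool such as fail2ban, which applies exactly this kind of rule.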

Step 14: Let’s log in and get a shell.

python -c 'import pty;pty.spawn("/bin/bash")'

We get the overflow user’s shell and prompt. When we try to poke around, the shell expires/times out. We need a strategy that gives us a persistent shell.

Step 15: Let’s find writable files on the system:

find / -writable 2>/dev/null

Among all the results, we can see an executable .py file located in /lib. Here’s a fact: cleaner.py is a script used to clean up junk files.

Step 16: Let’s modify it to get a persistent shell, using the following commands. We edit the file with the nano editor.

Step 17: Save the file with the changes using Ctrl+X. An executable shell file will be created in /tmp.

Step 18: Let’s execute it. We get a prompt-less shell. Well, whatever.

Step 19: We navigate to the root user’s home directory and find the flag.txt file. The flag is located in that file.
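The privilege escalation in steps 15 to 19 works only because a script under /lib, run with higher privileges than the user who can edit it, is writable by everyone. The audit below is the defender’s counterpart to the `find / -writable` command: it is an added example (not part of the walkthrough) that walks the given roots, reports regular files with the world-write bit set, lists script files first, and can strip the bit. It builds its own constructed fixture (a fake lib directory with a mode 777 cleaner.py) rather than touching the real system, and it checks only the other-write bit; `find -writable` also reports files the current user owns or can write through a group, so the two lists are not identical.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = (".py", ".sh", ".pl", ".rb")


def looks_like_script(path):
    """Treat known script extensions or a '#!' shebang as a script."""
    if path.endswith(SCRIPT_EXTS):
        return True
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def audit_writable(roots):
    """Return [(path, octal_mode, is_script)] for world-writable regular files under roots, scripts first."""
    findings = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, sockets
                if st.st_mode & stat.S_IWOTH:
                    findings.append((path, oct(stat.S_IMODE(st.st_mode)), looks_like_script(path)))
    return sorted(findings, key=lambda f: (not f[2], f[0]))


def harden(findings, dry_run=True):
    """Remove the other-write bit from each finding; returns the chmod commands it would run (or ran)."""
    actions = []
    for path, mode, _ in findings:
        new_mode = int(mode, 8) & ~stat.S_IWOTH
        actions.append(f"chmod {new_mode:o} {path}")
        if not dry_run:
            os.chmod(path, new_mode)
    return actions


def make_demo_tree():
    """Constructed fixture: a fake lib directory with a world-writable housekeeping script and a normal file."""
    base = tempfile.mkdtemp(prefix="audit-demo-")
    lib = os.path.join(base, "lib")
    os.makedirs(lib)
    script = os.path.join(lib, "cleaner.py")
    with open(script, "w") as f:
        f.write("#!/usr/bin/env python\n# constructed stand-in for a housekeeping script\n")
    os.chmod(script, 0o777)  # the misconfiguration the box relies on
    normal = os.path.join(lib, "libdemo.so")
    with open(normal, "w") as f:
        f.write("not really a library\n")
    os.chmod(normal, 0o644)
    return base


if __name__ == "__main__":
    demo = make_demo_tree()
    found = audit_writable([demo])
    for path, mode, is_script in found:
        print(f"{mode} {'SCRIPT ' if is_script else ''}{path}")
    print("\n".join(harden(found)))  # dry run: prints the chmod commands only
```

On a real host you would run `audit_writable(["/lib", "/usr/lib", "/etc", "/opt"])` and review the list before running `harden` without `dry_run`; the script also needs an owner other than the unprivileged user, since fixing the mode alone does nothing if the user owns the file.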


Last Updated : 23 Sep, 2021