VulnHub Machine Troll 1 — Walkthrough

Kamran Saifullah
5 min read · Sep 6, 2018

Since I am back at the university and classes have started, I have a fair amount of free time to study and learn outside of my university courses. I love war-gaming and hacking into vulnerable machines, which are obviously vulnerable by default.

This time I moved on to hacking one of the VulnHub machines named Troll-1, from the Troll series of vulnerable machines. The machine can be downloaded from the link below.

https://www.vulnhub.com/entry/tr0ll-1,100/

The first step is always to find the IP address of the vulnerable machine on our LAN, so netdiscover is the best option, although any other administration tool, or NMAP directly, can be used to check the IP address of the machine.

netdiscover -i eth0

The second step is always to find which ports are open on the vulnerable system and to obtain information about the services running on it. NMAP/ZenMap does all of that for us. The scanning method depends on your needs. I am going with the TCP-Connect Scan as the VM is within my LAN.

nmap -sC -sV -A <ip-address>

We can clearly see that 3 ports are open: FTP (21), SSH (22) and HTTP (80). Time to enumerate these services now.

It can be seen that Anonymous FTP login is enabled. So let’s try grabbing the banner of the FTP.

FTP Version

Let’s try opening the default page on port 80.

Nothing seems to be there but this troll. It looks like we have a problem, but that sarcastic face is telling us that there is something juicy.

From the NMAP scan a directory name can be seen. Let’s try opening that directory.

Looks like we got trolled again. Hmmm. There is something we are missing. Let’s try Wireshark to map what’s going on.

On analyzing the traffic in Wireshark, we found text revealing some important information.

It is written that you have found “sup3rs3cr3tdir”. Let’s try accessing this directory.

So we just found a troll file. Let’s download it and analyze it.

So it seems to be an LSB executable. We need to perform a static analysis of the file.

So we found the address to proceed. Let’s follow the hidden information.

So there are two folders. Going by their names, one is the Good Luck folder and the second contains the password.

The Good Luck folder contains a txt file. Its contents seem to be usernames or passwords.

The second folder seems to contain passwords.

It seems that we are trolled again.

I did one more thing here: I added Pass.txt as a string to the password file, and which_one_lol to both the password and username files as well. By now I had understood this machine to be a troll, and I knew that the trolling would keep going until we rooted this machine.

Let’s move onto HYDRA to bruteforce the SSH service with the information we have found.

We have successfully got the password for the SSH login. Now let’s move onto logging into the system.
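Seen from the target's side, a Hydra run like the one above shows up in the sshd log as a burst of failed logins from one source across several usernames, followed by a success. The sketch below is an added example, not part of the original walkthrough; the log lines, usernames, IP addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log lines (hosts, users and IPs are made up).
SAMPLE_LOG = """\
Sep  6 10:00:01 host sshd[1201]: Failed password for invalid user alice from 192.168.56.101 port 40001 ssh2
Sep  6 10:00:01 host sshd[1202]: Failed password for invalid user bob from 192.168.56.101 port 40002 ssh2
Sep  6 10:00:02 host sshd[1203]: Failed password for carol from 192.168.56.101 port 40003 ssh2
Sep  6 10:00:02 host sshd[1204]: Failed password for invalid user dave from 192.168.56.101 port 40004 ssh2
Sep  6 10:00:03 host sshd[1205]: Failed password for erin from 192.168.56.101 port 40005 ssh2
Sep  6 10:00:04 host sshd[1206]: Accepted password for carol from 192.168.56.101 port 40006 ssh2
Sep  6 10:05:10 host sshd[1300]: Failed password for frank from 192.168.56.20 port 51000 ssh2
Sep  6 10:05:15 host sshd[1301]: Accepted password for frank from 192.168.56.20 port 51001 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for "
                      r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def detect_bruteforce(log_text, min_failures=5, min_users=3):
    """Flag source IPs with many failed logins spread over several usernames.

    Thresholds are assumed values; a real rule would also apply a time window.
    """
    failed, accepted = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failed[m["ip"]].append(m["user"])
        elif m := ACCEPTED.search(line):
            accepted[m["ip"]].add(m["user"])
    alerts = {}
    for ip, users in failed.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            alerts[ip] = {
                "failures": len(users),
                "users": sorted(set(users)),
                # Password logins accepted from the same noisy source:
                # these accounts should be treated as compromised.
                "compromised": sorted(accepted[ip]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The single mistyped password from 192.168.56.20 stays below both thresholds, so only the spraying source is reported.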

We are into the machine and now it’s time to enumerate the version of the OS so that we can look for any possible exploits.

So the machine is running Ubuntu version 14.04. Now it’s time to move on to searchsploit to look for any particular exploit for this version.

Now all we need is to host this file and download it onto the system via wget.

We compile the exploit with the gcc compiler and then execute it to escalate privileges.

Last step is to grab the proof.txt file.

That was it. An easy but trolling machine.

I hope you enjoyed the walkthrough.
