Tr0ll 2

This is my writeup for the Tr0ll 2 VM.

Step 1 – Find out the Tr0ll IP

Since all devices are on my home Wi-Fi network, I run a quick netdiscover scan. The Tr0ll machine is at 192.168.1.21.

Step 2 – Enumerate the IP to find out open ports, service versions, OS etc.

This provides the following attack surface:

  • Port 21 – vsftpd 2.0.8 or later
  • Port 22 – OpenSSH 5.9p1 Debian 5ubuntu1.4
  • Port 80 – Apache httpd 2.2.22
  • OS – Linux

Step 3 – Enumerating web port

A dirb scan indicates the presence of additional directories.

Reviewed each of the URLs, downloaded the images and noticed that the size of one of the images was slightly off.

Evaluated the file using the strings command.

Checked for y0ur_self in the URL.

The file has 99156 lines and is base64 encoded. Decoded the file, sorted the result and found a clue.
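As an added example (not from the writeup or the VM), the checks behind Step 3 in script form: flag bytes appended after an image's end marker, pull printable strings out of that tail the way `strings` does, and base64-decode a line-oriented file to tally decoded values so the one line that differs from the bulk stands out. The sample image bytes, the hint text and the base64 lines are constructed stand-ins for the files on the box.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed sample "image": a minimal JPEG-like byte string (SOI ... EOI)
# followed by appended text, standing in for the oversized image in the writeup.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    + b"hint: check y0ur_self\n"
)

# Magic bytes mapped to the marker that ends a well-formed file of that type.
END_MARKERS = {
    b"\xff\xd8": b"\xff\xd9",              # JPEG: SOI ... EOI
    b"\x89PNG": b"IEND\xae\x42\x60\x82",   # PNG: IEND chunk type followed by its CRC
}

def trailing_data(blob: bytes) -> bytes:
    """Return any bytes appended after the image format's end marker.

    A valid JPEG ends at EOI and a PNG at the IEND chunk, so anything past
    that marker is what makes a file "slightly off" in size and is worth a
    look with strings or a hex dump. Unknown formats yield b"".
    """
    for magic, end in END_MARKERS.items():
        if blob.startswith(magic):
            idx = blob.rfind(end)
            if idx == -1:
                return b""
            return blob[idx + len(end):]
    return b""

def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Rough equivalent of `strings -n <min_len>`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]

# Constructed stand-in for the 99156-line base64 file: many repeats of one
# value and a single odd line. Decoding and counting is what "decoded, sorted"
# achieves by hand (sort | uniq -c).
SAMPLE_B64_LINES = (
    [base64.b64encode(b"noise line").decode()] * 5
    + [base64.b64encode(b"ItCantReallyBeThisEasyRightLOL").decode()]
    + [base64.b64encode(b"noise line").decode()] * 3
)

def decode_and_tally(lines) -> Counter:
    """Decode each base64 line and count the decoded values.

    Lines that are blank or not valid base64 are skipped rather than aborting
    the run, since a file this size usually has a few damaged lines.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            decoded = base64.b64decode(line, validate=True)
        except (binascii.Error, ValueError):
            continue
        counts[decoded.decode("utf-8", errors="replace")] += 1
    return counts

def rarest(counts: Counter):
    """The least frequent decoded value: the line that differs from the bulk."""
    if not counts:
        return None
    return min(counts.items(), key=lambda kv: kv[1])[0]

if __name__ == "__main__":
    tail = trailing_data(SAMPLE_IMAGE)
    print("appended bytes:", len(tail), "strings:", printable_strings(tail))
    print("rarest decoded line:", rarest(decode_and_tally(SAMPLE_B64_LINES)))
```

To run it against real files, read the image with `open(path, "rb").read()` and pass it to `trailing_data`, and feed `decode_and_tally` the lines of the downloaded file; the tally replaces eyeballing a sorted 99156-line listing.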

Step 4 – Enumerating FTP port

The credentials Tr0ll / Tr0ll allow login. Downloaded a password-protected zip file. Tried the password ‘ItCantReallyBeThisEasyRightLOL’ found above.

Private key file obtained.

Used the key to SSH in. Was able to log in, but something immediately terminates the session.

Attempting to use the Shellshock vulnerability.

Found a directory containing 3 folders with 3 setuid binaries. One binary kicks the user out, another implements a restriction on the ls command. Copied the 3rd binary to a temp folder.

Ran the program under gdb and calculated the offset at 268 bytes.

Used msfvenom to create a reverse shell payload.

Identified the ESP address and obtained root access!!!
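An offset of 268 bytes measured in gdb is the signature of a fixed-size stack buffer filled by an unchecked copy. As an added example (not the VM's binary, whose source the writeup does not show, and assuming a 256-byte buffer), here is that unbounded pattern next to a bounded replacement that rejects over-long input, which is the fix the maintainer of such a setuid program would apply; building with -fstack-protector and a non-executable stack adds defence in depth on top of it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the writeup only gives the 268-byte offset. */
#define BUF_SIZE 256

/* The pattern behind a classic stack overflow: strcpy copies until the NUL
 * terminator with no regard for the destination size. With a 256-byte buffer
 * the saved frame pointer and return address sit a little past its end, which
 * is what an offset of a few hundred bytes measured in gdb reflects.
 * Shown for contrast only; never call this with untrusted input. */
void unbounded_copy(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);
    printf("%s\n", buf);
}

/* Hardened form: refuse input that will not fit, terminator included.
 * memchr bounds the scan to out_size bytes so an unterminated or over-long
 * argument is detected instead of copied. Returns 0 on success, -1 if rejected. */
int bounded_copy(const char *arg, char *out, size_t out_size) {
    const char *nul = memchr(arg, '\0', out_size);
    if (nul == NULL) {
        return -1;              /* would overflow: reject rather than truncate silently */
    }
    size_t len = (size_t)(nul - arg);
    memcpy(out, arg, len + 1);  /* copies the NUL as well */
    return 0;
}

/* Driver mirroring a setuid program's argv handling: the length check runs
 * before anything touches the stack buffer. Returns the intended exit status. */
int handle_argument(const char *arg) {
    char buf[BUF_SIZE];
    if (bounded_copy(arg, buf, sizeof buf) != 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buf - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return handle_argument(argv[1]);
}
```

Compiled as `gcc -Wall -fstack-protector-strong -o demo demo.c`, a 300-byte argument is rejected with exit status 1 instead of overwriting the return address; the same check is what an audit of a setuid binary's argv and environment handling looks for.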