This is my writeup for the Tr0ll 2 VM.
Step 1 – Find out Tr0ll IP
Since all devices are on my home Wi-Fi network, I run a quick netdiscover scan. The Tr0ll machine is at 192.168.1.21.
Step 2 – Enumerate the IP to find open ports, service versions, OS, etc.
This provides the following attack surface:
- Port 21 – vsftpd 2.0.8 or later
- Port 22 – OpenSSH 5.9p1 Debian 5ubuntu1.4
- Port 80 – Apache httpd 2.2.22
- OS – Linux
Step 3 – Enumerating the web port
A dirb scan indicates the presence of additional directories.
Reviewed each of the URLs, downloaded the images and noticed that the size of one of the images was slightly off.
Evaluated the file using the strings command.
Checked for y0ur_self in the URL.
The file has 99156 lines and is base64 encoded. Decoded the file, sorted it and found a clue.
Step 4 – Enumerating the FTP port
Credentials Tr0ll / Tr0ll allow login. Downloaded a password-protected zip file. Tried the password ‘ItCantReallyBeThisEasyRightLOL’ found above.
Private key file obtained.
Used the key to SSH in. Was able to log in, but something immediately terminates the session.
Attempted to use the Shellshock vulnerability.
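The Shellshock step works because vulnerable bash versions treated any environment variable whose value began with "() {" as an exported function definition and kept executing what followed the closing brace. As an added example (not part of the original writeup, and not the VM's code), the check below screens CGI-style environment variables for that trigger shape so a front end can log or refuse them before bash ever sees them. The function names, the sample header values and the heuristic itself (which accepts optional whitespace around the tokens, so it is slightly broader than bash's literal "() {" prefix test) are all assumptions of this example; only the host address comes from the writeup.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heuristic check for the Shellshock trigger shape: vulnerable bash versions
 * treated an environment variable whose value began with "() {" as an
 * exported function definition and kept executing whatever followed the
 * closing brace. This accepts optional whitespace around the tokens, so it
 * is slightly broader than bash's literal "() {" prefix test.
 * Returns 1 when the marker is present, 0 otherwise. */
int has_shellshock_marker(const char *value)
{
    if (value == NULL)
        return 0;
    while (isspace((unsigned char)*value))
        value++;
    if (value[0] != '(' || value[1] != ')')
        return 0;
    value += 2;
    while (isspace((unsigned char)*value))
        value++;
    return *value == '{';
}

/* Walks an environ-style array of "NAME=VALUE" strings (as a CGI handler
 * would see request headers) and returns how many values carry the marker.
 * Entries without '=' are skipped. */
size_t count_shellshock_env(const char *const *env, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(env[i], '=');
        if (eq != NULL && has_shellshock_marker(eq + 1))
            hits++;
    }
    return hits;
}

/* Constructed sample environment for this example; the header values are
 * invented, only the host address comes from the writeup. */
static const char *const sample_env[] = {
    "HTTP_HOST=192.168.1.21",
    "HTTP_USER_AGENT=() { :;}; echo vulnerable",
    "HTTP_REFERER=http://192.168.1.21/",
    "QUERY_STRING=id=1",
    "HTTP_COOKIE=session=abc123",
    "HTTP_ACCEPT=(){ :;}; echo also-flagged",
};
#define SAMPLE_ENV_LEN (sizeof sample_env / sizeof sample_env[0])

/* Number of flagged entries in the constructed sample (expected: 2). */
size_t sample_env_hits(void)
{
    return count_shellshock_env(sample_env, SAMPLE_ENV_LEN);
}

int main(void)
{
    printf("%zu of %zu sample variables carry the Shellshock marker\n",
           sample_env_hits(), (size_t)SAMPLE_ENV_LEN);
    return 0;
}
```

A screen like this is a stopgap for logging and triage; the real fix is a patched bash, since the marker can be carried in any header or variable the web server exports, not only User-Agent.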
Found a directory which contained 3 folders with 3 setuid binaries. One binary kicks the user out, another restricts the ls command. Copied the third binary to a temp folder.
Ran the program under gdb and calculated the offset at 268 bytes.
Used msfvenom to create a reverse shell payload.
Identified the ESP address and obtained root access!!!
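The 268-byte offset is the signature of an unchecked copy into a fixed-size stack buffer in a setuid binary. As an added example (not the VM's actual binary, whose source is not on this page), the vulnerable shape is shown beside a bounds-checked version. The buffer size `ARG_BUF`, the function names and the helper that builds test arguments are assumptions of this example, chosen so the rejection threshold lines up with the offset the writeup measured.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; it matches the overflow offset the
 * writeup measured, which is consistent with a buffer of about this size
 * followed by the saved frame pointer and return address. */
#define ARG_BUF 268

/* Vulnerable shape: strcpy copies until the terminating NUL with no regard
 * for the destination size, so an argument longer than ARG_BUF - 1 bytes
 * runs past buf into the saved registers on the stack. Kept here only to
 * contrast with the checked version; never call it with untrusted input.
 * Returns the number of bytes copied. */
size_t copy_arg_unsafe(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);                 /* no length check */
    return strlen(buf);
}

/* Hardened shape: measure first, refuse anything that cannot fit together
 * with its terminator, then copy with an explicit bound.
 * Returns bytes copied, or -1 when the argument is rejected. */
long copy_arg_safe(const char *arg)
{
    char buf[ARG_BUF];
    size_t len = strlen(arg);
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, arg, len + 1);        /* bounded by the check above */
    return (long)len;
}

/* Helper for exercising the checked version with an argument of n 'A's
 * (capped at 1023) without hand-building strings at the call site. */
long safe_result_for_length(size_t n)
{
    char arg[1024];
    if (n > sizeof arg - 1)
        n = sizeof arg - 1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return copy_arg_safe(arg);
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "";
    long r = copy_arg_safe(arg);
    if (r < 0)
        fprintf(stderr, "argument too long (limit %d bytes)\n", ARG_BUF - 1);
    else
        printf("copied %ld bytes\n", r);
    return r < 0;
}
```

Beyond the explicit length check, building with `-fstack-protector-strong` (and `-D_FORTIFY_SOURCE=2` at `-O1` or higher, which turns the unchecked `strcpy` into a bounds-aware variant where the buffer size is known) makes the unsafe shape abort instead of silently handing control to whatever sits past the buffer; a setuid binary that parses arguments at all is a good candidate for both.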