Troll 1 CTF Walkthrough

In this article we will walk through the Tr0ll: 1 virtual machine.
Tr0ll: 1 Details
VM Description
The goal is simple, gain root and get Proof.txt from the /root directory.
Penetration Methodology:
Network Scanning (Nmap, netdiscover)
Anonymous FTP login
Abusing web browser
Brute-force attack (hydra)
SSH login
Privilege Escalation
Get root access
Capture the flag



Let's find the IP address of the machine using arp-scan or netdiscover. In the results below, the target's IP address is 192.168.0.8.
Commands used: arp-scan -l or netdiscover
Let's run an Nmap scan against the target to gather more information about it.

Command used: nmap -A 192.168.0.8
This is an aggressive scan. In the output below, Nmap finds port 80 open with an exposed robots.txt, and FTP with anonymous login enabled (other ports were open as well, such as port 22 for SSH).
Connect to the FTP server as shown below with the user anonymous; no password is required.

Command used: ftp 192.168.0.8
In the current directory on the FTP server I found a pcap file, which I downloaded to my system.
Command used: get lol.pcap
Then I opened that pcap file on my system with Wireshark.

Then right-click on a packet and select Follow TCP Stream.
The stream mentions some secret stuff, so I went back to the packet list and looked for the secret_stuff.txt file; I found it on line 40.

Clicking on line 40 revealed the string sup3rs3cr3tdirlol.
Then I appended sup3rs3cr3tdirlol to the URL: http://192.168.0.8/sup3rs3cr3tdirlol
In this directory I found a file named roflmao. I opened it and it appeared to contain some word lists, so I downloaded the roflmao file to my system.

Then I ran the strings command on the roflmao file to look for anything else, and found 0x0856BF.
I entered this in the URL:

http://192.168.0.8/0x0856BF
There I found two folders. I opened good_luck and found which_one_lol.txt, which contains a list of words, so I downloaded it.
Then I opened this_folder_contains_the_password and found Pass.txt. I opened it but found nothing useful inside, so I assumed the password itself was Pass.txt.
Now I tried a brute-force attack to find the login credentials.

Command used: hydra -L which_one_lol.txt -p Pass.txt 192.168.0.8 ssh
My assumption was right: we now have login credentials, so we can log in to the machine over SSH.
Command used: ssh overflow@192.168.0.8 with the password Pass.txt
We are on the machine, but as an unprivileged user, so we need to escalate privileges.
First we look for writable files on the system.
Command used: find / -writable 2>/dev/null
I found a Python file located at /lib/log/cleaner.py, so I decided to modify it to gain access. It is a small program: the admin added it to clean all junk files out of /tmp, and it is executed at a fixed time interval.
There are many ways to gain root access; in this method we copy /bin/sh into /tmp and set the SUID bit on /tmp/sh. It is quite simple: first open the file in an editor, for example nano /lib/log/cleaner.py, and replace "rm -r /tmp/*" with the following lines:
os.system('cp /bin/sh /tmp/sh')
os.system('chmod u+s /tmp/sh')
After a few seconds the sh file is created in /tmp.
Then we change to the /tmp directory and run the sh file to gain root access.
Commands used:
cd /tmp
ls
./sh
id
ls
cd /root
cat Proof.txt
In the picture above we have root access; searching for Proof.txt, I finally found it.
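A defender-side check for the weakness this escalation relies on, added here as an example that is not part of the original walkthrough: it audits a script that a scheduled job runs for the permission problems that let the overflow user rewrite /lib/log/cleaner.py. The audit_script and demo functions and the sample files are constructed for this example; the real cron entry is not shown on the page.

```python
import os
import stat
import tempfile
from typing import Dict, List


def audit_script(path: str, job_uid: int = 0) -> List[str]:
    """Return the permission weaknesses of a script that a scheduled job runs.

    These are the conditions that let an unprivileged user rewrite
    /lib/log/cleaner.py on Tr0ll 1 and have it executed with root rights.
    job_uid is the uid the job runs as (0 for a root cron entry).
    """
    findings = []
    st = os.lstat(path)
    mode = st.st_mode
    if stat.S_ISLNK(mode):
        findings.append("symlink: the link target can be repointed")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can edit the script")
    elif mode & stat.S_IWGRP:
        findings.append("group-writable: members of gid %d can edit it" % st.st_gid)
    if st.st_uid != job_uid:
        findings.append("owner uid %d differs from job uid %d" % (st.st_uid, job_uid))
    parent = os.path.dirname(os.path.abspath(path))
    pmode = os.stat(parent).st_mode
    # A writable parent without the sticky bit lets anyone replace the file.
    if pmode & (stat.S_IWOTH | stat.S_IWGRP) and not pmode & stat.S_ISVTX:
        findings.append("parent directory writable: the file can be replaced")
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a cleaner.py left mode 0666 beside a corrected copy."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        bad = os.path.join(d, "cleaner.py")
        good = os.path.join(d, "cleaner_fixed.py")
        for p in (bad, good):
            with open(p, "w") as f:
                f.write("import os\nos.system('rm -r /tmp/*')\n")
        os.chmod(bad, 0o666)   # the state exposed by: find / -writable
        os.chmod(good, 0o744)  # owner-only write, as a cron script should be
        # The files here belong to us, so the job uid is our own uid in the demo.
        uid = os.getuid()
        return {"bad": audit_script(bad, uid), "good": audit_script(good, uid)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

Running the audit over every script referenced from /etc/crontab and /etc/cron.d would have flagged cleaner.py before anyone logged in as overflow.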
