[Hacking series] – tr0ll 1

Written by  on May 29, 2015 

Code name: tr0ll

Webpage: http://overflowsecurity.com/?p=70

VM download: http://download.vulnhub.com/tr0ll/Tr0ll.rar

Challenge: hack your way into the system and get root

First of all, just after booting the victim’s box, we start by searching for tr0ll on the network.

# netdiscover


As our victim VM is running under VirtualBox, we can find its IP easily: we just have to look at the MAC vendor, which will be CADMUS COMPUTER SYSTEMS.

Now that we have our victim’s IP, we will use nmap to scan for open ports and other interesting information.

# nmap -Pn -A -p-


Nice, ports 21, 22 and 80 are open. And according to the output of nmap, there’s an ftp server running on port 21 with anonymous login enabled!

# ftp


We successfully logged into the ftp server, and after checking our permissions, the only thing we can do here is download the lol.pcap file.

# get lol.pcap

lol.pcap looks like a Wireshark capture file. Let’s use Wireshark to see what’s inside.


The capture file seems to be a “conversation” between an ftp client and an ftp server. But if we look at it closely we can see an interesting file out there, secret_stuff.txt. As we just saw, that file doesn’t seem to be inside the ftp server right now. We can use Wireshark to read its content.


“we almost found the sup3rs3cr3tdirlol”

Well, let’s keep that in mind and go scan our next service. The next step will be looking inside the web server. We start by just browsing it.


Nothing more than expected, no sensitive information found. We will use nikto to look for hidden directories.

# nikto -h


After running the scan we found the “/secret/” dir. And if we browse it...


Nothing new… just more trolling. N0w’s when the thinkin’ begins. After a few minutes I remembered the sup3rs3cr3tdirlol… and when I looked at that dir in the browser:


Nice, that’s actually a directory on the web server. That directory contains a file, so we will download it.


After a few tries, we realized that the file is an executable. If we run it we get a memory address. Following the same logic we used with the sup3rs3cr3tdirlol, let’s put it in the browser one more time.


Nice, now let’s look inside those directories.


The first seems to contain a list of users and the second a password. We can try to perform a dictionary-based attack against the ftp and ssh services on our target machine.

After a few minutes of banging my head against the wall, I realized that the ssh username was “overflow” and its password was “Pass.txt” (trolled again). So we can log into the system with these credentials.


Nice, we are in. Now we can look for suid files or weaknesses in the kernel.


But after about 2 minutes inside…


Uh... something or someone killed our connection. What could it be? After a quick analysis we can see that it happens every 2 minutes. Every 2 minutes? Could it be a cron task? Let’s see.


We can’t actually see or edit the crontab, but we can read /var/log/cronlog, and that gives us some interesting info.


Nice, cron is running a python script called cleaner.py every 2 minutes. We can use the find command to locate that file.

# find / -name 'cleaner.py' 2>/dev/null


Now let’s read the file.


What that file does is delete all the content in /tmp every time it’s called.


But that script is executed by the user root! Thinking the same? That could be a great way to do our privilege escalation!

For the next trick we will need to start our netcat listener on port 9988.


Then, after editing our “perl-reverse-shell.pl”, we will download it into the /tmp dir on the target machine.


And finally, we will edit cleaner.py like this:


Now every 2 minutes our victim will send a root shell to port 9988 on our box B-). We can go to the fridge, grab a beer and wait for a shell.
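The whole escalation hinges on a root cron job running a script that an unprivileged user can edit. As an added example (not from the original post or the VM), here is a small Python audit a defender can run on their own hosts to catch that condition: it parses /etc/crontab-style entries, pulls the absolute paths out of each command and flags any file that someone other than root or the job’s own user could modify. The crontab text and the /opt/scripts/cleaner.py path below are constructed placeholders, not the VM’s real ones.

```python
import os
import re
import stat
from typing import List, NamedTuple

# Constructed sample crontab; the cleaner.py path is a placeholder, not the VM's real one.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
PATH=/usr/local/bin:/usr/bin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 *   * * *   root    python /opt/scripts/cleaner.py
0 3     * * *   backup  /usr/local/bin/rotate-backups.sh --quiet
"""

SYSTEM_CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")  # 5 time fields, user, command
ABS_PATH_RE = re.compile(r"(?<!\S)(/[\w./-]+)")  # absolute paths inside the command
CronJob = NamedTuple("CronJob", [("user", str), ("command", str), ("paths", List[str])])

def parse_system_crontab(text: str) -> List[CronJob]:
    """Parse /etc/crontab-style text; blank lines, comments and VAR=value lines are skipped."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(s)
        if m:
            jobs.append(CronJob(m["user"], m["cmd"], ABS_PATH_RE.findall(m["cmd"])))
    return jobs

def mode_is_risky(mode: int, owner_uid: int, owner_gid: int,
                  job_uid: int, job_gid: int) -> bool:
    """True if someone other than root or the job's own user could modify the file."""
    if mode & stat.S_IWOTH:                               # world-writable (the tr0ll case)
        return True
    if mode & stat.S_IWGRP and owner_gid not in (0, job_gid):
        return True                                       # writable by a third group
    return owner_uid not in (0, job_uid)                  # owned by a third user

def risky_paths(job: CronJob, job_uid: int, job_gid: int) -> List[str]:
    """Stat each path the job references and keep those a third party could edit."""
    flagged = []
    for path in job.paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # path is absent on this host; nothing to check
        if mode_is_risky(st.st_mode, st.st_uid, st.st_gid, job_uid, job_gid):
            flagged.append(path)
    return flagged
```

On a real host, read /etc/crontab and the files under /etc/cron.d, resolve each job’s user with the pwd module and pass the resulting uid/gid to risky_paths; a root job whose script shows up in the result is exactly the weakness exploited above.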


Game over tr0ll P-)

Category : hacking series
