Tr0ll:1 exploitation POC

Hi Friends,
Greetings for today,
Today I will go through Tr0ll:1, which is a great VM for OSCP aspirants. It is very basic but tricky, and I hope you will enjoy it a lot. So, let's get started.......
You can download the VM from here. Let's find its IP in our network using the command.....

1. netdiscover  -r

2. We got the IP, which is . Let's run a quick nmap scan to analyze the open ports and the services running on them.

3. We have 3 open ports on the target machine: 21, 22 and 80. Let's start with FTP.

4. FTP anonymous login succeeded and we got a file called lol.pcap. I moved this file to our system; let's analyze it with a packet sniffer (Wireshark) and see if we get any clue from it.

5. Then I found something in the FTP Data: "Well, well, well, aren't you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P Sucks, you were so close… gotta TRY HARDER!"
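To see how the hint in step 5 can be pulled out of a capture without opening Wireshark, here is an added example (not from the original post) that parses a classic pcap file in pure Python and returns every TCP payload containing a chosen marker. The capture bytes are constructed inline so it runs offline; lol.pcap itself is not included, so to use it on the VM's capture pass the real file's bytes to find_payloads().

```python
import struct

# Constructed sample payload (the FTP-DATA hint from step 5); not bytes from lol.pcap.
HINT = (b"Well, well, well, aren't you just a clever little devil, you almost found "
        b"the sup3rs3cr3tdirlol :-P Sucks, you were so close... gotta TRY HARDER!\n")

def build_sample_pcap(payload, sport=20, dport=40000):
    """Build a one-packet pcap (Ethernet/IPv4/TCP) carrying payload, for offline testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload      # Ethernet II, EtherType IPv4
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, LINKTYPE_ETHERNET
    rhdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))        # ts_sec, ts_usec, incl_len, orig_len
    return ghdr + rhdr + frame

def tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every TCP segment with data in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"          # byte order is given by the magic number
    linktype = struct.unpack(e + "I", pcap[20:24])[0]
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype != 1 or frame[12:14] != b"\x08\x00":
            continue                                  # only Ethernet + IPv4 is handled here
        ip = frame[14:]
        if ip[9] != 6:
            continue                                  # IP protocol 6 = TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]                 # skip IHL*4 header bytes
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]            # skip data-offset*4 header bytes
        if payload:
            yield sport, dport, payload

def find_payloads(pcap, needle=b"TRY HARDER"):
    """Return decoded TCP payloads containing needle (FTP-DATA uses port 20 in active mode)."""
    return [p.decode("latin-1") for _, _, p in tcp_payloads(pcap) if needle in p]

if __name__ == "__main__":
    for hit in find_payloads(build_sample_pcap(HINT)):
        print(hit.strip())
```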

6. First of all I thought this string could be our SSH password (root account), but I was wrong; it clearly says that this is a dir, so I tried it on port 80. Let's enumerate port 80 now.

7. At first I got nothing on port 80 except this one image. I downloaded the image, thinking there could be a hidden dir or clue in it, but found nothing. Then I tried sup3rs3cr3tdirlol.

8. I found a bin file in it; I downloaded it and analyzed it.

9. Then I found something very frustrating (a hex value). I was like, what should I do with it.....

10. I copied this and used it as a URL.

11. Again I found 2 new directories. Once I opened the good luck directory I got a txt file with some usernames.

12. And in the other directory I got a file called Pass.txt.

13. But when I opened the Pass.txt file there was a message. I tried these credentials in SSH brute forcing using a tool called medusa.

14. I tried a lot with these usernames and passwords, but I was unable to understand where I was going wrong. This is a very frustrating part of this machine.

  • Once again I started analyzing everything very carefully, but when I reached point number 11, this_folder_contains_the_password means a lot :)
  • Then I again tried SSH brute forcing with the username list, and instead of the Pass.txt file I used Pass.txt as the password string and......

15. BOOM! We got the SSH credentials successfully. Let's try logging into SSH.

16. Then I typed uname -a to get kernel information for the target system.

17. I searched for an exploit on exploitdb and found exploit 37292.c. I copied it into my Apache web root and started my local web server.

18. I downloaded that exploit into the target system's tmp folder very quickly, because there was a time limit on being logged in via SSH: after a minute I was logged out of the system.

19. I compiled the exploit using gcc <exploit_name> -o ex, then very quickly ran the compiled exploit……

20. And BOOOOOOOOOOOOOOOOOOOM………. We are root on that system, and here is the proof.txt file.

We did it...

Thanks For Reading,
Have a Good Day....
Try Harder!
Reach me@Portfolio