Hi Friends,
Greetings for today,
Today I will go through Troll:1 which is a great VM for OSCP aspirants and its very basic and tricky I hope you will enjoy a lot So, lets get started.......
you can download the VM from here let find its IP in our network using command.....
1. netdiscover -r 192.168.1.0/24
2. we got the IP which is 192.168.1.141 let's run a quick nmap to analyze the open ports and services running.
3. we have 3 ports running in the target machine 21,22 and 80 lets start with ftp
4. ftp anonymous login success and got a file called lol.pcap, moved this file to our system and let analyze if we get any clue from this using packet sniffer(wireshark)
5. then got something like FTP Data (Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P Sucks, you were so close… gotta TRY HARDER!
6. First of all I thought this string can be our ssh’s password(root account) but I was wrong, clearly mentioned here that this is dir so I tried it on port 80 lets enumerate port 80 now.
7. First I got nothing in the 80 except this on img , I downloaded the image then I thought there can be a hidden dir or clue in this image but nothing found then I tried sup3rs3cr3tdirlol
8. I
found a bin file in it I downloaded it and analyze it
9. Then I found something very frustrating thing(a hex value) I was like what should I do with it.....
10. I copied this and used it as a url
11. Again I found 2 new directories once I opened the good luck directory I got a txt file with some usernames
12. And in another directory I got a file called Pass.txt
13. But when I opened Pass.txt file there was a message I tried these credentials In ssh broutforcing using tool called medusa.
14. I tried a lot with these username and password but I was unable to understand that where I am wrong this is a very frustrating part of this machine
Greetings for today,
Today I will go through Troll:1 which is a great VM for OSCP aspirants and its very basic and tricky I hope you will enjoy a lot So, lets get started.......
you can download the VM from here let find its IP in our network using command.....
1. netdiscover -r 192.168.1.0/24
2. we got the IP which is 192.168.1.141 let's run a quick nmap to analyze the open ports and services running.
3. we have 3 ports running in the target machine 21,22 and 80 lets start with ftp
4. ftp anonymous login success and got a file called lol.pcap, moved this file to our system and let analyze if we get any clue from this using packet sniffer(wireshark)
5. then got something like FTP Data (Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P Sucks, you were so close… gotta TRY HARDER!
6. First of all I thought this string can be our ssh’s password(root account) but I was wrong, clearly mentioned here that this is dir so I tried it on port 80 lets enumerate port 80 now.
7. First I got nothing in the 80 except this on img , I downloaded the image then I thought there can be a hidden dir or clue in this image but nothing found then I tried sup3rs3cr3tdirlol
9. Then I found something very frustrating thing(a hex value) I was like what should I do with it.....
10. I copied this and used it as a url
11. Again I found 2 new directories once I opened the good luck directory I got a txt file with some usernames
12. And in another directory I got a file called Pass.txt
13. But when I opened Pass.txt file there was a message I tried these credentials In ssh broutforcing using tool called medusa.
14. I tried a lot with these username and password but I was unable to understand that where I am wrong this is a very frustrating part of this machine
- Once again I started analyzing everything very carefully but when I reached in point number 11 this_folder_contains _the_password means a lot J
- Then I again tried ssh broutforcing with username list and instead of Pass.txt file I used Pass.txt as string in password and......
15. BOOM!
We got ssh credentials successfully let’s try login into ssh
16. Then
I typed uname –a for kernel information of the target system
17. I searched for an exploit in exploitdb and I got an exploit 37292.c I copied it
into my apache server I started my local web server.
18. I downloaded that exploit in the target system’s tmp folder very quickly because
there was a time limit for logged in into ssh after a minute I logged out from
the system
19. I compiled the exploit using gcc
<exploit_name> -o ex then very
quickly I run the compiled exploit……
20. And
BOOOOOOOOOOOOOOOOOOOM………. We are root of that system and here is the proof.txt
file
We did iT...
Thanks For Reading,
Have a Good Day....
Try Harder!
Try Harder!
Reach me@Portfolio