TryHackMe | CTF | Walkthrough |Troll 😅😂😭

Walkthrough of Troll Machine. This box is levelled as Medium Category, check out the link https://tryhackme.com/room/boxo1troll1

1. Enumerate

Lets find out the number of ports open on this machine

Using nmap to find open ports on the machine

Usually I run the gobuster to enumerate on the open ports and find some information. Unfortunately, gobuster didn’t yield anything useful.

Trolled at index.html

trolled again at /secret directory

After getting trolled number of times, immediately my attention went to anonymous FTP login. Username being anonymous and there was no password so enter did the job.

I downloaded the lol.pcap file on my system. I used wireshark to find out the information in the .pcap file. I started analysing it which lead to understanding that the .pcal file had some FTP protocol in it. It means someone used it to login and this opened up the possibility of pawning the machine. I saw some messages which said secret_stuff and I started to follow stream on each packets.

One of the interesting packets was with the length of 213, I opened and found a secret directory.

sup3rs3cr3tdirlol

I had more information now to find out something on the website of the machine. I went there with <IP address>/sup3rs3cr3tdirlol

I downloaded the file roflmao, its was an execution type file when i checked its properties. I couldn’t find anything useful from the execution of the file, except one message to find address 0x0856BF.
strings roflmao command was very useful here to find out the information from the binary that couldn’t be opened using the conventional tools

I went there with <IP address>/0x0856BF . Guess what it worked!!, but hang on it’s not the end.

What!!!!! they just literally gave the password to me. Atleast that’s what I though in the beginning.

2. BruteForcing

It was not time to brute force the open port ssh with the username and password on the website. Initially, I failed a lot of times to get the password right. It was because the password was not correct. Lesson learnt: Whenever you see a password spoon-feed to you, do not believe it will 100 % workout. The password was Pass.txt which was the name of the file. Initially, I downloaded the username and password file on my machine and started brute-forcing with hydra.

I downloaded the username and password file on my local machine

I downloaded the username and password file on my local machine

Brute-forcing again with hydra

Username: overflow Password: Pass.txt (I see where the name’s come from)

3. Capture the flag

Got the access of ssh using the command ssh overflow@<IP address>
I did not find anything in the machine so I check for the kernal exploits, I started with uname -a command to find the kernal version.

I found something in Exploit database, the complete code was given for local privilege escalation.

I copied the code in my local machine and used python server to copy this code to the vulnerable machine.

Ran the server on port 80

Now, I had to execute the file which I have copied. I encountered error that I can’t download the file, I changed the directory to temp, worked like a charm.

I used gcc <filename> . It resulted in a.out file. I ran the file ./a.out

I checked it and I became the root user of the machine. Finally, I went to root directory and did a cat on the proof.txt to find the flag.

Hit claps icon, that helps.
Cheers 🍻 !! See you in the next one.