Tr0ll – VulnHub #4

First thing I did was run a netdiscover scan to find the IP.Screenshot from 2016-10-15 16-55-19.png
From there I ran for some recon…screenshot-from-2016-10-15-16-56-19I saw that anonymous FTP was enabled so I gave it a try.I found one PCAP file that I opened in Wireshark.I followed the TCP stream of ftp-data and found the contents of a text file that were talking about a directory.I assumed it was talking about port 80’s HTTP server.

My theory was confirmed.screenshot-from-2016-10-15-17-00-12I downloaded the file and found it was a executable.When I ran it it told me to find a address.I was kinda confused when I opened the file in edb and found that there was no such address.

This slideshow requires JavaScript.

I was thinking…what other kind of address could there be? Oh,I know a URL? It took me a while but I was correct.screenshot-from-2016-10-15-17-03-00Both of directories contained text files.

This slideshow requires JavaScript.

I tried to bruteforce SSH with “Good_job_:)” as a password, but after some trial and error I finally did it but with “Pass.txt” as the password.screenshot-from-2016-10-15-17-05-02I SSH’d to the box and found something very interesting…The kernel was vulnerable to privesc.

This slideshow requires JavaScript.

I fired up a Python HTTP server and used the exploit.It worked perfectly.screenshot-from-2016-10-15-17-11-20Since I got root I read the proof.txt and finished this VM.screenshot-from-2016-10-15-17-12-21This VM was really fun.It was different and I must say it really got me stuck sometimes but that’s the point of it not? I also hope you enjoyed.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s