This is my walkthrough of how I gained root access to the Tr0ll 1 CTF image posted on vulnhub.com. Here we go —
Once the image loaded up, we need to figure out the IP address of the host.
nmap -sn -PE 192.168.1.200-254
Ok, so the host pulled .207 from DHCP. Let’s do a deeper scan.
nmap -p- -A 192.168.1.207
The nmap scan shows anonymous FTP open, port 80 and SSH. The scan discovered a robots.txt file and a /secret directory. Let’s open a browser and see what we can find.
Connecting to the site just shows us an image. Viewing the source doesn’t help us any here.
Next, I checked out the robots.txt file.
The robots.txt file only lists the /secret path which we saw in the nmap scan. Let’s check it out.
Nothing really helpful here. View-source doesn’t show us anything either. So next I ran Nikto and didn’t really find anything of use. So I decided to check out the anonymous FTP access.
I found a .pcap file via FTP. So I grabbed the file and opened it up in Wireshark.
As you can see in the screen shot, I found a reference to the sup3rs3cr3tdirlol. It took me a bit to figure this out, but turns out it was a directory, and it contained a file.
I saved the file to my Kali machine. I ran exiftool against the file, but didn’t find anything useful.
So I made the file executable and tried to run it. Tried a few other things. This took me a VERY long time to figure out. But I finally did. There is a line in the strings output that references an address.
This is actually a directory on the web server, which contains two additional directories.
Checking out the good_luck folder I found a txt file. I downloaded it and examined it, and I’m guessing this is a list of usernames.
Checking out the this_folder_contains_the_password folder. Another file, Pass.txt. I download it and take a look. A single password?
This took me a bit to figure out as well. But the username is in the which_one file and the password is actually Pass.txt.
hydra -L which_one_lol.txt -p Pass.txt 192.168.1.207 ssh
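From the defender's side, a run like the hydra command above (one password tried against a list of usernames) appears in sshd's log as a burst of failures for many different users from one source, followed by a success. The following is an added example, not part of the original walkthrough, that flags that pattern; the log lines, usernames, hostname, source IPs, year and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not taken from the original post).
SAMPLE_LOG = """\
Aug 14 10:02:11 ctfhost sshd[1201]: Failed password for invalid user alice from 192.168.1.50 port 40112 ssh2
Aug 14 10:02:11 ctfhost sshd[1202]: Failed password for bob from 192.168.1.50 port 40114 ssh2
Aug 14 10:02:12 ctfhost sshd[1203]: Failed password for invalid user carol from 192.168.1.50 port 40116 ssh2
Aug 14 10:02:13 ctfhost sshd[1204]: Accepted password for dave from 192.168.1.50 port 40118 ssh2
Aug 14 10:05:40 ctfhost sshd[1300]: Failed password for bob from 192.168.1.77 port 51000 ssh2
Aug 14 10:06:30 ctfhost sshd[1301]: Accepted password for bob from 192.168.1.77 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, ip); syslog omits the year, so it is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_spray(log_text, min_users=3, window=timedelta(minutes=5)):
    """Flag IPs that fail for >= min_users distinct users inside one window,
    and list any logins accepted from that IP within a window after the burst."""
    failures = defaultdict(list)   # ip -> [(ts, user)] failed attempts
    accepted = defaultdict(list)   # ip -> [(ts, user)] successful logins
    for ts, result, user, ip in parse(log_text):
        (failures if result == "Failed" else accepted)[ip].append((ts, user))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [(t, u) for t, u in events[i:] if t - start <= window]
            users = {u for _, u in in_window}
            if len(users) >= min_users:
                last = in_window[-1][0]
                hits = [u for t, u in accepted[ip] if last <= t <= last + window]
                alerts[ip] = {"users": len(users), "success_after": hits}
                break
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

A source that retries one account (192.168.1.77 in the sample) is not flagged; only the many-users-one-source burst is, and a non-empty `success_after` marks the account that should be treated as compromised.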
Now, let’s SSH to the host and see what OS/kernel versions are being used.
Ok, so the host is running Ubuntu 14.04 and the 3.13 kernel. Let’s see if I can find any privilege escalation vulnerabilities for these versions.
searchsploit ubuntu 14.04
After doing a little research, 37292.c looks promising. Let’s download it to the host.
Now let’s compile and run it.
gcc 37292.c -o priv
Looks like it worked. We are able to get to the /root folder and read the proof.txt.