Tr0ll: 2 CTF Walkthrough

-

Meet the VM here: https://www.vulnhub.com/entry/tr0ll-2,107/

Hey there!

This is the way I followed to find the flag in Tr0ll 2 VM. It is not a difficult thing. As I guess, anyone can do it. Let's move on.....

  • Finding the IP address of the Tr0ll VM.

  • Running nmap tool to get an idea about open ports and running services on the machine.



According to the nmap result, the target machine runs 3 services.

-21 ftp
-22 ssh
-80 http

  • Finding the common paths on the http web service.

  • Check the robots.txt file to get all the paths.
  • Add all the paths in robots.txt into a text file and run dirb again using it as a dictionary (troll_paths.txt).

Four working directories found. There is an image in each one. Nothing else.
  • Get these four images and check md5 values.

There is only one image having some different hash value.
  • Run strings command on the image which has a different hash.

Browsed to the /y0ur_self page and found answer.txt file. It looks like a password dictionary encoded with base64.


  • Save the decoded answer.txt file for later use (answer_decoded.txt).

  • Connect to the target machine using ftp service.

In this case the server asks for username and password. We can get into it by simply guessing the username and password as Tr0ll. Then we can find a zip file called lmao.zip and it is locked.

  • Crack the zip file using the password file previously found.


After extracting the zip file, we can see there is a file called noob. It is a file that contains RSA private key.



  • Check ssh with the given private key to log into the system.
  • Gain access using Shellshock vulnerability.
  • Get a low privileged shell and find the paths.


There are three door files. In each door, we can see a file called r00t. 2 of them are wrong files. Exploiting a wrong file will give some troubles. After several tries, I could find the correct one which has a segmentation fault.
  • Exploit r00t binary file.
  • Create a pattern string to find the buffer size.
  • Debugging the target file using gdb.

  • Find the offset value.
  • Generate a shellcode payload.
  • Exploit the target r00t binary using the payload to get the root access.
  • Finally, get the flag.

That's it. hope you get the way of doing it.
Thank You!

~CS

Comments

Post a Comment

If you got something from my writings, just put your thoughts out to words...

Popular posts from this blog

Best Ways to Make Money Online 2019

-
Image
This guide shows the best ways to make money on the internet. These methods are now very popular because you can make money online with less time and effort. However there is no way to earn money quickly but if you can try hard, you'll be able to get extra money. Start your own website or blog and connect with advertising If you need to earn money online, create your own blog or website first. If you're a student or you're away from school one of the best things you can do is start a blog and put your cv on it. Getting a blog is great if you're applying for a job, and it really helps you stand out from the crowd. You can easily start a blog using Google Blogger or Wordpress. Blogger by Google:  https://www.blogger.com/ WordPress:  https://wordpress.com/ By putting pay-per-click ads like Google Adsense, you can earn money with a website. It's going to take a while to start making money. Next, on your blog, you need to have interesting content. You'...
Read more

Cross-site Request Forgery Protection in Web Applications via Synchronizer Token

-
Image
What Is CSRF? Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in. A successful CSRF attack can be devastating for both the business and user. It can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft—including stolen session cookies. CSRFs are typically conducted using malicious social engineering, such as an email or link that tricks the victim into sending a forged request to a server. As the unsuspecting user is authenticated by their application at the time of the attack, it’s impossible to distinguish a legitimate request from a forged one. Implement Synchronizer Tokens Synchronizer tokens are often referred to as “challenge” tokens. These challenge tokens are included within an HTML form and associated with sensitive server-side tasks. When a user wants to...
Read more

Amazing Places To Visit In The World

-
Image
The world we live in is full of wonderful things. It would be a beautiful experience to see all those wonderful things. So this article is to show you about such wonderful areas in the world. So you can see it with your family while on vacation. Spain Nobody can get over the excitement of celebrating Christmas in Spain. Whether it's bright lighting, shopping, festive avenues, everything, Spain's all-in-one destination for this December. Spain is one of the warmest countries in Europe. The winters here are milder, but they still have warm clothes and a jacket. Take a walk through Gran Via and enjoy the bright decor. Don't forget the fine wines and tapas from San Anton Market! Talented Spanish artist Gaudi's masterpiece work is much more appreciable. He embellished the city, Barcelona with many beautiful buildings, including the massive Roman Catholic Church, La Sagrada Familia. Costa Rica There are a number of destinations in Costa Rica that you can't c...
Read more