In this article we are going to solve another boot2root challenge, Tr0ll. This is a beginner-level machine, and it can be downloaded from VulnHub.
Using the command netdiscover -i wlan0, we find the IP address of the target machine.
Next we check for open ports using the command: nmap -A 192.168.43.140
Three ports are open: 21 (FTP), 22 (SSH) and 80 (HTTP). The scan also shows that anonymous login is allowed on port 21, so we decided to log in anonymously on port 21 using the credentials: username: anonymous password:
We downloaded this file to our local machine using the get command.
Now we decided to open this file. pcap is an application programming interface (API) for capturing network traffic, and a .pcap file stores the packets captured through it.
Since it is a .pcap file, we opened it in Wireshark using the command: wireshark lol.pcap
After examining the captured traffic carefully, we found a very interesting packet.
It means sup3rs3cr3tdirlol is a directory, so we decided to browse the HTTP service and, without wasting time, opened the directory: /sup3rs3cr3tdirlol
We downloaded this file to our local machine and, after giving it executable permission, ran the binary and found a very useful message.
0x0856BF could be another hidden directory, so we decided to open it.
Here we found two new folders, and after exploring them we found a list of usernames and a password, Pass.txt, so we decided to brute-force SSH with hydra using the command: hydra -L pass -p Pass.txt 192.168.43.140 ssh
So we decided to log in to SSH as user overflow with the password Pass.txt.
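From the defender's side, the hydra run above (one password tried against a list of usernames) shows up in the sshd log as failed logins for many distinct accounts from a single source. The following is an added example, not part of the original walkthrough: the log lines are constructed, the format assumed is the standard OpenSSH syslog output, and the function name, threshold and window are hypothetical choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (not from the original page).
SAMPLE_LOG = """\
Aug 10 12:00:01 troll sshd[2101]: Failed password for invalid user alice from 192.168.43.10 port 51000 ssh2
Aug 10 12:00:02 troll sshd[2102]: Failed password for invalid user bob from 192.168.43.10 port 51002 ssh2
Aug 10 12:00:03 troll sshd[2103]: Failed password for carol from 192.168.43.10 port 51004 ssh2
Aug 10 12:00:04 troll sshd[2104]: Failed password for invalid user dave from 192.168.43.10 port 51006 ssh2
Aug 10 12:00:05 troll sshd[2105]: Accepted password for overflow from 192.168.43.10 port 51008 ssh2
Aug 10 12:07:00 troll sshd[2200]: Failed password for carol from 192.168.43.77 port 40000 ssh2
Aug 10 12:09:30 troll sshd[2201]: Accepted password for carol from 192.168.43.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_spray(log_text, min_users=4, window=timedelta(minutes=5), year=2024):
    """Return {ip: {"users": [...], "compromised": [...]}} for sources that
    failed logins for >= min_users distinct accounts within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append((ts, m["result"], m["user"]))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [(ts, u) for ts, r, u in evs if r == "Failed"]
        for start, _ in fails:
            users = sorted({u for ts, u in fails if start <= ts < start + window})
            if len(users) >= min_users:
                # A success from the same source after the spray began marks
                # the account whose password must be reset first.
                hits = sorted({u for ts, r, u in evs
                               if r == "Accepted" and ts >= start})
                alerts[ip] = {"users": users, "compromised": hits}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a successful login, as from 192.168.43.77 in the sample, stays below the threshold and raises no alert.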
Using the command uname -a, we gathered information about the system, and it looks like the kernel version is old.
We searched Google for an exploit for this kernel version and found an exploit here. We downloaded this exploit to our local machine.
Next we transferred it to the /tmp directory on the target machine. It is a C file, so we compiled it using the command: gcc 37292.c -o haclabs0
After changing the permission to executable, we ran the binary and got root access!
Done, we are root now, and this completes our challenge!