Walkthrough Tr0ll 2 VM (Vulnhub)



Tr0ll 2 vulnerable VM walkthrough.

1) Nmap scan:




2) Directory buster


3) Nikto scan


4) Checking port 80 on the vm


5) List of directories enumerated from robots.txt


6) Making a dictionary of directories names for enumerating live directories.



7) Running directory buster using the above made list.


8) Nothing actually found except for the clue 'cat_the_troll'


9)  Still nothing worked. Then I started brute-forcing using a custom made dictionary.
Got ftp credentials.

10) Checking out the ftp login. We can see a file named as lmao.zip


11) The file was password protected. Previously Tr0ll vm has given a dictionary. I used that dictionary to bruteforce.


12) Unzipping and getting the file.


13)  noob file contains ssh key


14) Trying to connect to the vm using noob as the user and ssh key of noob


15) Bit of googling


16) We can use shellshock to exploit over ssh. After doing some R&D I triggered the following command exploiting the shellshock vulnerability.


17) It seems that we can remotely execute the commands by exploiting the shellshock vulnerability.
18) Next we will check for presence of netcat or python on the system to spawn the shell.


19) It seems that netcat is not available for the use but python is present. After checking out http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet  I chose reverse bash shell code.



20) Connecting to port 8900. We get a shell.



Gaining root access by exploiting bufferoverflow.










Comments

Post a Comment

Popular posts from this blog

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I
Read more

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close
Read more