Walkthrough - VulnHub Tr0ll-3

VulnHub Tr0ll-3 is a privilege-escalation boot2root box. The difficulty is low: there are no binary exploits, and no enumeration is needed to get the initial shell, since we are handed the initial login credentials start:here. You can download the box here: Tr0ll-3.

Target IP address: 192.168.1.64

Kali IP address: 192.168.1.80

Box type: boot2root, privilege escalation

I imported the box into VMware Workstation, and it automatically picked up an IP address from my bridged office network. Since the initial credentials were known to be start:here, I began with a network discovery to find the target IP address and then opened an SSH connection to it.


USER: START

After that, I noted down the available users and ran some initial commands on the machine. I first tried the 'PTRACE_TRACEME' pkexec Local Privilege Escalation kernel exploit available on Exploit-DB, but to no avail; this machine runs a patched kernel.


Then I tried to find the user in the sudoers file, but the user start is not part of it. Next I started navigating the files and folders in the user's home directory. There are two folders there, bluepill and redpill. The bluepill folder contains a file named awesome_work, which in turn contains a link that is just there to troll us.


The redpill directory contains information worth investigating further. We know there is a user named step2, and this file contains a password for user step2. So I tried to su to step2 with the password Password1!, but got trolled again: this is neither the right password nor the right way forward.


I started investigating the logs, backups, SUID binaries, and cron jobs, and ended up with two suspicious files on the machine, gold_star.txt and wytshadow.cap. I copied both to my Kali instance.


After opening the .cap file in Wireshark, I saw a lot of authentication packets and, at the end of the file, a 4-way handshake; as you might guess, it was a WPA handshake capture, and both the ESSID and the file name match the existing username wytshadow. I quickly ran aircrack-ng against it with the rockyou.txt dictionary, but to no avail. The other file, gold_star.txt, is a plain ASCII file containing nothing but 10-character words, which made it look like a dictionary file to me. I then used this file as the dictionary against the WPA handshake with aircrack-ng and got the password gaUoCe34t1.


USER: WYTSHADOW

I then quickly used the username wytshadow and password gaUoCe34t1 with the su command and got into the wytshadow account. Once in, I ran commands to check whether this user is a member of other groups or has an entry in the sudoers file, and found that this user can run /usr/sbin/service nginx start as root, that is, start the Nginx server as the root user. Another thing: inside wytshadow's home directory there is a file named oohfun, a SUID binary owned by user genphlux that prints "iM Cr@zY L1k3 AAA LYNX" continuously. I decided to focus on the Nginx server first.


After starting the Nginx server I checked which port it listens on and found it to be port 8080. I browsed to the target's IP address on this newly found port from my Kali machine and was served a 403 Forbidden page. After going through the Nginx configuration file "/etc/nginx/sites-available/default", I found that the server only allows the Lynx user agent to access it.


One way in is to download and install the Lynx browser and access the server with it; the other is simply to change the user agent of the current Firefox browser with a plugin. I chose the second, easier option. After accessing the server on port 8080, the user genphlux's credentials (genphlux:HF9nd0cR!) are right in front of us.


USER: GENPHLUX

After logging into the genphlux account we see a file named maleus, which is also the name of a system user. Opening it, I found an RSA private key, hopefully belonging to user maleus. So I fixed the permissions on the private key file, tried to log in with it, and voila, we have access to the maleus account.




USER: MALEUS

After logging in as maleus we see an executable named dont_even_bother. Exploring it, we see that it just displays the message 'Your reward is just knowing you did it! :-P' after being given the password 'xl8Fpx%6', which I found by running strings on it. There is another file in maleus's home directory, .viminfo. Opening it, I found a credential that looked like it could be for the same user maleus, and it turned out to be valid for that user. Then I checked the sudoers file again for this user's entry, and this time we have the same file, /home/maleus/dont_even_bother, runnable as root. From here root can be reached in many ways; I simply replaced /home/maleus/dont_even_bother with a copy of /bin/bash and ran it with sudo /home/maleus/dont_even_bother. That is it, we got root.
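The root step works because the sudo rule points at a binary the same user owns and can overwrite. As an added example (not part of the original writeup or the box), the following Python check audits sudoers-style rules and flags any whose command path the granted user can replace; the sudoers lines and the file-ownership table are constructed to mirror the two rules found on this box.

```python
"""Audit sudoers rules for commands the granted user could replace.

Added example: a sudo rule that lets a user run a binary the user owns,
or one living under the user's own home directory, is equivalent to
granting that user root. The data below is constructed, not taken from
the box.
"""
import re

# Constructed sudoers lines mirroring the two rules found on Tr0ll-3.
SUDOERS = """
wytshadow ALL=(root) NOPASSWD: /usr/sbin/service nginx start
maleus ALL=(root) NOPASSWD: /home/maleus/dont_even_bother
"""

# Constructed stand-in for os.stat(): path -> (owner, permission bits).
FILES = {
    "/usr/sbin/service": ("root", 0o755),
    "/home/maleus/dont_even_bother": ("maleus", 0o755),
}

# user  host=(runas)  [NOPASSWD:]  command [args...]
RULE_RE = re.compile(r"^(\S+)\s+\S+=\((\S+)\)\s+(?:NOPASSWD:\s*)?(\S+)")


def user_can_replace(path, user, files=FILES):
    """True if `user` owns the file, it is world-writable, or it sits
    under the user's home directory (where they control the directory)."""
    if path.startswith(f"/home/{user}/"):
        return True
    if path not in files:
        return False
    owner, mode = files[path]
    return owner == user or bool(mode & 0o002)


def audit_sudoers(text, files=FILES):
    """Return (user, runas, command) for every rule whose command the
    granted user could swap for a shell of their choosing."""
    findings = []
    for line in text.splitlines():
        match = RULE_RE.match(line.strip())
        if not match:
            continue  # comments, defaults, aliases, blank lines
        user, runas, cmd = match.groups()
        if user_can_replace(cmd, user, files):
            findings.append((user, runas, cmd))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SUDOERS):
        print("sudo target replaceable by grantee:", finding)
```

On a live host the FILES table would be replaced by `os.stat()` on each command path; the `service nginx start` rule is not flagged here because the binary is root-owned, even though starting a service as root has its own risks.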


This is my first boot2root writeup; please share your valuable feedback on how I can improve future write-ups. Thank you for reading, and happy hacking :)

