• VM: Tr0ll: 1
  • Goal: acquire root access
  • Approach: solve without automated exploitation tools


Target Discovery

First locate the IP address of my target:

nmap -n -sn

Port Scanning

nmap -P- -A
nmap scanning
Ports Service/Banner
TCP: 21 vsftpd 3.0.2
TCP: 22 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2
TCP: 80 Apache 2.4.7

Checkout website


Lol, there isn’t much info on the website. So I check robots.txt file and it shows a folder /secret.

secret folder

Ha, the author is trolling. Ok, not much so far on the website. Let’s turn to the ftp.

FTP anonymous login

Try to login as anonymous.


Ok, there’s a file lol.pcap. Looks like a packet capture file. Download it and check it out using wireshark. In wireshark, there are several TCP Streams I can follow, 2 of them with interesting info.: (at display filter, type tcp.stream eq 0 to see first stream and increment the number for the next stream)

TCP stream 0

The first stream reveals a file secret_stuff.txt.

TCP stream 2

The second stream so a word sup3rs3cr3tdirlol. Try to plug them in to the website. I can’t find secret_stuff.txt but sup3rs3cr3tdirlol is a folder on the website:


Click on roflmao shows that it’s a binary file to download.


Using hexeditor to check out the file I find a message:

hexeditor roflmao

The message is: Find address 0x0856BF to proceed

I search the address in the hex editor but couldn’t find the address. Turns out it’s also a folder on the website:


Follow the good_luck directory and I find a list of names. I save the list to a file names.txt


Then I check out this_folder_contains_the_password/


I save both the file name (Pass.txt) and content (Good_job_:))to the file passwords.txt


With a list of names & some passwords to try, let’s do a online password cracking using hydra.

hydra -L names.txt -P passwords.txt ssh -f -V

After running it for a while, the attack receives bunch of connection refused errors and then failed. Looks like the SSH server denied the login attempts after some failure. But it comes back after a while. So I slow down the attack using -c 10 flag.

hydra -L names.txt -P passwords.txt ssh -f -V -c 10


It takes longer to crack but I did find a valid user/password pair: overflow/Pass.txt

SSH Login

ssh overflow@

Login success. All right. Finally have my foot in. 🙂

Privilege Escalation

Did some enumeration like sudo -l, crontabs & etc without finding anything fruitful. The author is really trolling. I got kicked out every 5 minutes. That’s the most annoying part. lol

Finally catch something interesting when looking for world writable files:

find / -perm -o+w -type f 2> /dev/null | grep /proc -v

‘grep /proc -v’ to exclude files in /proc folder, which are not relevant.

The cleaner.py looks interesting. Let’s check out the script:

cleaner script

It’s a script to remove (cleanup) all files in the /tmp folder. It would be useful if there’s a cron job defined to run this script regularly. So I create a file at /tmp to test it out:

test file

And wait a while…

test file gone

Looking good. The test.txt file is gone! Now I am going to modify the script to create a shell with setuid privilege:

modify script

Wait for a while again…

shell created

The file dash is created and owned by root. Awesome, with setuid privilege, the shell is running as root. Root shell obtained!

Capture the Flag

root flag


As it turns out, the cron job is located at /var/spool/cron/crontabs. It executes /opt/lmao.py every 5 minutes to kick us out of our login and /lib/log/cleaner.py every 2 minutes


Thank you author Maleus for the box Tr0ll 1 and all the trolling!

Leave a Reply

Close Menu