Troll2
Box url :- https://tryhackme.com/room/boxo1troll2
Hi folks,
In this article we are going to deal with an linux buffer overflow of box boxo1troll2, where we will learn a new techniques. It is a difficulty level
Without wasting time, we start the box
Deploy it
Connect to OVPN & check connectivity
Enumeration
Check for the open ports
#nmap -sS -sV -O 10.10.69.146
Port 21,22,80 is open
Check the web server
By viewing page-source, we got the Author name
We will login into ftp using the author name
We get a zip file
Run gobuster
Check robots.txt in web
By checking each dir & downloading the image, in one of the image we see the below
We got your_self dir from the dont-bother dir
We got an answer.txt file
It has the value in base64
Download it to our local system by using wget command
Since, all the contents are in base64, we will decode it & we will crack it using fcrackzip
We found the password for zip file, we will use it
We got, Let’s check it
In noob, it has private key
We will do ssh
Here, we can see that the session is closed
So, we will search for any other possibilities to get the shell using ssh
While googling I got something like shell socker
The syntax of the shell socker includes ‘( )[;:];
By using shell shocker, we got sessions
We got 3 doors.
In-order to check, in which door we have to execute, we use command du -sh *
We will check the doors, which has the highest value we will execute it
While executing ./root it asks for input
We will try with some of the input.
From this we will get to know that ./root acts as echo command
We will create a pattern for it
While checking each, we got it 268 char
To check JMP ESP, we will enter into “gdb” using “gdb root” command
We got JMP ESP
Linux Bad character is similar for all, which is shown below
We will execute the command using python to get root shell & flag
We got the flag
I hope you guys learnt a new technique in this box.
Happy Learning!!!!
