VulnHub: Tr0ll 1 — Walkthrough | by Reap3rSkull

D3athCod3
Jun 6, 2024

Challenge Description

Tr0ll is a beginner-friendly “boot2root” challenge inspired by the frequent trolling of machines in the OSCP labs. The objective is straightforward: gain root access and retrieve the Proof.txt file from the /root directory. However, be prepared for some tricky surprises along the way!

Let’s Start Solving Tr0ll!

First, I search for the Tr0ll box's IP address using netdiscover:

sudo netdiscover -i eth0

After finding the IP, let’s scan it with an nmap fast scan:

nmap -F ip_address

Scan Output:

We find 3 open ports: ftp, ssh and http.

Accessing & Enumerating FTP

First we try to gain anonymous access to the FTP service, using anonymous as both the username and the password.

ftp <target_ip>

We successfully log in as the anonymous user. Let’s start enumerating the FTP service: after listing the files we find a lol.pcap file. We can analyze this file using Wireshark, so let’s first download it to our local system using the get command.

After downloading the file, let’s start Wireshark:

wireshark -r lol.pcap

This command opens the lol.pcap file in Wireshark.

After a little analysis I found something interesting in Frame 40.

We got a message that says:

Well, well, well, aren’t you just a clever little devil, you almost found the sup3rs3cr3tdirlol :-P

Sucks, you were so close… gotta TRY HARDER!

It looks like a directory name. We didn’t find anything else on the FTP server.

Let’s move on to port 80.

Accessing & Enumerating Port 80

After accessing port 80 we get a Tr0ll image 😑

Let’s start directory enumeration using the dirb tool:

dirb <target_url>

We found a secret directory and a robots.txt file.

Now we have the following paths to check:

  • robots.txt
  • /secret
  • /sup3rs3cr3tdirlol

Let’s access and enumerate them one by one.

robots.txt contains an entry for the /secret directory and nothing else.

The /secret directory contains another tr0ll image 😑

/sup3rs3cr3tdirlol contains a file named roflmao. Let’s download it to our local system.

After analyzing the roflmao file using the strings command we found an address, i.e. 0x0856BF

It took me some time to realize that this address is actually a web directory name.

Inside this directory we get two directory entries

Inside the good_luck directory we find a file named which_one_lol.txt; it contains some username entries.

Let’s access the second folder. We find a Pass.txt file, but it contains only 1 entry, i.e.

Good_job_:)

I downloaded both of these files to my local system.

We don’t have anything else, and only port 22 is left.

BruteForcing and Accessing User Shell

Before brute forcing, I fix the user file entries and remove this text: “ < — Definitely not this one”

Before Edit:

After Edit:

As our password list doesn’t contain anything that looks like a password, I added the file name and the username entries to the Pass.txt file.

Before Edit:

After Edit:

Now, using the command below, I start the brute-force attack on port 22:

hydra -L which_one_lol.txt -P Pass.txt ssh://<target-ip> -t 3

In the above command you can see I set the task value to 4, because increasing the number of parallel connections with a higher -t TASKS value can make the brute-force process faster but may also increase the likelihood of errors or missed attempts due to network instability, server rate limiting, or connection drops. And since our user and password lists are short, brute forcing is not going to take much time anyway.

We successfully found the username and password for the ssh service. Let’s access the overflow user’s shell.
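Seen from the defender's side, a list-based guessing run like the one above stands out in the sshd authentication log: many failures from one source across several usernames, sometimes followed by an accepted login. The Python below is an added example, not part of the original walkthrough; the log lines are constructed, and the function name and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (documentation IPs, made-up host and users apart
# from "overflow"); they were not captured from the Tr0ll box.
SAMPLE_LOG = """\
Jun  6 10:01:02 box sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2
Jun  6 10:01:03 box sshd[1202]: Failed password for invalid user backup from 192.0.2.10 port 40114 ssh2
Jun  6 10:01:03 box sshd[1203]: Failed password for overflow from 192.0.2.10 port 40116 ssh2
Jun  6 10:01:05 box sshd[1204]: Failed password for invalid user admin from 192.0.2.10 port 40118 ssh2
Jun  6 10:01:06 box sshd[1205]: Failed password for invalid user backup from 192.0.2.10 port 40120 ssh2
Jun  6 10:01:07 box sshd[1206]: Accepted password for overflow from 192.0.2.10 port 40122 ssh2
Jun  6 10:03:10 box sshd[1300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun  6 10:03:15 box sshd[1301]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""

# One pattern for both outcomes; lines whose username contains spaces do not
# match and are skipped rather than misparsed.
EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+ ssh2$"
)

def detect_bruteforce(log_text, min_failures=5, min_users=3):
    """Flag source IPs whose failures span several usernames.

    Thresholds are illustrative assumptions. "login_after" is the account
    accepted from that IP after earlier failures (a likely compromise).
    """
    failed = defaultdict(list)   # ip -> usernames of failed attempts
    accepted = {}                # ip -> first user accepted after failures
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failed[ip].append(user)
        elif failed[ip]:
            accepted.setdefault(ip, user)
    report = {}
    for ip, users in failed.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            report[ip] = {"failures": len(users), "users": sorted(set(users)),
                          "login_after": accepted.get(ip)}
    return report

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```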

Privilege Escalation

Note: On this box the ssh connection is closed by the remote host after some time. You can reconnect using the same ssh user creds.

After a little enumeration I found the OS distribution version using the command:

lsb_release -a

Using searchsploit I searched for exploits for this version and found a lot of entries.

The 37292.c exploit is compatible with our Linux kernel version too. I copy this exploit into my current directory using the command below:

searchsploit -m linux/local/37292.c

Let’s start a Python http server and upload this exploit to the target machine.

(You can use wget or curl to download the exploit from the http server.)

After downloading this file, let’s read its code. At the start we find how to compile and use this exploit to gain root.

Let’s compile this exploit with the gcc compiler using the command below and then run it.

gcc 37292.c -o exploit

Now you can access the /root directory and read proof.txt, which is the goal of the Tr0ll 1 challenge.

BOOOMM!!!! WE SUCCESSFULLY COMPLETED TR0LL-1 CHALLENGE
