Vulnhub: Tr0ll 1 Writeup (OSCP PREP) [by dollarboysushil]

InfoSec Write-ups
Published in
5 min readDec 10, 2023

Link to Troll1 :,100/
Difficulty: Beginner ; Type: boot2root

The goal is simple, gain root and get Proof.txt from the /root directory.

Disclaimer: Not for the easily frustrated! Fair warning, there be trolls ahead!

Lets start.
You can get the ip of Tr0ll 1 using tool netdiscover
In my case:
Victim (Tr0ll 1 ‘s IP):

I am using VMware workstation pro, network connection is set to bridged.

Nmap Scan

nmap -sC -sV -p- -oN vulos2
-sC for default scripts,-sV for version enumeration and -p- to scan all ports and -oN to save the result
In the result we can see services running
Port 21 Ftp
port 22 ssh
port 80 http

Note that we have anonymous FTP login allowed.

we have simple http site when visiting the ip .

Running gobuster reveals the directory /secret

/secret is nothing but a simple troll page.

Running gobuster at /secret reveals nothing.

so our next step would be to use anonymous login to ftp.

password is not required while login.

we can see a file called lol.pcap
lets download this file to our machine

get lol.pcap

Lets analyse the .pcap file using wireshark.

looking at packet 40 we have something interesting.

It is saying we almost found directory sup3rs3cr3tdir
lets visit this directory

there is file named roflmao
click and download this file.

From the file we can see there is address /0x0856BF
lets visit this address, we might find something interesting

we have two folders.

under good_luck folder we have username wordlist.
copy this wordlist and keep it in your machine.

Now the tricky / troll part,

We have Good_job_:) string under this_folder_contains_this_password .
At first i thought this should be the password.
but when i tried brute forcing it didn’t work.

this_folder_contains_this_password if you read the folder name, it is saying this folder contains this password. And this folder contains Pass.txt . So the password is Pass.txt

we now have username list and password>
lets use hydra to brute force username.

hydra -l username.txt -p Pass.txt ssh://
here -l flag is used to specify the username list.
-p flag is used to specify password string which is Pass.txt
so the username is overflow and password is Pass.txt

lets ssh login with this username and password

we now have shell as user overflow.

Make shell interactive using
python -c ‘import pty; pty.spawn(“/bin/bash”)’

I then looked around files like /etc/passwd , /home etc in a hope to find any thing interesting. aNd found nothing of interest.

Privilege Escalation

for privilege escalation we will use our best friend linpeas (Linux Privilege Escalation Awesome Script )

  1. Move to /tmp directory
  2. download the script wget
  3. Make script executable chmod +x

And comes another troll. Our ssh connection is closed after certain time.
When connection is closed, again login to ssh and download the script.
Once you run the script and get the output we dont need to download the script again .

Looking at the result, we can see machine is vulnerable to various exploit.
Among the exploit I first tried using the dirty cow 2 but g++ was not installed in the machine so i choosed overlafs exploit

copy the download url.

download the exploit using wget url

Rename the exploit from 37292 to 37292.c

compile the exploit.

Then execute the exploit using ./ofc
This should give us a root shell.

now go to root directory using cd /root
Inside the root directory we have proof.txt
Which contains the flag we need to complete this lab.

cat proof.txt

For any correction / query /suggestion contact on
Instagram dollarboysushil
Twitter (X) dollarboysushil
Youtube dollarboysushil

Sign up to discover human stories that deepen your understanding of the world.


Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.


Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates:

Written by dollarboysushil

CPTS | @dollarboysushil on Twitter , Instagram , Github , Linkedin OSCP & CPTS Notes are available here

No responses yet

What are your thoughts?