Today we’ll begin the process of compromising one of Vulnhub’s latest VMs, “TrollCave”. The author, David Yates, says that this VM is attempting to be as realistic as possible, AKA straying from the usual contrived scenarios which pop up in some CTFs (port knocking, MP3 file waveform analysis etc.)
The author has also stressed that a kernel exploit isn’t required to root this box, so that’ll save some time when we come to privesc the box later.
This is the first VM which has tested me to the point where I’ve had to stop and take a break, as such this write up only covers from enumeration through to getting admin in the webapp – part 2 of the write up will detail how to shell the box and continue exploitation.
Let’s go and break stuff!
root@kali:~# nmap -sV -T5 -sC -p- 192.168.56.101
Starting Nmap7.60(https://nmap.org ) at 2018-03-24 19:03 GMT
mass_dns:warning:Unable todetermine any DNS servers.Reverse DNS isdisabled.Tryusing--system-dns orspecify valid servers with--dns-servers
Nmap scan report for192.168.56.101
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH7.2p2Ubuntu4ubuntu2.4(Ubuntu Linux;protocol2.0)
Dirb found all the treats! There’s that weird pattern again, admin.cgi, admin.php, admin.pl… No admin.asp this time though (for some reason.) let’s fire up the app in our browser and go to town on it.
So at first glance it’s a nicely designed, well locked down blog.
All of the interesting findings from above are locked down with access control saying that you must be logged in. No obvious LFI vectors in the URLs, but there is is an IDOR problem that we can use to enumerate every user in the app.
When navigating to a user’s profile page the URL changes from user/1 to user/2 etc. so we can write a little script to enumerate all users –
root@kali:~# for f in `seq 1 20`; do curl --silent http://192.168.56.101/users/$f | grep -i recipient_name | cut -d= -f3 | cut -d\" -f1 ; done
Yeah the script’s a little ugly but hey, I’m a programmer and sometimes it’s fun to be a bit sloppy! 😉
So we’ve got a list of all users now. We notice that when we try and log in we get given a little password hint by the app.. Let’s use this lovely data to get all of the password hints using Burpsuite –
I used the awesome Intruder module in burpsuite to query for every user, then used the results processing options to pull out just the hints from the results!
Over fire and over stone…
i am the dankest
It’s super secure
Your normal password
mother’s maiden name
no one is
It is what it is
And we’re done! So now we can start trying to guess some passwords using these cryptic hints..
And get nowhere. Blargh.
Password Reset Pwnage
So after looking over all of the blog posts a bit closer, I spot one which mentions a half-implemented password reset function written in Ruby! So after Googling how to do password resets in Ruby on Rails I came across this absolute belter, which lead me to trying various password_reset URLs until I came across this gem (see what I did there..!)
Uh oh… That doesn’t look good does it! 😉
Let’s reset King, the SuperAdmin’s password.
Bah! It’ll still let us progress further anyway, let’s pick a member and reset their password.
Ugh! More roadblocks! Although look at that URL.. What would happen if we swapped ‘xer’ for ‘King’..?
So far so good, it’s given us a proper password reset form. Let’s add a password and see if it works.
BINGO! We’re King the Superadmin! How awesome is that?
I’ve decided to park this VM for now, until my skills improve a little more and I’m able to fully compromise this box. Part 2 will be written and posted within the next few months, all being well.
Huge thanks to this box’s creator (link in Introduction) this is a really unique challenge which I’ve thoroughly enjoyed so far.