Today we’ll begin the process of compromising one of Vulnhub’s latest VMs, “TrollCave”. The author, David Yates, says that this VM is attempting to be as realistic as possible, i.e. straying from the usual contrived scenarios which pop up in some CTFs (port knocking, MP3 file waveform analysis, etc.).
The author has also stressed that a kernel exploit isn’t required to root this box, so that’ll save some time when we come to privesc it later.
This is the first VM which has tested me to the point where I’ve had to stop and take a break. As such, this write-up only covers enumeration through to getting admin in the web app; part 2 of the write-up will detail how to shell the box and continue exploitation.
Let’s go and break stuff!
root@kali:~# nmap -sV -T5 -sC -p- 192.168.56.101
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-24 19:03 GMT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.101
Host is up (0.00068s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| 2048 4b:ab:d7:2e:58:74:aa:86:28:dd:98:77:2f:53:d9:73 (RSA)
| 256 57:5e:f4:77:b3:94:91:7e:9c:55:26:30:43:64:b1:72 (ECDSA)
|_ 256 17:4d:7b:04:44:53:d1:51:d2:93:e9:50:e0:b2:20:4c (EdDSA)
80/tcp open http nginx 1.10.3 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_http-server-header: nginx/1.10.3 (Ubuntu)
MAC Address: 08:00:27:D0:D7:C5 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.26 seconds
Nothing hugely exciting here: there’s an NGINX web server and an SSH server. Let’s go and poke the web server (whilst running the usual tools against it).
root@kali:~# nikto -host http://192.168.56.101
- Nikto v2.1.6
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2018-03-24 19:07:59 (GMT0)
+ Server: nginx/1.10.3 (Ubuntu)
+ Cookie _thirtytwo_session created without the httponly flag
+ Uncommon header 'x-request-id' found, with contents: a9517fcb-1624-434f-983b-5099d46446e4
+ Uncommon header 'x-runtime' found, with contents: 0.029192
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3093: /login.php3?reason=chpass2%20: This might be interesting... has been seen in web logs from an unknown scanner.
+ /login.asp: Admin login page/section found.
+ /login.html: Admin login page/section found.
+ /login.php: Admin login page/section found.
+ 7537 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2018-03-24 19:09:36 (GMT0) (97 seconds)
+ 1 host(s) tested
A few interesting things pop out here. /login/ is obviously of interest to us, as is login.php. I have no idea why there’s a login.php3 and a login.asp there; that requires some investigating.
Dirb found all the treats! There’s that weird pattern again: admin.cgi, admin.php, admin.pl… No admin.asp this time though (for some reason). Let’s fire up the app in our browser and go to town on it.
So at first glance it’s a nicely designed, well locked down blog.
All of the interesting findings from above are locked down with access control saying that you must be logged in. No obvious LFI vectors in the URLs, but there is an IDOR problem that we can use to enumerate every user in the app.
When navigating to a user’s profile page the URL changes from user/1 to user/2 etc., so we can write a little script to enumerate all users:
root@kali:~# for f in $(seq 1 20); do curl --silent http://192.168.56.101/users/$f | grep -i recipient_name | cut -d= -f3 | cut -d\" -f1 ; done
Yeah the script’s a little ugly but hey, I’m a programmer and sometimes it’s fun to be a bit sloppy! 😉
So we’ve got a list of all users now. We notice that when we try to log in, the app gives us a little password hint. Let’s use this lovely data to get all of the password hints using Burp Suite:
I used the awesome Intruder module in Burp Suite to query for every user, then used the results-processing options to pull out just the hints from the results:
Over fire and over stone…
i am the dankest
It’s super secure
Your normal password
mother’s maiden name
no one is
It is what it is
And we’re done! So now we can start trying to guess some passwords using these cryptic hints…
And get nowhere. Blargh.
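From the defender’s side, the user enumeration above (sequential /users/N requests, followed by hammering the login form for hints) is easy to spot in the web server’s access log, because one client walks through many distinct profile IDs in a short window. The following Ruby script is an added example, not part of the original post or of the TrollCave app: it parses nginx combined-format log lines (constructed here, not captured from the VM) and flags any client IP that requests at least five distinct profile IDs within 60 seconds. The path pattern /users/<id>, the window and the threshold are assumptions chosen for the example.

```ruby
require "time"
require "set"

# Constructed sample nginx access-log lines (combined format), not from the real VM.
# 10.0.0.5 walks profiles 1..6 in three seconds; 10.0.0.9 is normal browsing.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [24/Mar/2018:19:20:01 +0000] "GET /users/1 HTTP/1.1" 200 2314 "-" "curl/7.58.0"
  10.0.0.5 - - [24/Mar/2018:19:20:01 +0000] "GET /users/2 HTTP/1.1" 200 2290 "-" "curl/7.58.0"
  10.0.0.5 - - [24/Mar/2018:19:20:02 +0000] "GET /users/3 HTTP/1.1" 200 2301 "-" "curl/7.58.0"
  10.0.0.5 - - [24/Mar/2018:19:20:02 +0000] "GET /users/4 HTTP/1.1" 200 2288 "-" "curl/7.58.0"
  10.0.0.5 - - [24/Mar/2018:19:20:03 +0000] "GET /users/5 HTTP/1.1" 200 2295 "-" "curl/7.58.0"
  10.0.0.5 - - [24/Mar/2018:19:20:03 +0000] "GET /users/6 HTTP/1.1" 200 2310 "-" "curl/7.58.0"
  10.0.0.5 - - [24/Mar/2018:19:21:00 +0000] "GET /login HTTP/1.1" 200 1800 "-" "curl/7.58.0"
  10.0.0.9 - - [24/Mar/2018:19:20:03 +0000] "GET /users/3 HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
  10.0.0.9 - - [24/Mar/2018:19:22:10 +0000] "GET /posts/7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  10.0.0.9 - - [24/Mar/2018:19:25:10 +0000] "GET /users/4 HTTP/1.1" 200 2288 "-" "Mozilla/5.0"
  this line is deliberately malformed and must be skipped
LOG

# nginx "combined" format: ip ident user [time] "method path proto" status ...
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
# Profile pages in the app under discussion look like /users/<numeric id>.
USER_PATH = %r{\A/users/(?<id>\d+)\z}

# Turn one raw log line into a hash, or nil when it does not parse.
def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], "%d/%b/%Y:%H:%M:%S %z"),
    method: m[:method],
    path: m[:path],
    status: m[:status].to_i
  }
end

# Numeric profile id for a request path, or nil if the path is not a profile page.
def profile_id(path)
  m = USER_PATH.match(path)
  m && m[:id].to_i
end

# For each client IP, the largest number of distinct profile ids it requested
# inside any sliding window of `window` seconds.
def enumeration_scores(lines, window: 60)
  per_ip = Hash.new { |h, k| h[k] = [] }
  lines.each_line do |raw|
    ev = parse_line(raw.strip) or next
    id = profile_id(ev[:path]) or next
    per_ip[ev[:ip]] << [ev[:time], id]
  end
  per_ip.transform_values do |events|
    events.sort_by!(&:first)
    best = 0
    events.each_with_index do |(start, _), i|
      ids = Set.new
      j = i
      while j < events.size && events[j][0] - start <= window
        ids << events[j][1]
        j += 1
      end
      best = ids.size if ids.size > best
    end
    best
  end
end

# IPs whose score reaches the threshold, i.e. likely profile enumeration.
def flag_enumerators(lines, window: 60, threshold: 5)
  enumeration_scores(lines, window: window).select { |_, n| n >= threshold }.keys.sort
end

if __FILE__ == $PROGRAM_NAME
  enumeration_scores(SAMPLE_LOG).each { |ip, n| puts "#{ip}: #{n} distinct profiles in 60s" }
  puts "flagged: #{flag_enumerators(SAMPLE_LOG).inspect}"
end
```

The same sliding-window count applied to POST /login per IP catches the hint harvesting as well; the real fix, though, is in the app: the profile route should not be reachable for arbitrary IDs without authorisation, and the login form should not reveal a hint for a user name it was just handed.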
Password Reset Pwnage
So after looking over all of the blog posts a bit closer, I spot one which mentions a half-implemented password reset function written in Ruby! After Googling how to do password resets in Ruby on Rails I came across this absolute belter, which led me to trying various password_reset URLs until I came across this gem (see what I did there!).
Uh oh… That doesn’t look good does it! 😉
Let’s reset the password of King, the SuperAdmin.
Bah! It’ll still let us progress further anyway, let’s pick a member and reset their password.
Ugh! More roadblocks! Although look at that URL… What would happen if we swapped ‘xer’ for ‘King’?
So far so good, it’s given us a proper password reset form. Let’s add a password and see if it works.
BINGO! We’re King the Superadmin! How awesome is that?
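The weakness that hands us the SuperAdmin account is that the reset form is selected by a user name carried in the URL, so whoever reaches the form picks the victim. The Ruby below is an added example written for this write-up, not the TrollCave application’s code: it places the broken pattern (reset keyed on a name from the request) beside the usual fix, where a random single-use token issued to the requesting account is the only thing that selects which password gets changed, and it goes slightly beyond the page by adding expiry and storing only a digest of the token. The PasswordResets class, the User struct and the SHA-256 password “hashing” are all assumptions made for the example; a real Rails app would use bcrypt via has_secure_password.

```ruby
require "securerandom"
require "digest"

# Toy in-memory user record, constructed for this example (not the app's schema).
User = Struct.new(:name, :role, :password_hash, :reset_digest, :reset_expires_at)

class PasswordResets
  TOKEN_TTL = 15 * 60 # seconds a reset token stays valid

  def initialize(users)
    @users = users.map { |u| [u.name, u] }.to_h
  end

  # Pattern to avoid: the account is taken straight from a request parameter.
  # Anyone who can reach the form can name any user, which is exactly the
  # 'xer' -> 'King' swap described above.
  def reset_by_name!(name, new_password)
    user = @users[name] or return false
    user.password_hash = hash_password(new_password)
    true
  end

  # Safer pattern, step 1: issue an unguessable token to the account that asked.
  # Only its digest is stored, so a leaked table does not contain live tokens.
  # The raw token would be sent to the address on file, never placed in a URL
  # the requester controls.
  def issue_token(name, now: Time.now)
    user = @users[name] or return nil
    token = SecureRandom.urlsafe_base64(32)
    user.reset_digest = Digest::SHA256.hexdigest(token)
    user.reset_expires_at = now + TOKEN_TTL
    token
  end

  # Safer pattern, step 2: the token alone decides whose password changes.
  # There is no name parameter to tamper with; expired or reused tokens fail.
  def reset_by_token!(token, new_password, now: Time.now)
    digest = Digest::SHA256.hexdigest(token.to_s)
    user = @users.values.find { |u| u.reset_digest && secure_compare(u.reset_digest, digest) }
    return false unless user
    return false if user.reset_expires_at.nil? || now > user.reset_expires_at
    user.password_hash = hash_password(new_password)
    user.reset_digest = nil        # single use
    user.reset_expires_at = nil
    true
  end

  def password_valid?(name, password)
    user = @users[name]
    return false unless user && user.password_hash
    secure_compare(user.password_hash, hash_password(password))
  end

  private

  # Placeholder hash for the example only; use bcrypt in a real application.
  def hash_password(pw)
    Digest::SHA256.hexdigest("example-static-salt:" + pw)
  end

  # Constant-time comparison so the token lookup does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed store with the two accounts named in the write-up.
def demo_store
  PasswordResets.new([
    User.new("King", "superadmin", nil, nil, nil),
    User.new("xer", "member", nil, nil, nil)
  ])
end

if __FILE__ == $PROGRAM_NAME
  store = demo_store
  puts "name-keyed reset of King succeeds for anyone: #{store.reset_by_name!('King', 'chosen-by-attacker')}"
  token = store.issue_token("xer")
  puts "guessed token accepted? #{store.reset_by_token!('not-the-token', 'x')}"
  puts "real token accepted?    #{store.reset_by_token!(token, 'new-pass')}"
  puts "token reusable?         #{store.reset_by_token!(token, 'again')}"
end
```

The essential property is that the identity of the account being reset is bound to a secret the server generated, not to anything the client can type into the URL; expiry and single use limit the damage if a token does leak.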
I’ve decided to park this VM for now, until my skills improve a little more and I’m able to fully compromise this box. Part 2 will be written and posted within the next few months, all being well.
Huge thanks to this box’s creator (link in Introduction) this is a really unique challenge which I’ve thoroughly enjoyed so far.