Innogen security

RECENT BLOG

Trollcave 1:2 Walkthrough Part 1

 
While looking for a hacking challenge, my first port of call for a CTF-style VM is VulnHub. The description of Trollcave 1:2 sounded very close to an OSCP-type lab machine, so I decided to give it a shot. Now that it is completed and root has been obtained, I can safely say this was a very close contender to an OSCP lab-style machine, and for anyone practising for the OSCP course I would advise giving this one a go, as it was an extremely enjoyable machine and a fantastic change from the SQLi/PHP shell injection routes.
 

Download Link:

 
https://www.vulnhub.com/entry/trollcave-12,230/

 

Initial Setup

 
Once downloaded, the VM was loaded into VirtualBox, as the write-up on VulnHub clearly stated the VM does not function with VMware. My attacking machine, which runs Kali, was running in VMware Fusion; to keep things simple and to easily grab the DHCP-assigned address, the VirtualBox NIC settings were set to use the VMware NIC as shown:

Once this was set up and running I was able to obtain the IP address via the OSX Terminal as follows:

cat /var/db/vmware/vmnet-dhcpd-vmnet8.leases

# All times in this file are in UTC (GMT), not your local timezone.   This is
# not a bug, so please don't ask about it.   There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature.   If this is inconvenient or confusing to you, we sincerely
# apologize.   Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.

lease 192.168.96.146 {
starts 3 2018/04/11 16:13:01;
ends 3 2018/04/11 16:43:01;
hardware ethernet 00:0c:29:a1:ec:a1;
client-hostname "kali";
}
lease 192.168.96.128 {
starts 3 2018/04/11 16:32:46;
ends 3 2018/04/11 17:02:46;
hardware ethernet 08:00:27:d0:d7:c5;
client-hostname "trollcave";
}
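As an added example (not code from the original post), a small Python parser for this leases file format that returns the most recent lease for a given client-hostname, so a VM's address can be looked up without reading the file by eye. The sample text is constructed in the same format as the output above, with one extra expired lease for the same host added to exercise the "most recent lease wins" logic.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the vmnet-dhcpd leases format shown above; the middle
# block is an older, expired lease for the same host and must lose to the
# later one when looking up the current address.
SAMPLE_LEASES = """\
# All times in this file are in UTC (GMT), not your local timezone.
lease 192.168.96.146 {
  starts 3 2018/04/11 16:13:01;
  ends 3 2018/04/11 16:43:01;
  hardware ethernet 00:0c:29:a1:ec:a1;
  client-hostname "kali";
}
lease 192.168.96.130 {
  starts 2 2018/04/10 09:00:00;
  ends 2 2018/04/10 09:30:00;
  hardware ethernet 08:00:27:d0:d7:c5;
  client-hostname "trollcave";
}
lease 192.168.96.128 {
  starts 3 2018/04/11 16:32:46;
  ends 3 2018/04/11 17:02:46;
  hardware ethernet 08:00:27:d0:d7:c5;
  client-hostname "trollcave";
}
"""

LEASE_RE = re.compile(r'^\s*lease\s+(\S+)\s*\{(.*?)^\s*\}', re.S | re.M)
FIELD_RE = re.compile(r'^\s*([\w-]+(?:\s+ethernet)?)\s+(.*?);\s*$', re.M)

def parse_leases(text):
    """One dict per lease block: ip, mac, hostname and the lease end time (UTC)."""
    leases = []
    for m in LEASE_RE.finditer(text):
        fields = {k: v.strip().strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        # 'ends' is "<weekday> YYYY/MM/DD HH:MM:SS"; drop the weekday number
        ends = datetime.strptime(fields['ends'].split(' ', 1)[1],
                                 '%Y/%m/%d %H:%M:%S').replace(tzinfo=timezone.utc)
        leases.append({'ip': m.group(1), 'mac': fields.get('hardware ethernet'),
                       'hostname': fields.get('client-hostname'), 'ends': ends})
    return leases

def current_ip(text, hostname):
    """IP of the most recent lease for hostname, or None if it never leased."""
    matches = [l for l in parse_leases(text) if l['hostname'] == hostname]
    return max(matches, key=lambda l: l['ends'])['ip'] if matches else None
```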

 

Nmap Scan

First port of call is of course the Nmap scan; as it's a local VM network I went straight in for a heavier scan, which returned the following open ports:

  • 22 – SSH
  • 80 – http

 

root@kali:~$ nmap -p- -v -sS -sC -sV -A -O  192.168.96.128

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-27 18:00 GMT
NSE: Loaded 146 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Initiating NSE at 18:00
Completed NSE at 18:00, 0.00s elapsed
Initiating ARP Ping Scan at 18:00
Scanning 192.168.96.128 [1 port]
Completed ARP Ping Scan at 18:00, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:00
Completed Parallel DNS resolution of 1 host. at 18:00, 0.04s elapsed
Initiating SYN Stealth Scan at 18:00
Scanning 192.168.96.128 [65535 ports]
Discovered open port 22/tcp on 192.168.96.128
Discovered open port 80/tcp on 192.168.96.128
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.61% done; ETC: 18:03 (0:02:32 remaining)
Stats: 0:00:39 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 27.30% done; ETC: 18:03 (0:01:44 remaining)
SYN Stealth Scan Timing: About 57.02% done; ETC: 18:02 (0:00:52 remaining)
Completed SYN Stealth Scan at 18:02, 104.30s elapsed (65535 total ports)
Initiating Service scan at 18:02
Scanning 2 services on 192.168.96.128
Completed Service scan at 18:02, 6.04s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 192.168.96.128
NSE: Script scanning 192.168.96.128.
Initiating NSE at 18:02
Completed NSE at 18:02, 0.47s elapsed
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Nmap scan report for 192.168.96.128
Host is up (0.00062s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4b:ab:d7:2e:58:74:aa:86:28:dd:98:77:2f:53:d9:73 (RSA)
|   256 57:5e:f4:77:b3:94:91:7e:9c:55:26:30:43:64:b1:72 (ECDSA)
|_  256 17:4d:7b:04:44:53:d1:51:d2:93:e9:50:e0:b2:20:4c (EdDSA)
80/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Trollcave
MAC Address: 08:00:27:D0:D7:C5 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8, Linux 3.16 - 4.6, Linux 3.2 - 4.8, Linux 4.4
Uptime guess: 0.005 days (since Tue Feb 27 17:55:46 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.62 ms 192.168.96.128

NSE: Script Post-scanning.
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Initiating NSE at 18:02
Completed NSE at 18:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.64 seconds
           Raw packets sent: 131186 (5.774MB) | Rcvd: 96 (4.542KB)

 

Add to Hosts and Check HTTP Landing page

To make things easier going forward, the sensible thing to do is edit the hosts file and then test the open port 80 to validate routing and grab that initial view of the website landing page:

/etc/hosts editing:

Main Landing page:

 

Excellent, now to run through the initial basic tests and checks (i.e. dirb, wpscan, etc.) in order to gain enough information about our target.

 

Basic Web scan results

Nikto Results:

root@kali:~$ nikto -C all -h trollcave.ctf
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.96.128
+ Target Hostname:    trollcave.ctf
+ Target Port:        80
+ Start Time:         2018-02-27 18:06:21 (GMT0)
---------------------------------------------------------------------------
+ Server: nginx/1.10.3 (Ubuntu)
+ Cookie _thirtytwo_session created without the httponly flag
+ Uncommon header 'x-request-id' found, with contents: e6dc0a24-558c-4f04-976e-9d8ce47f2144
+ Uncommon header 'x-runtime' found, with contents: 0.017726
+ OSVDB-3092: /login/: This might be interesting...
+ OSVDB-3093: /login.php3?reason=chpass2%20: This might be interesting... has been seen in web logs from an unknown scanner.
+ /login.asp: Admin login page/section found.
+ /login.html: Admin login page/section found.
+ /login.php: Admin login page/section found.
+ 26077 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2018-02-27 18:08:28 (GMT0) (127 seconds)

Nothing out of the ordinary turned up during the scan; the OSVDB-3093 entry was a red herring.

DIRB Results:

dirb http://trollcave.ctf

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue Feb 27 18:14:56 2018
URL_BASE: http://trollcave.ctf/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://trollcave.ctf/ ----
+ http://trollcave.ctf/404 (CODE:200|SIZE:1564)                                                                                                        
+ http://trollcave.ctf/500 (CODE:200|SIZE:1477)                                                                                                        
+ http://trollcave.ctf/admin (CODE:302|SIZE:92)                                                                                                        
+ http://trollcave.ctf/admin.cgi (CODE:302|SIZE:92)                                                                                                    
+ http://trollcave.ctf/admin.php (CODE:302|SIZE:92)                                                                                                    
+ http://trollcave.ctf/admin.pl (CODE:302|SIZE:92)                                                                                                     
+ http://trollcave.ctf/comments (CODE:302|SIZE:92)                                                                                                     
+ http://trollcave.ctf/favicon.ico (CODE:200|SIZE:0)                                                                                                   
+ http://trollcave.ctf/inbox (CODE:302|SIZE:92)                                                                                                        
+ http://trollcave.ctf/login (CODE:200|SIZE:2208)                                                                                                      
+ http://trollcave.ctf/register (CODE:302|SIZE:87)                                                                                                     
+ http://trollcave.ctf/reports (CODE:302|SIZE:92)                                                                                                      
+ http://trollcave.ctf/robots.txt (CODE:200|SIZE:202)                                                                                                  
+ http://trollcave.ctf/users (CODE:302|SIZE:92)                                                                                                        
                                                                                                                                                       
-----------------
END_TIME: Tue Feb 27 18:15:15 2018
DOWNLOADED: 4612 - FOUND: 14

Two useful items came out of the dirb scan: reports and users. Although these initially redirect to a login page, appending a number to the end produces a result.

Users

By iterating the numbers we are able to enumerate the user names on the system, as the link returns the posts made by that user ID.
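From the defender's side, this kind of ID walking shows up clearly in the web server's access log. The following is an added example, not part of the original walkthrough: Python detection logic that parses nginx combined-format lines (constructed sample data, not real traffic) and flags any client that requests many distinct numeric IDs under /users or /reports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines (combined format): one client walks
# /users/<id> sequentially, a second client makes a single normal request.
SAMPLE_LOG = """\
192.168.96.146 - - [27/Feb/2018:18:20:01 +0000] "GET /users/1 HTTP/1.1" 200 2210 "-" "curl/7.58.0"
192.168.96.146 - - [27/Feb/2018:18:20:01 +0000] "GET /users/2 HTTP/1.1" 200 2198 "-" "curl/7.58.0"
192.168.96.146 - - [27/Feb/2018:18:20:02 +0000] "GET /users/3 HTTP/1.1" 200 2205 "-" "curl/7.58.0"
192.168.96.146 - - [27/Feb/2018:18:20:02 +0000] "GET /users/4 HTTP/1.1" 200 2190 "-" "curl/7.58.0"
192.168.96.146 - - [27/Feb/2018:18:20:03 +0000] "GET /users/5 HTTP/1.1" 200 2201 "-" "curl/7.58.0"
192.168.96.146 - - [27/Feb/2018:18:20:03 +0000] "GET /users/6 HTTP/1.1" 404 1564 "-" "curl/7.58.0"
192.168.96.150 - - [27/Feb/2018:18:21:10 +0000] "GET /users/3 HTTP/1.1" 200 2205 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
ID_PATH_RE = re.compile(r'^/(users|reports)/(\d+)$')  # the id-keyed paths found by dirb

def parse_line(line):
    """(ip, datetime, method, path, status) from one combined-format line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'), method, path, int(status)

def find_enumeration(log_text, threshold=5, window_s=60):
    """Map ip -> [(resource, sorted ids)] for clients that fetched at least
    `threshold` distinct numeric ids under one resource within window_s seconds."""
    hits = defaultdict(lambda: defaultdict(list))  # ip -> resource -> [(when, id)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        pm = ID_PATH_RE.match(rec[3]) if rec else None
        if pm:
            hits[rec[0]][pm.group(1)].append((rec[1], int(pm.group(2))))
    alerts = {}
    for ip, by_res in hits.items():
        for res, events in by_res.items():
            events.sort()
            for i, (t0, _) in enumerate(events):  # window starting at each request
                ids = {eid for t, eid in events[i:] if (t - t0).total_seconds() <= window_s}
                if len(ids) >= threshold:
                    alerts.setdefault(ip, []).append((res, sorted(ids)))
                    break
    return alerts
```

Status codes are kept in the parsed record so the same logic can be tightened to count only 200 responses, or widened to alert on a burst of 404s from one client.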

Reports

This is a rabbit hole, or at least as far as I could tell. The reports page shows (from what I can tell) a misconfigured Ruby variable, returning an object ID; the content section is editable but seems to return plain text, and all attempts at JavaScript, SSI, SQLi and basic HTML failed, so after giving this 10 minutes I moved on:

The next part will explore the web application itself in search of flaws and misconfigurations; as we can see in the reports page there are already some issues with the Ruby coding, and it's likely more misconfigurations are yet to be found and hopefully exploited…
