Quaoar Virtual Machine - Walkthrough

“Quaoar” is a “Boot2Root” VM originally created for the Hackfest 2016 CTF. It aims to train your computer security skills. You just have to launch the Virtual Machine, and then find a way to get root ! This VM is in free access on Vulnhub.

We just ping the IP adress given by the VM to ensure everything is alright.

$ ping -c 3 192.168.56.101
PING 192.168.56.101 (192.168.56.101) 56(84) bytes of data.
64 bytes from 192.168.56.101: icmp_seq=1 ttl=64 time=0.275 ms
64 bytes from 192.168.56.101: icmp_seq=2 ttl=64 time=0.438 ms
64 bytes from 192.168.56.101: icmp_seq=3 ttl=64 time=0.265 ms

+++ 192.168.56.101 ping statistics +++
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.265/0.326/0.438/0.079 ms

And.. Let’s go!

Discovery

We first want to know what is running on the system and what we can access remotely, so, we start by scanning ports using Nmap.

$ sudo nmap -sS -O -sV -p- 192.168.56.101

Starting Nmap 7.31 ( https://nmap.org ) at 2017-04-10 12:23 CEST
Nmap scan report for 192.168.56.101
Host is up (0.00021s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
MAC Address: 08:00:27:BC:E9:82 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.15 seconds

Several open ports, let’s go deeper !

As long as there are often many possibilities concerning the web part, we will start our investigation on the HTTP service, running on the port 80. Let’s check what we have if we try to access the IP address on a browser.

quaoar_1.png

The nmap scan revealed we can access a robots.txt, let’s see how much information we can get!

quaoar_2.png

Hmm hmm.. It seems we have a wordpress running on that site! We use WPScan to check the wordpress version, possible vulnerabilites and enumerate users.

$ sudo wpscan --url http://192.168.56.101/wordpress --enumerate u
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.56.101/wordpress/
[+] Started: Mon Apr 10 12:53:49 2017

[!] The WordPress 'http://192.168.56.101/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.56.101/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.56.101/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.56.101/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 8 vulnerabilities identified from the version number

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
    Reference: https://wpvulndb.com/vulnerabilities/8716
    Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 3.9.15


...


[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    ++++-+++++++--+++++++--+
    | Id | Login  | Name   |
    ++++-+++++++--+++++++--+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    ++++-+++++++--+++++++--+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Mon Apr 10 12:53:54 2017
[+] Requests Done: 61
[+] Memory used: 17.465 MB
[+] Elapsed time: 00:00:05

Old version.. Many vulns found! We will see later if one of these can be exploited, but for now, the most interesting thing is that the default user “admin” is still used!

Getting a web access and a Shell

Let’s try the connect on the /wp-admin/ using the default credentials, admin/admin.

quaoar_3.png

It works! Not sure if this is great or sad.. Anyway! WPScan didn’t find any plugins, let’s see manually if some plugins are installed.

quaoar_4.png

“Mail Masta” version 1.0.. After a quick search on Big Brother, we find out that this plug-in contains several vulnerabilities, like SQL Injection or Local File Inclusion. We will try to exploit this LFI and try to get the /etc/passwd file.

quaoar_5.png

Ok, nice, now we have a list of users on the target system. Many users are quite common on servers like this, but the last one can be quite interesting. We have a “wpadmin” user. If we think the same way as before, the wordpress administrator used the default password for his website, so why would he change his password on the machine ?

We saw in the previous scan that SSH service available on the port 22. Let’s try to connect in SSH using the wpadmin user.. and “wpadmin” as password!

$ ssh wpadmin@192.168.56.101
wpadmin@192.168.56.101's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Apr 10 09:15:30 EDT 2017

  System load:  0.0               Processes:             99
  Usage of /:   35.4% of 7.21GB   Users logged in:       0
  Memory usage: 43%               IP address for eth0:   192.168.56.101
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Apr 10 08:02:43 2017 from 192.168.56.1
$ whoami
wpadmin
$

Once again, it works..!

We can grab the first flag 🙂

$ ls
flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e

Rooting time !

From now, we are connected to the target system and we can start to collect more information. What’s the OS ? What is running on the system ?

$ uname -a
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux

Kernel 3.2.0.. Pretty old, let’s look for an exploit on internet..

We found several possible exploits, including the famous Dirtyc0w. Unfortunately, gcc is not installed on the system. We tried to cross compile exploits and then upload them on the system using the “scp” command, but no one worked. We have to find another way, maybe easier.. ?

One simple thing we didn’t check at the beginning was the usual files used by WordPress. Indeed, we know that CMS like WordPress use configuration files (e.g wp-config.php for WordPress). So let’s navigate to WordPress installation folder.

$ ls
index.php    wp-activate.php     wp-comments-post.php  wp-content   wp-links-opml.php  wp-mail.php  wp-trackback.php
license.txt  wp-admin        wp-config.php         wp-cron.php  wp-load.php        wp-settings.php  xmlrpc.php
readme.html  wp-blog-header.php  wp-config-sample.php  wp-includes  wp-login.php       wp-signup.php
$

And then, we try to diplay the content of the wp-config.php file.

$ cat wp-config.php
<?php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information
 * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/** */
define('WP_HOME','/wordpress/');
define('WP_SITEURL','/wordpress/');

...

Ok, another interesting thing, the WordPress MySQL database credentials, root/rootpassword! The username is root.. Maybe we could try these credentials to log in as root on the system ? we would be very lucky if it works.. But it already worked 2 times, why not a 3rd time ? Let’s try this !

$ whoami
wpadmin
$ su root
Password:
root@Quaoar:/home/wpadmin## whoami
root
root@Quaoar:/home/wpadmin#

w00t ! It works !

Now, we have the second flag !

Conclusion - Last word

Even if this Boot2Root VM was not very hard to root, and even if the technical part was not that hard, Quaoar teaches us important things.. Mistakes usually done in the real world.. So please, DON’T USE DEFAULT PASSWORDS AND CHANGE IT! 😉

It can really give free access to bad people!

Hack The Box - Haystack