This shall be a record of my escapades into the world of ones and zeros.
wwrdpldnadmin | 17 March, 2017 14:05
This is my first publicly published pen test. I have been pen testing for about 3 years as a hobby and I enjoy it immensely. I realize that part of pen testing is the ability to write reports that can be handed over to the concerned parties receiving the pen test, so I have decided to begin practicing this art. I also decided to start with an easy one so that I could focus on the report and not the actual penetration of the machine.
I chose Quaoar for this purpose as it explicitly stated it was easy.
I launched the OVA in VMware Player and it presented me with instructions and the IP address, 192.168.255.137. The first thing I did was launch Zenmap... yes, Zenmap. I hear you groan. I like GUIs... bite me.
#nmap -T4 -A -v 192.168.255.137
Zenmap spit out the following information:
Discovered open port 110/tcp on 192.168.255.137
Discovered open port 139/tcp on 192.168.255.137
Discovered open port 22/tcp on 192.168.255.137
Discovered open port 995/tcp on 192.168.255.137
Discovered open port 53/tcp on 192.168.255.137
Discovered open port 445/tcp on 192.168.255.137
Discovered open port 143/tcp on 192.168.255.137
Discovered open port 80/tcp on 192.168.255.137
Discovered open port 993/tcp on 192.168.255.137
Since I already know this is supposed to be easy and I wanted to focus on the report, I decided to go straight to DirBuster without even opening a webpage.
I ran DirBuster and pointed it to http://192.168.255.137:80 and immediately found WordPress. Now anyone who has ever done anything with WordPress knows that it has always been plagued with vulnerabilities. Again, knowing this is supposed to be easy, I go straight to the login page and find the user/password is set to admin/admin.
A quick Google search shows a plethora of easy hacks for authenticated, admin-privileged WordPress control panels, namely editing template pages directly.
I navigate to the "twenty thirteen" template page and select the 404.php page. I delete all of the code and paste in
I save the page, navigate to it, and issue a cat against /etc/passwd.
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
colord:x:104:109:colord colour management daemon,,,:/var/lib/colord:/bin/false
avahi:x:106:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dovecot:x:109:120:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:110:65534:Dovecot login user,,,:/nonexistent:/bin/false
I see the only user other than root is wpadmin. I recall SSH was open on port 22. I think about brute-forcing wpadmin but I remember, once again, that this is supposed to be easy. So before brute-forcing it I ssh as wpadmin.
$ ssh email@example.com using wpadmin as the password.
Success! Wow this one really is easy.
The first flag was in the wpadmin home directory.
$ cat flag.txt
I moved to a bash prompt just to make things easier.
I verified wpadmin does not have sudo privileges, so I grab some info on the system.
wpadmin@Quaoar:/$ cat /etc/*release*
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
wpadmin@Quaoar:/$ cat /proc/version
Linux version 3.2.0-23-generic-pae (buildd@palmer) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu4) ) #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012
I tried a couple of privilege escalations but the wpadmin user's privileges were too low to execute them. I began searching through folders for anything useful. When I got to the www folder I found a folder called uploads. It had shown up in the DirBuster scan also, but I had put it in the back of my mind. I open the folder and I find the config.php file located there. The file has the connection string for the database and shows the connection credentials in clear text. The username/password is root/rootpassword! I start wondering about digging through the database, but then I realize... could this actually be the password for the root user?
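Two of the weaknesses that made this box fall (the theme editor reachable after an admin/admin login, and a clear-text root DB credential file sitting under the web-served uploads folder) are the kind of thing a small audit script can flag before a tester does. This is an added example and not the write-up's own code: the file layout, passwords and mode bits are constructed to mirror the box, and the `DISALLOW_FILE_EDIT` check assumes a standard wp-config.php.

```python
import os
import re
import stat
import tempfile

# Constructed sample tree mirroring the box: DB root creds in wp-config.php,
# a stray config.php under uploads, and a writable theme template.
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('DB_USER', 'root');\ndefine('DB_PASSWORD', 'rootpassword');\n",
    "wp-content/uploads/config.php": "<?php\n$dbuser = 'root';\n$dbpass = 'rootpassword';\n",
    "wp-content/themes/twentythirteen/404.php": "<?php\n// theme template, no secrets\n",
}
WEAK_PASSWORDS = {"admin", "password", "root", "rootpassword"}
# Matches either the WordPress define() form or a plain $dbpass assignment.
CRED_RE = re.compile(r"define\(\s*'DB_PASSWORD'\s*,\s*'([^']*)'|\$dbpass\s*=\s*'([^']*)'")

def build_sample_tree(root):
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, 0o644)  # world-readable, as a sloppy deploy leaves it

def audit_wordpress(root):
    """Walk a web root and return sorted (relative_path, finding) tuples."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path) as fh:
                body = fh.read()
            if name == "wp-config.php" and "DISALLOW_FILE_EDIT" not in body:
                findings.append((rel, "theme/plugin editor enabled (DISALLOW_FILE_EDIT unset)"))
            m = CRED_RE.search(body)
            if not m:
                continue
            password = m.group(1) or m.group(2)
            if "uploads" in rel.split(os.sep):
                findings.append((rel, "DB credentials stored in web-served uploads directory"))
            if os.stat(path).st_mode & stat.S_IROTH:
                findings.append((rel, "credential file is world-readable"))
            if password in WEAK_PASSWORDS:
                findings.append((rel, "weak DB password %r" % password))
    return sorted(findings)

def run_sample():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_wordpress(root)

if __name__ == "__main__":
    for rel, finding in run_sample():
        print("%s: %s" % (rel, finding))
```

Reusing the DB password as the system root password, the final step in the chain above, is not visible to a file audit; that needs a password policy and separate secrets per role.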
I ssh'd back into the box:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Thu Mar 16 13:25:52 EDT 2017
System load: 0.01 Processes: 106
Usage of /: 30.1% of 7.21GB Users logged in: 1
Memory usage: 38% IP address for eth0: 192.168.255.137
Swap usage: 0% IP address for virbr0: 192.168.122.1
Graph this data and manage this system at https://landscape.canonical.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
Success! Again, Wow, that was easy!
root@Quaoar:~# cat flag.txt
Now, there is supposed to be a third flag. I searched for various terms and came up wanting. I wouldn't think this third flag would be hard to find, given that everything else has been ridiculously easy. I look through a couple of walkthroughs from others and I see no one else is finding it either; actually, only a couple even mention it. I have sent an email asking for verification that there is a third flag. I have not received an answer as of this posting. I will update this if I receive confirmation that it exists, and again if I manage to find it.