Quaoar vulnhub challenge

Back again with another VulnHub challenge, the hackfest2016: Quaoar challenge, found here. This challenge is definitely on the easy side, with just three flags to get:

  1. Reverse shell into the server.
  2. Get root access.
  3. Get the root flag.

Simple enough, so let’s get to it.

Booting up the VM gives you the IP address of the box, so all we have to do is give it a scan with good old nmap.

# Nmap 7.40 scan initiated Fri Jun 16 20:08:35 2017 as: nmap -p- -A -sSVC -oN nmap-scan 192.168.1.37
Nmap scan report for 192.168.1.37
Host is up (0.00059s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
MAC Address: 08:00:27:AD:E4:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A bunch of ports are open, but the one we’re gonna focus on is port 80. Going to the site reveals just a couple of images, nothing special.

Now time for a nikto scan to see what it can find:

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.37
+ Target Hostname: 192.168.1.37
+ Target Port: 80
+ Start Time: 2017-06-16 20:14:13 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 00:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A WordPress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2017-06-16 20:14:38 (GMT-4) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Awesome, a WordPress install, let’s see what’s on the site. Navigating to the site shows a single post by the user admin.

Now let’s get onto the login page and try to get into that account.
Before we get into brute-forcing the login page, let’s try some weak passwords like password, password123, admin, etc. Well, what ya know, admin was the password; that was easy. So now that we are in, let’s take a look around and see if there is anything interesting.

Nope, nothing interesting, so let’s use the reverse shell by pentestmonkey to get a reverse shell into the server. Setting up netcat to receive the connection, and boom, I’m in.

So that’s flag one done. Looking around, the root folder is locked down, so to get into it I need the root account. Snooping around, I happened across the wpadmin folder and the flag.txt file.

Flag: 2bafe61f03117ac66a73c3c514de796e

Awesome, now on to the final two flags of the challenge. Trying various methods to get root got me nowhere. Then it hit me: this is a WordPress site with a database, so it needs a username and password to access that database. So on to the wp-config file. Catting the file reveals the root username and password.

username:root
password:rootpassword!
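This is the weakness that hands over the box: the database runs as root with a guessable password that is also the system root password, stored in a config file a web shell can read. The audit below is example code added to this writeup (not part of the original post or of WordPress) that flags those conditions in a wp-config.php; the sample config text is constructed, modelled on the credentials found above, and the file-mode check is an assumption about how the file is usually deployed.

```python
"""Audit a WordPress wp-config.php for the weaknesses seen on Quaoar.
Added example, not from the original writeup or WordPress itself."""
import os
import re
import stat

# Constructed sample, modelled on the values found on the box.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
"""

# Matches define('DB_XXX', 'value'); with single or double quotes.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_defines(text):
    """Return the DB_* constants defined in wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))


def audit_config(text, mode=None):
    """Return a list of findings for the config text and optional file mode."""
    cfg = parse_defines(text)
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root: use a dedicated, least-privilege database account")
    pw = cfg.get("DB_PASSWORD", "")
    # Short, or built on a word an attacker tries first (as on this box).
    if len(pw) < 12 or pw.lower().startswith(("root", "password", "admin")):
        findings.append("DB_PASSWORD is short or built on a guessable word; use a unique random value")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is group/world readable; restrict it to the web server user (e.g. 0400)")
    return findings


def audit_file(path):
    """Audit a real wp-config.php on disk, including its permissions."""
    with open(path) as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_WP_CONFIG, mode=0o644):
        print("-", finding)
```

Even with all three findings fixed, a database password must never double as a system account password; that reuse is what turned a web shell into root here.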

Now it’s time to spawn a proper shell with the following command and switch to the root user:

python -c "import pty;pty.spawn('/bin/sh');"

Now that we are the root user, let’s get the final flag, which is most likely in the root folder.

Flag: 8e3f9ec016e3598c5eec11fd3d73f6fb

That’s it for this challenge; overall very easy and great for those looking to get into pentesting. Thanks for reading and stay classy.

Moxley