"Quaoar" is a "Boot2Root" VM originally created for the Hackfest 2016 CTF. It aims to train your computer security skills. You just have to launch the virtual machine and then find a way to get root! This VM is freely available on Vulnhub.
We just ping the IP address given by the VM to make sure everything is working.
And.. Let's go!
We first want to know what is running on the system and what we can reach remotely, so we start by scanning ports with Nmap.
Several open ports; let's dig deeper into these 9 ports.
Since the web side usually offers the most possibilities, we will start our investigation with the HTTP service running on port 80. Let's check what we get if we open the IP address in a browser.
The Nmap scan revealed that a robots.txt is accessible; let's see how much information we can get from it!
Hmm hmm.. It seems we have a WordPress site running here! We use WPScan to check the WordPress version, look for possible vulnerabilities and enumerate users.
Old version.. Many vulns found! We will see later whether one of these can be exploited, but for now the most interesting finding is that the default user "admin" is still in use!
Getting web access and a Shell
Let's try to log in on /wp-admin/ using the default credentials, admin/admin.
It works! Not sure if this is great or sad.. Anyway! WPScan didn't find any plugins, so let's check manually whether any plugins are installed.
"Mail Masta" version 1.0.. After a quick search on Big Brother, we find out that this plugin contains several vulnerabilities, such as SQL injection and Local File Inclusion (LFI). We will try to exploit this LFI to read the /etc/passwd file.
Ok, nice, now we have the list of users on the target system. Most of them are the usual accounts found on servers like this, but the last one is quite interesting: a "wpadmin" user. If we follow the same reasoning as before, the WordPress administrator used the default password for his website, so why would he bother changing his password on the machine?
We saw in the previous scan that an SSH service is available on port 22. Let's try to connect over SSH as the wpadmin user.. with "wpadmin" as the password!
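The defender's counterpart to this step is knowing which accounts in /etc/passwd can actually log in, because those are the ones whose passwords must be audited for default or reused values. The script below is an added example, not part of the original write-up: it parses a passwd file, separates accounts with a real login shell from service accounts, and prioritises root plus non-system users (UID 1000 and above, the Debian/Ubuntu convention) for a password audit. The sample file content is constructed; only the "wpadmin" name comes from the write-up.

```python
"""Audit /etc/passwd for accounts that can actually log in (added example)."""
from dataclasses import dataclass

# Shells that deny interactive login; anything else counts as a login shell.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def can_login(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS

    @property
    def is_system(self) -> bool:
        # Debian/Ubuntu convention: UIDs below 1000 are system accounts.
        return self.uid < 1000


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd(5) lines: name:password:uid:gid:gecos:home:shell."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def login_accounts(text: str) -> list[str]:
    """Names of all accounts with a usable login shell, in file order."""
    return [a.name for a in parse_passwd(text) if a.can_login]


def audit_targets(text: str) -> list[str]:
    """Accounts to check first for default or reused passwords: root and non-system users."""
    return [a.name for a in parse_passwd(text)
            if a.can_login and (a.uid == 0 or not a.is_system)]


# Constructed sample; a real file would be read from /etc/passwd on the host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
wpadmin:x:1000:1000:wpadmin,,,:/home/wpadmin:/bin/bash
"""

if __name__ == "__main__":
    for acct in parse_passwd(SAMPLE_PASSWD):
        status = "LOGIN   " if acct.can_login else "no-login"
        print(f"{status} {acct.name:10} uid={acct.uid:<5} shell={acct.shell}")
    print("audit first:", audit_targets(SAMPLE_PASSWD))
```

Run it against the real file with `parse_passwd(open("/etc/passwd").read())`; any non-system account it lists that shares a name with a web-application user is exactly the kind of password-reuse candidate this write-up goes on to exploit.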
Once again, it works..!
We can grab the first flag 🙂
The Root way!
From now on, we are connected to the target system and can start collecting more information. What is the OS? What is running on the system?
Kernel 3.2.0.. Pretty old, let's look for an exploit on the internet..
We found several possible exploits, including the famous Dirtyc0w. Unfortunately, gcc is not installed on the system. We tried to cross-compile exploits and upload them to the system with the "scp" command, but none of them worked. We have to find another way, maybe an easier one..?
One simple thing we didn't check at the beginning was the usual files used by WordPress. Indeed, we know that CMSs like WordPress rely on configuration files (e.g. wp-config.php for WordPress). So let's navigate to the WordPress installation folder.
And then, we try to display the content of the wp-config.php file.
Ok, another interesting thing: the WordPress MySQL database credentials, root/rootpassword!
The username is root.. Maybe we could try these credentials to log in as root on the system?
We would be very lucky if it worked.. But it has already worked twice, so why not a third time?
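A wp-config.php like this one fails several basic checks at once: the database user is root, the password is a common default, and it embeds the username. The script below is an added example, not part of the original write-up or of WordPress itself: it parses the `define(...)` statements of a wp-config.php and reports these weaknesses, plus the "put your unique phrase here" placeholder that WordPress ships in wp-config-sample.php for its salts. The two sample configs are constructed; only the root/rootpassword pair comes from the write-up, and the 16-character minimum is an assumed local policy.

```python
"""Flag weak database credentials and default salts in a wp-config.php (added example)."""
import re

# Matches define('KEY', 'value') with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*(['"])([A-Z_]+)\1\s*,\s*(['"])(.*?)\3\s*\)""")

# Small constructed list of values that should never be a database password.
COMMON_DEFAULT_PASSWORDS = {"", "root", "toor", "password", "rootpassword", "admin", "wordpress"}
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER_SALT = "put your unique phrase here"   # shipped in wp-config-sample.php
MIN_PASSWORD_LEN = 16                               # assumed local policy


def parse_wp_defines(text: str) -> dict[str, str]:
    """Return {constant: value} for every define() with string arguments."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text: str) -> list[str]:
    """Return short finding codes; an empty list means nothing was flagged."""
    defines = parse_wp_defines(text)
    user = defines.get("DB_USER", "")
    password = defines.get("DB_PASSWORD", "")
    findings = []
    if user == "root":
        # WordPress should use a dedicated MySQL account limited to its own database.
        findings.append("db-user-root")
    if password.lower() in COMMON_DEFAULT_PASSWORDS:
        findings.append("db-password-default")
    if user and user.lower() in password.lower():
        findings.append("db-password-contains-user")
    if len(password) < MIN_PASSWORD_LEN:
        findings.append("db-password-short")
    for key in SALT_KEYS:
        if defines.get(key) == PLACEHOLDER_SALT:
            findings.append(f"salt-placeholder:{key}")
    return findings


# Constructed config resembling what the write-up found.
WEAK_CONFIG = """<?php
// ** MySQL settings ** //
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'rootpassword');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define("SECURE_AUTH_KEY",  "constructed-unique-value-for-this-example-2016");
$table_prefix = 'wp_';
"""

# Constructed config using a dedicated account and a long, non-default password.
HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'Nq7-constructed-not-a-real-secret-91LmZ');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'constructed-unique-value-for-this-example-2016');
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_wp_config(cfg) or "no findings")
```

The check that matters most here is `db-user-root`: even a strong password does not help much if the web application connects to MySQL as root, and the write-up shows what happens when that root password is also the system password.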
Let's try this!
w00t! It works!
Now we have the second flag!
Conclusion - One last word
Even if this Boot2Root VM was not very hard to root, and even if the technical part was not that difficult, Quaoar teaches us important things.. The kinds of mistakes commonly made in the real world.. So please, DON'T USE DEFAULT PASSWORDS, AND CHANGE THEM! 😉
They can really give bad people free access!