Exercise : Quaoar, Penetration Testing

Dear All,

Yes I am back to write some tutorial on penetration testing. This time I will make some detail on the walkthrough Quaoar box that is provided in vulnhub.com

As usual our journey will start with nmap tools that will scan the remote server to check the service available. The target server will be in

run nmap -sS -sV -O -vvv

I found that there are alot open service on this server as below

22/tcp open ssh syn-ack ttl 64 OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 64 ISC BIND 9.8.1-P1
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.22 ((Ubuntu))
110/tcp open pop3 syn-ack ttl 64 Dovecot pop3d
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
143/tcp open imap syn-ack ttl 64 Dovecot imapd
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
993/tcp open ssl/imaps? syn-ack ttl 64
995/tcp open ssl/pop3s? syn-ack ttl 64
MAC Address: 00:0C:29:08:8C:65 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 – 3.5

As show above, I find the most interesting target is the port 80 and 22. This should be remeber which often give us an easy access to the system. 🙂

As the begining let get some more detailed information about the services and start checking the searchploit db.

  1. Port 22  is SSH server which running version OpenSSH 5.9p1 on ubuntu server with kernel 2.6.32 – 3.5. Possible vulnerability is OpenSSH 2.3 < 7.7 – Username Enumeration
  2. port 53  is DNS server that is running ISC BIND 9.8.1-P1 where the possible vulnerability is https://securityintelligence.com/subverting-binds-srtt-algorithm-derandomizing-ns-selection/
  3. Port 110,993,995 and 143 is Dovecot email manager https://www.dovecot.org/ and potential vulnerability are
    Dovecot 1.1.x – Invalid Message Address Parsing Denial of Service | exploits/linux/dos/32551.txt
    Dovecot IMAP 1.0.10 < 1.1rc2 – Remote Email Disclosure | exploits/multiple/remote/5257.py
    Dovecot with Exim – ‘sender_address’ Remote Command Execution | exploits/linux/remote/25297.txt
  4. Port 139 and 445 is Samba 3X or 4X. Samba is a very large implementation, We need to enumerate this service using enum4linux such as belowI found username on the server :
    |    Users on    |
    index: 0x1 RID: 0x1f5 acb: 0x00000010 Account: nobody Name: nobody Desc: 
    index: 0x2 RID: 0x3e8 acb: 0x00000010 Account: viper Name: viper Desc: 
    index: 0x3 RID: 0x3ea acb: 0x00000010 Account: wpadmin Name: Desc: 
    index: 0x4 RID: 0x3e9 acb: 0x00000010 Account: root Name: root Desc:
  5. Port 80 is Apache Httpd running on ubuntu. We can enumerate this using gobuster or burpsuite.
    gobuster -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 2 -qoutput:
    /index (Status: 200)
    /upload (Status: 301)
    /wordpress (Status: 301)
    /hacking (Status: 200)
    /robots (Status: 200)
    /INSTALL (Status: 200)
    /LICENSE (Status: 200)
    /COPYING (Status: 200)
    /CHANGELOG (Status: 200)
    /server-status (Status: 403)

Based on the above enumeration I can see that the best way to start the attack is to check the port 80 because we can see it has wordpress and for sure we have some user name that we got from enumerating the samba. Let get started ..

I will post my next tutorial but to make it a bit harder, I will put the target server behind the F5 Web Application Firewall which will do the necessary intruder detection.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s