Thursday, April 6, 2017

hackfest2016: Quaoar

Host: MAC OSX
VMware Fusion
Attacker: Kali Linux
Network: Host-Only
Target IP: 172.16.136.130

This walk-through will be a little different from my previous posts, mainly the lack of images. I am transitioning to a new host computer and I went through this VM before setting up a good way to do screenshots. Oh well...


This VM is the first of a series of three that gets harder as you move on. The difficulty listed on vulnhub is very easy. When you start the VM it tells you that the VM is located at 172.16.136.130.

To start I ran a basic port scan utilizing the command "nmap -sV -A 172.16.136.130". This gave me quite a few results, but what I was most interested in was that port 80 was open and nmap told me that there were sites excluded in the robots.txt file. Time to head there and figure out what's going on.

Browsing to 172.16.136.130 I am greeted with a basic landing page that has a link to an image. Not much to see here... let's look at robots.txt. In that file we can see that /wordpress/ is listed. Oh... and Hackers are disallowed... funny. Looks like we will be exploiting a WordPress site for shell access.

Browsing around /wordpress/ there isn't much here. I can see that Admin created the posts, so that is a login. I wonder how easy this really is...

Yep, admin:admin lets you into the admin panel of the WordPress site. My first thought was to upload a PHP reverse shell as media or as a new page, but I couldn't find a way to make that work. I thought about editing the plugins that were running PHP to run a reverse shell, but decided to Metasploit it for added practice of that tool.

Since I have the admin credentials, I can use the module exploit/unix/webapp/wp_admin_shell_upload. I set all my options and typed exploit. I now had meterpreter shell access into the system. This allowed me to start browsing around the directories. I quickly found the first flag in /home/wpadmin.

Flag1: 2bafe61f03117ac66a73c3c514de796e

Seeing that there was a wpadmin user I got curious and tried to SSH to the box using wpadmin:wpadmin to see if the admin had made the same mistake twice. Sure enough it let me in with a /bin/sh shell. I like to utilize /bin/bash so I ran the following Python one-liner to change my shell.

python -c 'import pty; pty.spawn("/bin/bash")'

I started browsing around the file system again looking for a way to become root. Knowing that in the past I've had luck with cron jobs being run as root I looked in the /etc/cron.d directory and found a file named php5. Inside of this file was not a way to root like I had hoped, but instead flag 3!!!

Flag 3: d46795f84148fd338603d0d6a9dbf8de
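The reason /etc/cron.d is worth a look during privilege escalation (and worth auditing as a defender) is that a job running as root whose script a low-privilege user can modify hands that user root. The script below is an added example, not part of the original post or of the Quaoar VM: it parses system-crontab-format files, keeps only the jobs that run as root, and reports every referenced script that is missing, group/world-writable, or owned by a uid other than the trusted one. The cron.d directory, the scripts and the file modes are all constructed in a temp directory; the trusted_uid parameter is an assumption so the demo can run without root (on a real host you would leave it at 0 and point it at /etc/cron.d).

```python
"""Audit a cron.d directory for root jobs whose scripts others can modify."""
import os
import re
import stat
import tempfile

# System crontab line: five time fields (or @reboot/@daily/...), user, command.
CRON_LINE = re.compile(
    r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$"
)


def parse_cron_file(path):
    """Yield (user, command) for every job line in one cron.d file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            # Skip blanks, comments and VAR=value assignments such as MAILTO=root.
            if not line or line.startswith("#") or "=" in line.split()[0]:
                continue
            m = CRON_LINE.match(line)
            if m:
                yield m.group("user"), m.group("cmd")


def referenced_paths(command):
    """Absolute paths mentioned in a cron command (the scripts it will run)."""
    return sorted({tok.rstrip(";") for tok in command.split() if tok.startswith("/")})


def audit_cron_dir(cron_dir, trusted_uid=0):
    """Return (cron file, script path, problem) for every risky root job.

    trusted_uid is the only uid allowed to own a script that runs as root.
    It is 0 on a real host; the demo passes the current uid (assumption)
    because it cannot create root-owned files.
    """
    findings = []
    for name in sorted(os.listdir(cron_dir)):
        for user, cmd in parse_cron_file(os.path.join(cron_dir, name)):
            if user != "root":
                continue
            for script in referenced_paths(cmd):
                try:
                    st = os.stat(script)
                except FileNotFoundError:
                    findings.append((name, script, "target path does not exist"))
                    continue
                problems = []
                if st.st_uid != trusted_uid:
                    problems.append("owned by uid %d" % st.st_uid)
                if st.st_mode & stat.S_IWOTH:
                    problems.append("world-writable")
                elif st.st_mode & stat.S_IWGRP:
                    problems.append("group-writable")
                if problems:
                    findings.append((name, script, ", ".join(problems)))
    return findings


def demo():
    """Build a constructed cron.d tree in a temp dir and audit it."""
    root = tempfile.mkdtemp()
    cron_dir = os.path.join(root, "cron.d")
    scripts = os.path.join(root, "scripts")
    os.makedirs(cron_dir)
    os.makedirs(scripts)
    safe = os.path.join(scripts, "maxlifetime")
    loose = os.path.join(scripts, "backup.sh")
    for p in (safe, loose):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)  # the misconfiguration the audit should catch
    with open(os.path.join(cron_dir, "php5"), "w") as fh:
        fh.write("# constructed sample: PHP session cleanup job\n"
                 "09,39 * * * * root [ -x %s ] && %s\n" % (safe, safe))
    with open(os.path.join(cron_dir, "backup"), "w") as fh:
        fh.write("MAILTO=root\n@daily root %s --quiet\n" % loose)
    with open(os.path.join(cron_dir, "report"), "w") as fh:
        fh.write("0 6 * * * www-data %s\n" % loose)  # not root, so not flagged
    return audit_cron_dir(cron_dir, trusted_uid=os.getuid())


if __name__ == "__main__":
    for cron_file, script, problem in demo():
        print("%s: %s (%s)" % (cron_file, script, problem))
```

Only the root job pointing at the world-writable backup.sh is reported; the same script scheduled as www-data is ignored, because the question the audit answers is specifically "which files can a non-root user change that root will later execute".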

I continued looking and eventually found an upload directory in "/var/www". Inside of that directory there was a config.php file that had MySQL credentials listed in it. root:rootpassword!

I ran "su root" and gave it the password I found and sure enough it worked!! I quickly navigated to /root/flag.txt to get the second flag.

Flag 2: 8e3f9ec016e3598c5eec11fd3d73f6fb
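The root of this box was a config file in the web root holding a plaintext database password that a low-privilege shell user could read, and that password was reused for the system root account. The script below is an added example (not from the post or the VM) of the defender-side check for the first half of that: it walks a web root, picks out common config file names, matches the usual PHP and .env password literals, and reports each one with its file mode and whether "other" can read it, printing only a masked form of the secret. The web root, file contents and passwords are constructed in a temp directory; the file-name and credential patterns are assumptions that cover WordPress-style define() calls and $var assignments.

```python
"""Report plaintext credentials in web-root config files and who can read them."""
import os
import re
import stat
import tempfile

# File names worth inspecting (assumed list; extend for other applications).
CONFIG_NAMES = re.compile(
    r"^(wp-config\.php|config(\.inc)?\.php|settings\.php|\.env)$", re.I
)
# Common ways PHP apps and .env files embed a password literal.
CRED_PATTERNS = [
    # define('DB_PASSWORD', 'secret');
    re.compile(r"""define\(\s*['"](?P<key>[A-Z_]*PASS(WORD)?[A-Z_]*)['"]\s*,\s*['"](?P<val>[^'"]*)['"]"""),
    # $dbpass = 'secret';
    re.compile(r"""\$(?P<key>\w*pass(word)?\w*)\s*=\s*['"](?P<val>[^'"]*)['"]""", re.I),
    # DB_PASSWORD=secret  (.env style, one per line)
    re.compile(r"""^(?P<key>\w*PASS(WORD)?\w*)\s*=\s*['"]?(?P<val>[^'"\n]*)""", re.I | re.M),
]


def mask(secret):
    """Keep just enough to recognise the value in a report without printing it."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def find_credentials(text):
    """Yield (key, value) for every password literal matched in a config file."""
    for pat in CRED_PATTERNS:
        for m in pat.finditer(text):
            if m.group("val"):
                yield m.group("key"), m.group("val")


def scan_webroot(webroot):
    """Return one finding per credential: relative path, key, masked value, mode."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if not CONFIG_NAMES.match(fname):
                continue
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for key, value in find_credentials(text):
                findings.append({
                    "path": os.path.relpath(path, webroot),
                    "key": key,
                    "value": mask(value),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    # True means any local account (e.g. a wpadmin shell) can read it.
                    "other_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda f: (f["path"], f["key"]))


def demo():
    """Constructed web root with two config files; not the VM's real files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wordpress"))
    os.makedirs(os.path.join(root, "upload"))
    wp = os.path.join(root, "wordpress", "wp-config.php")
    up = os.path.join(root, "upload", "config.php")
    with open(wp, "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'wordpress');\n"
                 "define('DB_PASSWORD', 'constructed-db-pass');\n")
    with open(up, "w") as fh:
        fh.write("<?php\n$dbuser = 'root';\n$dbpass = 'constructed-mysql-pass';\n")
    os.chmod(wp, 0o640)  # owner and group only
    os.chmod(up, 0o644)  # any local shell user can read it
    return scan_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print("%(path)s %(mode)s other_readable=%(other_readable)s %(key)s=%(value)s" % f)
```

The upload/config.php finding is the one that matters on this box: mode 0644 means the wpadmin shell could read it, and the fix is a mode of 0640 owned by root with the web server's group, plus never sharing the database password with a system account.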

With all three flags found that closes out this challenge. Hopefully I'll find time to challenge myself with the others in this series.
