Thursday, March 16, 2017

[VulnHub] hackfest2016: Quaoar

An nmap script scan of port 80 shows robots.txt is present. While there were other ports open, the details of the VM strongly suggested a web application is the correct rabbit hole so I decided to investigate that first.


I navigate to it in my browser and find a wordpress installation present.


I immediately go to the admin login and get through with "admin/admin" credentials. The description did say this was a very easy VM after all.


After logging in I navigated to "plugins > editor" and selected the "Mail Masta" plugin (since it was already active) and added a php reverse shell to one of the files. Simply clicking "update" gave me a shell.


I immediately noticed a "wpadmin" user in the /etc/passwd/ file and found the password to be "wpadmin" so I decided to ssh to that user for a more stable shell and I found the first flag.


Going through a file in the "/upload/" directory of the web root, I found a "config.php" file containing root credentials for the MySQL server.


Going along with the "very easy" theme, I tried logging into root with these credentials and was successful!


According to the VM description on VulnHub there is a post exploitation flag on the VM, however I have not been able to find it. I went through the MySQL database and searched through the file system for anything resembling a flag and had no luck. Other than that, this was a very easy VM that was still somewhat satisfying in a weird way. I will be sure to make time for the other two, more difficult hackfest VMs.