Thursday, March 16, 2017

[VulnHub] hackfest2016: Quaoar

An nmap script scan of port 80 shows robots.txt is present. While there were other ports open, the details of the VM strongly suggested a web application is the correct rabbit hole, so I decided to investigate that first.

I navigate to it in my browser and find a WordPress installation present.

I immediately go to the admin login and get through with "admin/admin" credentials. The description did say this was a very easy VM after all.

After logging in, I navigated to "plugins > editor" and selected the "Mail Masta" plugin (since it was already active) and added a PHP reverse shell to one of the files. Simply clicking "update" gave me a shell.

I immediately noticed a "wpadmin" user in the /etc/passwd file and found the password to be "wpadmin", so I decided to SSH in as that user for a more stable shell, and I found the first flag.
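From the defender's side, the admin login followed by a save in the plugin editor leaves a recognizable pair of requests in the web server access log. The following is an added example, not part of the original write-up: it assumes Apache combined-format logs and the older WordPress behaviour in which the editor saves by POSTing to plugin-editor.php or theme-editor.php; the log lines, IP addresses and paths are constructed.

```python
import re

# Constructed Apache combined-format lines (not taken from the VM).
SAMPLE_LOG = """\
192.0.2.10 - - [16/Mar/2017:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 200 271 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Mar/2017:10:02:11 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Mar/2017:10:03:40 +0000] "GET /wordpress/wp-admin/plugin-editor.php?file=example-plugin/example.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Mar/2017:10:04:05 +0000] "POST /wordpress/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2017:10:05:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2017:10:06:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoints that write PHP files from the admin UI (assumed pre-AJAX editor).
EDITOR_SUFFIXES = ("/wp-admin/plugin-editor.php", "/wp-admin/theme-editor.php")


def find_editor_writes(log_text):
    """Return (ip, last_login_ts, write_ts, path) for every editor POST.

    last_login_ts is the most recent successful login (POST to wp-login.php
    answered with a 302 redirect) seen from the same IP, or None.
    """
    last_login = {}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path.endswith("/wp-login.php") and m["status"] == "302":
            # A failed login re-renders the form with 200; 302 means success.
            last_login[m["ip"]] = m["ts"]
        elif path.endswith(EDITOR_SUFFIXES):
            findings.append((m["ip"], last_login.get(m["ip"]), m["ts"], path))
    return findings


if __name__ == "__main__":
    for ip, login_ts, write_ts, path in find_editor_writes(SAMPLE_LOG):
        print(f"{ip}: login {login_ts} -> editor write {write_ts} via {path}")
```

Setting `define('DISALLOW_FILE_EDIT', true);` in wp-config.php disables the built-in plugin and theme editors, so on a hardened site any request to these endpoints is worth investigating.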

Going through a file in the "/upload/" directory of the web root, I found a "config.php" file containing root credentials for the MySQL server.

Going along with the "very easy" theme, I tried logging into root with these credentials and was successful!

According to the VM description on VulnHub, there is a post-exploitation flag on the VM; however, I have not been able to find it. I went through the MySQL database and searched through the file system for anything resembling a flag and had no luck. Other than that, this was a very easy VM that was still somewhat satisfying in a weird way. I will be sure to make time for the other two, more difficult hackfest VMs.