[CTF] hackfest2016: Quaoar


CTF: Quaoar
Difficulty Rating: Easy (Beginner)


Hello guys! This is going to be one of the first proper write-ups that I have done in a long time. Leave any feedback down in the comments! Today, we will be taking on Quaoar. It's one of a series of CTFs from hackfest2016.


Let's begin!

The creator is nice and gives you the machine's IP address straight away:


Here are the results from running a simple nmap scan:


The landing page of the web server:


Judging by the services running, we could have many different attack vectors. The creator mentioned the use of tools such as dirbuster, wpscan and other web application tools to pwn the machine, so I decided to continue down that path.

These are the results of a crawl with Uniscan:


We see that WordPress is running on this website. I navigated to the login page and tried the default admin login (admin/admin); unsurprisingly, it worked. This is an easy machine. Most people would start by enumerating users with WPScan, which gives you this result:
wpscan -u http://ip.goes.here/wordpress/ --enumerate u


Seeing the default users still in place gives me reasonable suspicion that nothing has been configured. I now have admin access to WordPress. From here, there are many different ways to continue and gain control of the machine. I chose the easy route and looked through Metasploit for something useful, and came across a module called wp_admin_shell_upload.
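As an added example that is not part of the original write-up, here is detection logic a defender could run over web-server access logs to spot the user enumeration and login guessing discussed above. The log lines are constructed, the `?author=N` and `wp-json/wp/v2/users` request patterns are assumed from how WPScan enumerates users, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict
# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Request patterns WPScan's user enumeration relies on (assumption, not from the write-up):
# ?author=N probes that redirect to the author page, and the REST users route.
AUTHOR_PROBE = re.compile(r'[?&]author=\d+')
REST_USERS = "/wp-json/wp/v2/users"

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_wp_enumeration(lines, author_threshold=5, login_threshold=5):
    """Return {client_ip: [findings]} for clients whose requests look like user enumeration or login guessing."""
    author_hits, rest_hits, login_posts = defaultdict(int), defaultdict(int), defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        ip, path = rec["ip"], rec["path"]
        if AUTHOR_PROBE.search(path):
            author_hits[ip] += 1
        if REST_USERS in path:
            rest_hits[ip] += 1
        if rec["method"] == "POST" and path.split("?")[0].endswith("wp-login.php"):
            login_posts[ip] += 1
    findings = defaultdict(list)
    for ip, n in author_hits.items():
        if n >= author_threshold:
            findings[ip].append(f"author-id enumeration ({n} ?author= probes)")
    for ip, n in rest_hits.items():  # any external hit on the users route is worth a look
        findings[ip].append(f"REST user listing ({n} requests to {REST_USERS})")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"login guessing ({n} POSTs to wp-login.php)")
    return dict(findings)

# Constructed sample log: one ordinary visitor (10.0.0.5) and one scanning client (10.0.0.9).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2017:12:00:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    *[f'10.0.0.9 - - [10/Mar/2017:12:01:0{i} +0000] "GET /wordpress/?author={i} HTTP/1.1" 301 0 "-" "WPScan sample-UA"'
      for i in range(1, 7)],
    '10.0.0.9 - - [10/Mar/2017:12:02:00 +0000] "GET /wordpress/wp-json/wp/v2/users/ HTTP/1.1" 200 480 "-" "WPScan sample-UA"',
    '10.0.0.9 - - [10/Mar/2017:12:03:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3200 "-" "WPScan sample-UA"',
]

if __name__ == "__main__":
    print(detect_wp_enumeration(SAMPLE_LOG))
```

On the sample input the ordinary visitor is not reported, while the scanning client is flagged for six author-id probes and one request to the REST users route; its single login POST stays below the threshold.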


To quickly sum up the exploit: it automatically uploads a PHP reverse shell and spawns a Meterpreter session. You could do this manually, but like I said, easy route. After the exploit finished running, I did some snooping around and found wp-config.php. Looking through it, I spotted some things that look very familiar:


I tried to SSH into the machine using these credentials (root/rootpassword!) and I was in. We now have full root access to the machine. The flag can be found in the same directory.




Conclusion

This was an easy but fun machine to take over. I wasn't timing myself, but I don't think it took me more than an hour to complete. It is definitely beginner friendly, and the core principles of recon, exploitation and privilege escalation are all there. I would definitely recommend it to new people looking to learn.
