So since I’ve got a little time off from work, I figured it would be a good time to do a CTF/Boot2Root. This one, “Quaoar“, is the 1st in a series by Viper called “Hackfest2016”. I’ll dig through the other two probably later this week.
First things first let’s get this thing fired up. I downloaded the .ova and opened it in VMware.
It appears to have a static IP, so that at least saves me the hassle of having to scan around to find it. I did a quick ping to make sure it was alive, and after a good response I kicked off a quick Nmap scan to see what I’m working with.
Looks like I’ve got an OpenSSH server, DNS, an Apache server, a mail server on a few different ports, Samba, and it’s probably running Linux. Great! Plenty of info to get me going.
Whenever I see web servers I always like to start there. So I hop on over through my browser and am greeted with the following images:
Really nothing of note here, although I enjoyed the joke ;). A quick look at the HTML doesn’t reveal anything I care about either.
So next I’ll always check out the robots.txt file and see if there’s anything interesting…
Nice! I can see it’s probably running WordPress. After a bit of browsing I land on /wp-login/ where I’m prompted with a login screen. I spray it with the usual horribly insecure username/password combos and get a bite with “admin:admin“. We’re in!
I’ve got admin access to the website now, but I want more than that. Typically here I’d use MSFVENOM to create a reverse tcp PHP file and upload that as a plugin. But, I’m a lazy hacker and I found an awesome tool recently that does all the work for me! A guy by the name of “n00py” has an awesome toolset out on GitHub called “WPForce”; part of that toolset is a python script called “Yertle” that makes the process of getting a shell a whole lot faster. I grabbed his script, loaded it up, and in seconds had my shell to the box.
I always tell people “one is none and two is one”, so now I’ve got my second way to get at this machine. Once I drop into the shell I look around and take stock of who I am and where I’m at.
Looking through what’s available to me, that WordPress directory looked interesting. So I drop in and take a look.
After digging around a bit in here I finally started going through “wp-config.php“, where I started to find some interesting things. Inside that file I find that there’s credentials for a MySQL database.
Seeing as password security hasn’t been this box’s strong suit I decided to open another terminal and see if these might be the root users credentials as well…
Winner winner!! Again I do some basic checks to see what’s around me and voila, flag.txt is sitting right there. After a quick search for any more files, I was able to find the 2nd flag in /home/wpadmin.
All in all it was a fun box to break. The common theme of weak passwords definitely does mirror real life scenarios since there are plenty of admins out there that practice terrible password security. I’m excited to check out the next box in the series and see how Viper ups the difficulty!
Until next time….