Quaoar

Onto the second VM for the night: Quaoar.  With a difficulty of “Easy”, this should hopefully be a piece of cake.

 

When booting the VM for the first time, we were given the VM’s IP address (192.168.110.130), so let’s start with a comprehensive nmap scan to find any interesting ports open:

 

HTTP is up, SMB is another interesting one, a few imap/pop3 services, and ssh.  Trying an SMB null session got nowhere, so let’s continue to http.

 

We’re greeted with a “start” page:

 

Clicking takes us to a “hack the planet” jpg:

 

Running exiftool and steghide on these doesn’t provide anything useful.  Let’s move onto wfuzz:

 

We’ve got a couple interesting entries here.  Starting with upload, we’re taken to a site running the LEPTON CMS.  All of the vulnerabilities found are for authenticated users.  So it’s a dead end.  Moving onto the next potentially low hanging fruit, WordPress.

I try to make a cewl password list based on that wikipedia link, but cewl isn’t cooperating, so I move onto wpscan to enumerate users:

 

Default admin account is still enabled, and attempting to log in with admin:admin works!  Awesome, so we have a way to get shell.  I have a particular fondness of the web_delivery metasploit module, so that’s what we’re going to use here:

 

Now we’re going to add a part of that command to the header.php file in the appearance editor in WordPress:

 

Next, navigate to the main wordpress page and catch a shell in metasploit:

 

Now that we’re in, I grab the contents of the wp-config.php file for those sweet sweet mysql creds:

 

Now that we’ve got those, I figure I might as well try to “su” into the root account with what we’ve got:

 

Nice!  We’ve got root and subsequently, the flag.  Another flag can be found in /home/wpadmin/flag.txt.  I would say the difficulty rating of this VM was perfectly estimated.

Until next time.