Onto the second VM for the night: Quaoar.  With a difficulty of “Easy”, this should hopefully be a piece of cake.


When booting the VM for the first time, we were given the VM’s IP address (, so let’s start with a comprehensive nmap scan to find any interesting ports open:


HTTP is up, SMB is another interesting one, a few imap/pop3 services, and ssh.  Trying an SMB null session got nowhere, so let’s continue to http.


We’re greeted with a “start” page:


Clicking takes us to a “hack the planet” jpg:


Running exiftool and steghide on these doesn’t provide anything useful.  Let’s move onto wfuzz:


We’ve got a couple interesting entries here.  Starting with upload, we’re taken to a site running the LEPTON CMS.  All of the vulnerabilities found are for authenticated users.  So it’s a dead end.  Moving onto the next potentially low hanging fruit, WordPress.

I try to make a cewl password list based on that wikipedia link, but cewl isn’t cooperating, so I move onto wpscan to enumerate users:


Default admin account is still enabled, and attempting to log in with admin:admin works!  Awesome, so we have a way to get shell.  I have a particular fondness of the web_delivery metasploit module, so that’s what we’re going to use here:


Now we’re going to add a part of that command to the header.php file in the appearance editor in WordPress:


Next, navigate to the main wordpress page and catch a shell in metasploit:


Now that we’re in, I grab the contents of the wp-config.php file for those sweet sweet mysql creds:


Now that we’ve got those, I figure I might as well try to “su” into the root account with what we’ve got:


Nice!  We’ve got root and subsequently, the flag.  Another flag can be found in /home/wpadmin/flag.txt.  I would say the difficulty rating of this VM was perfectly estimated.

Until next time.