Hackerfest Quaoar CTF Walkthrough

March 31, 2017 by Warlock

Quaoar is the first and easiest CTF from Hackerfest. We hosted the VM in VirtualBox and ran nmap against its IP address.

As the scan results show, nmap found a few open ports. We started investigating from port 80, where an HTTP service is running. After opening the IP in the browser, we found a static web page.

We ran DirBuster to find internal directories and files.

DirBuster detected an upload directory, so we opened it in the browser and found that it is built on Lepton CMS. After spending some time on enumeration, we did not find any vulnerability in Lepton CMS. So we checked the robots.txt file and found another directory, which was marked as allowed.

We opened the directory and found a web application running on it.

We ran the WPScan tool against the CMS to enumerate vulnerable plugins, themes, and usernames.

It can be seen that the default admin user is still enabled on the application. We tried to log in as admin using the password admin, and we successfully logged in to the application.

Now, to upload a shell, we can simply use the Metasploit module named exploit/unix/webapp/wp_admin_shell_upload.

After running the exploit module, we successfully got a meterpreter session. By executing the shell command, we started browsing all directories for the flag. We found our first flag inside the /home/wpadmin directory.

One more interesting find was the config.php file in the /var/www/upload directory, which revealed the root password for the database.

Using the same database credential, we tried to log in as root via SSH, and the login succeeded.

We browsed the root directory and found our final flag.
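
From the defender's side, the chain above (admin login, shell upload, then a root SSH login with a reused password) leaves traces in both the web access log and the SSH auth log. The following Python script is an added example, not part of the original walkthrough: it flags a root password login over SSH that follows a WordPress plugin-upload request from the same address. The log lines, the /cms/ path, the host name and the IP addresses are constructed, and it is assumed that the shell upload appears as a plugin-upload POST and that both logs use the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the VM); IPs are documentation addresses.
# Assumption: web log and auth log are written in the same time zone.
WEB_LOG = """\
192.0.2.10 - - [31/Mar/2017:10:01:12 +0000] "POST /cms/wp-login.php HTTP/1.1" 302 -
192.0.2.10 - - [31/Mar/2017:10:02:40 +0000] "POST /cms/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
198.51.100.7 - - [31/Mar/2017:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 612
"""
AUTH_LOG = """\
Mar 31 10:09:55 quaoar sshd[2211]: Accepted password for root from 192.0.2.10 port 50022 ssh2
Mar 31 11:30:01 quaoar sshd[2390]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
"""
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+)')
SSH_RE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Accepted password for root from (\S+)')

def plugin_uploads(web_log):
    """Return {source_ip: [timestamps]} for WordPress plugin-upload POSTs."""
    hits = {}
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m and "update.php?action=upload-plugin" in m.group(3):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            hits.setdefault(m.group(1), []).append(ts.replace(tzinfo=None))
    return hits

def root_password_logins(auth_log, year):
    """Return [(source_ip, timestamp)] for root logins that used a password."""
    logins = []
    for line in auth_log.splitlines():
        m = SSH_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            logins.append((m.group(2), ts))
    return logins

def correlate(web_log, auth_log, year=2017, window_minutes=60):
    """Flag root SSH password logins within the window after a plugin upload."""
    uploads, alerts = plugin_uploads(web_log), []
    for ip, login_ts in root_password_logins(auth_log, year):
        for up_ts in uploads.get(ip, []):
            if timedelta(0) <= login_ts - up_ts <= timedelta(minutes=window_minutes):
                alerts.append((ip, up_ts.isoformat(), login_ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in correlate(WEB_LOG, AUTH_LOG):
        print("ALERT web-to-root pivot:", alert)
```

Any hit from `root_password_logins` on its own is also worth reviewing, since it means sshd accepts password authentication for root.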

References: https://www.vulnhub.com/entry/hackfest2016-sedna,181/

Warlock

Warlock works as an Information Security Professional. He has quite a few global certifications to his name, such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations, helping them strengthen the security of their applications and infrastructure.