Hackerfest Quaoar CTF Walkthrough
Quaoar is the first and easiest CTF from Hackerfest. We hosted the VM in Virtual box and ran nmap on its target IP.
As can be seen above nmap has found a few ports are open. We started investigating from port 80 where http service is running on it. After opening the IP from the browser, we found a static web page.
We fired dirbuster for finding internal directories and files.
Dirbuster detected an upload directory so we opened it from the browser and we found it is built on Lepton CMC, after spending some time on enumeration we did not found any vulnerability on Lepton CMS. So we checked the robots.txt file, and we found another directory which was marked as allowed.
We opened the directory and found a web application running on it.
We ran Wpscan tool on the CMS for enumerating the vulnerable plugins, themes, and usernames.
It can be seen that the default admin user is still enabled on the application we tried to log in as admin by using password as admin and we successfully logged in into the application.
Now to upload a shell, we can simply use a Metasploit module named exploit/unix/webapp/wp_admin_shell_upload
After running the exploit module, we successfully got the meterpreter session. By executing the shell command, we started browsing all directories for the flag. Moreover, we got our first flag inside /home/wpadmin directory.
One more interesting thing found from config.php file from /var/www/upload directory which revealed the root password for the database.
By using the same database credential, we tried to log in as root via SSH, and we successfully logged in.
We browsed the root directory and found our final flag.