Hello everyone!
Today I would like to present to you the hackfest2016 Quaoar walkthrough :)
Nmap scanning
Wow, there is a bunch of open ports.
I started with Samba enumeration, but I didn't find anything interesting except the Samba version (3.6.3).
So I decided to try to find something within the web application.
Dirbuster found some helpful (?) paths.
Now we know that the web application uses the WordPress CMS. So, if we can learn a username from posts on the website, we will be able to use wpscan to try to brute-force this user's password.
After trying admin:admin - success!
Excellent! Let's try to edit some plugin or something like that and upload a reverse PHP shell.
I edited an existing plugin, Akismet, and activated it.
I executed the appropriate path to run our uploaded webshell.
Amazing, we have got a limited shell. Now we have to escalate our privileges.
I went to /var/www/wordpress and found the config file there.
Great! We have valid MySQL credentials. So, let's exploit it.
Hmmm, rootpassword! Maybe it will also be valid for Linux root?
BINGO!
Game over!
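A defender's view of the two weaknesses this walkthrough relied on (plugin editing from the dashboard, and the credentials stored in the WordPress config file), as an added example that is not part of the original post: a small Python audit of a wp-config.php body. The sample config, the `audit` and `parse_defines` functions and the chosen checks are assumptions constructed for illustration; `DISALLOW_FILE_EDIT` is a real WordPress constant.

```python
import re
import stat

# Matches define('NAME', 'value') and define('NAME', true) in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")

def parse_defines(text):
    """Return {constant: value}, ignoring commented-out lines."""
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for name, single, double, bare in DEFINE_RE.findall(line):
            cfg[name] = single or double or bare
    return cfg

def audit(text, mode):
    """List hardening findings for a wp-config.php body and its file mode."""
    cfg = parse_defines(text)
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root: use a dedicated, least-privilege MySQL account")
    if cfg.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: plugin PHP is editable from the dashboard")
    if mode & stat.S_IROTH:
        findings.append("file is world-readable: every local account can read DB_PASSWORD")
    return findings

# Constructed sample input, not taken from the target machine.
SAMPLE = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'EXAMPLE-PLACEHOLDER');
// define('DISALLOW_FILE_EDIT', true);
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o644):
        print("[!]", finding)
```

Because the web server account must always be able to read this file, none of these checks replaces giving the database account a password that no system account shares.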