Monday, 20 March 2017

hackfest2016: Quaoar

Hello everyone!

Today I would like to present to you the hackfest2016 Quaoar walkthrough :)

Nmap scanning

Wow, there are a bunch of open ports.

I started with Samba enumeration, but I didn't find anything interesting except the Samba version (3.6.3).

So I decided to try to find something within the web application.

Dirbuster found some helpful (?) paths.

Now we know that the web application uses the WordPress CMS. So, if we can learn a username from posts on the website, we will be able to use wpscan to try to brute-force this user's password.

After an admin:admin attempt - success!

Excellent! Let's try to edit a plugin or something like that and upload a reverse PHP shell.
I edited an existing plugin, Akismet, and activated it.
I executed the appropriate path to run our uploaded webshell.

Amazing, we have got a limited shell. Now we have to escalate our privileges.
I went to /var/www/wordpress and found the config file there.

Great! We have valid MySQL credentials. So, let's exploit them.
Hmmm, rootpassword! Maybe it will also be valid for Linux root?

Game over!
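From the defender's side, two of the conditions this walkthrough relied on (the dashboard plugin editor being available, and WordPress connecting to MySQL as root) can be checked directly in wp-config.php. The Python check below is an added example, not part of the original post; the sample config is constructed and its password is a placeholder.

```python
import re

# Constructed sample wp-config.php (not taken from the post): WordPress talks
# to MySQL as root and the dashboard file editor is left enabled.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'EXAMPLE-PLACEHOLDER');
define('DB_HOST', 'localhost');
// define('DISALLOW_FILE_EDIT', true);
"""

# Matches define('NAME', 'value'); and define('NAME', true);
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"]([^'"]*)['"]|(\w+))\s*\)\s*;""", re.I)

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so that
    commented-out defines are not counted as active settings."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"^\s*(//|#).*$", "", php, flags=re.M)

def parse_defines(php):
    """Return {constant: value}; bare words such as TRUE are lower-cased."""
    out = {}
    for name, quoted, bare in DEFINE_RE.findall(strip_comments(php)):
        out[name] = bare.lower() if bare else quoted
    return out

def audit(php):
    """Return a list of hardening findings for one wp-config.php text."""
    cfg = parse_defines(php)
    findings = []
    if cfg.get("DB_USER", "").lower() == "root":
        findings.append("DB_USER is root: use a dedicated MySQL account "
                        "restricted to the WordPress database")
    if "DB_PASSWORD" in cfg and cfg["DB_PASSWORD"] == "":
        findings.append("DB_PASSWORD is empty")
    # Either constant set to true disables the plugin/theme editor.
    if "true" not in (cfg.get("DISALLOW_FILE_EDIT"), cfg.get("DISALLOW_FILE_MODS")):
        findings.append("file editing is enabled: set DISALLOW_FILE_EDIT so "
                        "a dashboard login cannot rewrite plugin PHP")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("[!]", finding)
```

The database password should also be unique to that account; reuse across the MySQL and operating system root accounts cannot be detected from this file alone.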