Happy Friday!
In today’s post, I’ll be exploiting another system downloaded from VulnHub! This one is called Quaoar, so let’s not waste any time and jump into it!
When Quaoar is booted up, we are shown its IP address. For me, it was located at 10.10.1.10. Alright, let’s boot up our attacking system and scan the target with Nmap.
We get a few open ports back here! One that sticks out is port 80, which is of course used for HTTP. Knowing this, let’s open up a web browser and head over to 10.10.1.10.
So we do see a website up and running! Doing a little bit of exploring around the website, we have an option to click on a link which states “Click here to know what you need to do”. So, let’s click it!
Hack the planet, eh? Well, maybe some day, but for now let’s continue to focus on this machine. If we check the robots.txt file, we see a /wordpress/ directory listed as allowed to be accessed.
Okay, time to check out the wordpress directory!
Now we’re going to see if we can login. Before we do any brute forcing or credential guessing, let’s just start with simple default credentials: admin/admin.
Easy-peasy! So now that we’re in, let’s see if we can try to establish a reverse shell. For this, let’s boot up Metasploit and see what we can find.
The exploit wp_admin_shell is the one we want, so let’s select it and set the options. We’ll need to set the RHOST to 10.10.1.10 (the target IP), the username and password to admin (what we logged in as), and finally the TargetURI to /wordpress.
Once our options are set, it’s time to fire off the exploit!
Alright, the exploit was successful! A whoami command shows we aren’t root yet, so we’ll need to escalate privileges.
First, let’s spawn a TTY shell which will give us more flexibility while browsing the system.
A good way to try to escalate privileges (on any system) is to look for configuration files. Why is this? Well, these files may have other credentials stored inside of them that we can use to our advantage! Seeing as how this is a WordPress site, let’s browse over to /var/www and see what’s inside.
Sure enough, we see a folder inside called wordpress.
Inside, we see the wp-config.php file! Let’s display the contents of it and see if there are any goodies inside.
Now would you look at that! We see a root username and a password for that user (rootpassword!). These are the database credentials, but this definitely seems like what we’re looking for, so let’s try to connect via SSH with them and see whether the same password was reused for the system root account!
A whoami command returns the results that we want to see! We are root! Zero Cool would be proud!
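As an added defensive check (not part of the original post), the script below audits a WordPress wp-config.php and an sshd_config for exactly the two weaknesses chained together on this box: a world-readable config that stores a password for a privileged account, and an sshd that accepts a password login for root. The sample config files are constructed, with a placeholder password, and the finding messages and function names are my own.

```shell
#!/usr/bin/env bash
# Added hardening audit mirroring the Quaoar privilege-escalation path.
# audit_wp_config <path>: print one line per weakness found in wp-config.php
audit_wp_config() {
  local cfg=$1 user
  # Any local account (e.g. the web server user after a web shell) can read a world-readable config.
  if [ -n "$(find "$cfg" -perm -004 2>/dev/null)" ]; then
    echo "WP: $cfg is world-readable; set mode 640 owned by the web user"
  fi
  user=$(sed -n "s/.*define( *'DB_USER', *'\([^']*\)'.*/\1/p" "$cfg")
  # The database account should be a dedicated low-privilege user, never root.
  if [ "$user" = "root" ]; then
    echo "WP: DB_USER is root; create a dedicated WordPress database user"
  fi
  return 0
}

# audit_sshd <path>: print one line per weak sshd_config directive (values are case-insensitive)
audit_sshd() {
  local cfg=$1
  if awk 'tolower($1)=="permitrootlogin" && tolower($2)=="yes" {f=1} END {exit !f}' "$cfg"; then
    echo "SSH: PermitRootLogin yes; use 'no' (or prohibit-password)"
  fi
  if awk 'tolower($1)=="passwordauthentication" && tolower($2)=="yes" {f=1} END {exit !f}' "$cfg"; then
    echo "SSH: PasswordAuthentication yes; prefer key-only authentication"
  fi
  return 0
}

# make_samples <dir>: write constructed sample configs shaped like the box's setup
make_samples() {
  local dir=$1
  printf "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'root');\ndefine('DB_PASSWORD', 'PLACEHOLDER-not-the-real-one');\n" > "$dir/wp-config.php"
  chmod 644 "$dir/wp-config.php"   # deliberately weak for the demo
  printf "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n" > "$dir/sshd_config"
}

sample_dir=$(mktemp -d)
make_samples "$sample_dir"
audit_wp_config "$sample_dir/wp-config.php"
audit_sshd "$sample_dir/sshd_config"
rm -rf "$sample_dir"
```

On a real host, point the functions at /var/www/wordpress/wp-config.php and /etc/ssh/sshd_config; the constructed samples produce four findings.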
Thanks for reading!