Wednesday 22 March 2017

Hackfest2016: Quaoar CTF





First step

Recently I found a brand new CTF uploaded to vulnhub.com. It's marked as very easy, but it gave me a lot of fun during my attempts to breach it.

A Nikto scan showed me that there is an instance of WordPress installed on the machine, and I found that the credentials to the admin panel were obvious. ;)

Mail Sqli-masta

I crawled around the admin panel for some time and found the mail-masta plugin (version 1.0) installed and active. As far as I know, WordPress plugins are often very eager to be vulnerable. ;) And I was right, because of this: CVE-2017-6577.





Request with vulnerable "list_id" parameter





And here is confirmation:



Sqlmap




In the database I found another CMS called Lepton. Honestly, I had never seen it before, and it attracted my attention.

I slipped into the Lepton database and found this:



Hashed password, login and a strange IP address








I quickly checked the hashed password:



password:password ;)







I had the login and password for Lepton CMS, great. But I wasn't able to find the way to this CMS instance. I thought that maybe I'd find something useful in the documentation. And I did:



Here is your way




Now I was able to get into the CMS example site but, as I realised, nothing more...

Lepton tea time

I was stuck here for some time, but I didn't want to surrender. When I tried to get into /admins, the machine redirected me to a different IP that I wasn't able to connect to. So I thought that maybe a simple proxy with a redirect would work.






And it worked. I could get into the admin panel. The Media and Settings tabs were the things that interested me most. In the Settings tab I was able to add the .php extension to the allowed upload extensions and set the option to write files with 777 permissions.



Extensions




777




Now I was able to upload a simple shell in the Media tab.
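A defender-side check for the two settings abused above (a PHP extension allowed in media uploads and files written with 777 permissions): an added Python example, not code from the write-up or from Lepton, that walks an upload tree and flags executable extensions and world-writable entries. The sample directory it audits is constructed inline.

```python
import os
import stat
import tempfile
from pathlib import Path

# File extensions the web server would execute if they land in a media/upload
# directory. In the write-up the attacker simply added ".php" to the allowed list.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}


def audit_upload_tree(root):
    """Walk an upload directory and return sorted (relative_path, finding) pairs.

    Two conditions are flagged: a file whose extension the web server would
    execute, and any entry that is world-writable (the "777" setting)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        mode = path.lstat().st_mode
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXTS:
            findings.append((rel, "executable extension in upload dir"))
        if mode & stat.S_IWOTH:
            findings.append((rel, "world-writable (mode %o)" % stat.S_IMODE(mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a media directory left the way the write-up describes
    (PHP upload allowed, files written with 777). Not taken from a real system."""
    root = Path(tempfile.mkdtemp(prefix="media_"))
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    os.chmod(root / "images" / "logo.png", 0o644)  # a normal, harmless upload
    (root / "images" / "shell.php").write_text("<?php /* constructed placeholder */ ?>")
    os.chmod(root / "images" / "shell.php", 0o777)  # the "777" setting at work
    os.chmod(root / "images", 0o777)
    return root


if __name__ == "__main__":
    for rel, finding in audit_upload_tree(build_sample_tree()):
        print("%-20s %s" % (rel, finding))
```

Run it against the real media root (and any other web-writable directory) rather than the sample tree; on the constructed tree it reports the directory as world-writable and the .php file twice.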



But, honestly, it gave me almost nothing. I couldn't set up any reverse shell from here...





I was able to download it from my machine, but I couldn't execute it from this place. I had to find another way... I searched for some editable config files in the admin panel and found the Droplets tab in the administration tools. And here comes the reverse shell.




Hell yeah!







Indashell





I thought that some kernel exploit would work now to gain root, but I was wrong. ;) So I decided to search for some valuable config files. And in the WordPress config.php I found this:




Is it the real root password? ;)



I found the wpadmin flag as well:






And checked "rootpassword!" for root:






And it worked! Time for root flag:


THE END

Many thanks to @ViperBlackSkull and vulnhub.com for VM upload!