Hello everyone, another week, another challenge from Vulnhub. This time we're going to work on a short machine called Quaoar.
Attacker: Kali Linux 192.168.56.103
Victim: Quaoar 192.168.56.102
Let's start by scanning the machine with nmap.
Wow, that's a lot of open ports. I decided to begin by looking at port 80. In addition, the nmap scan showed a disallowed entry, which we have to check out.
The main directory of the website shows only two images.
Now let's take a look at robots.txt.
A WordPress directory? Seems interesting. By looking at the source code, we know that it's an old version of this CMS.
Let's run wpscan; in the meantime, I decided to look for common usernames on the wp-login page.
But wait, there's an admin account?
And there's even more: the password of this account is simply admin! Now we're in the administrator panel of WordPress, from where we can deploy a PHP reverse shell.
Remember to change the IP address.
To put it on the site, I decided to modify the code of the theme's 404.php page.
Then, we only have to set up the listener and navigate to the URL of the page.
Let's look for flags! I've found the first one in the /home directory.
Now, it's time to escalate our privileges. And to my amusement, in wp-config.php there was the root password for the MySQL database.
Will it work?
We have the last flag, together with the root access!
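From the defender's side, two of the weaknesses used above are visible in wp-config.php itself: WordPress connecting to MySQL as root, and the dashboard theme editor being left enabled. The following audit script is an added example, not part of the original write-up; the sample configs, the weak-password list and the 12-character threshold are constructed assumptions.

```python
import re

# Matches define('NAME', 'value'), define("NAME", "value") and define('NAME', true)
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")

def parse_defines(text):
    """Return {constant: value} for every define() call outside comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)          # block comments
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)      # commented-out lines
    return {name: sq or dq or bare
            for name, sq, dq, bare in DEFINE_RE.findall(text)}

def audit(text, weak=("admin", "root", "password", "toor", ""), min_len=12):
    """Flag the wp-config.php settings that made the escalation above possible."""
    d = parse_defines(text)
    findings = []
    if d.get("DB_USER") == "root":
        findings.append("DB_USER is root: use a dedicated low-privilege MySQL account")
    pw = d.get("DB_PASSWORD", "")
    if pw.lower() in weak or len(pw) < min_len:
        findings.append("DB_PASSWORD is short or a common default")
    # DISALLOW_FILE_EDIT=true removes the theme/plugin editor from the dashboard
    if d.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: theme PHP is editable from wp-admin")
    return findings

# Constructed sample resembling the situation in the write-up (values are made up)
SAMPLE = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'example');  // constructed value
// define('DISALLOW_FILE_EDIT', true);
"""

# Constructed hardened counterpart
HARDENED = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_app');
define('DB_PASSWORD', 'Constructed-Long-Passphrase-42');
define('DISALLOW_FILE_EDIT', true);
"""

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(label, audit(cfg) or "no findings")
```

Password reuse between the database and a system account cannot be detected from this file alone, so the script only covers what the config exposes.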